International supply chains are becoming increasingly complex over time. A consequence of this is that it becomes increasingly difficult to spot vulnerabilities and risk in a timely manner. This most notably applies to cyber risk, which grows as complexity does, and is perhaps worsened by our tendency to use yet more technology to manage the very complexity that created the need for it.
This is a daunting prospect for supply chains to face. Even more concerning is the fact that these aren’t ‘what ifs’ but real and tangible problems. For example, it was recently reported in Bloomberg Businessweek that servers of many significant US businesses had been infiltrated by Chinese spies as part of a well-planned, widespread and integrated cyber-attack on their supply chains.
The Bloomberg report specifically focused on Elemental Technologies, a software company, and its connection with Supermicro, which is the world’s biggest supplier of motherboards. The report claims that, back in 2015, when Amazon acquired Elemental, it was known that Supermicro motherboards, within Elemental’s hardware, had malicious chips and potentially modified hardware within them. Bloomberg made similar assertions towards Apple.
Both Apple and Amazon have been very insistent that these claims are not true. In fact, Amazon Chief Information Security Officer, Steve Schmidt, stated: “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems.”
Apple’s Vice President of Information Security, George Stathakopoulos, wrote a letter to Congress stating: “Apple has never found malicious chips, ‘hardware manipulations’, or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.”
Obviously, there is some wrangling still to be done between Amazon, Apple and Bloomberg. However, what the report highlights is that cyber risks are an inherent part of the supply chain, and it paints a picture of how disastrous cyber-attacks could be. It is this that we need to learn from, regardless of the truthfulness of the Bloomberg report.
Best practices to adopt in supply chains to mitigate cyber-attacks
All supply chains, and the individual businesses within them, need to take an enterprise-wide approach to reducing the risk that hardware may be compromised. This requires an integrated approach that brings together IT, logistics, compliance, procurement and every other function involved in the supply chain.
It requires looking at every facet of the supply chain from a cybersecurity point of view. Cyber-attacks can present in a range of different guises: tampering, theft, counterfeiting, insertion of malicious hardware or software, and even simply poor manufacturing.
So what can be done about it? We recommend introducing the following steps as best practice guidelines:
Set stringent and clear requirements with your suppliers:
Security requirements should be outlined and established in every supplier contract, in as much detail as possible. This should cover not only the types of threat posed but also the safeguards you expect to be put in place to mitigate that risk. Additionally, it should be common practice for your IT and cybersecurity teams to work together with the supplier to identify and close any security gaps.
Part of this can be achieved by requiring all suppliers to meet specific industry-recognised compliance standards, such as ISO 28000. Amazon is a good example of this: it investigates all hardware and software before it goes into production, while also undertaking security audits both within its own organisation and with its suppliers.
Develop and use a cybersecurity questionnaire:
A further part of this approach is to ask all your manufacturers directly about their security protocols. By understanding the way they do things, you can identify for yourself where weaknesses are inherent and seek changes.
The act of completing the questionnaire can, by itself, be enough to trigger action on the part of manufacturers, both in how they do things and in the security steps they have in place.
Example questions may include:
- In the production process, what controls do you have in place to monitor and manage risk?
- Explain your physical security measures and provide evidence of these.
- Is your design process for both hardware and software documented? If so, how?
Trust is, of course, a very important element of supply chain relationships, and this can make verification feel awkward. However, it cannot be avoided. You will need to verify that answers to the questionnaire are indeed evidenced, and be confident that the evidence is satisfactory. If it isn’t, you will need to seek reassurance and clarification. Asking for evidence should simply become an expected part of client-supplier relationships.
For example, going back to Stathakopoulos’ letter to Congress on behalf of Apple, he explains: “Before we begin a relationship, vendors are submitted to a review process which can incorporate, depending on the criticality of the services offered, a layers-deep study of the infrastructure of the vendor in question. The hardware incorporated into our environment is also placed in the scope of Apple’s Vulnerability scans, patching, and security reviews.”
Technology controls should be implemented:
Automation tools can provide the assistance needed to make all of this possible, and larger companies have greater scope for employing these more complex cybersecurity methods. They can apply in a number of different areas: for example, by building tamper prevention into products, or by adding automated checks to the component-purchasing process. The latter may mean that purchases from ‘trusted’ vendors are pre-qualified, whereas items from other vendors must be fully inspected before being accepted.
No-tolerance policies across the board:
There shouldn’t be any second chances. Cybersecurity risks are very real and tangible, and everyone must therefore appreciate that there is no room for error. If there are leaks or cybersecurity problems, this should result in automatic termination of the relationship and the contract.