What is Supply Chain Security and What it Means to Critical Infrastructure ICS/OT
2021-09-03 | 7 min read
What is Supply Chain?
Supply Chain describes the entire process of producing and delivering product. One could argue that the Supply Chain defines the success or failure of a company and its products. The better one manages the supply chain, the better the outcome for both consumer and producer in terms of costs, quality, delivery, safety, customer satisfaction, and revenue.
Hardware and Firmware Supply Chain
Supply Chain is an easy concept to grasp in today’s global economy. For example, we understand the components built into the laptop I’m typing on are manufactured all around the world. Not just the obvious ones, like metal enclosures and keyboard caps, but all the components. The threat of tampering with hardware components somewhere along the manufacturing process isn’t unheard of. But it’s not the keyboard caps that hackers care about. It’s the firmware that controls devices like webcams, trackpads, hard drives, and network interface cards, that have been proven to be hackable, that hackers seek.
We all know that firmware is a software program that’s been ‘etched’ onto the hardware. It’s what makes the device function. Unfortunately, ‘etched’ is not as permanent as it used to be. Firmware is stored on flash ROMs that can be erased, infiltrated with malware, and rewritten. The beauty of firmware hacking is that it’s difficult to detect and cumbersome to remove (return to manufacturer for repair). And it’s pretty much god power with invisibility included. So successful firmware hackers gain direct access to not just one device, but every device the manufacturer makes, sells and delivers to customers. Hacked, and you didn't even know it!
And if firmware is hackable, how much more vulnerable are all those fun free apps that make life interesting? More importantly, in the ICS/OT world, how carefully managed is the software supply chain of your PLC, your HMI, and your SCADA?
Software Supply Chain
As a Product Manager, I worked with Engineering to build products that solved real world problems that customers would buy. I understand the need for a carefully managed hardware/firmware supply chain. While the concept of a supply chain in the hardware world is an easy concept, I didn’t think much about the software supply chain until I observed my college-aged son download clever new font modules to his computer. What we don’t often think about is the fact that coders around the world make extensive use of shared libraries and modules. As a result, the concept of a Supply Chain also applies to software, which in the grand scheme of things is a relatively new concept. New, that is, until NOBELIUM brought software supply chain hacks to the forefront.
Supply Chain Security and What it Means to Critical Infrastructure
As a result of the recent but ongoing attacks on our critical infrastructure, Joe Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (‘NSM’) on July 28, 2021. Light on details, but more information was promised.
On August 25th, the National Institute of Standards and Technology (‘NIST’) announced their leadership in creating a new framework to improve the security and integrity of the technology supply chain.
Technology Supply Chain
The focus of the NIST announcement is the technology supply chain as it applies to critical Infrastructure. Devices that used to be driven by the physical, like pneumatics or electro-mechanical, have been transformed into improved, digital, internet connected, and ahem—now hackable devices. Securing the supply chain is of paramount importance.
Important to note that hackers have also noticed the internet connectedness of our factories and critical infrastructure. They’ve settled into their newfound power as gods of the ICS/OT world and they’re unrelenting in their attempts to break into everything ICS/OT-- but of particular interest is critical infrastructure. Because now they can not only extort money from their unwitting victims, they also have the power to poison communities, stop oil production, blow stuff up, make headline news, and destroy the economic health of entire countries. In addition to the millions of dollars they extort in the process.
Hacking the ICS/OT environment allows hackers the ability to create their own WMD especially if the victim is one of the 16 sectors of the critical infrastructure.
Reducing Technology Supply Chain Risk is for Everyone
So this is serious. How do we secure the technology supply chain? The sweet spot, as explained by Patrick Miller, to reducing risk in the near term, is the Bill of Materials. The Hardware Bill of Materials, the Software Bill of Materials and the Firmware Bill of Materials. Knowing what’s inside is very telling. But because of the ongoing threat to the technology supply chain, nobody is excused. Everybody needs to come together- manufacturers, critical infrastructure, and consumers all have an active role to play in making our world a safer place.
In anticipation of this new technology framework, Patrick Miller, CEO of Ampere and I tackle the topic of Supply Chain Security. I hope you’ll join us in this video.