Threats to ICT supply chains including Counterfeit electronic components and Hardware Trojans present critical risk to military and security systems

Information and communications technology, encompassing digital services and infrastructure, cybersecurity and software, is ubiquitous throughout the economy and society. As the digital transformation gathers pace, the number and complexity of ICT services are growing rapidly.

 

Information and Communications Technology (ICT) relies on a complex, globally distributed, and interconnected supply chain ecosystem that is long, has geographically diverse routes, and consists of multiple tiers of outsourcing. This ecosystem is composed of public and private sector entities (e.g., acquirers, system integrators, suppliers, and external service providers) and technology, law, policy, procedures, and practices that interact to design, manufacture, distribute, deploy, and use ICT products and services.

 

Commercially available ICT solutions present significant benefits including low cost, interoperability, rapid innovation, a variety of product features, and choice among competing vendors.  However, the same globalization and other factors that allow for such benefits also increase the risk of a threat event which can directly or indirectly affect the ICT supply chain, often undetected, and in a manner that may result in risks to the end user.

 

These ICT supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the ICT supply chain.

 

Faulty hardware components can pose security threats. Hackers often scour the internet for vulnerabilities that will allow them to carry out attacks. Intel’s Meltdown and Spectre chip security flaws, which could allow attackers to read sensitive information on your CPU, affected hundreds of millions of chips from the last two decades. While companies like Intel, Apple and Microsoft have issued updates to patch the flaws, the fixes haven’t always worked as intended, and sometimes have not been implemented. The WannaCry ransomware attack, for example, took advantage of Windows computers whose owners never implemented a Microsoft patch.

 

Apart from inherent vulnerabilities, there is also the threat of fake or counterfeit parts, which present critical risks in military systems, electronics systems and sensors, where a malfunction of a single part could endanger missions and lives. A 2012 Senate Armed Services Committee report on counterfeit electronic parts in the DoD supply chain found counterfeit parts to be a widespread problem in the defense supply chain. The “supply chain” is how the Pentagon refers to its global network of suppliers that provide key components for weapons and other military systems.

 

Apart from counterfeit electronic components, there is also the risk of Hardware Trojans (HT): malicious circuits that an adversary inserts into a design with the intention of damaging the functionality of the chip at a much later date or of leaking confidential information such as the keys used in cryptography. Time-to-market demands have forced integrated circuit design, manufacturing and testing to be done at different places across the globe. This approach has led to numerous security concerns, such as overbuilding of chips by foundries, IP protection, counterfeiting and hardware Trojans.

 

One country in particular has an advantage executing this kind of attack: China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs. About 27 percent of Lenovo Group Ltd. is owned by the Chinese Academy of Science, a government research institute. An internal report produced by the J-2 intelligence directorate warned that use of Lenovo products could facilitate cyber intelligence-gathering against both classified and unclassified—but still sensitive—U.S. military networks. The report  One official said Lenovo equipment in the past was detected “beaconing”—covertly communicating with remote users in the course of cyber intelligence-gathering.

 

Recently, during the ensuing top-secret probe, the US DOD discovered that servers assembled for Elemental by Super Micro Computer Inc., a San Jose-based company commonly known as Supermicro, had been altered: on their motherboards, testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons. The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.

 

There are other threats. Side-channel attacks (SCA) are another well-known class of attack on cryptographic circuits, aimed at leaking the key used to encrypt secret data. The adversary can use the power side channel or the timing side channel to get the key. Recent literature reports attacks based on EM waves and lasers. Another well-known SCA is based on test structures (Design for Testability circuits) inside the chip. There are also concerns about Intellectual Property (IP) protection: the IP used in products and solutions from original equipment manufacturers (OEM) should be protected.

 

Threats and vulnerabilities created by malicious actors (individuals, organizations, or nation states) are often especially sophisticated and difficult to detect, and thus pose a significant risk to organizations. It should be noted that ICT products (including libraries, frameworks, and toolkits) or services originating anywhere (domestically or abroad) might contain vulnerabilities that can present opportunities for ICT supply chain compromises. For example, an adversary may have the power to insert malicious capability into a product or to coerce a manufacturer to hand over the manufacturing specifications of a sensitive U.S. system. Note that it is impossible to completely eliminate all risks.

https://www.youtube.com/watch?v=QGIKhJrb9aA

Experts advocate secure manufacturing with total control of the manufacturing process from goods inwards to shipping. They maintain that the boards and components, down to the tiniest diode and resistor, that go into U.S. military systems must be made in America, and that each component and board that goes into these systems must be traceable to U.S. suppliers with approved security processes in place. “We believe the DOD [U.S. Department of Defense] should buy only American-designed, -manufactured and -owned servers from ITAR-approved American suppliers,” said Ben Sharfi, chief executive officer of General Micro Systems in Rancho Cucamonga, Calif. They also maintain that rigorous inspection of every incoming part – even down to the screw level – is crucial.

 

 
