There is no doubt that the global IT security threat landscape has evolved over the last decade, with governments and big businesses increasingly becoming the targets of cyber attackers.
It is the IT products required to operate these big businesses, governments and critical infrastructure, and the providers of these products, that represent the first line of defence in cyber security attacks.
The problem is that any IT product can include tainted or counterfeit components, which may include vulnerabilities that can leave them wide-open for cyber attacks. Vulnerabilities can be inserted intentionally or inadvertently, either during development in-house or through hardware or software components included through out-sourcing and a provider’s supply chain.
The challenges associated with assuring product integrity and securing supply chains of IT products are enormous and the importance of meeting these challenges is critical.
The evolving threat landscape
Globalisation has brought many benefits to the technology industry. Hardware and software components are sourced from all over the world to create commercial off-the-shelf (COTS) ICT, offering affordable high-quality computing and innovation necessary for operating governments, businesses and critical infrastructures around the world.
However a lack of direct control over these ICT products, including the development, manufacturing or integration processes used by each constituent in the supply chain, increases the potential for the insertion of tainted and counterfeit components. As products move through the life cycle, there is a potential for the introduction of tainted or vulnerable and counterfeit components at every stage from design, sourcing, build, fulfilment, distribution and sustainment, through to disposal.
The modern technology supply chain depends on a complex and interrelated network of constituents across a wide range of global partners. Suppliers provide components to providers or integrators that integrate the components, which can then be provided to distributors and resellers who might add additional value components or simply pack it all up for re-sale.
As a buyer purchasing hardware and software for mission critical systems, the question remains: how do you know if the providers, integrators and distributors you buy from have used secure engineering and supply chain management practices?
Concerns over product integrity
As cyber attacks increase, organisations are expressing more and more concern about the integrity of the products they are acquiring. Governments and businesses are increasingly looking at how to get more assurance that they are buying from trusted technology providers following best practices every step of the way. Technology providers have expressed similar concerns about buying from and working with trusted component suppliers and distributors.
This means not only following secure development and engineering practices in-house while developing their own software and hardware pieces, but also following best practices to secure their supply chains. After all, a supply chain is only as secure as its weakest link, and cybercriminals are well aware of this.
>See also: Blockchain technology for the supply chain
What is needed is a way of identifying trusted providers, component suppliers (hardware and software), integrators and resellers, so that customers know who is following the best practices and with whom they should partner.
Tainted products introduced into the supply chain pose significant risk to organisations because altered products bring the possibility of untracked malicious behaviour. It’s the classic Trojan Horse scenario.
Hidden risks in the supply chain
Customers, including governments, are moving away from building their own high assurance and customised systems, and moving toward the use of COTS ICT, typically because they are better, cheaper and more reliable.
But a maliciously tainted COTS ICT product, once connected or incorporated, poses a significant security threat. For example, it could allow unauthorised access to sensitive corporate data including intellectual property – or allow hackers to take control of the organisation’s network. Perhaps the most concerning element of the whole scenario is the amount of damage that tainted hardware or software could inflict on safety or mission critical systems.
Like their maliciously tainted counterparts, counterfeit products can cause significant damage to customers and suppliers resulting in failed or inferior products, revenue and brand equity loss, and disclosure of intellectual property.
Although fakes have plagued manufacturers and suppliers for many years, globalisation has greatly increased the number of outsourced components and the number of links in every supply chain, and with that comes increased risk. Consider the consequences if a counterfeit component was to fail in a government, financial or safety critical system, or if that counterfeit component was also maliciously tainted.
As more organisations move from developing their own IT systems to buying COTS ICT, what can governments, vendors, corporations and suppliers do to help assure the integrity of technology products worldwide and help protect the global supply chains from the increased threat of cyber security attacks?
IT product integrity and secure supply chains
The increase in sophistication of cyber attacks has forced technology suppliers and governments to take a more comprehensive approach to product integrity and supply chain security. Organisations are beginning to seek assurances that providers follow best practices to mitigate the risk of tainted or counterfeit components making their way into mission critical operations.
One way to raise the bar on assurance for all constituents in the supply side is to provide a global common standard of best practices that can be followed throughout the full product life cycle, by all constituents and in all parts of the world.
Though a critical first step, a standard is not enough to provide the type of assurances that governments, commercial institutions and providers that are acquiring components are looking for; they would prefer to be able to identify trusted technology partners without having to invest the time and resources to do the checks themselves.
With these challenges in mind, the Open Group Trusted Technology Forum (OTTF), a global standards initiative that includes technology companies, customers, government agencies, integrators, and third-party laboratories, has created the Open Trusted Technology Provider Standard – Mitigating Tainted and Counterfeit Products (O-TTPS) V1.1.
Being able to identify accredited organisations not only benefits commercial customers and governments, it also benefits COTS ICT providers, which can identify and choose to work with accredited component suppliers, integrators, distributors and resellers – thus enabling a holistic approach that is essential to raising the bar for all constituents in the supply chain.
This is just a first step – it is not the end. All supply chains won’t be secured tomorrow and it isn’t the only step that can be taken. But, adoption gains from technology providers and suppliers around the world, it will certainly go one step further in assuring product integrity and supply chain security.
Sourced from Sally Long, the Open Group Trusted Technology Forum