Supply Chain Risk Management (SCRM): The Next Major Crisis

Connect, but be very careful

An excellent article appeared (Oct 4, 2018) in Bloomberg Businessweek:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

A must-read on the Chinese infiltration of the US commercial supply chain, reaching into our biggest and most pervasive companies.


SCRM is a relatively new concern within the federal government. It is part of securing the IT products used by businesses and by the federal government. This is the "current" crisis, but it has been known for several years. The dangers posed especially by the Chinese come as no real surprise, given their ubiquitous presence in our commercial buying lives. The problem is pervasive. Like so many issues in cybersecurity, it is not treated as important until the next major crisis.

Here are some of the basic questions that should be considered:

  • Is this product produced by the US or by an Ally? (Who is truly a reliable Ally?)
  • Could counterfeit IT items be purchased from less-than-reputable entities?
  • Is this IT product on an approved hardware/software product listing?

Users trust software developers to provide secure updates for their software applications and products, updates that add new functionality or fix security vulnerabilities. They would not expect those updates to carry malicious scripts, code or programming. Most users have no mechanism (and often no concern) for defending against seemingly legitimate software that, for example, is delivered from an "https" site or carries a valid hash or digital signature. Unfortunately, software unwittingly accessed by users and tainted by either nation-state actors or general cyber-criminals on the Internet poses a growing risk to the global IT supply chain.

The use of varied supply chain attacks by cyber attackers to reach corporate software development infrastructures has been a major vector of concern for the government as well as the private sector. These attacks typically target publicly connected software build, test and update servers, and other portions of a software company's development environment. Nation-state agents can then inject malware into software updates and releases, with far-ranging impacts on the IT supply chain; the challenge continues to grow.[1]

SCRM: NIST 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

Users become infected through official, trusted software distribution channels. Attackers can add their malware to a software vendor's development infrastructure before the product is compiled[2]; the malware is then signed with the digital identity of a legitimate software vendor. This bypasses typical "whitelisting" security measures and makes the intrusion difficult to identify, which has contributed to a high degree of success for malicious cyber threat actors.
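The three paragraphs above describe why a valid vendor signature is not proof that an update is clean: if the malware is inserted before the build step, the vendor's own pipeline signs it. The following added example (not code from the original post or from any vendor named here) models that situation and shows the one check that still catches it on the receiving side: an integrity allowlist obtained independently of the vendor's distribution channel, for instance from a reproducible build the customer ran or a hash published out of band. The vendor key, package format and sample sources are all constructed; HMAC-SHA256 stands in for a real code-signing certificate.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's code-signing key (assumption, not a real key).
VENDOR_KEY = b"constructed-vendor-signing-key"

# Constructed sample releases: the clean source and a copy that was altered in the
# vendor's development environment *before* the build and signing steps ran.
CLEAN_SOURCE = b"def main():\n    print('updater v2.1')\n"
TAMPERED_SOURCE = CLEAN_SOURCE + b"# line injected upstream of the build step\nextra_behaviour()\n"


def build(source: bytes) -> bytes:
    """Stand-in for the compile/packaging step: the pipeline packages whatever source it is handed."""
    return b"PKG:" + source


def vendor_sign(package: bytes) -> str:
    """Sign a package as the vendor's release pipeline would (HMAC-SHA256 models a signing certificate)."""
    return hmac.new(VENDOR_KEY, package, hashlib.sha256).hexdigest()


def verify_signature(package: bytes, signature: str) -> bool:
    """Check the vendor signature; this is what typical whitelisting relies on."""
    return hmac.compare_digest(vendor_sign(package), signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(package: bytes, signature: str, pinned_hashes: set) -> dict:
    """Two independent checks: the vendor's signature and an out-of-band hash allowlist.

    A package must pass both before it is installed. The allowlist is the only check
    that detects tampering that happened before the vendor signed the release.
    """
    return {
        "signature_ok": verify_signature(package, signature),
        "hash_pinned": sha256_hex(package) in pinned_hashes,
    }


# Allowlist obtained through an independent channel (e.g. the customer's own reproducible build).
PINNED_HASHES = {sha256_hex(build(CLEAN_SOURCE))}


def demo() -> dict:
    """Run both releases through the pipeline and the receiving-side checks."""
    clean_pkg = build(CLEAN_SOURCE)
    tampered_pkg = build(TAMPERED_SOURCE)
    # The pipeline signs both packages, because the injection happened upstream of signing.
    return {
        "clean": verify_update(clean_pkg, vendor_sign(clean_pkg), PINNED_HASHES),
        "tampered": verify_update(tampered_pkg, vendor_sign(tampered_pkg), PINNED_HASHES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The tampered package reports `signature_ok: True`, which is exactly the bypass the text describes; only the independently pinned hash exposes it. In practice the allowlist comes from a reproducible build, a vendor hash published on a separate channel, or an internal approved-product listing, and the receiving side should refuse any package whose hash is not on it regardless of signature status.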

Some example recent intrusions include:

  • In July 2017, Chinese cyber espionage operatives altered the software packages of a legitimate software vendor, NetSarang Computer (https://www.netsarang.com/). These changes allowed access to a broad range of industries and institutions, including retail, financial services, transportation, telecommunications, energy, media, and academia.

  • In August 2017, hackers inserted a backdoor into updates of the computer "cleanup" program CCleaner while it was still in its software development phases.

  • In June 2017, suspected Russian actors deployed the PETYA ransomware to a wide range of European targets by compromising a targeted Ukrainian software vendor.

While this should not be about creating panic, it should be about awareness and planning. The problem continues to be apathy from federal and corporate leadership, until it is too late.

For further information see NIST 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf).


Notes:

[1] Other less-protected portions of the supply chain include, for example, Field Programmable Gate Array (FPGA) and Application-Specific Integrated Circuit (ASIC) chips, found on most major US weapons and satellite systems.

[2] That is, before the code is converted into an executable (.exe). The malware is injected at the programming level, where quality control mechanisms in secure development processes are often less than adequate.


A favorite book on how the Chinese, Russians, and Iranians are the most pervasive threats in cyberspace.