Cyber Readiness and Response

Covering All Your Bases – Part 1

Created: 07 Nov 2012
SecurityHill's picture
With the public wave of attention to Stuxnet, we have seen how physical systems can be impacted by malicious threats.  But threats to hardware are not limited to Industrial Control Systems (ICS); other potential targets are networking equipment, computing hardware and telecom.  When protecting our organizations, we should always make sure we are covering all of our bases.  Sometimes this means protecting and auditing the hardware itself that is responsible for our communications and processing.  In recent years we have seen other examples of compromised hardware resulting from process or personnel within a supply chain.  Examples include computing hardware shipped with malware stored in nonvolatile memory, hardware that has covert secondary channels or devices to communicate or store confidential data, and devices that contain something as simple as a backdoor login.  All of these examples are possibilities that can be introduced into the supply chain during the manufacture, assembly or shipping of equipment.  This is just a small glimpse of what is possible when dealing with threats that can be embedded in hardware.
This exposes several possible risks:
  • the possibility of interrupted operations
  • the interception and collection of information
  • and the possible tampering or corruption of information

Because of these risks, enterprises should consider having a Supply Chain Risk Management (SCRM) process.  Obviously, enterprises that are responsible for Critical Infrastructure, Financial Institutions, Medical and Media have a higher bar to cross and should consider a broader scope for their SCRM process.
Some basic measures that are considered in any SCRM process include, to list a few:

  • Supplier selection
    • e.g. how they procure subcomponents and assemble these components
  • Protection of the supply chain
    • e.g. physical and logical tamper protection
    • e.g. auditing of new hardware to protect against embedded malicious code, eavesdropping potential, traffic redirection, etc.
  • Third-party testing of acquired hardware

Part 2 will discuss managing and dealing with your supply chain and reducing your organization's exposure to risk.

 
