A recent Bloomberg article provides a deep dive into just how serious a supply chain attack can be for your business. According to the article, Chinese spies used a tiny microchip on server boards to gain access to more than 30 American companies, including Amazon and Apple.
Though Amazon and Apple deny that supply chain security was an issue in this case, this incident brings to light a core concern for any company creating products and systems. For many, this concern is only growing.
While the China incident is a hardware supply chain attack, software supply chain attacks are just as real. The mechanism is the same; the difference is that the compromised component is software (a library, an installer, an update) rather than a chip or firmware. A recent survey found that nearly 80 percent of senior IT professionals believe that software supply chain attacks are likely to become one of the biggest cyber threats over the next several years.
Businesses must make supply chain security a top priority. This is easier said than done, but we have some tips for you to make sure you’re doing all you can to implement proper cyber security supply chain risk management.
The China supply chain attack
A supply chain attack is a cyber attack that infiltrates your network by compromising a less-secure supplier, component or service in your supply chain. The Bloomberg article states that the China attack came to light in 2015, when Amazon began exploring an acquisition of Elemental Technologies to expand its streaming video service.
Being the behemoth that it is, Amazon did some serious due diligence and hired a third party to perform in-depth security checks on Elemental. Issues were uncovered that caused Amazon to look more closely at the servers used by the company. It turned out the servers were manufactured by Super Micro Computer, Inc. (Supermicro).
Further testing discovered tiny microchips on the servers’ motherboards that were not included in the original design. Amazon reported the finding to the proper authorities. It is important to note here that Elemental’s servers were being used throughout various government agencies at the time, making this finding even more alarming.
The investigation is still open, but according to the report the microchips gave the attackers a way into any network using the machines. The chips were reportedly inserted at subcontractor factories in China that assembled boards for Supermicro.
Additional details of the attack and the investigation are available in the Bloomberg article, but it has been described as “the most significant supply chain attack known to have been carried out against American companies.” While some of the details still need to be verified, it absolutely points to the importance of supply chain security.
Supply chain cyber security best practices
This incident should raise a red flag for all businesses, regardless of size or location. Supply chain threats must be taken very seriously, as the consequences can be severe.
If an attack occurs, you have to deal with more than a data breach. You need to source replacement hardware through a different channel. You need to replace every compromised machine. You need to determine which parts of your network(s) have been infiltrated. All of this requires time and money.
The other important item to remember is that these kinds of attacks are extremely difficult to detect. The China microchip was about the size of a grain of rice. Amazon had the means to pay an external security firm to perform comprehensive checks. The average company is unable to afford these extreme measures of caution.
So, what can you do?
Of course, one alternative is to stop buying parts from regions such as China that may offer cheaper pricing but may also jeopardize security. But many companies are not willing to cough up the extra money to manufacture elsewhere. When you need to manufacture products in high volume, the less costly option usually wins. If you can afford to source components from a supplier that highly values security, that can provide an extra layer of protection.
There is also a bit of “security through obscurity” for smaller companies. The attackers knew these Supermicro servers were being used by large American companies and governmental organizations. They had an incentive to try to infiltrate those larger networks, because they knew they contained highly valuable data. Smaller companies are much less likely to be targeted, since an infiltration is not going to deliver the same kind of high-value data. But you cannot rely on probability: a mass-produced board does not know who bought it, and a small company running the same commodity hardware gets the same implant. To get straight to the point: you cannot be complacent.
We recommend rigorous quality control. Take a sample of the items manufactured and inspect them against the bill of materials and the reference design, so that any component that is present but not in the design stands out immediately.
If you’re an IoT device manufacturer, you need to ensure the integrity of the parts you’re designing. Designers need to account for every chip on the board and make sure that each piece has a purpose—and, more importantly, that each one is supposed to be there. A part with no reference designator in the design is the finding that should stop a shipment.
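As an added illustration of the sampling and inspection steps above (example code written for this page, not something from the article, Amazon or Supermicro), the script below does two things: it sizes an inspection sample so that a given rate of tampered boards in a lot is very likely to show up at least once, and it reconciles an inspection report against a golden bill of materials, flagging parts that are missing, substituted, or, the case that matters most here, present on the board but absent from the design. Part numbers, reference designators and the inspection results are constructed for the example.

```python
"""Added example: size an inspection sample and reconcile inspected boards
against a golden bill of materials (BOM). All part data below is made up."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

# Golden BOM: reference designator -> part number the design calls for.
# These identifiers are constructed for the example, not real parts.
GOLDEN_BOM: Dict[str, str] = {
    "U1": "BMC-EXAMPLE-2500",
    "U2": "SPI-FLASH-EXAMPLE-256",
    "U3": "PCH-EXAMPLE-612",
    "R17": "RES-0402-10K",
}

# Constructed inspection results (e.g. from an optical/X-ray pass) for three
# boards. B2 is missing a resistor; B3 has a substituted flash chip and an
# extra component at U9 that the design does not contain at all.
INSPECTIONS: Dict[str, Dict[str, str]] = {
    "B1": {"U1": "BMC-EXAMPLE-2500", "U2": "SPI-FLASH-EXAMPLE-256",
           "U3": "PCH-EXAMPLE-612", "R17": "RES-0402-10K"},
    "B2": {"U1": "BMC-EXAMPLE-2500", "U2": "SPI-FLASH-EXAMPLE-256",
           "U3": "PCH-EXAMPLE-612"},
    "B3": {"U1": "BMC-EXAMPLE-2500", "U2": "SPI-FLASH-OTHER-256",
           "U3": "PCH-EXAMPLE-612", "R17": "RES-0402-10K",
           "U9": "UNKNOWN-0603"},
}


@dataclass
class Finding:
    board: str
    kind: str                 # "extra", "missing" or "substituted"
    refdes: str
    expected: Optional[str]   # part number per the golden BOM, if any
    observed: Optional[str]   # part number seen on the board, if any


def sample_size(tamper_rate: float, confidence: float) -> int:
    """Number of boards to inspect so that, if at least `tamper_rate` of a
    large lot is tampered, at least one tampered board lands in the sample
    with probability `confidence`. Assumes a lot large enough that sampling
    without replacement is well approximated by sampling with replacement."""
    if not 0 < tamper_rate < 1 or not 0 < confidence < 1:
        raise ValueError("tamper_rate and confidence must be in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tamper_rate))


def reconcile(golden: Dict[str, str], observed: Dict[str, str],
              board: str) -> List[Finding]:
    """Compare one inspected board against the golden BOM."""
    findings: List[Finding] = []
    for refdes, part in observed.items():
        if refdes not in golden:
            # A populated position the design does not have: the implant case.
            findings.append(Finding(board, "extra", refdes, None, part))
        elif golden[refdes] != part:
            findings.append(Finding(board, "substituted", refdes,
                                    golden[refdes], part))
    for refdes, part in golden.items():
        if refdes not in observed:
            findings.append(Finding(board, "missing", refdes, part, None))
    return findings


def audit_lot(golden: Dict[str, str],
              inspections: Dict[str, Dict[str, str]]) -> Dict[str, List[Finding]]:
    """Reconcile every inspected board; returns only boards with findings."""
    results = {b: reconcile(golden, obs, b) for b, obs in inspections.items()}
    return {b: f for b, f in results.items() if f}


def lot_has_unexplained_parts(golden: Dict[str, str],
                              inspections: Dict[str, Dict[str, str]]) -> bool:
    """True if any board carries a component the design does not account for.
    This is the condition that should hold a shipment, not just a rework."""
    return any(f.kind == "extra"
               for findings in audit_lot(golden, inspections).values()
               for f in findings)


if __name__ == "__main__":
    print("boards to inspect for 1% tamper rate at 95% confidence:",
          sample_size(0.01, 0.95))
    for board, findings in audit_lot(GOLDEN_BOM, INSPECTIONS).items():
        for f in findings:
            print(f"{board}: {f.kind:11} {f.refdes:4} "
                  f"expected={f.expected} observed={f.observed}")
    print("hold shipment:", lot_has_unexplained_parts(GOLDEN_BOM, INSPECTIONS))
```

Two points of practice behind the design. First, the sample size grows quickly as the tampering rate you want to catch shrinks: catching a 1 percent implant rate with 95 percent confidence takes about 300 boards, so "inspect a handful" is not a meaningful control against a targeted, low-rate insertion. Second, a substituted or missing part is usually a manufacturing defect and can be reworked, but a component in a position the design never had is exactly the grain-of-rice scenario, which is why the script treats it as a shipment hold rather than a rework item.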
If you’re working with an IoT device manufacturer on a project, you need to ask questions to make sure these extra security steps are being taken. How is the supply chain monitored and secured? Which subcontractors assemble the boards, and how are finished boards checked against the design? Only work with qualified professionals who take security seriously and can show you evidence of it.
The China supply chain attack began years ago, but we are still uncovering details and learning more about how deeply this infiltration penetrated. Learning from the mistakes of the past can help improve security measures as we look ahead.