The success of a business is undoubtedly linked to its supply chain. Yet, because of this, an organization is only as strong as its weakest link. According to GAO-18-667T, reliance on a global supply chain introduces multiple risks to federal information systems. Supply chain threats are present during the various phases of an information system’s development life cycle and could create an unacceptable risk to federal agencies. These threats can have a range of impacts, including allowing adversaries to take control of systems or decreasing the availability of materials needed to develop systems. They can be introduced by exploiting vulnerabilities that could exist at multiple points in the supply chain.
Examples of such vulnerabilities include the acquisition of products or parts from unauthorized distributors; inadequate testing of software updates and patches; and incomplete information on IT suppliers. Malicious actors could exploit these vulnerabilities, leading to the loss of the confidentiality, integrity, or availability of federal systems and the information they contain. Today, organizations have a greater choice of suppliers and have become more reliant on third parties. This, however, also means that the supply chain has become a more complex web of interdependent companies that might not even be aware that they are connected. As a result, it is impossible to cover the entire supply chain. Additionally, technology is becoming an essential tool in the supply chain for all operations. These factors – on their own, but even more so when combined – have precipitated an inadvertent expansion of vulnerabilities within supply chains, especially in regard to cyberattacks.
Various actors might target an organization’s supply chain, and with them come numerous motives for an attack, be that an individual looking to gain financial benefits, or a nation-state or state-sponsored actor seeking to sabotage an adversary by conducting espionage. When attacking the supply chain, it is typically (though not exclusively) the hardware that is tampered with, especially when hardware components include built-in firmware. Devices can be compromised at any point throughout the supply chain, and the Rogue Device can be delivered by a supplier to the end user. Moreover, due to the interconnectedness of the involved organizations, suppliers often have access to a target’s sensitive information.
When the target, such as a government agency, is highly secured and gaining an onsite presence is almost impossible for an attacker, it is more attainable to attack a third party with fewer security measures in place, as confidential data can still likely be accessed. As mentioned, supply chains are becoming increasingly complex, which makes detecting an attack, and its origin, extremely difficult, and in many respects supply chain attacks represent the “Holy Grail” of hardware-based attacks. Additionally, implants can be microscopic and can easily go unnoticed by the human eye, avoiding any suspicion as to the device’s true intentions. Sitting on the Physical Layer – Layer 1 – implants are not detected by security software solutions either. Furthermore, Spoofed Peripherals might be authorized as a genuine HID, thereby not raising any security alarms. Ultimately, there are plentiful benefits that make attacking the supply chain favorable for bad actors.