GUEST ESSAY: The many ways your supply chain is exposing your company to a cyber attack

By Josel Lorenzo

It’s a scenario executives know too well.

You and your cybersecurity team do everything correctly to safeguard your infrastructure, yet the frightening alert still arrives that you’ve suffered a data breach.

It’s a maddening situation that occurs far more often than it should.

One of the main culprits behind these incredibly frustrating attacks has less to do with how a team functions or the protocols a company employs. Instead, it is a procurement issue that results from supply-chain shortcomings and the hard-to-detect vulnerabilities layered into a particular device.

“The same technologies that make supply chains faster and more effective also threaten their cybersecurity,” writes David Lukic, a privacy, security, and compliance consultant. “Supply chains have vulnerabilities at touchpoints with manufacturers, suppliers, and other service providers.”

The inherent complexity of the supply chain for modern technology is a reason why so many cybercrime attempts have been successful. Before a device reaches the end user, multiple stakeholders have contributed to it or handled it. CPUs, GPUs, drives, network controllers, and peripherals can each originate at a different supplier.

Then there are firmware developers, transport agencies, testing facilities, and security evaluation agencies that handle the device before it is sent to the corporate client. From there, operations staff, audit staff, and IT department personnel likely handle the device before it finally makes its way into the hands of the intended operator.

This complexity can be compounded by the effects of world events like COVID-19 or a war, resulting in manufacturing slowdowns and lockdowns. Such events have led to parts shortages that force the use of older and less-secure replacement parts to meet schedules, which emphasizes the need for innovation and for additional suppliers.

As the European Union Agency for Cybersecurity (ENISA) puts it: “The chain reaction triggered by one attack on a single supplier can compromise a network of providers.” ENISA found that 66 percent of cyberattacks focus on the supplier’s code.

The vulnerabilities present throughout a device’s product journey lead to increased risk. Cybersecurity experts like Lukic and the researchers at ENISA recommend that organizations limit the number of suppliers they contract, develop a minimum standard for those with whom they engage, and verify a supplier’s code and security protocols before finalizing terms. But these tactics go only so far in protecting you, while the core problem remains.

There is, however, the potential for a reliable solution that can bring some peace of mind. The Trusted Control/Compute Unit, or TCU, built by Axiado introduces an enhanced zero-trust model to the market.

This artificial intelligence-driven, chip-scale innovation offers multiple and hierarchical trust relationships for complex ownership structures and transitions. It provides an answer to the most common and dangerous forms of cybercrime:

• Security at the root. With its proactive platform root-of-trust design, the TCU eliminates fragmentation and establishes safeguards for pre-boot, at-boot, and runtime stages of critical device components and functions.

• Anti-counterfeit, anti-theft, and anti-tampering features. A ground-up solution, the TCU addresses the risks in supply-chain management through its hierarchical infrastructure that has multiple stakeholders and its use of transition management between those stakeholders. TCU’s capabilities encompass a depth and breadth of systems analysis and cutting-edge security management that locates and contains attacks.

• Threat detection. The TCU deploys AI-based runtime threat-detection surveillance and remediation for enhanced tamper

• Traceability and accountability. With the TCU, networks have advanced forensic abilities to track digital activity and maintain system integrity.

The features of the TCU can greatly help to resolve the four most pressing concerns that can impact any company’s cybersecurity initiatives. The first major problem the TCU solves is in the area of data loss, modification, or exfiltration. These measures, enabled by security at the root and AI, protect users, devices, and network data.

A second problem area that the TCU addresses is failure or loss of system availability. The benefit of security at the root is that it protects systems from crippling firmware attacks that can severely compromise and even disable systems.

Third, the TCU solves the issue of a reduction in the availability of components. Control and management of system security can be offloaded from the main CPU and related processors to a TCU.

This allows flexibility to use older components in times of supply shortages, as we’ve experienced during COVID-19 and other world events. The TCU offsets the security shortcomings in these alternative devices.

Finally, the TCU safeguards against reputation risk. A TCU-based solution preserves a company’s reputation by stopping unauthorized alterations or implants throughout a product’s lifecycle. Maintaining a sterling reputation with vendors and suppliers is crucial to long-term success for individual companies and the ecosystems in which they operate.

The good news for executives and in-house cybersecurity experts is that there is finally a way to confidently mitigate the relentless supply-chain attacks. Axiado’s single-chip solution lessens complex integration of multiple parts while adding new layers of protection. The TCU addresses the supply-chain risks from counterfeits, substitutions, tampering, theft, and implants while adding accountability to the ownership process.

About the essayist: Josel Lorenzo is vice president of products at Axiado, which supplies advanced technologies to secure the hardware root of trust.