Supply Chain Security: The Cyber Risk Perspective

Supply chains need to be more robust. Over the last 20 years these have been run to maximize efficiency throughout the global manufacturing industry, however they have also become a source of vulnerability. The nature of the vulnerability depends on your perspective. Often the issue is security of delivery of a scarce resource. For example, semiconductor shortages are causing automobile manufacturers to idle production lines, and vaccine delivery to many parts of the world is problematic.  

However, there is growing concern on supply chain security from the cyber risk perspective. The recent Solar Winds breach is an example of a ‘supply chain’ malware delivery system where the exploit package is injected into some generic software update, and subsequently gets a free piggy back ride directly into the enterprise. Tighter control on authorization credentials and the process of who can assemble, submit and digitally sign software updates is required to help mitigate this attack vector.

The more general case of cyber risk becoming apparent with IoT. Semiconductors are designed, built, and integrated into subsystems that perhaps have 5G connectivity built in, packaged and software loaded up, and then shipped out. These might be standalone components or elements that go up the manufacturing chain for further integration. Ultimately, they get powered up, configured, and live out some operational life.  

The hard problems are many. How do you trust this device? Is the design secure? Was it manufactured according to the design? Did something change along the way, maybe after a compliance and certification test? How can you verify all this?

Digital signatures and verification on all IoT elements will provide the largest contribution to mitigating these issues. This is a fundamental building block to gaining trust. When IoT devices are powered up and undergo initial configuration and provisioning, the digital signature on the software load can be verified.   There is a ‘trust anchor’ involved in this step, as electronic trust starts and stops from known points.

The start point is the digital certificate baked into the device at manufacture. This certificate needs to be trusted by all downstream verifiers. In critical infrastructure and other safety related applications, government regulations and compliance will form a major part of the trust mechanism by requiring verification to be completed before a particular device can deployed. This can work during provisioning where the electronic credentials (serial number included) of the device is verified against a list of known and approved devices for a particular jurisdiction or application.  Only when the validation passes will provisioning be complete and operations can begin. The device will be known to be trustworthy, and verification proves that it was not modified in transit.

To continue to trust the IoT device the supply chain of software updates must be managed. Being able to verify who can deliver and update that software, and that it is being delivered as intended, is fundamental to maintaining this trust. Public key cryptography provides the tools for this, and a caution here as well – the implementation must be able to withstand quantum attacks that are expected to emerge in the near future.

Trust is not easy, but it is essential. At the end of the day, cryptography is the backbone of digital trust, and should be viewed as critical infrastructure. Managing all cryptographic assets – including certificates, libraries and encryption – is becoming increasingly critical to maintaining security. And with ever-increasing profileration of IoT and connected devices, managing cryptography continuously through a crypto-agile approach will be the most efficient, practical path going forward.

Brian O’Higgins, ISG Advisor, Cryptography & Security; Co-Founder & Former CTO, Entrust
July 6, 2021