Supply Chain Security

In the contemporary landscape, the intricate network of interlinked enterprises has inadvertently widened the scope of vulnerabilities within supply chains, emphasizing the critical importance of supply chain security.
According to GAO-18-667T, reliance on a global supply chain introduces multiple risks to federal information systems. Such risks include adversaries taking control of systems or decreasing the availability of materials needed to develop systems, underscoring the importance of robust supply chain security.

What is Supply Chain Security?

Supply chain security centers on effectively managing risks related to external suppliers, vendors, logistics, and transportation. These risks persist throughout the different phases of an information system’s development life cycle and are often introduced through the exploitation of vulnerabilities that can exist at various points within the supply chain. Examples of such vulnerabilities include unauthorized acquisition of products or components, insufficient testing of software updates, and incomplete information about IT suppliers. Exploiting these vulnerabilities can compromise the confidentiality, integrity, or availability of federal systems and the sensitive information they house.

Various actors might target an organization’s supply chain, and with them come numerous motives for an attack, whether it is an individual looking to gain financially or a nation-state or state-sponsored actor seeking to sabotage an adversary by conducting espionage.

Supply Chain Security and Hardware-Based Attacks

Supply chain security is a critical concern in today’s interconnected and globalized world. When attackers target the supply chain, they usually (but not always) tamper with the hardware, especially when hardware components include built-in firmware. Devices can be compromised at any point along the supply chain, so that a now-rogue device is ultimately delivered to the end user. Ensuring a device’s integrity (i.e., that it is what it says it is) is not a simple task. Implants can be microscopic and can easily go unnoticed by the human eye, avoiding any suspicion as to the device’s true intentions.

Further, these implants sit on the physical layer (Layer 1) of the OSI model. Physical layer implants are not detected because security software solutions do not encompass Layer 1 visibility. Similarly, spoofed peripherals are authorized as genuine HIDs thanks to physical layer manipulation, and thus do not raise any security alarms. Moreover, as supply chains become increasingly complex, detecting an attack and its origin is extremely difficult. Hence, in many respects, the supply chain represents the “holy grail” of hardware-based attacks, providing bad actors with access to even the most secured entities.

Supply chain security involves safeguarding the various components, processes, and transportation logistics that make up the supply chain. One possible way of tampering with the supply chain is through the transportation logistics. If the adversary is aware of the expected transportation route, whether air or sea freight, they may find multiple entry points, and, given enough motivation, a quick “unboxing” and “re-boxing” is not an issue.

What is Physical Layer?

Traditional visibility tools use Layer 2 (MAC) and Layer 3 (TCP/IP) network data to discover and identify devices. This is problematic because, at Layer 2 and above, devices without a digital existence, such as passive taps, unmanaged switches, MiTM attack tools or “spoofed” devices, go undetected. Hence, rather than relying on traffic monitoring, physical layer (analog) information is used to detect and identify devices for what they truly are, by monitoring various data signals such as voltage, current, noise level, signal timing, and more. This approach provides continuous real-time visibility of all network and peripheral devices within the environment.

How Can Sepio Help With Supply Chain Security

Consider a case in which site A wishes to send site B a hardware asset (a switch, a laptop, or even a simple keyboard). While the device is at site A, it is connected to Sepio’s HAC-1 Hardware Access Control, which probes and lists its physical layer fingerprint vector and Bill-Of-Material (BOM). After the asset reaches its final destination, site B, it is reconnected to HAC-1 to verify that its physical layer fingerprint (and BOM) has not changed.
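
The ship-and-verify flow described above, sketched as an added example that is not Sepio’s code or HAC-1’s data format: the field names, tolerance, shared key and sample values are all assumptions constructed for illustration. It goes slightly beyond the text by authenticating the baseline record with an HMAC, so that site B can tell a tampered record apart from a tampered device.

```python
import hashlib
import hmac
import json

# Hypothetical relative tolerance for analog measurements (assumption, not a vendor value).
TOLERANCE = 0.05


def seal_manifest(asset_id, fingerprint, bom, key):
    """Site A: record the baseline and authenticate it with HMAC-SHA256."""
    body = {"asset_id": asset_id, "fingerprint": fingerprint, "bom": sorted(bom)}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_at_destination(manifest, measured, observed_bom, key):
    """Site B: return a list of findings; an empty list means the asset matches."""
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest authentication failed"]  # the baseline itself is untrusted

    findings = []
    for name, ref in manifest["body"]["fingerprint"].items():
        value = measured.get(name)
        if value is None:
            findings.append(f"missing measurement: {name}")
        elif abs(value - ref) > TOLERANCE * abs(ref):
            findings.append(f"fingerprint drift: {name} {ref} -> {value}")

    # The BOM must match exactly: no component removed, none added.
    shipped, received = set(manifest["body"]["bom"]), set(observed_bom)
    findings += [f"component missing: {c}" for c in sorted(shipped - received)]
    findings += [f"unexpected component: {c}" for c in sorted(received - shipped)]
    return findings


# Constructed sample data for a keyboard shipped from site A to site B.
KEY = b"constructed-demo-key"
BASELINE = {"voltage_v": 5.02, "current_ma": 98.0, "noise_mv": 12.0}
BOM = ["usb-controller:rev-b", "keyboard-matrix:104", "led-driver:v1"]
MANIFEST = seal_manifest("KB-0001", BASELINE, BOM, KEY)
```
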

Securing the supply chain has always been, and will continue to be, a never-ending battle. It is up to us to make our adversaries’ lives as difficult as possible, so that they turn away and seek an alternative target.

July 5th, 2022