This white paper explores the multifaceted nature of supply chain vulnerabilities, examining their causes, implications, and strategies for mitigation. By understanding and addressing these vulnerabilities proactively, organizations can fortify their supply chains against emerging threats and enhance overall operational resilience in an increasingly interconnected global economy.
In recent years, supply chain vulnerabilities have gained heightened attention due to incidents involving counterfeit components, data breaches, and even geopolitical tensions impacting trade routes. These challenges underscore the critical need for organizations to adopt robust risk management strategies that encompass supply chain resilience and security.
Supply Chain Vulnerabilities
According to GAO-18-667T, reliance on a global supply chain introduces multiple risks to federal information systems. Supply chain threats are present during the various phases of an information system’s development life cycle and could create an unacceptable risk to federal agencies.
Malicious actors could exploit supply chain vulnerabilities, leading to the loss of the confidentiality, integrity, or availability of federal systems and the information they contain.
When attackers target the supply chain, they typically focus on the hardware, especially when some hardware components include tampered built-in firmware. Compromises can occur at any point in the supply chain, and suppliers can deliver rogue devices to end users.
Supply chains are becoming increasingly complex, which makes detecting an attack and its origin extremely difficult. In many respects, supply chain attacks represent the “Holy Grail” of hardware-based attacks. Additionally, implants can be microscopic and can easily go unnoticed by the human eye, avoiding any suspicion as to the device’s true intentions. Some attack tools are present only on the network’s physical layer. They are not detected by security software solutions that have network visibility from Layer 2 and above (Network Access Control).
Supply Chain Attack Methods
Fault Attack
These attacks target a physical electronic device: the attacker causes stress to the device through external means, e.g., incorrect voltage, excessive temperature, or signal power interference. The stress generates errors in such a way that it results in a security failure of the system.
Power Line Attack
Perpetrators can use malware to control the device’s CPU workload and, consequently, its power consumption. They measure the emissions conducted on the power cables and process the signal, decoding it back into binary information.
Wireless Implants
Computer operating systems, through the Human Interface Device (HID) protocol, allow devices to be easily accepted when plugged in, simplifying the connection of keyboards, mice, and other input devices. Attackers exploit this by using devices that act like HIDs, which the computer recognizes as genuine. These rogue devices look authentic, like charging cables or keyboards, and victims use them without questioning their intent. The device incorporates a remote access point, enabling the attacker to control the endpoint without needing physical access, thus simplifying their task.
Spy Chips
These malicious chips can access the target’s firewall configurations, allowing the attacker to change firewall settings, gain remote access to the target device, disable security features, and access the device’s connection logs. Spy chips are tiny, just slightly larger than a grain of rice, and can easily go unnoticed on a motherboard.
Supply Chain Vulnerabilities Mitigations
Automated Optical Inspection
An Automated Optical Inspection (AOI) test, originally used in assembly lines, enables fast and accurate inspections of populated PCBs to ensure correct and unmodified manufacturing. It verifies device assembly by comparing it to a golden image. An AOI solution can detect soldering changes and inconsistencies in assembled components. However, the main shortcoming of this solution is the need for a direct visual of the PCB, which requires significant effort once the devices are already deployed.
JTAG Boundary Scan
This is a method for testing interconnects on PCBs or sub-blocks inside an integrated circuit. JTAG is therefore an essential tool for testing boards in development, in production, and in the field, meaning it can be used to test at any time throughout the supply chain. Overall, JTAG provides information about the state of a board with minimal access. However, direct internal access to the PCB is required, making post-deployment tests challenging.
Radio Frequency Power Detector
One should keep in mind that, as attackers are aware of various RF geo-location sensor characteristics, they will use more “exotic” RF bands and “bury” the signals using spread spectrum direct sequence or other concealment options.
Power Line Anomaly Detection
Since attackers can exfiltrate data and establish command and control connections using Power-Line Communication (PLC), where data transmits over standard power cabling, analyzing the physical layer characteristics of these power cables can detect digital data “piggybacking” on this physical channel.
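One way to look for a signal riding on the mains waveform, as an added example that is not part of the original paper or any vendor's product: it compares a new capture against a known-clean baseline at a few watched frequencies using the Goertzel algorithm. The sample rate, the watched frequencies, the thresholds and the synthetic captures are all assumptions constructed for the illustration.

```python
import math

FS = 1_000_000   # assumed sample rate of the capture hardware, in Hz
N = 20_000       # 20 ms window = exactly one 50 Hz mains cycle
SCAN_HZ = [50_000, 100_000, 150_000, 200_000]  # assumed frequencies to watch

def goertzel_amplitude(samples, freq, fs=FS):
    """Amplitude of the sine component in the DFT bin nearest `freq`."""
    n = len(samples)
    k = round(n * freq / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / n

def synth(carriers=()):
    """Constructed capture: 325 V peak, 50 Hz mains plus optional (hz, volts) carriers."""
    out = []
    for i in range(N):
        t = i / FS
        v = 325.0 * math.sin(2 * math.pi * 50 * t)
        v += sum(a * math.sin(2 * math.pi * f * t) for f, a in carriers)
        out.append(v)
    return out

def unexpected_carriers(baseline, capture, floor_v=0.05, ratio=5.0):
    """Watched frequencies whose amplitude exceeds a floor and `ratio` x the baseline."""
    hits = []
    for f in SCAN_HZ:
        base = goertzel_amplitude(baseline, f)
        now = goertzel_amplitude(capture, f)
        if now > floor_v and now > ratio * max(base, 1e-9):
            hits.append((f, round(now, 2)))
    return hits

if __name__ == "__main__":
    clean = synth()
    suspect = synth([(100_000, 0.5)])  # constructed: 0.5 V component at 100 kHz
    print(unexpected_carriers(clean, clean))    # nothing new on the line
    print(unexpected_carriers(clean, suspect))  # reports the 100 kHz component
```

Comparing against a baseline matters because legitimate equipment also injects noise onto power cabling; only energy that was not there at enrollment is reported.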
X-ray
An X-ray scan can be helpful in cases where you do not want to open the unit (for various possible reasons, including voiding the warranty). It can detect the existence of additional or modified modules inside the supplied unit (by comparing it to a golden image or a vast database of similar devices). Nevertheless, technology exists for detecting when someone has X-rayed a certain unit, which might allow the attacker to terminate their activity once suspicion arises.
Physical Layer Fingerprinting
Through in-depth analysis of a device’s physical layer characteristics (voltages, currents, eye-pattern of signals, PoE parameters, etc.), one can create a unique physical fingerprint for each device and later use this information for anomaly detection through AI- or ML-based algorithms.
The Sepio platform implements such a detection algorithm.
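The fingerprint-then-compare idea described above, as an added example that is not Sepio's algorithm and not code from this paper: a plain statistical baseline (per-feature mean and spread, scored with z-scores) stands in for the AI/ML model. The feature names, thresholds and all readings are assumptions constructed for the illustration.

```python
import math
import statistics

# Constructed baseline readings for one network port. The feature names are
# assumptions standing in for the voltages, eye pattern and PoE parameters.
BASELINE = [
    {"tx_amplitude_mv": 1000.0, "eye_height_mv": 410.0, "rise_time_ns": 3.90, "poe_current_ma": 120.0},
    {"tx_amplitude_mv": 1004.0, "eye_height_mv": 414.0, "rise_time_ns": 3.94, "poe_current_ma": 122.0},
    {"tx_amplitude_mv": 998.0, "eye_height_mv": 408.0, "rise_time_ns": 3.88, "poe_current_ma": 118.0},
    {"tx_amplitude_mv": 1002.0, "eye_height_mv": 412.0, "rise_time_ns": 3.92, "poe_current_ma": 121.0},
    {"tx_amplitude_mv": 996.0, "eye_height_mv": 406.0, "rise_time_ns": 3.86, "poe_current_ma": 119.0},
]

def build_fingerprint(samples, min_rel_sigma=0.005):
    """Return {feature: (mean, sigma)} from repeated baseline measurements."""
    if len(samples) < 3:
        raise ValueError("need at least 3 baseline samples")
    fingerprint = {}
    for name in samples[0]:
        values = [s[name] for s in samples]
        mean = statistics.fmean(values)
        # Floor sigma so a very stable feature does not flag normal jitter.
        sigma = max(statistics.stdev(values), abs(mean) * min_rel_sigma)
        fingerprint[name] = (mean, sigma)
    return fingerprint

def classify(fingerprint, reading, feature_limit=4.0, rms_limit=3.0):
    """Compare one new reading with the fingerprint using per-feature z-scores."""
    z = {}
    for name, (mean, sigma) in fingerprint.items():
        # A feature that can no longer be measured is itself an anomaly.
        z[name] = abs(reading[name] - mean) / sigma if name in reading else math.inf
    rms_z = math.sqrt(sum(v * v for v in z.values()) / len(z))
    offenders = sorted(n for n, v in z.items() if v > feature_limit)
    return {"anomalous": bool(offenders) or rms_z > rms_limit,
            "rms_z": rms_z, "offenders": offenders}

if __name__ == "__main__":
    fp = build_fingerprint(BASELINE)
    # Constructed later reading from the same port after its electrical behaviour changed.
    changed = {"tx_amplitude_mv": 985.0, "eye_height_mv": 380.0,
               "rise_time_ns": 4.20, "poe_current_ma": 164.0}
    print(classify(fp, changed))
```

The `offenders` list names which electrical characteristics moved, which tells an analyst where to look on the physical link before anyone opens the device.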
Supply Chain Vulnerabilities and Network Device Visibility
IT and security teams struggle to provide complete and accurate protection of their network and hardware assets, especially in today’s extremely challenging IT/OT/IoT environment. This is because there is often a lack of device visibility, which leads to weakened policy enforcement of hardware access. This vulnerability may result in security incidents such as ransomware attacks, data leakage, etc. (Airline Supply Chain). To address this challenge, you need ultimate visibility into your hardware assets, regardless of device characteristics and the interface used for network connection.
Moreover, malicious actors have adapted to the dynamic cybersecurity defenses deployed to block cyber-attacks by taking advantage of the “blind spots”, mainly through USB attacks, human interface devices, or Physical Layer network implants (Raspberry Pi Risks). These Rogue Devices are covert by nature and go undetected by existing security software solutions, thereby leaving the organization’s networks extremely vulnerable.
Sepio’s Endpoint and Network Cybersecurity
Sepio’s platform provides a panacea to the gap in network device visibility. As the leader in Rogue Device Mitigation, Sepio’s solution identifies, detects and handles all peripherals; no device goes unmanaged. Sepio uses Physical Layer fingerprinting technology and Machine Learning to calculate a digital fingerprint from the electrical characteristics of all network-connected devices and compares them against known fingerprints. In doing so, Sepio can provide organizations with ultimate network device visibility, detecting vulnerable devices and switches within the network infrastructure.
In addition to deep physical layer visibility, a comprehensive policy enforcement mechanism recommends best-practice policy, allowing the administrator to define a strict, or more granular, set of rules for the system to enforce. When a device breaches the pre-set policy, Sepio automatically instigates a mitigation process which instantly blocks unapproved or Rogue hardware.