Do you know what was in the food you had for dinner last night? Even if you cooked the food yourself, chances are you did not pay too much attention to the ingredients list of the items you used, let alone where exactly they came from or how they got to your kitchen. Some people may choose only organic or single-source ingredients, basing what they cook on ingredients they can trace. But even then, it can be hard to know all the details.
What if, somewhere in that process — as those ingredients are grown, produced, packaged, distributed, sold, even cooked — someone could change one of those items, ever so subtly, so that your meal made you sick? Maybe it made everyone who used those ingredients sick.
Welcome to the challenges of supply chain security.
This is the risk that many Internet of things (IoT)/operational technology (OT) product manufacturers face when integrating various software and hardware subcomponents into the ever-increasing complexity of their supply chain. Most products these days integrate code and hardware sub-assemblies from many different sources. They contain integrated circuits and other components that run the software and give it interfaces to the physical world.
How can you be confident that each and every one of these is genuine, secure, and suitable for use? What mistakes are commonly made when trying to secure the supply chain?
The hard part about software
It would be hard to imagine any connected product these days that does not include some form of software obtained from the Internet at large, such as open-source software or third-party code downloaded from a vendor's website. As the complexity of our systems has increased, the ability to select and include pre-existing software modules — open-source or otherwise — has made it possible to keep up with customer demands for new functionality, connectivity, and internal complexity. This ability has also helped raise the level of security that systems can offer, with many thousands of eyes and experts working on finding and removing vulnerabilities and coding errors.
However, this also means there are equally many thousands of people who could make changes that adversely affect your systems. These risks are not an imaginary threat either: attacks through open-source code are very real, and getting more troublesome.
Yet the most difficult part of securing any supply chain is understanding it. Many companies do not have a clear outline of the software they directly integrate into their products — a software bill of materials, which is literally the ingredient list for your systems. This is essential, but it is only a first step. The more difficult part is ensuring that you have the same visibility into the software used inside the various sub-assemblies you integrate into your systems, that is, the components you never chose directly but inherited from a supplier.
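The following is an added example, not code from the article or from UL, showing what that second step looks like in practice: walking a bill of materials from the product root down through its sub-assemblies and flagging every place the ingredient list is incomplete. The document layout is loosely modelled on the CycloneDX JSON shape (a list of components plus a dependency graph keyed by bom-ref), but the code is an illustration rather than a CycloneDX parser, and every component name, version, supplier and hash in the sample is invented.

```python
import json
from collections import deque

# Constructed sample SBOM (all values invented). A product integrates a vendor
# Wi-Fi SDK, which in turn pulls in an open-source TLS library that the product
# team never chose directly.
SAMPLE_SBOM_JSON = json.dumps({
    "metadata": {"component": {"bom-ref": "product", "name": "smart-thermostat-fw",
                               "version": "3.2.0"}},
    "components": [
        {"bom-ref": "vendor-wifi", "name": "wifi-module-sdk", "version": "1.9",
         "supplier": {"name": "Example Radio Co. (fictional)"},
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        # Inherited through the vendor SDK; nobody recorded who supplies it.
        {"bom-ref": "oss-tls", "name": "tiny-tls", "version": "0.4.1",
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        # Chosen directly, but no hash of the artifact that was actually built in.
        {"bom-ref": "oss-json", "name": "json-parse", "version": "2.0",
         "supplier": {"name": "json-parse maintainers (fictional)"}},
        # Listed, yet nothing depends on it: a stale entry or an untracked integration.
        {"bom-ref": "legacy-boot", "name": "legacy-bootloader", "version": "0.9",
         "supplier": {"name": "Example Radio Co. (fictional)"},
         "hashes": [{"alg": "SHA-256", "content": "22" * 32}]},
    ],
    "dependencies": [
        {"ref": "product", "dependsOn": ["vendor-wifi", "oss-json"]},
        # The vendor SDK also references "ghost-lib", which no component entry describes.
        {"ref": "vendor-wifi", "dependsOn": ["oss-tls", "ghost-lib"]},
    ],
})


def load_sbom(text):
    """Parse SBOM JSON text into a dict."""
    return json.loads(text)


def dependency_depths(sbom):
    """Breadth-first walk from the product root. Depth 1 means directly
    integrated; depth 2 or more means inherited through a sub-assembly.
    Returns {bom-ref: depth} for every ref reachable from the root."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:  # first visit wins, so depth is the shortest path
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def audit_sbom(sbom):
    """Flag every way the ingredient list is incomplete. Returns sorted lists
    of bom-refs so the report is stable and easy to diff between releases."""
    declared = {c["bom-ref"]: c for c in sbom.get("components", [])}
    declared_refs = set(declared)
    depths = dependency_depths(sbom)
    reachable = set(depths) - {sbom["metadata"]["component"]["bom-ref"]}
    return {
        # Referenced by a dependency but never described: provenance unknown.
        "undeclared": sorted(reachable - declared_refs),
        # Described but never referenced: stale, or integrated without being tracked.
        "unreachable": sorted(declared_refs - reachable),
        # No supplier on record, so there is nobody to hold accountable.
        "missing_supplier": sorted(r for r, c in declared.items() if not c.get("supplier")),
        # No hash, so the integrated artifact cannot be verified against what was reviewed.
        "missing_hash": sorted(r for r, c in declared.items() if not c.get("hashes")),
        # Inherited via a sub-assembly rather than chosen by the product team.
        "inherited": sorted(r for r, d in depths.items() if d >= 2),
    }


if __name__ == "__main__":
    report = audit_sbom(load_sbom(SAMPLE_SBOM_JSON))
    for finding, refs in report.items():
        print(f"{finding:17s} {', '.join(refs) or '-'}")
```

Run against the sample, the audit reports the undeclared `ghost-lib`, the unreferenced bootloader, the TLS library with no supplier, the JSON library with no hash, and the two components that arrived through the vendor SDK rather than by the product team's choice. The "inherited" list is the one the paragraph above is really about: those are the ingredients whose provenance has to be chased through the supplier rather than checked in house.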
Integrated complexity
Of course, it’s not just software that’s a risk. Hardware components, from the very smallest parts through to major sub-assemblies, can be modified or counterfeited as well. The U.S. Department of Defense has seen an increase in counterfeit integrated circuits used in its systems, so it’s unlikely that anyone is immune to such issues. Do you know and trust the companies that supply your integrated circuit components? What about the components used in the sub-assemblies of your systems?
We’ve seen some questionable reports about hardware supply chain security as well, where the evidence does not seem to stack up, but we can’t let that distract us from the fact that the risks are very real. You may not be concerned about your systems being used as spy tools for nation states, but you should certainly be concerned about low quality or fake components resulting in increased returns or risk of accidents.
Measuring security
The physicist turned management consultant Eliyahu M. Goldratt is often quoted as saying, “Tell me how you measure me, and I will tell you how I will behave,” and perhaps the biggest mistake companies make these days is building supply chains where the only measurement used is cost, specifically, reducing cost wherever possible.
Given the risk and complexity supply chains face today, this must change.
Companies must understand the risks they are integrating into their systems through the use of third-party suppliers and come to an understanding of what is acceptable for them. It is not reasonable to expect consumer IoT companies to have the same level of risk mitigation as the U.S. Department of Defense, but it is reasonable to expect such companies to understand what level of risk is acceptable to them and to take steps to measure and manage risk to that level.
Goldratt also said, “My system does not make sense at all, but by God it’s working.” This is where we are with supply chain management today. But how much longer will it continue to work?
— Andrew Jamieson is director of security and technology at UL. Jamieson is active in helping to create standards to drive the adoption of IoT security and secure hardware and software around the world.