Working to Secure the Technology Supply Chain – Nextgov
Application-based attacks like the Colonial Pipeline ransomware hack capture headlines, but security pros know that cyber criminals are not stopping with application-based attacks and will continue to aim deeper into the heart of computing by targeting operating systems, firmware and hardware.
This inevitable trend has created a need for security solutions that focus not only below the OS, in areas like firmware and software, but also reach deep into the technology supply chain. Attacks early in the chain can have a profound impact on technology consumers, including government organizations that rely on technology to carry out their missions and to store and transmit sensitive data.
This trend is one reason the National Institute of Standards and Technology is updating its guidance on developing cyber resilient systems. It is also a big part of why the Biden administration emphasized cyber resilience in its recent review of supply chain issues.
The escalating nature of cybercrime is also why Intel and other industry leaders are investing in the Compute Lifecycle Assurance, or CLA, initiative. The goal is to develop and implement industry-leading supply chain security solutions and to work with industry partners on a framework for building security into every stage of a device’s existence: from design to manufacture, and from deployment to retirement.
For government organizations, CLA means the technologies they rely on should become increasingly cyber resilient. Agencies are well-advised to keep themselves informed of the advancements in supply chain transparency and traceability, and the continual protections CLA will generate to address vulnerabilities as they emerge.
Security at Every Stage
The shift in focus of cyber crime has highlighted the importance of advanced security operations, investments, training and solutions that span every stage of the device lifecycle. Industry leaders in security have long invested in, implemented and led these holistic supply chain and product lifecycle assurance efforts. CLA extends that security-first mindset throughout the technology lifecycle, including:
Build: Starting at the design stage and continuing through sourcing and manufacturing, how do you confirm the integrity of a platform and its component devices? Is it designed and built in a trusted manner? Is the platform assembled in a trusted facility, with proper controls in place not only to establish the time of manufacture, but also to ensure the necessary levels of traceability?
There’s always risk during manufacture that a vulnerability could be inadvertently built into a product. This could occur, for example, through firmware with embedded malicious code or counterfeit components that are intentionally malicious or not designed securely.
CLA provides guidelines for mitigating this risk. One approach is to implement security solutions to gather, cryptographically seal, and securely store metadata from devices as they are manufactured.
Transfer: Does the system arrive as ordered? Are there processes, controls and technologies in place to detect tampering, modification or changes within the hardware, firmware and software? Are there mechanisms in place to establish who should, or should not, have rights to modify the platform throughout distribution?
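The Build and Transfer questions above describe two halves of one mechanism: metadata gathered and cryptographically sealed at manufacture, then checked against the delivered device to detect changes in transit. The following Go program is an added illustration of that idea and is not Intel's or the CLA initiative's code; the manifest fields, component names, firmware images and the use of an Ed25519 signature as the "seal" are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Component is one part of a platform as recorded on the manufacturing line.
type Component struct {
	Name         string `json:"name"`
	Serial       string `json:"serial"`
	FirmwareHash string `json:"firmware_hash"` // hex SHA-256 of the firmware image
}

// Manifest is the per-device metadata gathered at build time (hypothetical schema).
type Manifest struct {
	PlatformSerial string      `json:"platform_serial"`
	Facility       string      `json:"facility"`
	Components     []Component `json:"components"`
}

// SealedManifest is the stored record: canonical manifest bytes plus the manufacturer's signature.
type SealedManifest struct {
	Manifest  []byte
	Signature []byte
}

// FirmwareDigest hashes a firmware image the way the manifest records it.
func FirmwareDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// canonicalize sorts components by name and JSON-encodes the manifest so that the
// build side and the receiving side produce identical bytes for identical metadata.
func canonicalize(m Manifest) ([]byte, error) {
	comps := append([]Component(nil), m.Components...)
	sort.Slice(comps, func(i, j int) bool { return comps[i].Name < comps[j].Name })
	m.Components = comps
	return json.Marshal(m)
}

// NewManufacturerKey creates the signing key pair; in practice the private key stays in an HSM.
func NewManufacturerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Seal is the build-stage step: the gathered metadata is signed by the manufacturer.
func Seal(m Manifest, priv ed25519.PrivateKey) (SealedManifest, error) {
	data, err := canonicalize(m)
	if err != nil {
		return SealedManifest{}, err
	}
	return SealedManifest{Manifest: data, Signature: ed25519.Sign(priv, data)}, nil
}

// Verify is the transfer-stage step. The receiver re-inventories the delivered device and
// checks it against the sealed record. It returns ok=true when everything matches; otherwise
// it returns the names of the components (or "platform_serial") that differ, sorted.
func Verify(sealed SealedManifest, pub ed25519.PublicKey, observedSerial string, observed []Component) (bool, []string, error) {
	// The record must carry a valid signature from the expected manufacturer key;
	// an edited or forged manifest fails here before any comparison is trusted.
	if !ed25519.Verify(pub, sealed.Manifest, sealed.Signature) {
		return false, nil, errors.New("manifest signature invalid: record altered or unknown signer")
	}
	var recorded Manifest
	if err := json.Unmarshal(sealed.Manifest, &recorded); err != nil {
		return false, nil, err
	}
	var diffs []string
	if recorded.PlatformSerial != observedSerial {
		diffs = append(diffs, "platform_serial")
	}
	expected := make(map[string]Component, len(recorded.Components))
	for _, c := range recorded.Components {
		expected[c.Name] = c
	}
	for _, c := range observed {
		// Added, swapped (serial) or reflashed (firmware hash) components all show up here.
		if want, ok := expected[c.Name]; !ok || want != c {
			diffs = append(diffs, c.Name)
		}
		delete(expected, c.Name)
	}
	for name := range expected { // recorded at build but absent on delivery
		diffs = append(diffs, name)
	}
	sort.Strings(diffs)
	return len(diffs) == 0, diffs, nil
}

// SampleManifest is constructed demo data, not real product identifiers.
func SampleManifest() Manifest {
	return Manifest{
		PlatformSerial: "PLT-DEMO-0001",
		Facility:       "demo-assembly-line",
		Components: []Component{
			{Name: "bmc", Serial: "BMC-0001", FirmwareHash: FirmwareDigest([]byte("bmc firmware v1"))},
			{Name: "nic", Serial: "NIC-0001", FirmwareHash: FirmwareDigest([]byte("nic firmware v1"))},
		},
	}
}

func main() {
	pub, priv, _ := NewManufacturerKey()
	m := SampleManifest()
	sealed, _ := Seal(m, priv) // build stage
	ok, diffs, _ := Verify(sealed, pub, m.PlatformSerial, m.Components) // transfer stage, untouched
	fmt.Println("as shipped:", ok, diffs)
	modified := append([]Component(nil), m.Components...) // same NIC serial, different firmware image
	modified[1].FirmwareHash = FirmwareDigest([]byte("nic firmware v1 (modified)"))
	ok, diffs, _ = Verify(sealed, pub, m.PlatformSerial, modified)
	fmt.Println("after transit:", ok, diffs)
}
```

Two design points carry the weight here. Canonical encoding matters because the receiver never sees the manufacturer's original bytes, only its own inventory, so both sides must serialize identically or honest devices would fail. And the signature is checked before the comparison, so the sealed record itself cannot be edited to match an altered device; the receiver only needs the manufacturer's public key, which answers the "who should have rights to modify the platform" question with a key rather than a policy document.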
Risk can also be …….
Source: https://www.nextgov.com/ideas/2021/11/working-secure-technology-supply-chain/186802/