Concern about software supply chain security and the potential insertion of malware backdoors is at the forefront of cyber security challenges, but the problem has been around for decades and governments and industry are just getting around to addressing it now.
You might question my assertion that this has been a concern for decades, so I’ll give you just one example. Back in 1997, I was doing work in Japan for a large Japanese computer company and was given a 3.5-inch floppy drive under the company label to try some software they were selling to provide terminal emulation so I could telnet to Unix systems. I inserted the floppy and my virus scanner immediately found a virus on the 3.5-inch floppy. The person I was working with was embarrassed so he went and got me a shrink wrapped new one, and same issue. So the company was distributing software worldwide with a virus. I don’t know if someone paid the price for this error or not, but it makes my point: supply chain security has been a problem for decades, likely since the dawn of distributed software.
Consider all the storage, servers, PCs, mobile devices, drives and other software and hardware that ship today and you can begin to grasp the enormity of the problem.
Supply chain standards
With supply chain standards from both ISO (the International Organization for Standardization) and the U.S., and now a new set of regulations from the U.S. government, supply chain security is quickly becoming a big issue around the world.
The ISO standards body defines a secure supply chain and the required certification in ISO Secure Supply Chain (ISO 28001 Certified
The standard states that:
- ISO 28000:2007 is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:
- establish, implement, maintain and improve a security management system;
- assure conformance with stated security management policy;
- demonstrate such conformance to others;
- seek certification/registration of its security management system by an Accredited third party Certification Body; or
- make a self-determination and self-declaration of conformance with ISO 28000:2007.
This standard is applicable to Information Technology and is called the Open Trusted Technology Provider Standard (O-TTPS) and addresses mitigating maliciously tainted and counterfeit products. O-TTPS consists of two main components, with the intent of ensuring “integrity in technology deployment and to prevent maliciously tainted and counterfeit products from entering the supply chain.” When IT vendors use the standard in this context, the ultimate objective is to ensure that the critical group of component suppliers to that vendor comply with O-TTPS requirements so that storage products are authentic and minimize supply chain cybersecurity risks. This multi-phased approach to O-TTPS supplier compliance is underway at Seagate and other critical electrical component suppliers.
ISO/IEC 15408 Common Criteria
Common Criteria (CC) is an internationally recognized standard for assessing security functionality of information assurance (IA) and IA-enabled products. Though not specifically supply chain-related, a Common Criteria designation is generally done for released products so that the IA is tested against a set of known expectations. If the supply chain was compromised, it is very likely that the testing would find the compromise and that the product would not achieve CC certification.
U.S. Government and DoD
The U.S. Government standards arm is the National Institute of Standards and Technology (NIST). NIST dictates many standards for IA and supply chain that are then used by both civilian and Department of Defense (DoD) procurements. Standards for non-DoD procurements are called FAR (Federal Acquisition Regulations), and DoD extensions are called DFAR (Defense FAR). Although NIST regulations are not federal requirements for vendors, they are becoming requirements for those who do business with the U.S. Government and those covered by HIPAA and SEC regulations.
NIST has a number of relevant publications. Some of the more pertinent include:
- NIST 800-53rev 4 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf) Security and Privacy Controls for Federal Information Systems and Organizations
- NIST 800-171 rev 1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST 800-161 rev 1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf) Supply Chain Risk Management Practices for Federal Information Systems and Organizations
Each of these documents addresses how federal entities and their contractors should address the risks within the supply chain. There is a new directive to address external system service providers: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. A provider of external system services provides services to an organization through a variety of consumer-producer relationships, such as: joint ventures; business partnerships; outsourcing arrangements (contracts, interagency agreements, lines of business arrangements); licensing agreements; or supply chain exchanges (for example, some that process records for the Veterans Administration).
The following regs are from the DFARS – Defense Federal Acquisition Regulation Supplement, a supplement to the FAR that provides DoD-specific acquisition regulations that DoD government acquisition officials and those contractors doing business with DoD must follow in the procurement process for goods:
- DFAR Subpart 239.73 – Requirements for Information Relating to Supply Chain Risk (http://www.acq.osd.mil/dpap/dars/dfars/html/current/239_73.htm)
As part of the standard acquisition of systems, the DoD wants to ensure a secure supply chain to protect critical systems.
So what does this all mean?
It is pretty clear by the actions of ISO, NIST and the Common Criteria (which has 15 Certificate Consumer countries – Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, Norway, South Korea, Spain, Sweden, Turkey, the United Kingdom, and the United States, and 11 Certificate Producer countries – Austria, Czech Republic, Denmark, Finland, Greece, Hungary, India, Israel, Malaysia, Pakistan, and Singapore) that a secure supply chain is important to national interests and citizens around the globe. Securing the supply chain is not a panacea that will solve all malware, cyber-attacks and counterfeit problems, but protecting the supply chain is one of many things that needs to be done to protect systems during the distribution process. Determining if the various hardware, firmware and software components are authentic is just part of what is needed. Ask vendors what they are doing to secure their supply chain, such as following the O-TTPS process and having external auditing of that process rather than just internal validation.
Having a secure supply chain does not guarantee a secure system, but it does give you a higher probability that the starting point for a system when you take it out of the box is secure and not compromised by malware, and if Common Criteria certified, has some resiliency against attack and malware. There is no panacea in the area of cyber security. It is a global arms race, but having a secure supply for chain for your hardware, software and firmware is a good starting point.