Embedded hardware, supply chain attacks, embedded system attacks: How to stay safe
Many organizations have a firm grasp of traditional patch and change management. What they often overlook, however, is the management of procurement and the vendors that provide these services.
Recently, we’ve heard a number of concerns about malicious embedded hardware and supply chain attacks. Black hat hackers, organized crime groups, and nation states have all been suspected of embedding malicious components into business and consumer electronics.
Attackers accomplish this by intercepting a product and adding malicious components before it arrives at its intended destination. Attackers hope the malicious components will go undiscovered and will be connected to a victim’s network, providing a foothold for malicious activity or a means to intercept sensitive data.
While both malicious embedded hardware and supply chain attacks are real and illustrate the evolution of the cyber security threat landscape, it’s important to put the related risks into perspective.
To begin with, a key aspect of a mature governance, risk, and compliance (GRC) program is actively understanding where IT assets are coming from and what technologies are fundamental to their operation, including third-party software and hardware components. In order to manage these supply chain risks, we recommend a number of critical actions that should be part of this lifecycle:
- Know who and where you are buying your components from. Best practices require using reputable businesses that have a longstanding history of providing reliable equipment and services. Avoid using equipment that has been previously used or that comes from little-known companies.
- Carefully inspect inbound and outbound network traffic. Malicious embedded hardware and supply chain attacks still rely on the compromised system’s ability to communicate with the internet to exfiltrate data and receive commands. Firewalls that restrict and inspect outbound communications can be an effective method for detecting anomalous traffic. Intrusion detection and data loss prevention technologies are also effective at identifying anomalous traffic.
- Implement network segmentation. It’s a good practice to separate systems containing sensitive business data from user segments and other network segments that require connectivity to the internet. Systems that contain sensitive business data and intellectual property should not be able to connect to the internet. Restrict direct connectivity from user segments to segments containing sensitive business data.
- Keep detection and prevention systems up to date. Technology providers are constantly evolving and updating their detection and prevention capabilities. Ensure endpoint, server, and network infrastructure security solutions are appropriately updated to utilize the latest features and capabilities. Ensure solutions are working and alerting appropriately across all environments.
- Stay abreast of the latest threats, technologies, and incidents. Implement technologies and services that provide distilled news about the latest threats, technologies, and incidents that impact your industry. Consider using threat intelligence feeds such as FireEye, CrowdStrike, or an open source provider with your perimeter controls to further enrich your known threat surface.
- Have security controls periodically assessed by an independent third party. Having a trusted partner regularly review your security controls is an effective way to determine if there are gaps within your business environment.
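The egress-inspection and segmentation recommendations above can be turned into a concrete check. The following is an added example, not code from the original post or from SHI: it reads constructed firewall egress log lines and flags connections that violate the stated policy (sensitive segments never reach the internet, user segments never reach sensitive segments directly, and any other egress must go to an allowlisted destination). The segment ranges, the allowlist and the log format are assumptions made for the example.

```python
import ipaddress

# Constructed segment policy (assumption): sensitive systems may never reach the
# internet; user systems may reach the internet but not the sensitive segment.
SEGMENTS = {
    "sensitive": ipaddress.ip_network("10.20.0.0/16"),
    "users": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed allowlist of approved external destinations (e.g. a patch server).
EGRESS_ALLOWLIST = {"203.0.113.10"}

# Constructed firewall egress log: "<timestamp> <src> <dst> <dport> <action>".
SAMPLE_LOG = """\
2019-01-10T08:00:01 10.10.4.22 203.0.113.10 443 ALLOW
2019-01-10T08:00:05 10.20.1.7 198.51.100.44 443 ALLOW
2019-01-10T08:00:09 10.10.4.22 10.20.1.7 445 ALLOW
2019-01-10T08:00:12 10.10.4.23 198.51.100.44 8443 ALLOW
"""


def segment_of(ip):
    """Map an IP address to its named segment, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def find_violations(log_text):
    """Return (src, dst, reason) tuples for flows that break the segmentation or egress policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _dport, _action = line.split()
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg == "sensitive" and dst_seg == "external":
            findings.append((src, dst, "sensitive segment reaching the internet"))
        elif src_seg == "users" and dst_seg == "sensitive":
            findings.append((src, dst, "user segment reaching sensitive segment directly"))
        elif dst_seg == "external" and dst not in EGRESS_ALLOWLIST:
            findings.append((src, dst, "egress to destination not on allowlist"))
    return findings


if __name__ == "__main__":
    for src, dst, reason in find_violations(SAMPLE_LOG):
        print(f"{src} -> {dst}: {reason}")
```

In a real deployment the same logic would run over the firewall's exported logs or as a rule in the IDS/DLP platform, with the allowlist and segment map taken from the asset inventory kept under the GRC program.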
At the end of the day, every organization needs to actively manage its vendor and partner relationships to minimize the risk to its internal assets and critical data. By taking the steps above, you can be more certain your hardware is working for you and not for someone else.
Have more questions? Contact your SHI account team today.
Brad Bowers contributed to this post.