How to Secure Your Vulnerable Supply Chain from Cybersecurity Risks and Attacks

By Dr. Tat Chan

Systems Engineer

CommScope

March 10, 2021

Story

How to Secure Your Vulnerable Supply Chain from Cybersecurity Risks and Attacks
(Image courtesy of Pixabay)

The supply chain is one of the most overlooked cybersecurity threat areas for service providers – a blind spot with potentially devastating consequences.

In 2020 alone, supply chain cyberattacks increased by 78%. As recently as December 2020, a group of suspected nation-state threat attackers compromised the supply chain of SolarWinds’s software development process, inserting the SUNBURST malware into Orion products and allowing unauthorized access to networks across a wide range of government and private sectors.

Traditional supply chain security solutions have lacked the sophistication and scope to address threats like this along every layer and link in the chain, leaving a gaping vulnerability to secure supply chains from increasing cyber threats.

Leaders and providers of supply chain need to understand where their current security vulnerabilities lie, and where they need to invest in order to avoid cyberattacks, as well as potentially permanent security and reputation risks.

A weak link in the chain

The supply chain is a natural target to exploit because it encompasses so many different activities, people, entities, information, and resources. The more links in the chain, the more opportunities for attack, especially if those links remain vulnerable.

Within the last year alone, we’ve witnessed the aforementioned SolarWinds software development attack, multiple APT41 (Double Dragon) attacks to steal credentials and insert malware into manufactured products, and even a ransomware attack on Foxconn’s Mexican facilities. This involved stolen unencrypted files, compromised encrypted servers, and deleted backup data.

A supply chain with improper security is an incredibly vulnerable weak point, where software and other digital information (such as a device identity) can be compromised, replaced, or duplicated for the purpose of committing fraud, compromising user privacy, or, in some cases, even compromising national security.

Securing certificates, credentials, and code

One incredibly vulnerable area for security concern is within individual consumer electronics. Many of these products, including cell phones, tablets, cable modems, routers, IoT devices, and digital entertainment devices, come with pre-installed digital certificates used to protect private user information. All of this in addition to content and service provider information in digital transactions. However, a single compromise of any one of these certificates, even after the product is deployed, can constitute a compromise of the supply chain as a whole.

The production process of these devices is particularly vulnerable for large-scale exploitation of digital certificates and, with many supply chains thoroughly globalized, manufacturers can anticipate these attacks from multiple directions. Traditional factory environments tend to be less tightly controlled by nature and may not sufficiently protect cryptographic material.

Additionally, simple security procedures within a manufacturing process can be susceptible to attack. A common example is the copying and backing up of data and code. Whether intentional or unintentional, this can result in duplication of unique digital identities – a very serious security violation.

Credential delivery systems must ensure that security credentials are not vulnerable to network attacks and are not installed into multiple devices or applications. Managing device certificates and credentials is a critical element of supply chain security.

Prioritizing secure provisioning

In order to securely manage digital certificates and credentials, supply chain provisioning architectures must be comprehensive, involving multiple layers of encryption and integrity checks to ensure that the overall supply chain remains secure – even when a specific network node or encryption layer is compromised.

Security teams must incorporate a framework that includes extensive use of hardware security modules, cryptographic tokens, multiple layers of encryption and end-to-end anti-cloning measures that can extend to an entire global infrastructure.

Sourcing the right solution

CommScope has set up a managed solution. The system architecture for security credential provisioning, with these elements in mind, prioritize the incorporation of key-generation, PKI servers (key servers with hardware security), and integrating a software development kit (SDK) directly into the software and firmware of the manufactured devices.

The key element to note in an architecture like this is the application of multiple layers of security as part of a defense-in-depth strategy, ensuring a failsafe in the event that any one of the layers should fail. When setting up your own system, or working with a vendor, make sure the solution includes this multi-layer strategy, whether that be anti-cloning measures or the flexibility to scale to millions of new digital identities in a short period of time (or, ideally, both).

With the right awareness – as well as the right technology, managed services, and a team of experienced security experts – service providers can ensure that their inherently vulnerable supply chains do not become a victim of cybercrimes.

Dr. Tat Chan is a distinguished systems engineer at the CommScope PKI Center. Dr. Chan has been focusing on system security in the telecommunication industry for more than 20 years, and is an inventor on more than 30 issued security-related patents. His expertise covers secure credential provisioning, certificate authority and PKI operations, secure boot and code signing, feature licensing, and general security analysis for system-on-chips, embedded devices, and communication servers.

More from Dr. Tat