
Regulation & Compliance / Supply Chain Security & Risk Mgmt

The Cyber Blind Spot That Makes Every Supply Chain Vulnerable

Photo: A person types at a keyboard. (Getty Images)
June 23, 2022
Yuriy Bulygin, SCB Contributor

Recently, the U.S. departments of Commerce and Homeland Security issued a report detailing critical weaknesses in technology supply chains. The report details a number of issues requiring immediate remediation, but separately calls out two top risks: the increasing use of open-source code, and the “single point of failure” represented by device firmware.

Firmware is core — it’s instructional code that’s shipped with every device, and acts as the digital glue binding all parts of technology supply chains. Gartner Inc. has estimated that every endpoint contains 15 to 20 firmware components, and every server contains 30 or more. As these numbers increase, so too will the potential entry points for adversaries.

The One-to-Many Infection Vector

Once associated only with sophisticated attacks — such as the widely publicized SolarWinds and Colonial Pipeline cyber espionage campaigns — the supply chain has steadily become one of the attack surfaces most exposed to malicious actors. A CrowdStrike study found that 45% of organizations experienced at least one supply chain attack in 2021.

The rise in supply chain attacks can be attributed to new agile environments and aggressive development cycles. With the current global shortages and supply chain disruptions, original equipment manufacturers are outsourcing to third parties without a longstanding relationship with, or visibility into, the sub-suppliers’ cybersecurity hygiene. Yet the most alluring factor for attackers is the one-to-many multiplier the supply chain presents. A supply chain attack has the potential to disrupt national economies and put lives at risk.

Supply chains come in many forms, but the most instrumental is the information and communication technology (ICT) supply chain. Every piece of ICT equipment is a combination of chips and components bound together by specialized code within a chain of vendors and suppliers. Combine that with the magnitude of ICT in use today: every organization, large or small, relies on cloud computing, the internet, software and an array of hardware to operate. If compromised, firmware allows the attacker to infiltrate an individual system and reach a vast number of assets on the device, including data, applications and services. Touch points only accumulate as the number of contributing vendors increases and their own supply chains are added to the mix.

Firmware’s Crucial Connection

Firmware is the first and often most-privileged code to run on a device, and instructs subsequent operating system actions. As the DOC and DHS report notes, “Firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.”

Adversaries abuse firmware to gain initial access into an organization, either by directly breaching and infecting devices running vulnerable firmware, or through an implant or backdoor that infiltrates a product before it ever reaches the end customer. The attack method in this instance can be as simple as malicious code that the user downloads.

That said, threat actors are constantly pivoting to find new weaknesses and becoming more creative in their attack methods, aiming to stay undetected while causing the most damage. Over the past two years, ransomware gangs have focused on breaching embedded operating systems and firmware in enterprise network devices, including VPNs, switches, firewalls, routers and a wide range of traffic concentrators, gateways and delivery controllers. These infection vectors are both powerful and unprotected. Network devices like routers, VPNs and file transfer appliances are some of the most strategically crucial devices within an organization, making them uniquely valuable in the context of a cyberattack.

Firmware attacks also allow adversaries to recover and continue accessing a device after the initial threat is detected, even if the device is completely wiped. In the recent iLOBleed attacks, adversaries repeatedly reinfected HPE servers with ransomware after the threat was identified and the infected systems reimaged. The same level of evasion is seen when security tools fail to detect threats, a common shortcoming given that most tools lack firmware intelligence.

Protecting Against Stealthy Infections

To mitigate these risks, organizations must secure firmware throughout all aspects of their business. Firmware security is an emerging discipline that combines new sub-OS technologies with best practices to identify, verify and fortify firmware throughout extended, remote enterprises. Essential steps include:

  • Identify. Organizations need simple, scalable and integratable tools that provide automated scanning across firmware components in endpoints, servers, network devices and internet of things (IoT) devices of all kinds. Due to the complexity and opacity of supply chains, organizations need the power to “see the unseeable” and create reliable inventories and bills of materials that include firmware details from all contributing vendors.
  • Verify. Verification is instrumental for determining the integrity, provenance and correct configuration of firmware. It should take place throughout the device lifecycle, including:
    • Pre-delivery: IT security teams should analyze all devices and components for known vulnerabilities and misconfigurations as part of the selection process. A reputable vendor should ensure that their products and all underlying components do not have major security vulnerabilities, and that the devices are built and configured securely.
    • Newly acquired: All new device firmware should be scanned for vulnerabilities before the devices are fully introduced into production environments. Suppliers and components can change, and devices can be tampered with or compromised in transit or even during manufacturing.
    • Continuous monitoring: Headline-level failures of vendor code-signing processes mean cybersecurity teams can’t simply “trust their vendors” anymore. Organizations must monitor operational systems for indicators of compromise (IOCs) unique to firmware, and assess changes in firmware behavior after device acquisition or following updates.
  • Fortify. Nearly 80% of firmware is never patched before the device reaches end of life. Many CIOs and operational teams fear firmware updates will unleash a domino chain of failures that result in system downtime and lost productivity. They need reliable processes to locate the proper, original binaries, assure their integrity and, wherever possible, automate their deployment. Additionally, a critical part of the “fortify” process is being able to detect incoming threats, especially those aimed directly at a device’s firmware components. Just as in the identify and verify stages, defenders need firmware-centric tools to “see” indicators of compromise running below the view of the operating system and traditional defensive applications.
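The identify, verify and fortify steps above, worked through as a small offline script. This is an added example, not code from the article or from Eclypsium, and the function names, device records, firmware image bytes, hashes and the advisory list are all constructed for illustration (a real inventory would hash images dumped from the devices and consult vendor advisories). It builds a baseline firmware inventory, flags versions below an advisory's fixed-in version, compares a later scan against the baseline to surface the firmware-specific IoC the text describes (an image whose contents changed while its reported version did not), and checks an update binary against a hash published out-of-band before deployment.

```python
"""Firmware inventory baseline, vulnerability lookup and drift detection.

Added example (not from the article or Eclypsium). All devices, images,
hashes and advisories below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class FirmwareComponent:
    device: str         # asset id, e.g. "srv-01"
    component: str      # e.g. "BMC", "UEFI", "OS"
    vendor: str
    version: str        # dotted version string reported by the device
    image_sha256: str   # hash of the firmware image read from the device


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Identify: turn a raw scan into an inventory (a firmware BOM) ---------
# A scan maps (device, component) -> (vendor, version, image bytes).
# Constructed sample; in practice the bytes come from a firmware dump.
SCAN_DAY0 = {
    ("srv-01", "BMC"):  ("VendorA", "2.3.1", b"bmc-image-2.3.1"),
    ("srv-01", "UEFI"): ("VendorA", "1.14",  b"uefi-image-1.14"),
    ("rtr-07", "OS"):   ("VendorB", "7.2",   b"router-image-7.2"),
}

# Constructed later scan: BMC bytes changed with no version change (IoC),
# UEFI received a planned update, and the router did not answer the scan.
SCAN_DAY30 = {
    ("srv-01", "BMC"):  ("VendorA", "2.3.1", b"bmc-image-2.3.1-MODIFIED"),
    ("srv-01", "UEFI"): ("VendorA", "1.15",  b"uefi-image-1.15"),
}


def build_inventory(scan: dict) -> dict:
    """Return {(device, component): FirmwareComponent} with image hashes."""
    return {
        key: FirmwareComponent(key[0], key[1], vendor, version, sha256_hex(img))
        for key, (vendor, version, img) in scan.items()
    }


# --- Verify (pre-delivery / newly acquired): compare against advisories ---
# Constructed advisories: (vendor, component, fixed_in_version).
ADVISORIES = [
    ("VendorA", "BMC", "2.4.0"),   # versions below 2.4.0 are affected
    ("VendorB", "OS",  "7.2"),     # 7.2 already carries the fix
]


def version_key(v: str) -> tuple:
    """Numeric tuple so '2.10' sorts after '2.9' (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def find_vulnerable(inventory: dict, advisories=ADVISORIES) -> list:
    """List (device, component, version, fixed_in) for unpatched firmware."""
    hits = []
    for fc in inventory.values():
        for vendor, comp, fixed_in in advisories:
            if (fc.vendor == vendor and fc.component == comp
                    and version_key(fc.version) < version_key(fixed_in)):
                hits.append((fc.device, fc.component, fc.version, fixed_in))
    return hits


# --- Verify (continuous monitoring): detect drift from the baseline -------
def compare_to_baseline(baseline: dict, current: dict) -> list:
    """Return findings as (severity, device, component, message).

    A hash change with an unchanged version number is the firmware-specific
    indicator worth paging on: a legitimate update bumps the version.
    """
    findings = []
    for key, old in baseline.items():
        new = current.get(key)
        if new is None:
            findings.append(("warn", *key, "component missing from scan"))
        elif new.image_sha256 != old.image_sha256 and new.version == old.version:
            findings.append(("critical", *key,
                             "image hash changed with no version change"))
        elif new.version != old.version:
            findings.append(("info", *key,
                             f"version changed {old.version} -> {new.version}"))
    for key in current.keys() - baseline.keys():
        findings.append(("warn", *key, "component not in baseline"))
    return findings


# --- Fortify: check an update binary against the vendor-published hash ----
def verify_update_binary(data: bytes, expected_sha256: str) -> bool:
    """True only if the binary matches the hash obtained out-of-band."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


if __name__ == "__main__":
    base = build_inventory(SCAN_DAY0)
    for hit in find_vulnerable(base):
        print("VULNERABLE", hit)
    for finding in compare_to_baseline(base, build_inventory(SCAN_DAY30)):
        print(*finding)
```

The drift check deliberately treats "same version, different bytes" as the critical case and a version bump as informational: an approved update changes both, so only the first pattern points at tampering below the operating system's view. The hash for `verify_update_binary` must come from a channel independent of the download itself (vendor portal, signed manifest), otherwise it proves nothing about the binary's provenance.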

As supply chain breaches continue to reverberate through the industry, and ransomware’s vector of choice pivots to firmware, organizations will need to embrace firmware security to protect their supply chains. NIST, alongside Eclypsium, Dell, Intel and HP, hopes to illuminate current blind spots and make defense easier through a recently released practice guide. It details ways that practitioners can validate not only the integrity of the devices in their complex supply chains, but also the previously invisible firmware holding those chains together.

Yuriy Bulygin is co-founder and CEO of Eclypsium.

All content copyright ©2022 Keller International Publishing Corp All rights reserved. No reproduction, transmission or display is permitted without the written permissions of Keller International Publishing Corp