We know by now that traditional security provisions do not adequately protect our networks and infrastructure from the vulnerabilities introduced by connected device supply chains. Without a complete understanding of supply chain risk, it’s difficult for security teams to take necessary measures to ensure that our embedded devices and our networks are secure and protected. As attacks on connected devices have increased, so, too, have regulations aimed at securing these supply chains, many of which have focused on provenance—in other words, where device components originate.
Why has provenance emerged as a primary factor for connected device security?
Connected devices have large attack surfaces which creates many opportunities for compromise across the supply chain. Supply chain attacks take on a range of forms including physical, software, hardware, and update server attacks. In response to growing threats, the United States Government has focused on stopping potentially bad actors by issuing blanket bans on devices manufactured by companies in adversarial nations. In order to identify threats, the U.S. analyzes intent, capability, and opportunity. This equation has unsurprisingly led them to identify Russia, China, and Iran as suspected threats to our critical systems. If it is known who will attack us, it is easy to protect our devices by preventing these actors from supplying us, right? Legally maybe, but some gaps and challenges exist in this framework.
Adversary countries appear in various parts of the supply chain which makes it hard to apply this methodology consistently. For example, Huawei, a China-based telecommunications company, has been banned under United States’ regulations. The decision on the safety of this company has been made by the United States. Finite State quantified these risks in June 2019. For decision makers, banning Huawei devices may seem like a pretty straightforward move.
Meanwhile, Siemens, a multinational company headquartered in Europe, is widely found within U.S. power grids. Even though they are headquartered in Europe, Siemens has a large research and development presence in China consisting of 21 hubs, and a R&D and engineering staff of 5,000. If we are relying on provenance to determine risk, should we be banning and extracting Siemens devices from our infrastructure?
Honeywell, a multinational company headquartered in the United States, is a critical infrastructure and defense supplier. Despite Honeywell’s reputation of being generally safe, for many years their cameras used Huawei chips, which are considered unsafe under U.S. policy. Another, perhaps more salient example, can be found with the recent supply chain attack on SolarWinds. While SolarWinds doesn’t manufacture connected devices, the same process used to compromise their software supply chain can be applied to the supply chains for connected device firmware. SolarWinds is headquartered in the U.S., yet Russian actors were able to plant a backdoor in the supply chain of their software and use it to gain access to SolarWinds’ extensive user base.
We aren’t mentioning these companies to criticize them. We are simply using them as examples to illustrate a key question when it comes to provenance: where exactly do we draw the line? In this globalized economy, it will be nearly impossible to find a device manufacturer whose supply chain will not reveal some level of connection with component manufacturers in adversary nations.
Shifting focus to a data-driven solution to supply chain security for connected devices
Solely taking the provenance approach does not protect against attacks that exist within other areas of the supply chain, and therefore, will not solve all security problems. As seen in the above examples, companies located in adversary nations can enter the supply chain in various ways making it difficult to draw a distinct line where they should not be allowed.
Instead of focusing on provenance, the criteria for evaluating risks should be restructured to consider the numerous threats on a device’s supply chain from a technical point of view. Security teams should be empowered to prevent adversary intelligence services and criminal groups from exploiting vulnerabilities and co-opting companies to assist them in this act. But in order to do that, we need to focus on identifying embedded threats and vulnerabilities rather than relying solely on geopolitical factors.
The bottom line is that we should be taking a risk-based approach, consisting of a variety of strategies, to assess each product on our networks. Third-party vendor risk assessment and access management should be used to gain an understanding of where the product is being purchased from and when vendors are accessing the network. Device penetration testing should be used to gain a deep and comprehensive understanding of the devices on the network (this form of testing is not scalable; however, when it is done periodically at random, it can improve security.) Finally, firmware and software verification and analysis should be used to look at all firmware and software images.
It is important that organizations that manufacture and deploy connected devices do not rely on trust to determine risk, but rather verify the security of their device supply chains. Firmware and software verification and analysis present a scalable solution that looks at true device risk, rather than provenance, to move beyond trust. The Finite State Platform automates this approach by allowing all firmware components to be inventoried and analyzed with its results aggregated into an actionable risk report. These risk reports give security teams for both device manufacturers and asset owners a comprehensive analysis of supply chain risks, firmware and software risks, and threats and vulnerabilities. Only by starting with ground-truth data can we truly know what vulnerabilities lie within our connected device supply chains.
