Application and data security start in the supply chain
Most advice on security relates to how you use the products you have. It presumes that the products come to you in a secure and uncompromised state. But that's not always the case. Not only is it possible for a supplier's products to be compromised before you receive them, but such supply chain compromises have happened.
An increasing appreciation for this problem, and a lessening of trust in certain governments, led the U.S. Congress to pass the National Defense Authorization Act (NDAA) of 2019, requiring federal agencies to demonstrate that they are not purchasing specific classes of product from certain companies based in China.
China is not the only nation receiving such scrutiny, and the federal government is not alone in harboring doubts as to the trustworthiness of vendors based in countries where cyberattacks on the supply chain are initiated. As a result, some manufacturers are adjusting supply chains to accommodate customers that do not want products sourced from China or other foreign entities. Some are even providing products sourced in the U.S. specifically. Executed correctly, this realignment will introduce resiliency and competition into supply chains.
Supply chain problems are real
Supply chain problems are probably as old as trade itself. Items might spoil or be stolen in transit. An international shipment of one item might be used to smuggle another. A supplier might cheat on the quality or quantity of an input. These concerns are hundreds of years old.
In the modern world of electronics, the really insidious threats are invisible to the naked eye, such as in software that has been modified to include malicious functions, or hidden in plain sight in the complexity of the electronics. An example of that is a so-called chip clip, which is malicious circuitry that is attached to the product in order to change its behavior.
After a recent example of the latter form of attack, Apple terminated its relationship with the manufacturer Supermicro when it discovered that Supermicro-manufactured servers in Apple's development labs had malicious code in their BIOS, installed by a chip clip. There is no evidence that Apple's customers were affected, but the potential for harm was profound.
Many examples of attacks on software in the supply chain exist. Many years ago, attackers gained access to the development network at Adobe and to the source code for many of its most popular products. That the thieves also took a significant amount of confidential customer information overshadowed coverage of the threat to the supply chain. Still, the episode led Adobe to strengthen its protections for the development network and mechanisms by which customers can validate the integrity of products.
Broadly speaking, the more control a vendor has of the supply chain, the more the vendor can secure it. The more security that is activated in the supply chain, and the less the customer must do on its own to protect the system, the more automatically the customer is protected.
In a product as complex as a modern server, it's impractical for anyone to build every component, down to the last cable, screw, and molded plastic button. But these are not the components that could be compromised to any effect.
Technical measures are available and increasingly in use by the most sophisticated vendors (including Hewlett Packard Enterprise, Intel, and Microsoft) to prove that the configuration of a system as received by the customer is unmodified from that shipped by the vendor. It's hazardous to claim that any such measures prove 100 percent integrity, but these and other measures can make the possibility that a compromise gets into the supply chain, into the finished product, and goes undetected by the vendor or the customer exceedingly small.
At the factory, a digital manifest of the components and firmware in the system is recorded and protected by a password or other means. On HPE systems, this process is called Server Configuration Lock.
When the system arrives and is powered up by the customer, it rechecks the system configuration and checks it against the saved one. If the booted configuration matches the one created before transport, all is good and the system continues to boot. If the configurations don't match, the errors are reported to the operator.
Roots of Trust
Because of the extreme risks that would result from a compromise of the pre-boot environment, the most secure vendors implement multiple measures to protect it from attack, even after the system exits the supply chain and enters the customer's data center. A good example is the Root of Trust, such as HPE's Silicon Root of Trust. Roots of Trust are also the subject of important open standards from the National Institute of Standards and Technology (NIST). The Root of Trust is a known value stored immutably in the system.
Sophisticated firmware uses the Root of Trust to confirm that the state of the key firmware and circuitry have not been modified. This process is repeated periodically to make sure the configuration hasn't changed in an unauthorized way. Even though the supply chain is no longer involved, the same high level of security can protect the organization from many malicious attacks.
There are other measures, some based on standards, to protect the system from compromise. Bob Moore, director of server software and security products at HPE, describes UEFI Secure Boot as, "a crucial security feature that ensures that an authentic operating system is booted when a service is initiated."
Moore further explains, "Antivirus software actually runs in the operating system of a server but cannot detect hackers or an intrusion until the OS is fully running, and it's well known that some astute bad actors try to compromise the OS before its antivirus tools have a chance to start. UEFI Secure Boot from HPE ensures that does not happen. Each component launched during the boot process is digitally signed, and that signature is validated against a set of trusted certificates embedded in the UEFI BIOS."
Software in the supply chain
Similar to the cryptographic checks of the saved configuration, code signing is a method used to protect software. Before executing a program, the operating system calculates digital signatures of the program files and checks them against the ones provided by the software's creators, after first using the creator's public key to validate the signature included with the program. Both in the case of code signing and system configuration protection, it is one thing to confirm that the calculated signature of the files matches the one saved with the system or programs; it is another to confirm that the issuer is the one you expected—that is, that the operating system files were signed by Microsoft or Red Hat and not by the People's Liberation Army.
The technology of supply chain security can be impressive, but security often fails due to mistakes in activities necessarily performed by people. Supply chain protection, therefore, requires attention to the details of procedures in the process of creating a product and getting it to the customer.
Many of these procedures were described by John Grosso, vice president of global operations engineering, global supply chain, at HPE, in a May 2020 article in Forbes: "…the average 1U or 2U ProLiant rack server has between 3,500–4,000 components. That is, 3,500–4,000 components that have to be tracked across hundreds of suppliers around the world—checked for security and for quality purposes."
Grosso explains "roving cyber-validation" procedures, in which HPE embeds employees with suppliers to perform audits and informal spot checks on their work for HPE. HPE randomly X-rays these components before they are assembled into products.
At their assembly facilities, all vendors must ensure that only authentic components are used. The assembled server must be tested to verify security and authenticity. If the sale is through a reseller, measures must be taken to ensure that the server is not tampered with in any way. When the customer receives the system, it must boot up with the same components that were installed at the factory.
Other lower-tech but effective measures protect the server in transit. Factory seals on the box in various locations must be broken in order to use the system. Holograms and other techniques make counterfeiting of the seals difficult.
Securing the supply chain is the law
Concerns for the security of the technology supply chain have been aired for many years. Then, in 2019, the U.S. Congress added new provisions to the NDAA to begin to address them. Section 889, entitled "Prohibition on certain telecommunications and video surveillance services or equipment," prohibits executive agencies from purchasing products or services that use technology from certain foreign entities.
Use of the word telecommunications shouldn't be read too narrowly, as the equipment and technology used in both general-purpose computing and telecommunications have been converging. Telecommunications networks are increasingly composed of clouds built on conventional compute servers, and conventional computer networks are increasingly used for telecommunications services.
Vendors offering such products and services to the federal government must attest annually whether their offerings are in compliance with section 889. Note that this rule prohibits the purchase of services from providers who use the relevant Chinese products and services in their own networks.
The Creating Helpful Incentives for Producing Semiconductors (CHIPS) for America Act, which is being considered in committees in the U.S. House of Representatives, would add government financial incentives for all states of the manufacture of semiconductors in the U.S. There are also sections in the act that mandate efforts to secure the U.S. defense supply chains and develop standard methods to develop "measurably" secure microelectronics.
It is often the case that rules set by the federal government set a standard that other parties, such as state and local governments or private actors, can follow to get the same protections.
It is possible to leave China out?
Companies operating in China are involved in the supply chains for our electronics to a huge degree, in terms of the value of the items and their variety. There may be subcontractors that are difficult to identify. Items may be manufactured in China, exported, and reimported for a different stage of manufacture.
But the demand for integrity in the supply chain is such that some large and capable companies are working to be able to do so. The chair of Taiwan-based Foxconn, a manufacturer of well-known consumer electronics, recently told an investors conference in Taipei that nearly one-third of its production capacity is outside of China, and that fraction will grow due to the "inevitable" decoupling of Chinese and American supply chains. Foxconn has manufacturing facilities the world over, including Mexico, Brazil, Vietnam, and India. But it also invested in a facility in Wisconsin in 2018.
The manufacturer of the upcoming 5G BlackBerry phone wants it to be "the most American-made phone out there," with the objective being the ability to demonstrate to customers the security and integrity of their supply chain. How close it will ultimately get to all-American is unclear.
Flexibility in supply
Many would like to bring the entire manufacturing supply chain for complex products like servers back to the U.S. This is an extreme remedy to a problem that can be addressed effectively with much less disruption to international commerce. What customers and manufacturers need are rigorous security procedures for all components of a system and to have options for the national sourcing of components.
In the past, this level of scrutiny might have been considered necessary only for sensitive government applications, but for any organization, servers contain and process the most critical data. If hostile actors were to gain control of the server, they could not only gain access to that critical data, but they could modify the organization's operations. Certainly, governments must mitigate such risks to the greatest degree possible, but why should private organizations take the matter any less seriously?
The new requirements in the NDAA are a wake-up call for vendors, governments, and other policymakers to reconsider their security priorities in sourcing. Customers should also follow the federal government's lead in asking vendors where systems and their components are made, and whether they can be made in the U.S.
Security in the supply chain: Lessons for leaders
- All security starts with hardware security. Not all hardware is provably secure.
- It's impossible for customers to know the full provenance of a complex item like a computer server.
- Vendors are working to get national flexibility in their component sourcing. This may matter to you.
In the modern world of electronics, the really insidious threats are invisible to the naked eye or hidden in plain sight in the complexity of the electronics.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.