A supply chain is a complex system of interconnected components, data, processes and players. The chain is only as strong as the weakest link, and the threat often comes at you sideways.
Attack vectors into the supply chain include, but are not limited to: physical tampering; hardware implants; modifications to electronics, chipsets or mechanisms; remotely installing malware into systems; modifying software; manipulating data; and shaping information through disinformation. Supply chain security and cyber mission assurance are closely linked.
Threat actors also target fundamental research, investment and ownership to gain access, control and influence. These organizational weaknesses in the chain are as critical as those in hardware and software.
Nation states have dedicated divisions assigned to breaking and shaping supply chains:
From 1970 to 1993, Operation Rubicon, a secret operation of the West German Federal Intelligence Service (BND) and the U.S. Central Intelligence Agency (CIA), exploited the communications of a number of foreign governments by covertly owning Swiss-based Crypto AG and shaping the encryption technology it sold (such as the CX-52).
In 1982, a ruptured Soviet gas pipeline in Siberia set off what has been described as the largest non-nuclear explosion in history. It has been reported that the CIA co-opted a Canadian company to shape industrial control software that the Soviets later acquired; the account, which rests on a former U.S. official's memoir, remains contested.
In 2020, a hostile intelligence service penetrated thousands of organizations globally through a trojanized update to the SolarWinds Orion IT management and observability software, thereby acquiring highly privileged access to a large number of infrastructures. Microsoft President Brad Smith called it "the largest and most sophisticated attack the world has ever seen".
Years earlier, a shaping of the esoteric Abstract Syntax Notation One (ASN.1) standard interface description language had allowed attackers to execute their own malicious code at a foundational level on telecommunications equipment, routers, switches, mobile radio and cryptographic systems. The code was buried so deep that it took many years before anyone discovered it.
Stuxnet, discovered in 2010, was a worm developed specifically to physically destroy the uranium enrichment centrifuges of Iran's nuclear program. It was introduced into the supply chain by persons with physical access, via USB flash drives carried into the targeted networks. The operation was immensely complex.
Closer to home, we witnessed the systematic long-term compromise and shaping of Canada’s ICT supply chain by a foreign government through acquisition, espionage, influence, hacking and planting electronic eavesdropping devices. Threats to Canada’s foreign-sourced next-generation mobile infrastructure are only now being fully appreciated and mitigated.
Today, we still see foreign ownership, control, influence, deliberate interference and shaping of our critical national supply chains through a wide variety of vectors.
Here are a number of things to consider when securing a supply chain:
Start with an asset inventory. As the old adage goes, "you can't manage what you don't measure." The inventory should include a detailed investigation into the provenance of, and access to, each component and subcomponent of the system, covering people, processes and technology. The work forms part of an integrated risk management and cyber mission assurance plan.
Arrange for an external attack surface analysis to identify exposures and hidden dependencies across the organization or program, bearing in mind that risk propagates through critical interdependencies that often lie outside your enterprise and field of view. Note that data and information integrity is an important part of the supply chain; it is not just about hardware and software.
We recommend a Foreign Ownership, Control or Influence (FOCI) evaluation to assess the nature and extent of authority, ownership, control or influence that foreign interests may have. Ownership can change through acquisitions and adversaries frequently use a shell game of front companies to obfuscate their means of control.
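To make the inventory concrete (this is an added example, not code from the original article or from any organization it names): the script below records, at acceptance time, each component's version, supplier, ownership chain and SHA-256 digest, then audits what is actually fielded against that record. It reports components that were never inventoried (the hidden dependencies mentioned above), digests that no longer match the accepted build, inventoried components that have disappeared, and components whose ownership chain reaches a jurisdiction the FOCI policy flags. All component names, suppliers, artifact bytes and the jurisdiction code "ZZ" are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One inventoried component: what it is, who supplied it, who owns the supplier,
    and the digest recorded when the component was accepted into the system."""
    name: str
    version: str
    supplier: str
    ownership_chain: tuple  # ((entity, jurisdiction), ...) from the supplier up to its ultimate owner
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_inventory(accepted: dict) -> dict:
    """Build the manifest at acceptance time from name -> (artifact bytes, provenance metadata)."""
    return {
        name: Component(name=name, sha256=sha256_hex(data), **meta)
        for name, (data, meta) in accepted.items()
    }


def audit(manifest: dict, fielded: dict, flagged_jurisdictions: set) -> list:
    """Compare what is actually fielded (name -> bytes) against the manifest.
    Returns (category, component, detail) findings, one per discrepancy."""
    findings = []
    for name, data in fielded.items():
        if name not in manifest:
            findings.append(("UNDOCUMENTED", name, "present in the system but absent from the inventory"))
        elif sha256_hex(data) != manifest[name].sha256:
            findings.append(("INTEGRITY", name, "digest differs from the accepted build"))
    for name, comp in manifest.items():
        if name not in fielded:
            findings.append(("MISSING", name, "inventoried but not found in the system"))
        hits = [f"{entity} ({jur})" for entity, jur in comp.ownership_chain if jur in flagged_jurisdictions]
        if hits:
            findings.append(("FOCI", name, "ownership chain reaches a flagged jurisdiction: " + ", ".join(hits)))
    return findings


# Constructed sample data: hypothetical components, suppliers and artifact bytes.
# "ZZ" is an ISO 3166 user-assigned code standing in for whatever jurisdiction policy flags.
FLAGGED_JURISDICTIONS = {"ZZ"}

ACCEPTED = {
    "plc-runtime": (b"plc-runtime 3.1 accepted build\n",
                    {"version": "3.1", "supplier": "Boreal Automation",
                     "ownership_chain": (("Boreal Automation", "CA"), ("Boreal Holdings", "CA"))}),
    "modem-firmware": (b"modem-firmware 7.0 accepted build\n",
                       {"version": "7.0", "supplier": "Harbourline Radio",
                        "ownership_chain": (("Harbourline Radio", "CA"),
                                            ("Tidewater Capital", "NL"),
                                            ("Sunridge Group", "ZZ"))}),
    "historian-db": (b"historian-db 12.2 accepted build\n",
                     {"version": "12.2", "supplier": "Prairie Data Systems",
                      "ownership_chain": (("Prairie Data Systems", "CA"),)}),
}

# What an inspection of the running system actually turned up (constructed).
FIELDED = {
    "plc-runtime": b"plc-runtime 3.1 accepted build\n",                    # unchanged
    "modem-firmware": b"modem-firmware 7.0 accepted build\n\x00patched",   # modified after acceptance
    "remote-support-agent": b"remote-support-agent 1.0\n",                # never inventoried
    # "historian-db" is absent: removed or replaced without record
}


def run_sample_audit() -> list:
    return audit(record_inventory(ACCEPTED), FIELDED, FLAGGED_JURISDICTIONS)


if __name__ == "__main__":
    for category, component, detail in run_sample_audit():
        print(f"{category:12} {component:22} {detail}")
```

The digest is recorded once, at acceptance, and never recomputed from the fielded copy, which is what lets the audit detect a component shaped after delivery; the ownership chain is kept as data on the manifest so that an acquisition or a change in the FOCI policy can be re-evaluated without re-inspecting the system.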
The insider threat is real, whether through accidental breaches, manipulation and elicitation, or the deliberate use of agents of influence, saboteurs or spies. Vet your employees, partners, suppliers, contractors and sub-contractors, or have a trusted third party do this for you, as a matter of due diligence. Know who you are doing business with.
Understanding the adversary, including their capabilities, motivations and intentions, is critical for assessing active exposures of the supply chain. Consider subscribing to tailored threat intelligence as a service. Similarly, detecting deep shaping of technology requires intelligence, threat hunting and due diligence through rigorous professional investigation. Open and commercial source intelligence (OSINT/CSINT) is essential for a valid assessment.
A good supply chain security analysis feeds into an integrated risk management framework, a cyber mission assurance plan, a competitive business strategy, the application of effective countermeasures and proactive defence in depth. A traditional compliance-based threat and risk assessment (TRA) or Security Assessment and Authorization (SA&A) of individual components in isolation is of limited value for complex systems-of-systems with extensive supply chains. Security intelligence assessment of such systems and platforms needs to be a continuous process of overwatch, surveillance, intelligence and active defence.
Finally, consider in advance what action will be taken upon learning of a potential exposure to, a real attack on, or compromise of the supply chain.
SOVEREIGN FIRST STRATEGY
A trusted sovereign Canadian supply chain is necessary for national critical infrastructure and high-value platforms. Foreign-sourced information and communication technology (ICT) components represent a particularly high risk, as does relying on foreign data and intelligence to power these systems.
BEST PRACTICE REFERENCES
Supply chain security is a matter of best practice:
Canada’s obligations and commitments to conduct FOCI evaluations are outlined in North Atlantic Treaty Organization (NATO) Security Policy and various international bilateral security instruments between Canada and its international partners.
CSE technology supply chain guidelines (TSCG-01/F) 2010 – stipulates measures to mitigate exposures to vulnerable or shaped technologies through planning in the contracting phase.
The Cybersecurity Maturity Model Certification (CMMC) assessment framework and assessor certification program is designed to increase trust in the systems of contractors supplying the U.S. Department of Defense.
Dave McMahon is the Chief Intelligence Officer of Sapper Labs Group – a Canadian veteran-owned intelligence and cyber defence company.