Defence Online

Securing the supply chain is essential for a robust defence ecosystem

Land September 9, 2021

Writing for Defence Online,  Dennis Mattoon and Michael Mattoli, Co-chairs of the Supply Chain Security Work Group at Trusted Computing Group (TCG), examine the critical role of the defence supply chain.

The nature of threats facing the defense industry have changed considerably over the past decade. As innovation continues to deliver new technologies, the sophistication of attacks has grown, leaving the defence industry worldwide susceptible to attack, particularly within the supply chain.

In fact, a recent report by the US Government suggested the defence industry is increasingly struggling to meet the unprecedented challenges it faces, with industrial security scoring low within their assessment. Within defence, it is particularly important for systems and equipment to be protected at all times, due to the nature of their operations. Here, supply chain attacks can have devastating consequences and so it is imperative that security is tightened to create the most robust defence ecosystem.

No easy feat

Securing the hardware supply chain is essential. It is an area that cannot afford to be overlooked, where one organisation with an inadequate approach to security can open the door for an attack that compromises the entire chain. As such, and especially within the defence sector, it is imperative governments and businesses make supply chain security a priority, to keep mission critical communications and operations safe from espionage or attack. However, this is far from. With so many different elements, and no single entity responsible, it requires the whole industry to come together to implement, define and uphold security measures.

An added twist: to stay competitive, many defence and critical systems leverage commodity hardware. These components often contain vulnerabilities, which are often left unaddressed, in a bid to keep costs low and maintain already thin margins. In a sector where the lowest bidder with the lowest cost often wins contracts for building infrastructure or developing components and equipment, it is important a security agenda is created and followed to ensure a safe and secure defence ecosystem.

To make it more complex, the existing security safeguards in place within the supply chain today are mainly subjective and rely on human intervention. These include the alignment or placement of labels, size, or shape of markings, verifying the authenticity of serial numbers and the use of x-ray imaging. All of these tend to be rather time-consuming and expensive and often do not scale. It has also proven quite difficult to enforce security within this area since the supply chain is increasingly disaggregated and global.

A huge impact

With cybercrime costs worldwide expected to grow by 15 percent per year over the next five years, according to Cybersecurity Ventures, it is imperative steps are taken to safeguard the defence industry and its supply chain. The nature of attacks is changing, costing businesses millions of dollars each year and the loss of priceless information. With increasing dependency on the internet and technology by militaries worldwide, the frequency of sophisticated and organized cyber-attacks is on the rise. When it comes to the defense sector, this cannot become the norm as there is simply too much at stake, especially when state-sanctioned cyber-attacks occur within the supply chain.

The impact of supply chain attacks is well demonstrated by the recent Quanta Computer attack. The Apple supplier was hit by a US$50 million ransomware attack from REvil which caused some disruption, as hackers demanded money in return for not revealing Apple blueprints. As ransomware attacks have become increasingly disruptive and brazen, we cannot allow the defence sector to be subject to such dangerous risks when sensitive information is on the table.

While the Continental Pipeline case shows exactly how important it is to protect critical infrastructure. All pipeline operations had to stop and IT systems had to be frozen as a result of a cyber-attack involving ransomware. Supplying 45 percent of the East Coast’s fuel in the US, it is one of the country’s largest pipeline operators as it transports over 100 million gallons of fuel daily from Texas to New York. It caused several fluctuations in the price of fuel as result of supplies becoming partially affected. This demonstrates exactly how bad it could be if defence systems were left open to attack within the supply chain.

Making a difference

For a robust defence sector, it is crucial supply chain security is prioritised. To address all the challenges faced in this area, Trusted Computing Group (TCG) has recently launched a new Supply Chain Security Work Group to lead the charge in developing and creating new security standards and measures for end-to-end solutions. Working with other organisations as well as TCG’s wide range of member companies, the group will aim to define and develop new technologies and safeguards which will enhance the security of the supply chain worldwide.  This is in addition to leveraging existing TCG technologies in this space.

TCG has already released a number of specifications and created innovations that, once applied, make a huge difference to the security of the entire supply chain. The Cyber Resilience technology from TCG is just one example, which enables a device to remain protected throughout its lifecycle. Not only does Cyber Resilience allow for the prevention and detection of malware, but it means a device can be recovered following an attack. This is great for protecting, for example, Internet of Things (IoT) devices or Industrial Control Systems (ICS) which are often used within defense applications. These devices are often difficult to keep updated or maintained and may even be physically inaccessible during its operational lifetime.  Having built-in Cyber Resilience through the supply chain, particularly when being fitted into a larger system or with a long service life, means they remain protected at all times.

Meanwhile, the PC Client Firmware Integrity Measurement (FIM) and PC Client Resource Integrity Manifest (RIM) specifications enable the security status of enterprise systems to be verified and confirmed. It provides guidelines for products that can determine the integrity of a platform within the manufacturing stage and provides a baseline measurement that means security comparisons can be made throughout its lifecycle. This is ideal for the defence sector supply chain as equipment can be evaluated at any time to verify its authenticity and check its security status.

Another example of TCG’s impact on security of the supply chain is its Secure Update Guidelines, which make sure manufacturers and IT administrators can continue to provide safe and secure updates to systems. A common attack vector used by hackers is to infiltrate communication networks or devices through update channels. By making sure this is kept secure, it eliminates this as a potential way in and further protects the supply chain.

Enabling change

However, to truly manifest change, it is important as many groups as possible come together to formulate a security framework to keep the supply chain safe from harm. TCG hopes with its new Supply Chain Security Work Group, to secure industry backing and work collaboratively with other international organizations to lead the way forward for supply chain security. With this in place, it will be possible for actors within the supply chain to demonstrate compliance and security will become enforceable. This will only help to increase security in defence and help ensure that organisations working within the sector do not suffer compromises due to weaknesses in the supply chain or in commodity hardware.

If you would like to join our community and read more articles like this then please click here

defence ecosystem Trusted Computing Group

Post written by: Matt Brown