Supply Chain Vulnerabilities

Sep 16, 2024

Take quiz

Supply Chain Security Lecture

Overview of Supply Chain

  • Involves moving a product from raw materials to consumer.
  • Security concerns exist at every step: raw materials, suppliers, manufacturers, distributors, customers, consumers.
  • Attackers can inject malicious code or gain access at any point in the supply chain.

Trust in Suppliers

  • New equipment and suppliers are often trusted without verification.
  • An exploit at any point could put data at risk.

Outsourcing and Third-Party Service Providers

  • When outsourcing, service providers handle security aspects.
  • Risks if service providers have access to sensitive data.
  • Importance of security audits with service providers.
    • Audits are often included in contracts.

Case Study: Target Corporation Breach (2013)

  • Breach involved 40 million credit cards.
  • Originated from a service provider breach (HVAC firm).
  • HVAC and cash register networks were not separated at Target.
  • Attackers accessed cash registers and installed malware.

Risks from Non-IT Service Providers

  • Access to the network by non-IT providers can be a risk.

Hardware Supply Chain Concerns

  • Example: Untrusted firewalls, switches, routers.
  • Importance of trusting vendors and having procurement procedures.
  • Example: DHS arrest of Cisco counterfeit product reseller (2022).
    • Counterfeit products posed security risks and originated from China.

Software Supply Chain Security

  • Trust in software updates is crucial.
  • Verify software digital signatures.
  • Risks of automatic software updates.
  • Open source software can also be vulnerable.

Case Study: SolarWinds Orion Breach (2020)

  • Software used by 18,000 customers, including Fortune 500 and US government.
  • Attackers inserted malicious code into SolarWinds updates.
  • Breach not detected for months, underscoring supply chain security importance.
  • Affected major organizations like Microsoft, Cisco, Intel, and government agencies.

Key Takeaways

  • Supply chain security is critical and complex.
  • Trust and verification are essential at every step.
  • Regular audits and careful selection of suppliers and service providers are important.
  • Be vigilant about hardware and software being integrated into systems.