Securing the Supply Chain and Critical Infrastructure

Article By : Gail Ow, Keysight Technologies

How do you secure the technology supply chain? Find out here.

How is the electronics industry helping manufacturers in their digitalization and industrial automation journey? What’s the role of sensors in IIoT, and how can manufacturers ensure cybersecurity of their industrial control systems? This month’s In Focus looks at the challenges and progress in manufacturers’ transition to smarter factories.


Supply chain describes the entire process of producing and delivering product. One could argue that the supply chain defines the success or failure of a company and its products because, the better one manages the supply chain, the better the outcome for both consumer and producer in terms of costs, quality, delivery, safety, customer satisfaction, and revenue.

Hardware and Firmware Supply Chain

The supply chain is an easy concept to grasp in today’s global economy. For example, we understand the components built into the laptop I’m typing on are manufactured all around the world. Not just the obvious ones, like metal enclosures and keyboard caps, but all the components. The threat of tampering with hardware components somewhere along the manufacturing process isn’t unheard of. But it’s not the keyboard caps that hackers care about. It’s the firmware that controls devices like webcams, trackpads, hard drives, and network interface cards that have been proven to be hackable, that hackers seek.

We all know that firmware is a software program that’s been ‘etched’ onto the hardware. It’s what makes the device function. Unfortunately, ‘etched’ is not as permanent as it used to be. Firmware is stored on flash ROMs that can be erased, infiltrated with malware, and rewritten. The beauty of firmware hacking is that it’s difficult to detect and cumbersome to remove (return to manufacturer for repair). And it’s pretty much god power with invisibility included. So successful firmware hackers gain direct access to not just one device, but every device the manufacturer makes, sells and delivers to customers. Hacked, and you didn’t even know it!

And if firmware is hackable, how much more vulnerable are all those fun free apps that make life interesting? More importantly, in the industrial control systems/operational technologies (ICS/OT) world, how carefully managed is the software supply chain of your PLC, your HMI, and your SCADA?

Software Supply Chain

As a Product Manager, I worked with Engineering to build products that solved real world problems that customers would buy. I understand the need for a carefully managed hardware/firmware supply chain. While the concept of a supply chain in the hardware world is an easy concept, I didn’t think much about the software supply chain until I observed my college-aged son download clever new font modules to his computer. What we don’t often think about is the fact that coders around the world make extensive use of shared libraries and modules. As a result, the concept of a supply chain also applies to software, which in the grand scheme of things is a relatively new concept. New, that is, until NOBELIUM—a Russia-based hacking group best known for the SolarWinds cyberattack of December 2020.

Nobelium has in fact targeted over 150 organizations worldwide, including government agencies, think tanks, consultants, and non-governmental organizations across at least 25 countries. And then there was the cyberattack that derailed the Colonial Pipeline for over a week, impacted 45% of the U.S. East Coast region’s fuel supply, created panic at the pump and caused price hikes, which brought software supply chain hacks to the forefront. Gas shortages ensued for weeks as the pipeline shutdown all systems to contain the effects of a ransomware attack, and ultimately paid the US$4.4 million dollar ransom to regain control and access over their network and data.

Supply Chain Security and What it Means to Critical Infrastructure

As a result of the recent but ongoing attacks on our critical infrastructure in the U.S., President Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (‘NSM’) on July 28, 2021. Light on details, but more information was promised.

On August 25th, the U.S. National Institute of Standards and Technology (NIST) announced their leadership in creating a new framework to improve the security and integrity of the technology supply chain.

Technology Supply Chain

The focus of the NIST announcement is the technology supply chain as it applies to critical Infrastructure. Devices that used to be driven by the physical, like pneumatics or electro-mechanical, have been transformed into improved, digital, internet connected, and ahem—now hackable devices. Securing the supply chain is of paramount importance.

It is important to note that hackers have also noticed the internet connectedness of factories and critical infrastructure. They’ve settled into their newfound power as gods of the ICS/OT world and they’re unrelenting in their attempts to break into everything ICS/OT—but of particular interest is critical infrastructure. Because now they can not only extort money from their unwitting victims, they also have the power to poison communities, stop oil production, blow stuff up, make headline news, and destroy the economic health of entire countries. In addition to the millions of dollars they extort in the process.

Hacking the ICS/OT environment allows hackers the ability to create their own weapons of mass destruction, especially if the victim is one of 16 sectors of critical infrastructure.

Reducing Technology Supply Chain Risk is for Everyone

So, this is serious. How do we secure the technology supply chain? The sweet spot to reducing risk in the near term, is a hardware, software, and firmware bills of materials that let you know what’s inside, so you can check to make sure. With that, we can see if the manufacturer gave us exactly what we expected, and then check to see if that’s what we have. We can decide based on what’s in there; where to put it from an architecture perspective, how isolated it has to be, how to manage it, how to do incident response.

But because of the ongoing threat to the technology supply chain, nobody is excused. Everybody needs to come together—manufacturers, critical infrastructure, and consumers all have an active role to play in making our world a safer place.

 

About the Author

 

Gail Ow is senior industrial solutions manager at Keysight Technologies.

 

 

 

Subscribe to Newsletter

Join the Conversation

  1. martin hogan says:

    There have been a number of suggestions for overcoming the supply chain problems exacerbated by the covid crisis. I say exacerbated because there have been supply chain problems with the global supply chain for decades; from the Kyoto earthquake, the California earthquake, Indonesian floods, hurricanes and more but most have been relatively short lived and natural disasters, not a disease which has covered the globe and is set to remain with us and it is this that make the situation unique.

    This uniqueness is why those who keep talking about ‘getting back to normal’ and ‘when this is over’ need to think again. We have no grounds for thinking covid will go away any time soon and from viral research, reasons to believe that it will remain because its mutations indicate that it has longevity

    First, we have problems that are built into the global supply chain as cost saving measures. Everything costs money so the processes are pared down to reduce time in thinking, making, doing. this means one person one job with no duplication (outside any checks and mandatory quality requirements). ‘What if’ planning has been about risk management and the likelihood of a pandemic was well down the lists. Even fire, flood and earthquake destroying a factory are at best ‘make sure the product is made on two sites’ That a lower tier supplier might be wiped out is not considered.

    So a product is designed, components and materials specified, then it heads to manufacturing and the supply chain, where contracts are sorted out and finalized and a date is set for production. All runs smoothly and only small outages occur when a delivery is late or a batch is faulty, often easily covered by the second factory supply or stock at a third party.

    What are the problems with this approach?
    First, everything is done by subcontractors; sometimes the company name on the logo we see in the store can be all there is; from the design, to sourcing, supplier selection, financing, quality, fabless semiconductor design, fab houses making the ICs. Pick an industry, the same applies where a top end idea is then trickled down to other companies for various parts of the operation.

    There have been historical problems with suppliers not knowing the end customer and use, or changing something without proper authorization, this has resulted in lead in children’s toys, electronic gadgets bursting into flames, illegal or unsuitable paints in various applications. Other problems with factory mismanagement, child or slave labour have all been reported; disasters such as Bophal, Rana Plaza and the Triangle Factory fire show the problems are global.

    A big driver in the ‘globalization’ of the 1980s was to reduce costs, with outsourced factories and labour, costs could be deferred until final finished goods purchased with no outlay for factories, workers, equipment. Of course, for many companies, this saw a cut in their financial security because of the reduction in assets but the fast return on expenditure (goods bought and sold before payments to the supplier becomes due) made it worth the risks.

    It has always been a problem but over recent years, outsourcing and the process compartmentalization of manufacturing (and other) sectors has meant that the disconnect between design, supply chain and manufacturing has lead them to operate as individual entities, with insufficient crossover. Compartmentalization is not necessarily a problem while workers are close by and can exchange information and skills knowledge but when that is over several time zones, with language barriers and no physical contact, the problems grow over time and go unnoticed. With stable production runs planned from the outset, any problems are small and resolved on a one by one basis as they occur.

    Now however, things are different. This is not one component or item that is causing a problem, it is not one issue but everything so whilst it was fairly simple to correct for one component, it is more difficult to correct for everything, now we are in the position of having to relaunch products from the start. Every component has its own supply schedule, different speeds to market, different startup times, different batch sizes. Simply placing an order for everything won’t work because of everything is now out of synch and by placing an order for everything, the entire supply chain will react with its own achievable schedules, creating a mismatch on the suppliers computer system, which will bounce out a revised schedule – and so on.

    The quick answer to any component shortage is to find an alternative source but if this is specific to the product, (colour, shape, type of plastic, paint, etc), there will only be the one source (even with multiple factories, there can still be supply problems because of availability from third parties). Then there is build a new factory (see the previous sentence, plus the time and expense of building, equipping and training staff). The resolution to this is not easy but one is to ‘start again’ treat this as a new production launch not a continuation and work with all suppliers to select a date in the future when full production can commence. This slackening of immediate demands eases stress and panic and will give time to sort out some of the backlogs.

    Changes to products can’t just be made however, there is a design authority, that group of quality and design engineers that are responsible for ensuring products will perform, that they are safe, that they conform to specifications, that all functionality is there and this is an area that few companies now have the resources to staff.

    We still haven’t tackled the shipping problems. With delayed loading, unloading and inspections, all the ships are out of place and it could take years to get them where they need to be (a very complex rubics cube or sliding jigsaw). Ships and their containers hold products from many sources, making it difficult for port authorities to clear them. The major corporations can help out in two ways. First, they can offer staff to the ports to help identify their products. Second, they can work with their suppliers to consolidate shipments at the point of departure, to try and make up complete container shipments so that they can be more easily cleared at both ends of the international transit route. Governments can help out by deferring tax payments on imports and exports; if there are discrepancies, the banking system will have records of all transactions and they can be sorted at the end of the tax year instead of on a weekly or monthly basis. This compared to the lost business because of hold-ups would be small.

    Some restructuring is required.
    Whilst the current crisis has led to calls for better ‘second sourcing’ there is a lack of technical resource to do this work and the IT solutions to give ‘real time information’ will not do anything to resolve the shortages created by manufacturing failures, there needs to be more effort on updating the internal design authority processes and consolidated deliveries, with greater long term procurement objectives to help stabilize the supply chains.
    Whilst IT will give ‘real time’ data, just like roadside cameras, it will tell us where the problem is or where the crash is about to happen but it will not stop it.
    For a proper restructuring and sourcing strategy, companies will have to pay for what they have long avoided, which is the engineering resources to confirm component compatibility (size, electronic suitability, weight, chemical composition, environmental suitability etc). The cost of putting off this work are clear, so budgeting to put new systems in place can be based on the costs of known failure.