Why are cyber attacks on the IC supply chain difficult to prevent?
In the past, supply chain issues have focused on counterfeit parts or grey market substitutes using sub-standard boxed parts. Now, as IC architectures become more domain-specific, often including some kind of AI/ML, chipmakers are using more application-specific components such as accelerators, custom memory, and IP blocks from more vendors. As a result, supply chains have become broader and more diverse, and parts have become harder to trace. Today's supply chain covers everything from raw materials to hard and soft IP, subsystems, packaging, delivery and warehousing.
Failure to track all components at every stage opens the door to cyber attacks. In some cases, this could include hibernation code or hardware exploits. But more often, these attacks are triggered by unintentional flaws in the design that lead to security breaches, some of which may go undetected for years. Keeping track of each component and integrating those components into a larger system is a huge challenge. If something goes wrong and the system is compromised, it's not always clear what caused the problem.
“In order to have a secure IoT supply chain, trust in the data and trust in the device must be established,” said David Maidment, senior director of the Secure Device Ecosystem at Arm. “However, this presents several challenges. Supply chains are very complex, with many different devices and entities, where data, products and services have to exchange ownership without contracts. Many supply chains already exist without IoT For over 20 years, it’s built on legacy devices without security in mind. As we move to hyperconnected value chains, all devices have to be built from the ground up with security at the core.”
This requires precise traceability, which becomes increasingly difficult to achieve as designs become more complex. “High-end IP is expensive especially for larger IP companies. Many companies buy per-use licenses. The problem is that IP providers can’t regulate it. It’s legally bound and they don’t know if it’s being regulated or not. Used in more than one design," said Simon Rance, VP of Marketing at ClioSoft. "Big companies don't want to buy IP from IP providers and break these legal agreements, which can easily happen. But the designers of the company don't know if it's a one-time license. We see a lot of IP being kept on file servers. They don't have Locked down, it's unmanaged."
When any part of the supply chain is disrupted, the entire supply chain is affected. Supply chains can be long and complex, with suppliers at multiple tiers.
"Supply chains can be complex," said John Hallman, Siemens EDA product manager. "There are many suppliers that contribute to making ICs, including designers, mask makers, and the fabs themselves. Additionally, these component makers use raw materials from different parts of the world."Even if a manufacturer has proper security measures in place, there is no guarantee that its suppliers will have the same strong protection. Hackers often take advantage of manufacturers' trust in their suppliers. Suppliers with weak cyber defenses are vulnerable, and once breached, hackers can gain access to the manufacturer's enterprise systems. Often this happens without immediate detection, and in sophisticated nation-state-backed underground operations, some attacks may never be detected.
The European Union's Cyber Security Agency (ENISA) noted in its recent report that 66 percent of cyberattacks were related to a vendor's software code. It is important for an organization or end user to verify third-party software code before using it to ensure the absence of malware.
The supply chain itself could also be disrupted. Manufacturers often trust their vendors and use the vendor's software code without checking for malware. Manufacturers often have direct access to their distributors, as it allows them to obtain data on the availability of various chips, IP and electronic systems. Recently, however, as enterprise resource planning (ERP) software has become more common, manufacturers download software modules from distributors.
Manufacturers then integrate this module with their own ERP system. Malware can enter an ERP system unnoticed unless a software module goes through a malware detection process. Some cyber-attack victims don't even know how and when their systems were infected.
Ransomware is especially harmful because of its short- and long-term effects. According to an IBM report, an average ransomware attack will cost $4.62 million. After an attack, businesses must respond and clean up. Costs include escalation, notification, loss of business, and response efforts, not the ransom cost itself. On average, it takes 287 days to identify and fix a data breach. The longer it takes to resolve the problem, the higher the cost.
ENISA predicts that the number of supply chain cyberattacks will quadruple compared to last year, taking many forms. Supply chains can be attacked in a variety of ways - malware infection, social engineering, brute force attacks, exploitation of software and configuration vulnerabilities, physical attack or modification, open source intelligence and forgery.
The impact of any of these can be huge. Recent high-profile cyberattacks targeting supply chains include the Colonial oil pipeline (disruption of fuel supply, resulting in long queues and high prices), Kaseya VSA remote monitoring (affecting 1,500 downstream businesses worldwide), SolarWinds (18,000 companies globally affected, including many government agencies and Fortune 500 companies) and the Ukrainian power grid (225,000 customers were without power).
The SolarWinds attack happened in 2020. While patches are available, not all affected companies have the knowledge or awareness to implement a solution. These vulnerabilities will be exploited again and again by hackers. There were also 140 cyberattacks this year, resulting in 14 breaches in which sensitive information was leaked and stolen.
Cyberattacks on supply chains continue to increase. In the supply chain, every device endpoint is a target for cyberattacks. Nothing is immune to attack, and the problem gets worse as devices stay on the market longer. This makes sustainable, flexible, long-term defense strategies even more important. These three key elements include building trust throughout the supply chain, creating end-to-end visibility, and finally practicing continuous improvement.
"Every connected endpoint is a potential entry point for bad actors, so every connected endpoint must be protected," said Jared Weiner, senior analyst for industry, automation and sensors at VDC Research. "A comprehensive, disaggregated approach to cybersecurity The layered approach is critical. While specific requirements vary for individual devices, organizations managing supply chains should consider security considerations when certifying hardware devices and software (i.e. devices with embedded secure hardware or software), and Through asset management, endpoint protection, and network visibility solutions.”
Trust is critical in supply chain security
Building trust is always important in any application. But for supply chains, trust is more important because there are so many parties involved. Tier 1 and Tier 2 suppliers may have been doing business with OEMs for years, but that doesn't mean they can be trusted when it comes to supply chain management. Today, any of these vendors or their subcontractors could unknowingly have malware code embedded in their systems.
"Remote monitoring and connectivity itself has become a critical part of the supply chain," Arm's Maidement said. “The ability to monitor the location and condition of goods in transit is critical, and any disruption to monitoring services has a huge cost impact. Companies are completely reliant on high-quality, reliable insights, so trusted devices are needed to deliver this at scale. Surveillance. Any unsecured equipment, such as poorly designed or legacy equipment, opens the door for adversaries.”
A “zero trust” approach is particularly important here. No device or software outside the organization can be trusted.
"During the system development process, in the chip development cycle, product manufacturing and system development, there are many times when malicious code can be introduced through backdoors," said Andy Jaros, vice president of IP sales and marketing at Flex Logix. The reasons for adopting a zero-trust philosophy in system development. Zero trust includes monitoring system activity for anomalous behavior, circuit obfuscation to reduce the risk of side-channel attacks, and methods to control the function of a chip or circuit.”
End-to-end supply chain visibility
Visibility and endpoint protection across the supply chain requires that the flow of information from any supplier to manufacturer must be clearly identified and trusted. Securing the supply chain network in this way helps prevent contamination by unknown malware through backdoor attacks.
"The end-product manufacturer or system integrator takes responsibility for the entire supply chain and oversees the entire process," OneSpin's Hallman said. “Do they have an end-to-end view and flow of information at hand to understand where everything comes from? This includes RoHS management and counterfeit parts detection. It’s important to understand what has been transferred.”
Adding a degree of flexibility to the supply chain is also a good idea given the constant changes in the supply chain, including new technologies that could render previous security obsolete, and chip shortages that may require suppliers to use multiple sources. In effect, the supply chain needs to keep up with the technology flowing through it.
"Embedded FPGA IP can be used to address these vulnerabilities through CPU boot image authentication, system activity monitoring, random exchange of different bitstreams with the same functionality, or programming of critical or highly proprietary circuits after system manufacture or deployment," Flex Logix's Jaros said.
keep improve
The National Institute of Standards and Technology (NIST) points out that when the software supply chain is under attack, cyber threat actors infiltrate the supplier's network. Malicious code would then be sent to the customer and further damage the customer's data, just like the attack on SolarWinds. The agency proposes a solution called Cyber Supply Chain Risk Management (C-SCRM), a process of identifying, assessing and mitigating risks associated with the distribution and interconnection of IT/OT products and services.
In its most recent report, NIST identified eight key practices for achieving high-quality supply chain management and continuous improvement:
Integrate C-SCRM across your organization.
Establish a formal C-SCRM plan.
Understand and manage key suppliers.
Understand your organization's supply chain.
Work closely with key suppliers.
Engage key suppliers in resiliency and improvement activities.
Evaluate and monitor the entire supplier relationship.
Plan the entire life cycle.
"A secure supply chain requires ongoing verification and certification," Holman said. "In the case of the SolarWinds vulnerability, the attacker used a software update to enable a 'backdoor'. To minimize the risk of a cyber attack, at least basic security hygiene must be practiced, including rigorous validation, applying security best practices such as "transactions" Do you have the correct checksum? Or use regression testing? You'd be surprised how many organizations don't practice the basics. "
There are other supply chain standards and resources available. They include Blockchain, SEMIE142, IPC, GS1, AS6171 and Trusted Computing Group platforms.
in conclusion
Cyberattacks on supply chains are on the rise. As Arm's Maidment put it, "To protect the business, risk from hackers must be assessed and managed. First, establish a chain of trust from data and devices out to the cloud, based on each device's hardware root of trust. This ensures that data is in the hands of trusted people and helps provide valuable business insights. Second, proactively source certified security equipment to protect the network. Even with the most secure network, insecure equipment can Will leave a hole in the system for hackers to exploit. A device certified by a reputable certification body such as PSA Certified provides an extra layer of assurance. Finally, design your product with security in mind. When something goes wrong, just be reactive Reacting is not enough. Instead, security is built in from design with components that use a certified hardware root of trust. Pre-validated components (such as silicon chips or system software) can also be sourced to ensure that the trusted foundation build equipment.”
