A Proposal for Securing the IT Supply Chain
Few industries can exist nowadays without an extensive supply chain via multiple vendors or suppliers. Disruption to that supply chain can have dire consequences: Just look at the effect on Toyota from the Tohoku earthquake and tsunami. In the IT industry, trustworthiness within the supply chain is key to strong security -- but can that security ever be assured?
Supply chain integrity is designated a Top 5 research priority by the EastWest Institute (EWI) think tank and the European Network and Information Security Agency (ENISA, http://www.enisa.europa.eu/). But the topic is a challenging one to research.
Still, a paper from Chinese researchers presented at the recent EWI Cybersecurity Summit in London tackles the subject in an innovative and practical way and proposes a solution.
The authors, Xiaofeng Qiu of Beijing University and Liang Zhao of NSFocus, say existing standards for supply chain soundness fail to properly include vulnerability testing. A weakness at any point of the supply chain could result in the injection of malicious code in hardware or software before components reach their destination. Supply chain integrity is, therefore, essential for IT security.
In this study, the researchers focus in particular on the failure of vulnerability testing to detect covert channels: unintended paths in a delivered product through which information flows between processes that are not supposed to be able to communicate. A component tampered with somewhere in the supply chain can use such a path to leak data or receive instructions while still passing every test of its documented functions.
As it stands, ISO/IEC 15408 (the Common Criteria) outlines the requirements and best practices for ICT security evaluation. In those specs, "Evaluation Assurance Levels" (EALs) run from 1 to 7. Where threats to security are not considered serious (EAL1), basic functional conformance testing is deemed sufficient. At EAL7 (security for high-risk situations), far more has to be tested for.
Somewhat unbelievably, analysis and penetration testing for covert channels is required only from EAL5 upward, "where developers or users require a high level of independently assured security in a planned environment."
It follows that products evaluated at EAL1 to EAL4 are never examined for covert channels, leaving them open to all manner of vulnerabilities -- bugs, Trojan horses, etc. -- introduced at any point in the supply chain by intruders engaged in industrial espionage, blackmail, or advanced persistent threats (APTs). And even for products recognized at EAL5 to EAL7, the researchers say, covert channel testing is not widely implemented across the industry.
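To make concrete why functional conformance testing says nothing about covert channels, here is an added example that is not from the article or from the Qiu and Zhao paper. It models a hypothetical shared resource (a lock standing in for a bus or file lock) whose documented interface is simply "take it if free, release it when done". That interface passes its conformance test, yet two components that are not supposed to communicate can move a secret across it bit by bit, using only whether the resource is busy. The component names, the secret and the lockstep scheduling (a barrier, so the demonstration is deterministic rather than timing-based) are all assumptions of this example.

```python
"""Covert storage channel through a shared resource (added example)."""
import threading


class SharedResource:
    """Hypothetical resource two components may legitimately contend for.

    Its only documented behaviour: try_use() takes it if it is free and
    returns True, otherwise returns False; release() frees it.
    """

    def __init__(self) -> None:
        self._lock = threading.Lock()

    def try_use(self) -> bool:
        return self._lock.acquire(blocking=False)

    def release(self) -> None:
        self._lock.release()


def functional_test(res: SharedResource) -> bool:
    """EAL1-style conformance check: the documented interface behaves."""
    assert res.try_use()            # a free resource can be taken
    assert not res.try_use()        # a busy resource cannot be taken twice
    res.release()
    assert res.try_use()            # after release it is free again
    res.release()
    return True                     # nothing here looks at *who* is busy


def bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def sender(res: SharedResource, secret: bytes, barrier: threading.Barrier) -> None:
    """Tampered component: encodes each bit as 'resource held' (1) or 'free' (0)."""
    for bit in bits(secret):
        if bit:
            res.try_use()          # hold the resource => receiver sees 'busy'
        barrier.wait()             # bit is now observable
        barrier.wait()             # receiver has sampled it
        if bit:
            res.release()


def receiver(res: SharedResource, nbits: int, barrier: threading.Barrier, out: list) -> None:
    """Unprivileged component: never reads the secret, only probes the resource."""
    for _ in range(nbits):
        barrier.wait()
        if res.try_use():          # free  => sender sent 0
            res.release()
            out.append(0)
        else:                      # busy  => sender sent 1
            out.append(1)
        barrier.wait()


def leak(secret: bytes) -> bytes:
    """Run sender and receiver in lockstep and return what the receiver decoded."""
    res = SharedResource()
    barrier = threading.Barrier(2)
    received: list = []
    t_send = threading.Thread(target=sender, args=(res, secret, barrier))
    t_recv = threading.Thread(target=receiver, args=(res, len(secret) * 8, barrier, received))
    t_send.start()
    t_recv.start()
    t_send.join()
    t_recv.join()
    decoded = bytearray()
    for i in range(0, len(received), 8):
        value = 0
        for bit in received[i:i + 8]:
            value = (value << 1) | bit
        decoded.append(value)
    return bytes(decoded)


if __name__ == "__main__":
    # Constructed input: a secret the receiver component is not authorised to see.
    print("conformance test passed:", functional_test(SharedResource()))
    print("leaked over the covert channel:", leak(b"api-key-42"))
```

The conformance test exercises every documented behaviour of the resource and passes, because the leak does not go through the interface's return values in any way the specification considers a fault; it goes through the shared state the two components can both observe. Finding that requires the covert channel analysis that, as the article notes, the Common Criteria only mandate from EAL5, plus an information-flow model of which components are allowed to influence each other at all.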
Other best practices attempt to lessen the impact of supply chain vulnerabilities through tamper-resistant packaging, remote tracking and monitoring, and third-party product validation and certification. But for many organizations, the cost of replacing existing network elements is out of the question. To help users validate that IT suppliers are operating securely in their supply chains, Qiu and Zhao propose "Architectural Solution Integration" (ASI), a four-layered approach to mitigating risk in the ICT supply chain. Each of the four layers (as per the figure below) reflects a different assurance level in the supply chain:
Layer 1 (the base) represents existing supplier quality processes, i.e. ISO standards.
Layer 2 represents existing third-party functionality testing and certification, i.e. EALs.
Layer 3 is the ASI. It relies on data in a “Supplier Database” (SDB) containing information shared among public and private sectors on trustworthiness, location, suppliers, technologies, and so on. As part of the ASI, a formula is used to compute trustworthiness based on information fed from the SDB. Results identify major threats and critical information assets that need protection as well as assisting in the analysis of data flow or critical paths, thus exposing vulnerabilities.
The final Layer 4 reflects the strictest integrity requirements, including tests for resilience against distributed denial of service (DDoS), electromagnetic pulse (EMP), and extreme service- or application-level resource starvation.
As part of a package of assurance measures, this four-layered approach could well be a major improvement to security and integrity within the ICT supply chain. Once the weak links in the chain are identified, the risks can be mitigated. In the light of recent hacks, though, it remains clear that tougher intrusion testing is needed at every assurance level, not only the highest ones.