The electronic hardware industry is uniquely vulnerable to targeted attacks, given that the products it builds have complex and highly vulnerable supply chains that span the globe. In addition, these products are attractive targets commercially because their high price points can generate significant revenue for counterfeiters. Given that such products are often installed in highly sensitive environments like DoD facilities, stock exchanges, hospitals, and airlines, they are also attractive targets for bad actors seeking to intercept sensitive communications. In recent years, sophisticated companies have built up in-house expertise to identify and attempt to eradicate the types of threats posed by compromised products.
For Original Equipment Manufacturers (e.g. Dell, IBM, Facebook, Google, Amazon, Juniper, HP, Cisco, etc.), it is critical that they secure their supply chains from component procurement through to manufacturing facilities and finally to the end customer. If their supply chain is not secured, they have no hope of ensuring their products are not compromised, and neither do their customers.
For these companies, securing their products starts with understanding who they are contracting with, from component suppliers to manufacturing partners and finally distribution and logistics providers. Unfortunately, inserting a counterfeit or compromised component or product into any section of the supply chain is incredibly easy for anyone with the right understanding of how products are built and distributed.
There’s one incident that comes to mind that best exemplifies this problem. Imagine a truck full of blank motherboards rolling into a factory, which happened to be the right spec for a large brand owner’s products being built in that factory. Management at the factory purchased the boards as they were less expensive than the boards that were specified by the brand owner. There was no objective way to tell whether the boards were compromised in some manner, stolen, or simply counterfeit products. Luckily, my team was able to intervene and block the boards from being included in the product over the objections of local procurement.
The most troubling part of this incident is that we had no idea how long this practice had been going on.
Brand owners simply have a very limited view into what their component suppliers, manufacturing facilities, and distribution partners are actually doing on a day-to-day basis, as customers exercise limited oversight of the process.
Whether it’s routers & switches or consumer electronics, having a well-thought-out plan to secure your supply chain, and an expert team who understands manufacturing and distribution as well as how to monitor and enforce the requirements in the plan, is essential to success.
Contract manufacturing facilities, where most electronic hardware is built, run on razor-thin margins and have limited incentives to put rigorous protocols in place. Most manufacturing facilities will only put security protocols in place when the customer demands it and then spells out exactly what is required. However, without constant monitoring and stress testing of the requirements, the brand owner will simply have created a paper tiger. It’s absolutely critical to understand what the manufacturer can do as opposed to what they agree to do. Manufacturers will agree to most requirements, but simply don’t have the staff, expertise, or budget to ensure they are meeting your requirements.
I’ve seen counterfeit and compromised hardware enter supply chains at the component supplier, at the factory that builds the product, and in transit to the end user. Securing the supply chain means physically following the build process from the companies supplying components, through the build-out of the product at a manufacturing facility, all the way through the distribution chain. At each point in the supply chain, bad actors have substantial financial, or more nefarious, incentives to substitute counterfeit products or compromised components. If strict requirements are not in place at each stage and consistently monitored, you simply cannot ensure a secure supply chain.
So how can you ensure that you are taking adequate steps to secure your supply chain?
The most critical part is to ensure you have a team that understands the entire manufacturing and distribution system and the areas of potential compromise.
Without this expertise in place, it will be impossible to adequately secure your supply chain. These teams need constant training and a deep understanding of all aspects of manufacturing and distribution as well as how to conduct a meaningful investigation. They also need to fully understand the requirements they are enforcing and what they mean in a very practical sense. It is absolutely critical to have experts that have worked in and conducted investigations in a manufacturing facility or they will simply not understand how things actually work in that environment.
For instance, knowing that a simple cycle count of components, performed to ensure nothing has gone missing, is very different from a wall-to-wall cycle count. A simple cycle count can be accomplished with the manufacturing facility still operating and is very loosely controlled, whereas a wall-to-wall cycle count requires the facility to be shut down and every component accounted for during the count. Even during a comprehensive wall-to-wall cycle count, I’ve seen the folks performing the count come in with pre-populated worksheets that had all the fields completed and everything accounted for before they started work. Unfortunately, these practices are very common, and brand owners must be aware of and anticipate them, or they will simply have no idea what is happening in a facility thousands of miles from their corporate headquarters.
If a company does not have a dedicated team in place that understands the supply chain from end to end and ensures that the numerous organizations or departments involved are following best practices, you can be assured they are a paper tiger with no meaningful oversight.
If your team does not have these resources, consider retaining experts that have extensive experience in this area. Simply hoping your team will do their best is setting them and your company up for failure in securing your supply chain.
On the manufacturing side, if a manufacturer cannot provide documentation of the steps they take to ensure their own supply chain is secure, you can be assured that they have not secured their own supply chain in a meaningful way.
If the manufacturer does have documentation, you will need to ensure they actually implement their security procedures. I’ve seen requirements that a manufacturer install a security cage and a security camera to monitor a product. Unfortunately, when I asked to review the recorded footage, I was told they hadn’t actually connected the camera to a recording device. This type of disconnect between the manufacturer and the customer is more the rule than the exception. You will always receive the absolute minimum unless you set out clear, unambiguous instructions and monitor them.
Securing global supply chains, given their significant vulnerabilities, is not a simple task. It is critical that OEMs and their partners vet current processes and systems with security in mind, while putting checks and balances in place to monitor deviations and anomalies. Policing the supply chain in today's world is key to the success and reputation of a company and should be a requirement for any entity purchasing products it simply cannot afford to gamble on.