In the middle of a human tragedy, did you notice?

During war, it seems there are no winners and losers, this is not a political article.? I have no intent on contemplating political views by posting this, but I would like us to re-visit our assumptions regarding how IT defines secure enterprises.? These opinions triangulate afer what we all witnessed, the horrific and very serious events in the Middle East.??

For many in IT or the communications industry, we paid notice of the weaponization of analog pagers and hand-held radios.? This seemed to be a turning point in escalation, but it has also made a few of us to pause and think about our own supply chain.? Modifying electronic equipment by controlling a small portion of the supply chain, evidently, can and likely has been happening.? State Agents, hackers, competitors have the capabilities of doing this with minimum experience.? Our supply chains are globalized, creating uncountable points of access for bad actors.? It’s becoming all too clear that we face a very real threat if access to the supply chain is not traceable, controlled, and supports a secure chain of custody monitored at the various stages.? In fact, security needs to begin prior to the ordering equipment and needs to be maintained until the equipment is decommissioned with its data removed and destruction prior to recycling. True end to end control of the Firmware, BIOS, Operating Systems (OS), applications AND hardware ecosystems are needed.? We should think of computer security as if it’s an unlocked front door to your business, in a neighborhood that is becoming more unsecure every day.

The marketplace has some good ideas to address portions of this problem, but it’s on each organization to implement their own multi-vendor, multi-process solution.?? i.e. there are no standards on how to confirm if the target device in any given environment is COMPLETELY PROTECTED and hasn’t been compromised.? Many organizations have focused on controlling and monitoring the software that is deployed in our enterprises thinking that this would be the likely source of a potential problem and a control point.? Most businesses, of course, attempt to control access to their enterprises with elaborate networking and authentication technologies.? The thinking is that nothing can happen if we block access to our various systems.? There are tools that will monitor your ecosystems i.e. OS, Firmware, application environments to ensure nothing changes in our IT bubbles.? But, with what we witnessed in the Middle East, what if the system platforms become the issue, what if they are deployed with chip or low-level, harmful, agents?? Check out the Bloomberg story on the topic: ?“The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies“

What if undetected payloads or hardware modifications are injected during the manufacturing process or installed in the back of the truck that delivers the equipment to a remote site?? Do you have a process or platform to mitigate this type of attack??

?For most people, discussions regarding IT security are like talking about buying life insurance. ?It’s an uncomfortable topic, unknown numbers of possible negative outcomes that are not clearly defined or desired.? It can be a substantial investment.? So, I have compiled some starter questions, thoughts and general check-list topics that should be included in your current security discussions, both internally and with your vendors:

·????? What precautions do your HW vendors provide to ensure individual sub-components are validated, verified and not changed during the product’s life.

·????? How are these changes documented, how are you alerted?

·????? How do your other vendors or contractors adhere to the same level of monitoring during their product or service lifecycle?

·????? In times of supply shortages, Continuity of Supply, (aka COS), is a real problem, price changes drive many decisions, how are component excursions reported by the vendor and sub-contractors?

·????? What mechanism is used to verify that all the components are in the system as intended and what tools are available from the vendor post deployment to maintain a vigil eye on the platform over the hardware’s life?

·????? How are you notified of sub-component HW changes, impacted drivers or BIOS??

·????? Does the vendor provide or support open-source tools to ensure interoperability with your other hardware partners to test your platforms over their deployment life?? Are their tools proprietary or ensures some level of lock-in?

·????? Is there a model to self-certify your “trusted” equipment already deployed, enabling the use of a common tool to monitor your multi-vendor hardware library?

·????? How easy is it to modify equipment previously installed, as to not cause unnecessary alarms?

·????? Can they scale the monitoring of these systems from the core to the far edge and to mobility devices?

·????? What does their supply chain look like from the time they build the device, when you order it and when it arrives?? There are obviously opportunities to tamper with the equipment, but does everyone understand where and when they happen?

"We should think of computer security as if it’s an unlocked front door to your business, in a neighborhood that is becoming more unsecure every day." - James Meeker

James H. Meeker is a consultant, writer and marketing executive.? Contact him directly ?via LinkedIn for questions re-publications rights or addition information.

?

https://www.dhirubhai.net/in/james-h-meeker/