Working to Secure the Technology Supply Chain

Application-based attacks like the Colonial Pipeline ransomware hack capture headlines but security pros know that cyber criminals are not stopping with application-based attacks and will continue to aim deeper into the heart of computing by targeting operating systems, firmware and hardware.

This inevitable trend has created a need for security solutions that not only focus below the OS in areas like firmware and software, but also that reach deep into the technology supply chain. Attacks early in the chain can have a profound impact on technology consumers, including government organizations that rely on technology to carry out their missions and store and transmit sensitive data.

This trend is one reason the National Institute for Standards and Technology is updating its guidance on developing cyber resilient systems. It is also a bit part of why the Biden administration emphasized cyber resilience in its recent review of supply chain issues.

The escalating nature of cybercrime is also why Intel and other industry leaders are investing in the Compute Lifecycle Assurance, or CLA, initiative. The goal is to develop and implement industry leading supply chain security solutions and to work with industry partners to implement a framework for building security into every stage of a device’s existence, from design to manufacture, from deployment to retirement.

For government organizations, CLA means the technologies they rely on should become increasingly cyber resilient. Agencies are well-advised to keep themselves informed of the advancements in supply chain transparency and traceability, and the continual protections CLA will generate to address vulnerabilities as they emerge.

Security at Every Stage

The shift in focus of cyber crime has highlighted the importance of advanced security operations, investments, training and solutions that span across every stage of the device lifecycle. Industry leaders in security have long invested, implemented and led the industry in these holistic supply chain and product lifecycle assurance investments.  CLA extends that security-first mindset throughout the technology lifecycle, including:

Build: Starting at the design stage then deep integration with sourcing and manufacturing, how do you confirm the integrity of a platform and its component devices? Is it designed and built in a trusted manner? Is the platform assembled in a trusted facility, with proper controls in place to not only establish the time of manufacture, but also to ensure the necessary levels of traceability?

There’s always risk during manufacture that a vulnerability could be inadvertently built into a product. This could occur, for example, through firmware with embedded malicious code or counterfeit components that are intentionally malicious or not designed securely.

CLA provides guidelines for mitigating this risk. One approach is to implement security solutions to gather, cryptographically seal, and securely store metadata from devices as they are manufactured. 

Transfer: Does the system arrive as ordered? Are there processes, controls, and technologies in place to detect tampering, modification or changes within the hardware, firmware and software? Are there mechanisms in place to establish who should, or should not have rights to modify the platform throughout distribution?

Risk can also be introduced as devices ship and make their way through the distribution channel. Does the system arrive as ordered? Are there processes, controls, and technologies in place to detect tampering, modification or changes within the hardware, firmware and software? Are there mechanisms in place to establish who should, or should not have rights to modify the platform throughout distribution? 

CLA can reduce these risks in several ways. One is a set of standards to help all vendors that design, build or combine components to adhere to stringent security practices. Another is tamper-resistant and tamper-evident packaging to identify physical tampering. Finally, technology solutions that track and can identify changes to the system (authorized or unauthorized) and establish ownership and transfer for the device are critical to establish transparency, traceability, and tamper resistance within the distribution channel. 

Operate: Is the system operating in a known and trusted state? Have the latest functional or security updates been applied? Is the trust profile of the system enough to automate key provisioning and attestation procedures? 

Technology must remain protected as it’s implemented, used and updated. CLA provides guidelines designed to allow your organization to confirm, for example, that the technology products you procure are legitimate and secure before you deploy them. Your IT team should also be able to configure hardware to ensure, each time the device is booted up, that firmware is up-to-date and physical components haven’t changed.

Retire: Has all data that was transmitted, stored or erased been confidentially wiped from the drive and the platform? Is the status of the device understood as it enters into the secondary market?

In the past, organizations procured a device, provisioned it to an employee and, when it came time for replacement, physically destroyed sensitive components on the system such as storage. Today, consumption models such as PC as a service (PCaaS) are popular, allowing organizations to lease devices, which are eventually reprovisioned in secondary markets. Such redeployments present security risks.

CLA addresses these risks through technologies that ensure data is entirely and irretrievably wiped from devices before they’re reprovisioned or discarded. Proof-of-custody data can make sure the device that was deployed is the device that was retired, and that certificates of data destruction haven’t been faked.

Agencies Play a CLA Part

CLA doesn’t involve only the companies that design and build devices upstream in the supply chain. Consumers of technology such as government agencies also play a crucial role.

IT departments should take advantage of the transparency that’s being built into the technology supply chain. Use available tools from industry partners to retake the snapshot taken when the system first loaded the BIOS onto the CPU and ensure there’s a match. Second, keep current on BIOS updates and firmware patches that protect against vulnerabilities as they’re uncovered.

Finally, demand that all your technology providers implement the kind of supply chain visibility CLA advocates. Many CLA guidelines map directly to key regulations you need to comply with such as the Defense Federal Acquisition Regulation Supplement (DFARS), which requires organizations to have a mechanism to protect against counterfeit components.

No initiative or technology can eliminate cyberattacks and cyber risk. But by building protections into every link of the supply chain, the Compute Lifecycle Assurance initiative is making technology safer for the government organizations that depend on it.

Patrick Bohart is a senior director at Intel focusing on technology advancements in security assurance.