The Department of Homeland Security has identified IT supply chain security as a national imperative.
Given the extent to which agencies depend on commercial hardware and software, they cannot afford to ignore the risks posed by industry partners that do not protect against the injection of malicious code and components during the design, development and distribution of their products.
Below are six points in the supply chain at which risks might be introduced:
Design vulnerabilities, even if unintentional, eventually affect all users of the components once manufactured.
2. Development and Production
If not caught when testing prototypes, vulnerable or malicious components introduced during manufacturing and assembly can be difficult to identify down the road.
Vulnerabilities introduced while products are in route from production facilities to customers. are likely to malicious but affect only a limited number of components or customers.
4. Acquisition and Deployment
Malicious insiders can insert vulnerabilities or replace equipment with vulnerable components during acquisition or installation.
During maintenance, components are susceptible to vulnerabilities introduced through physical or network access, and from exploitation of previously unknown or unpatched vulnerabilities. Such vulnerabilities might target specific entities, but can affect many customers in the case of software updates.
Components that are improperly disposed of can contain sensitive data. Malicious actors can also attempt to refurbish components and try to resell them as new – with malware installed.
So much can go wrong with the security of a system even before you take it out of the box. And the potential for problems doesn’t end even once you dispose of it. That’s the challenge of IT supply chain security.
Download this infographic, “The 411 on IT Supply Chain Security,” for a quick visual tour of the IT supply chain and how you can protect your agency. You’ll also learn about the nine dimensions of supply chain risk, and four questions you should ask your IT suppliers.