Friday, October 19, 2012

Supply Chain Security Awareness on Upswing for Energy and Comm Sectors

10/25/12 Update: Huawei just said it is ready to have all its source code tested for security. Would other vendors be so bold?

------------------

If you don't subscribe to the online version of the Wall Street Journal, you probably don't get its daily CIO feed, which provides a nice topical tapas-sized taste of what's on folks' minds every morning.

One of those folks is me, and I've been stirred up lately by all the press (The Economist, 60 Minutes, etc.) and Capitol Hill attention Chinese communications equipment maker Huawei has been getting. Personally, I haven't had any direct contact with Huawei or its products, but I have a gut-level response when a company gets pilloried solely on where it's headquartered or the nationality of the owner(s).

This comes from my prior experience in application security and some vetting procedures that give credit to applications built by companies with US ownership. The distance between owners, whose reputation and integrity may be stellar, and the products themselves, is vast. In the software world, rule #1 is re-use. Components written all over the world are easy to find, buy or borrow these days. And security is often not in the decision tree of the developers on either side of the equation.

Of course, owners' reputations may be less or far less than stellar, but still, the distance remains and they have little impact on the ultimate security characteristics of their wares. All that to say, Huawei's products need to be scrutinized carefully prior to purchase and deployment. But the same level of attention needs to be paid to ALL 3rd party products, IT and OT, hardware and software, regardless of country of origin.

Take it away, Michael Hickins (from The Morning Download: Beware Your IT Supply Chain):
Good morning. A White House report leaked Thursday exonerated Huawei of spying on behalf of the Chinese government. But that doesn't mean you can rest easy. The same report found vulnerabilities in the company’s networking equipment, which put customer data at risk.
Customers are unwittingly installing computing and networking equipment and software rife with back doors created by vendors who outsource parts of their production to partners in “politically hostile” areas of the world, according to Gartner analyst Neil McDonald, who just published a study on the topic. “Attackers use weaknesses in a supply chain to get a foothold on a system rather than attack a system in production, which is hard on a well-defended system,” McDonald told CIO Journal.
CIOs can reduce the risk of introducing trap-door-riddled IT by demanding proof of an explicit chain of custody from IT suppliers covering all third-party hardware and software they use in their products. They also should require their IT system providers to periodically sample and test their products; and they should procure the same equipment used by government agencies, which in some cases employ electron microscopes and chemicals to test IT components. McDonald says the spotlight on Huawei put IT supply chain risks “on the radar screen of every CIO.” Now it’s up to every CIO to act on this information.
Nicely said, Neil McDonald.