Supply Chain Attacks Back on the Agenda

Introduction

The world learned last week about the alleged existence of a malicious microchip or hardware modifications, introduced in data centre server’s motherboards from a well-known US vendor, presenting an alleged malicious behaviour. The investigation, conducted by a US news media corporation, traced back the original manufacturer from the vendor’ supply chain process, identifying a sub-contractor located in China. The disclosure takes place in the realm of a global trade storm with the US and China in the epicenter and after a long period of mutual accusations of industrial espionage. Adding to this episode, the growing concerns from the EU over alarming levels of cyber espionage against European industry, revealed by a recent study, with an official position expected any time soon.

In this particular episode, there is more to know about this microchip and its alleged malicious capabilities. For now, there is no report of an incident resulting from the hardware implant. All parties involved - including the vendor and its ca. 30 customers – are denying its existence and the UK’s DHS and GCHQ questioning the conclusions of the report. Aside from all the political and diplomatic discussions, the lesson learned from this episode is to revive the urgency to mitigate the risks associated with hardware vulnerabilities and supply chain attacks.

This Info Note reviews the finding of an investigation to a suspicious microchip found in the motherboard of a major server systems vendor and the risks associated with the exploit of hardware vulnerabilities and supply chain attacks.

Contextual Information

The Semiconductor Industry

The Electronic Components and Systems Industry, that includes the manufacturing of semiconductors, plays a critical role in the digital transformation currently ongoing. During the last decade, the US remained the market leader in this industry with other countries, including China, demonstrating a serious commitment in expanding this sector. Europe semiconductor industry, representing a pale ca. 9% of the global market in 2017, is a minor player, compared with the leading countries US, China, South Korea and Taiwan.

While the demand for consumer electronic products continues to increase, is not predictable that this situation will reverse any time soon. Vendors will continue manufacturing and sourcing components from Asian suppliers, mainly looking for cheaper productions costs.

The alleged malicious microchip

The microchip, firstly noticed in 2015 during a third-party security audit to the US vendor, was reportedly not in the original motherboard design but later introduce by a Chinese subcontractor. This fact raised suspicions about the real intentions in altering the blueprints and placing this component into the motherboards. According to the researcher, the microchip was “… placed electrically between the baseboard management controller (BMC) and its SPI flash or serial EEPROM storage containing the BMC's firmware.”

The BMC is part of a computer server Intelligent Platform Management Interface (IPMI), a crucial component in the motherboard, responsible for managing the interface between the system-management software and hardware. It allows administrators to remotely monitor and maintain machines, typically over a network without having to physically locating the server in a data centre. Typical capabilities of the BMC firmware includes to force the server power-cycle, reinstall or modify the host operating system, mount additional storage, access a virtual keyboard and terminal connected to the computer, among others. By reaching the BMC software from a malicious motherboard microchip, an adversary can have control over any given server. It constitutes one of the best places to implement unauthorised access to a server. The controller has access to the server's main memory, allowing it to create a backdoor into the host operating system kernel, download and execute second-stage malware.

The threat with Supply Chain attacks

Supply chain attacks constitute worst case scenario for all kind of companies and due to its high mitigation costs, one for which such organisations are least prepared to deal with. As there is no good fix if the supply chain is being attacked, the impact of such attack may be nefarious and unpredictable.

In 2016, ENISA published a detailed study on “Hardware Threat Landscape and Good Practice Guide”, proving a deeper analysis into aspects of hardware threats, vulnerabilities but also mitigation by means of good practices. The major hardware non-physical and malicious threats identified by the study:

• Firmware Modification, e.g. of CPU, internal/external Controllers (e.g. hard drive/USB media), chipsets, smart chargers, smart batteries, co-processors, NICs.
• Remote firmware attacks, e.g. in network interface cards.
• Attack Persistence.
• Information Access.
• Traffic sniffing at the network, internal Bus or memory level.
• Surveillance of location, audio, visual data and behaviour.
• Data tampering, spoofing of location and behaviour.

Under this light and having in mind internal market issues in the European Union, manufacturers and consumers alike have reasons to be concerned by supply chain vulnerabilities as cybersecurity issues are exacerbated unless control is retained from A to Z in a supply chain. While a possible mitigation measure for instance is to design and manufacture own products, such an approach can be affordable to few large consumers that enjoy high market share margins. All other market actors – and in particular SMEs - might find this approach to be far beyond their financial capabilities. Even in cases of trusted hardware design, it may be the case that actual manufacturing takes place in overseas plants managed under scant principal control. That might give rise to a host of issues, let alone poor manufacturing practices, that can give way to vulnerable soft or hard components (and firmware) to contaminate otherwise well designed systems.

Recommendations

ENISA published a study in 2015 titled “Supply Chain Integrity” reviewing the ISO/IEC 15288, an engineering standard covering systems processes and lifecycle including Supply Chain Integrity and resilience functions.

Besides recommendations made in the quoted ENISA Report on Supply Chain integrity, ENISA recommends:

• Maintain a small supplier base allowing a vendor to have tighter control over its suppliers.
• Security built into the design to detect any previous unauthorized access to the production environment.
• Stringent vendor controls in order to abide by lists of approved protocol.
• Conduct occasional site audits at supplier locations and having personnel visiting the sites on a regular basis for greater control.
• Strict adherence to reporting requirements mandated in the EU regulatory framework (e.g. NISD, GDPR, eIDAS)
• Close cooperation with investigating authorities in case of an incident carrying criminal law implications

Closing Remarks

The inevitability of the risks associated with industrial globalization require from vendors a systemic and detailed approach in Supply Chain processes. The risk of an adversary implanting a vulnerability in the supply chain is not new, and its mitigation proven extremely difficult regardless if conducted internally, from inside the company or externally from a third country supplier. A thorough definition of security requirements and adherence to best security-by-design practices should be the industry focus when mitigating these risks. As there is no specific protection available for consumers, monitoring for suspicious activity in networks and servers remains the best advice possible, to defend from this type of threat.