Headlines about cybersecurity threats to the IT supply chain rekindle fears of the government being exposed to unacceptable risk through the very technologies U.S. federal agencies depend on. Given the sheer size of global supply chains, it is easy to focus on the “what-ifs.” In reality, commercial and government organizations alike have already been handling the fallout from well-documented, high-profile supply chain dangers, such as the “Meltdown” and “Spectre” chip vulnerabilities in 2018, and learning a great deal in the process.
Entering the new year, it is clear that government organizations cannot realistically cordon off supply chain risk exposure with blacklists or procurement policies. Agencies must instead plan for the supply chains they have, not the supply chains they want. They must seek to limit the amount of compromised hardware and software incorporated into networks – while still planning for compromise. They must seek ways to operate without interruption or degradation in spite of attacks. Agencies can increase their resilience in the face of supply chain risk by implementing confidence-building measures, with continuous and complete visibility of all devices as the foundational element.
Every jarring supply chain suspicion hits on concerns that infiltrating our technology can harm the missions of the Department of Defense (DoD) and Department of Homeland Security (DHS), as well as law enforcement and safety agencies such as the Federal Bureau of Investigation (FBI) or Federal Aviation Administration (FAA). Countless critical infrastructure operators across energy, transportation, finance and healthcare are also mindful of this threat.
We cannot undo the third-party supply of essential tech hardware. Our dependence on components from constantly shifting suppliers across the globe is not likely to decline. Nor is it feasible to disassemble or test every commercial device in search of “something” malicious; such an approach simply won’t scale. What will help is refocusing on complete, continuous visibility into every IP-addressable device that connects to a network. Without foundational visibility of what is on the network and the dynamic flow of “things” coming and going, network defenders have a hard time seeing anomalous device behavior.
Known vulnerabilities require proactive, continuous risk management, including identifying your most critical systems and devices, identifying threats to the supply chain, evaluating the likelihood of those threats being exploited, and assessing the potential impact to affected technology. Fixing those weak links requires knowing where the involved devices are located. This sounds straightforward but has been very challenging for organizations to attain in practice.
First, agencies continually purchase computing equipment, leaving them subject to potential vulnerabilities occurring (intentionally or unintentionally) at the manufacturing phase. As networks grow and change, it can be difficult to keep track of assets, particularly devices that are transient in nature (think handhelds, medical monitors). Assets that are not tracked cannot be defended.
Second, almost all agencies have mission partners, contractors and sub-contractors going in and out of the network, connecting additional devices used in the performance of services. This makes anything short of real-time visibility much less useful.
Consider, for example, smart dishwashers, which are found even in places like the Pentagon. Procured by knowledgeable acquisition teams, smart devices are sometimes the only commercial equipment available, or fulfill important government requirements for high uptime and lower maintenance costs. Yet, without visibility into what they do on the network, you cannot measure these benefits against security and ask key questions, such as: “What is the likelihood of attack? Is the device segmented from other higher value networked assets? If it’s compromised or exploited, what is the potential impact? Would you even know if an exploit occurred?”
A couple of keystone federal cybersecurity initiatives can help checkmate supply chain threats with visibility.
The DHS’ Continuous Diagnostics and Mitigation (CDM) Program for civilian agencies deploys sensors conducting ongoing, automated searches for flaws in all connected endpoint devices. These sensors are programmed to know the intended behavior of a device and immediately identify anything anomalous. Consider the example of a hospital infusion pump that exists solely to dispense medication and report vital signs, machine-to-machine, back to a dedicated server. If that pump starts looking at financial data accessible on the same network, sensors will identify the anomaly so immediate remedial action can be taken. CDM leverages that principle so that cybersecurity teams can monitor and prioritize real-time alerts, then immediately respond to the most urgent risks. As CDM matures, the ideal state is for remediation of found problems to be done automatically, without human intervention. Finding suspicious traffic or hardware behavior consistent with tampering or unpatched vulnerabilities in real time means defenders can more rapidly isolate, study and remediate devices – slashing adversaries’ dwell time or exposure windows.
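The infusion pump scenario above can be expressed as a behavior baseline checked against observed network flows. The following is an added illustration, not code from the CDM program or any vendor product; the role names, addresses, ports and priority scheme are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses, ports and role names below are constructed for illustration.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

# Intended behavior per device role: (destination network, port) pairs.
PROFILES = {
    "infusion-pump": [("10.20.0.5/32", 8443)],   # dedicated telemetry server only
    "workstation": [("10.30.0.0/24", 443), ("10.20.0.0/24", 443)],
}
# Asset inventory: source address -> role. Anything missing is an unknown device.
INVENTORY = {"10.20.1.17": "infusion-pump", "10.40.2.8": "workstation"}
# Higher-value segments raise the alert priority when touched unexpectedly.
CRITICAL_NETS = {"10.30.0.0/24": "finance"}

def allowed(role, flow):
    return any(ip_address(flow.dst) in ip_network(net) and flow.dport == port
               for net, port in PROFILES.get(role, []))

def triage(flows):
    """Return alerts sorted most urgent first: (priority, src, reason)."""
    alerts = []
    for f in flows:
        role = INVENTORY.get(f.src)
        if role is None:
            alerts.append((2, f.src, "device not in inventory"))
            continue
        if allowed(role, f):
            continue
        zone = next((name for net, name in CRITICAL_NETS.items()
                     if ip_address(f.dst) in ip_network(net)), None)
        prio = 1 if zone else 3
        reason = f"{role} contacted {f.dst}:{f.dport}" + (f" ({zone})" if zone else "")
        alerts.append((prio, f.src, reason))
    return sorted(alerts)

SAMPLE_FLOWS = [
    Flow("10.20.1.17", "10.20.0.5", 8443),   # pump -> its server: expected
    Flow("10.20.1.17", "10.30.0.12", 445),   # pump -> finance segment: anomalous
    Flow("10.40.2.8", "10.30.0.12", 443),    # workstation -> finance app: expected
    Flow("10.50.9.9", "10.20.0.5", 8443),    # device missing from inventory
    Flow("10.40.2.8", "203.0.113.7", 22),    # workstation outside its profile
]

if __name__ == "__main__":
    for prio, src, reason in triage(SAMPLE_FLOWS):
        print(f"P{prio} {src}: {reason}")
```

The untracked device is flagged even though its traffic looks like legitimate pump telemetry, which is why the inventory lookup comes before the profile check.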
The DoD’s “Comply-to-Connect” (C2C) implements continuous monitoring in a slightly different way, by designating “state of asset security compliance” as a requirement to be and stay connected to a network. An ideal C2C framework includes comprehensive visibility, discovery and classification of devices, combining network integration and analytical techniques as part of the oversight and assessment process.
In the CDM and C2C programs, government organizations gain the ability to detect and take remediating actions on compromised assets, including those that may be on a procurement blacklist but somehow made it onto the networks anyway. While both of these initiatives begin with fundamental visibility, they end with real-time remediation and real-time enforcement of department policies.
The principles of CDM and C2C offer hope for managing security across the growing web of complex, nested supply chains. The smart dishwasher’s manufacturer is likely not building the appliance’s Wi-Fi radio embedded within. Today we have suppliers to suppliers, compounding the breadth of components and sub-components that make up this new connected environment.
The scale and rapid shift of supply chain threats are alarming, but consistent with well-known cybersecurity truths: There is no perfect fix and technology is fluid. Instead of physical tear-downs or reflexively trying to shun products based on where their assembly lines are located at any given time, defenders’ best bet is to shine a light on all devices and their true behavior to dispel “what-if” uncertainty and gain data necessary for real-time risk-based decisions.
Ellen Sundra leads the Americas system engineering team for ForeScout Technologies, where she supports large commercial and public sector organizations.