Lessons from Huawei: Are supply chain security risks on your radar?
By Andy Bochman
If you don't subscribe to the online version of the Wall Street Journal, you probably don't get its daily CIO feed, which provides a nice, topical, tapas-sized taste of what's on folks' minds every morning.
One of those folks is me, and I've been stirred up lately by all the press (The Economist, 60 Minutes, etc.) and Capitol Hill attention Chinese communications equipment maker Huawei has been getting. Personally, I haven't had any direct contact with Huawei or its products, but I have a gut-level response when a company gets pilloried solely on where it is headquartered or the nationality of the owner(s).
This comes from my prior experience in application security and some vetting procedures that give credit to applications built by companies with U.S. ownership. The distance between owners, whose reputation and integrity may be stellar, and the products themselves, is vast. In the software world, rule #1 is re-use. Components written all over the world are easy to find, buy or borrow these days. And security is often not in the decision tree of the developers on either side of the equation.
Of course, owners' reputations may be less or far less than stellar, but still, the distance remains and they have little impact on the ultimate security characteristics of their wares. All that to say, Huawei's products need to be scrutinized carefully prior to purchase and deployment. But the same level of attention needs to be paid to ALL third-party products, IT and OT, hardware and software, regardless of country of origin.
Take it away, Michael Hickins (from The Morning Download: Beware Your IT Supply Chain):
Good morning. A White House report leaked Thursday exonerated Huawei of spying on behalf of the Chinese government. But that doesn't mean you can rest easy. The same report found vulnerabilities in the company's networking equipment, which put customer data at risk.
Customers are unwittingly installing computing and networking equipment and software rife with back doors created by vendors who outsource parts of their production to partners in "politically hostile" areas of the world, according to Gartner analyst Neil McDonald, who just published a study on the topic. "Attackers use weaknesses in a supply chain to get a foothold on a system rather than attack a system in production, which is hard on a well-defended system," McDonald told CIO Journal.
CIOs can reduce the risk of introducing trap-door-riddled IT by demanding proof of an explicit chain of custody from IT suppliers covering all third-party hardware and software they use in their products. They also should require their IT system providers to periodically sample and test their products; and they should procure the same equipment used by government agencies, which in some cases employ electron microscopes and chemicals to test IT components. McDonald says the spotlight on Huawei put IT supply chain risks "on the radar screen of every CIO." Now it's up to every CIO to act on this information.
Nicely said, Neil McDonald.
Andy Bochman is author of the Smart Grid Security Blog and an Energy Security Lead for IBM's Rational division, where the focus is on securing the software that runs the smart grid. Andy is a contributor to industry and national security working groups on energy security and cyber security. He lives in Boston, is an active member of the MIT Energy Club, and is the founder of the Smart Grid Security and DOD Energy Blogs.