
Supply Chain Accountability - What Are Companies Doing To Certify That Products Have Not Been Compromised In Factory, Transit Or Otherwise?

Brett Byrnes
Oct 19, 2018
TKS Security

Sorry if this has already been discussed, I didn't find exactly what I was looking for OR I am not sure how to search it properly, but:

Where are we as an industry (Physical Security as a whole) in holding Manufacturers, Distribution, Logistics and Our own teams accountable for the integrity of our products? I'm talking about gray market products, mostly cameras - but Alarm Systems, Access Control and just about anything is vulnerable to hacking and threats to information and life safety.

What are some companies doing to certify that these products have not been compromised in factory, transit or otherwise? I am sure it IS being done, at least at some levels and by some companies, I would love to find out more.

Thanks - Brett

John Honovich
Oct 21, 2018
IPVM

Brett, great question! It has not really been discussed but the fear / concern for this has risen after the Bloomberg 'Big Hack' Story. Whether one believes or disbelieves that story specifically, intelligence officials do not dispute that generally such hacks / attacks do occur.

Some of the components to this accountability include:

  • Where is it made? China, Korea, Canada, etc.
  • What components does it use? Especially core networking / software elements like SoC (US Ambarella vs China Huawei Hisilicon, etc.).

I don't recall any video surveillance manufacturer publicly commenting in great detail about this historically. One thing we can do is ask the question to manufacturers and see what responses they can provide. We'll queue that up.

Let me know what other thoughts / questions you have. Curious to hear from other members on this as well.

Brett Byrnes
Oct 21, 2018
TKS Security

I think this is very serious and to ignore it would be a huge mistake. We have a responsibility to our customers to provide physical security and if we turn away from the fact that the equipment could be compromised and we did nothing to at least try to prevent it, I will consider that negligence. I started thinking about it a few years ago and recently it's really been on my mind. I know Supply Chain management is taken very seriously in other industries, I would think that security should take it seriously too!

Undisclosed #1
Oct 21, 2018

This shouldn't be a function of the industry. This should be a function of the relevant countries security services.

If the Bloomberg story is true, then it's not the industry's fault for not inspecting the hardware. It's the US security services' fault for not finding the malicious implant on hardware that is clearly a national security risk.

We can check cryptographic software signatures, we can analyze hardware to the component level all we want to. But the truth is, it's several 3-letter-acronyms responsibilities to ensure "national" security.

This is spy vs spy stuff.
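The post above mentions checking cryptographic software signatures as one thing the industry can do itself. The block below is an added example, not code from the thread or from any vendor: it verifies received firmware images against a vendor-published checksum manifest in the `sha256sum` layout and reports files that mismatch, are missing, or arrive unlisted. The manifest format, file names and image contents are constructed for illustration; the example uses SHA-256 digests from the standard library rather than asymmetric signatures, so the manifest itself must be fetched over a channel the firmware download does not control (the vendor's TLS-protected site, a signed release note) for the check to mean anything.

```python
"""Verify firmware images against a vendor-published checksum manifest.

Added example (not from the thread or any vendor). Everything below is
constructed: the file names, the image bytes and the manifest layout
assumed here ("<sha256 hex>  <filename>", the layout sha256sum prints).
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed "pristine" images standing in for a vendor's release files.
SAMPLE_IMAGES: dict[str, bytes] = {
    "cam-fw-5.4.1.bin": b"constructed camera firmware image 5.4.1",
    "nvr-fw-2.0.bin": b"constructed NVR firmware image 2.0",
}

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory image (stream from disk for real files)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict[str, bytes]) -> str:
    """Render a manifest from trusted images; stands in for the vendor's copy."""
    lines = [f"{sha256_hex(data)}  {name}" for name, data in sorted(images.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'digest  filename' lines, rejecting malformed or duplicate entries."""
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected 'digest  filename'")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: {parts[0]!r} is not a SHA-256 hex digest")
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name!r}")
        expected[name] = digest
    return expected


@dataclass
class VerifyResult:
    ok: list[str] = field(default_factory=list)
    mismatched: list[str] = field(default_factory=list)  # digest differs: tampered or corrupt
    missing: list[str] = field(default_factory=list)     # listed in manifest, not received
    unlisted: list[str] = field(default_factory=list)    # received, but vendor never listed it

    @property
    def passed(self) -> bool:
        """Only an exact match between manifest and shipment passes."""
        return not (self.mismatched or self.missing or self.unlisted)


def verify_images(manifest_text: str, received: dict[str, bytes]) -> VerifyResult:
    """Compare every received image against the manifest the vendor published."""
    expected = parse_manifest(manifest_text)
    result = VerifyResult()
    for name, digest in expected.items():
        if name not in received:
            result.missing.append(name)
            continue
        actual = sha256_hex(received[name])
        # compare_digest avoids leaking match position through timing; cheap habit.
        if hmac.compare_digest(actual, digest):
            result.ok.append(name)
        else:
            result.mismatched.append(name)
    result.unlisted.extend(sorted(set(received) - set(expected)))
    return result


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_IMAGES)
    shipment = dict(SAMPLE_IMAGES)
    shipment["cam-fw-5.4.1.bin"] += b"\x00"  # constructed one-byte modification
    print(verify_images(manifest, shipment))
```

The `unlisted` and `missing` buckets matter as much as `mismatched`: a shipment that contains a file the vendor never published, or lacks one it did, is a supply-chain discrepancy to raise with the distributor before anything is installed, not a detail to skip over because the listed files happened to match.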

John Honovich
Oct 21, 2018
IPVM

"It's the US security services' fault for not finding the malicious implant on hardware that is clearly a national security risk."

How do you expect 'US security services' to check all hardware coming into the US?

"This shouldn't be a function of the industry."

And how can it not be at least somewhat the responsibility of individual companies to ensure the integrity of their supply chain?

Undisclosed #1
Oct 21, 2018

Mr. Honovich,

"How do you expect 'US security services' to check all hardware coming into the US?"

That's not my problem, that's theirs. I certainly can't.

"And how can it not be at least somewhat the responsibility of individual companies to ensure the integrity of their supply chain?"

There is nothing -at present- that you can do to ensure integrity of each system's PCBs while remaining in business.

We can't go to ADI, pick up 30 PIRs at $30 a piece, take them back to their lab, break them down, analyze them at the component level without a PCB diagram (something of which manufacturers won't likely provide without an NDA) to ensure they are "probably" not compromised.

If a company states, "We ensure the integrity of all equipment from the manufacturer", it's a matter of time until they are sued and that statement changes to "We try to ensure the integrity of all equipment from the manufacturer".

Unfortunately, a product has passed through dozens of hands before it winds up in the IPVM lab.

We can and probably should ask manufacturers two questions:

1) What steps do you take to ensure the integrity of your systems from the assembly line to the distributor/client?

2) Can you ensure the integrity of your systems from the assembly line to the distributor/client?

I think they are both valid questions, however at this time, there is no way possible to ensure the integrity of anything assembly line to client, that's what I'm trying to get at.

Undisclosed Manufacturer #2
Oct 21, 2018

Easy; own and operate your plants outside of China. There are only a few manufacturers who do this.

Undisclosed #1
Oct 21, 2018

How do you protect them when they are sitting on ADI's shelves?

Also, you can't defend against an attack from China. If they want to hack your Axis system, it should be assumed that they will. It's the DOD's, among other 3-letter acronyms', responsibility to ward off State attacks.

You guys -at times- don't seem to give Nation States enough credit. You do know that even Mexico could take down our critical infrastructure, right? It's the wild west of IT security and the security industry is light years behind and woefully unprepared. We are in a state of mutually assured destruction regarding Nations' critical infrastructure.

Guys, China/US/Turkey/Russia/Israel/Mexico will hack your systems against your best efforts as these devices you use were not inherently designed to be secure in the first place.

Please name a system that those players can't hack and then ask yourself if they even need a hardware implant.

¯\_(ツ)_/¯

Brett Byrnes
Oct 21, 2018
TKS Security

That's a good place to start, but I honestly think we need to track every single part from the manufacturer all the way to our own shelves eventually.
