If you have been listening to the news lately you have heard stories that originated from Bloomberg about the alleged hacking of server motherboards during the manufacturing process of American company Super Micro. To the layperson or average manufacturing company executive in the US this is scary news. To cybersecurity professionals and members of US intelligence organizations, this comes as little surprise.
I was involved in a briefing by InfraGard last month specifically warning of this threat and how real it is to the American supply chain. The unclassified briefing was conducted by the FBI’s Senior National Intelligence Officer for China/East Asia, Charles Lundy, and it was highly informative and helpful for my work and that of my fellow cybersecurity professionals. Among other things, we were told what to look for and what trends are coming out of this new development: that we are dealing with potential component-level hacking at the manufacturing stage.
Who Is to Blame
Of course, the Chinese and other manufacturing companies that have been compromised are to blame. But the question remains: who do you blame? If you look at this Forbes report, Super Micro’s stock is down 41% almost instantly. So it looks like the market, rightly or wrongly, is going to blame the victim, and very quickly.
The point is that no one is going to care whether your company is a victim or not. If your company gets caught up in a supply chain scandal of this type, you will be blamed. And not just the company: people inside the company will be on the hook for this.
What To Do
I have written about this issue here and on several other occasions. I discuss it in my book about protecting your supply chain, as have many other writers and cybersecurity experts. The point is that you need to begin with the end in mind. Most manufacturers build products as quickly and cheaply as they can and then worry about their security later. They are simply not including cybersecurity protections and detection in the original design, and this is a mistake.
Some manufacturers offer bug bounties to people in the user community to find the bugs in their products after they are released. This is the very definition of letting the horse out of the barn and then waiting to catch it later. Of course, these manufacturers hope that they will catch the horse, and not some bad actor from China. This is too little, too late.
This is not how this should be done. The attacks are becoming more sophisticated and harder to detect, and your supply chain is becoming more vulnerable with every iteration. Please start locking down your supply chain today. If you have not had a security audit in the last year, or in the last six months for companies that work with sensitive material and complex supply chains, then you need to start today. Your company should have comprehensive policies on how you prevent supply chain compromise and manage relationships with other companies. Don’t wait for this to happen to your company.