Security Experts:

Gartner: IT Supply Chain Perils Will Impact Mainstream Enterprise IT

IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years, Gartner analysts wrote in a report examining recent incidents affecting the supply chain.

Enterprise IT supply chains will be targeted and compromised, and force IT to change how it currently manages supply chain integrity, according to Gartner's latest Maverick report released Thursday. IT supply chain integrity will be a top three security-related concern by Global 2000 IT leaders, said Gartner analysts Neil MacDonald and Ray Valdes, in the report.

Gartner Logo"IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years," said MacDonald, a research vice president and Gartner Fellow.

The IT supply chain has become more complex and globally distributed in recent years, according to Gartner. Hardware vendors are outsourcing not just manufacturing, but also design tasks to OEM suppliers and contractors abroad. Established Asian suppliers are also outsourcing to companies in other countries, introducing more opportunities to compromise the supply chain.

Gartner is far from alone in voicing concern over risks in the IT supply chain. A report from Northrop Grumman prepared earlier this year for the U.S.-China Economic and Security Review Commission warned that “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety.” 

The GAO voiced similar concerns, acknowledging that threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.

IT systems are assembled from an increasingly geographically diverse set of providers, which makes the integrity of the IT supply chain even more important, said Valdes, a research vice-president at Gartner. Businesses, governments, and individuals can no longer completely trust the integrity of the IT supply chain and the IT stack is vulnerable to compromise, he said.

"This is a complex problem, since most hardware systems are a conglomeration of components and subsystems procured from a large number of individual providers," MacDonald and Valdes noted in the report.

Protecting IT Supply Chain

Gregory Wilshusen, the GAO's director of information security issues, told lawmakers in March 2012 that with purchases being made from all over the world, government agencies need to check them for vulnerabilities that could slip in at any point between the manufacturing and shipping process. 

“The global IT supply chain introduces risks that, if realized, could jeopardize the confidentiality, integrity and availability of federal information systems," Wilshusen said at the time.

By 2018, at least one multi-billion dollar Western-aligned enterprise IT vendor will spin out a Chinese subsidiary as a wholly owned and independent entity with isolated engineering and production to help alleviate supply chain integrity concerns, the Gartner analysts wrote in the assumptions section of the report.

The lack of trust in information security offerings will fragment 50 percent of new information security market spending along geo-political lines by 2018, Gartner said. It will take a little longer for spending to fragment for operating systems and other IT system infrastructure software, according to MacDonald.

MacDonald and Valdes said that by 2018, IT procurement in at least half of the G20 countries for critical, non-military infrastructure will explicitly ban several IT systems produced by vendors in hostile, competitive, geo-political groups.

This will sound familiar to anyone that has been following the recent Congressional report concluding that China-based Huawei and ZTE couldn't be trusted to supply networking equipment and implied the two companies had connections to the Chinese military. Both Huawei and ZTE have denied any ties with the Chinese government.

Supply chain issues also don't end just because system has been delivered to the end-user, Gartner analysts noted. Users still rely on other companies for ongoing maintenance and updates. Supply chain integrity must extend to include "operational supply chain" issues such as updates, Gartner said.

IT supply chain integrity is becoming more of a concern now because attacker motivations are changing, according to the report. Attackers are moving away from "noisy" attention-getting attacks in favor of stealthier, targeted, and financially motivated attacks for political, military, or financial gain, according to Gartner.

IT supply chain attacks are not restricted to intelligence and defense targets, but can include manufacturing, financial services, and pharmaceutical sectors.

IT organizations can take a few steps to protect its supply chain, Gartner said.

Organizations should require proof of an explicit chain of custody from IT suppliers, and also proof of periodic sampling and testing of its products to ensure the chain hasn't been compromised. Organizations should strengthen their procurement processes and deal directly with IT vendors, when possible, or through trusted, certified resellers. "Explicitly ban the purchase of new or used IT hardware or software from eBay, Craigslist or similar public auction sites," Gartner suggested.

Most hardware systems include software-based elements, such as firmware and devices, and more program logic is being shifted into software stack, Gartner explained. Software-defined IT architecture running on standardized hardware will result in more transparency and make it easier to trust the supply chain, because it is easier to test the software layers, according to Valdes.

Even with software, organizations need to make sure they are using genuine versions of software, and the applications are all signed with strong digital signatures. "Just because something is digitally signed doesn't mean it can be trusted. Stolen or compromised code-signing certificates are significant risks if they are trusted blindly," the analysts warned. Organizations should augment the use of signed code with community-based certificate and file reputation services, according to the report.

It's also important to note that using open source components does not eliminate supply chain integrity concerns, as rogue or outdated libraries and frameworks can pose significant risks to the enterprise. Organizations should ensure that all frameworks and libraries used in open-source offerings are legitimate and up-to-date, and that the compiler used hasn't been compromised, Gartner recommended.

Enterprise IT departments must begin to make changes today to protect their systems and information in a world where all IT systems are suspect, MacDonald concluded.

Related: Consortium Pushes Security Standards for IT Supply Chain 

Related: The Need to Secure the Cyber Supply Chain

RelatedStudents Develop Techniques to Keep Malware Out of the Electronics Supply Chain 

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.