The accidental discovery of a mysterious microchip on a batch of network server circuit boards immediately derailed an acquisition deal involving two high-level technology firms and sent the IT staff of several United States government offices scrambling to take servers offline. This scenario sounds like it could be a movie plot involving covert ops and espionage. However, according to an October 2018 article in Bloomberg Businessweek, this chain of events actually happened.1
It might come as no surprise that, according to the Bloomberg article, the mysterious microchips were manufactured by a company in China. Like a high-tech version of the Trojan horse, the microchip was designed to allow stealth access to the company’s entire IT network infrastructure.
This act could be attributed as another round of suspicious activities straining trade relations between the two largest economies. Nevertheless, the possibility of hardware infiltration throws a wrench in an already challenging sector of manufacturing – the supply chain.
The Cybersecurity Threat Model Is Changing
Cybersecurity threats have put all eyes on areas like IT networks, email phishing, websites and internet of things (IoT) technology. Meanwhile, the supply chain, which remains mostly out of the spotlight, could be at risk of having numerous unchecked vulnerabilities. It would be easy to surmise that infiltrating a supply chain and implanting a spyware device on a circuit board is a lofty undertaking and out of reach for most cybercriminals. However, hardware components and circuitry are becoming smaller, faster and more complex – not to mention cheaper.2
Technology is playing a more prominent role in many industries, including health care. This means more technology-based hardware components are rolling off assembly lines bound for manufacturers of health care-related products. Consequently, medical device, biologics or pharmaceutical product supply chains could be popular targets for an infiltration attack. That said, the ability to alter devices or manufacturing equipment at the component level presents a new level of threat across the health care sector.
The Supply Chain Labyrinth
Thousands of parts are manufactured by companies all over the world. Depending on the part’s purpose or complexity, varieties of parts are assembled into intermediate components, which are then combined and/or retrofitted as needed. These component parts are eventually integrated into the final product, such as a medical device or piece of manufacturing equipment.
All the different parts are built by multiple companies, contractors, subcontractors, parts suppliers, assemblers and testers in multiple countries. Collectively, all these different companies make up a product manufacturer’s supply chain. In reality, if companies had to build all of these components in-house, they would never get a product on the market.
A typical medical device manufacturer could retain over 100 different suppliers. In addition, suppliers commonly outsource development tasks to other companies, making it difficult for sponsor organizations to sufficiently keep an eye on their entire supply chain.
“Components developed along the supply chain are not devices, they are components that could go into any device,” said Justin Heyl, cybersecurity strategies specialist, UL. “Devices must meet specific standards, which means all the components must meet the standards. Unfortunately, companies don’t always catch everything.” The urgency of getting products manufactured and out the door doesn’t make this issue any easier.
Eroding the Supply Chain Armor
Enjoying this article? You may also enjoy this White Paper:
How to Successfully Manage Your Suppliers and Ensure Product Safety and Compliance
Download Free White Paper
Numerous places along the supply chain are at risk of illicit activities, including counterfeiting, theft of intellectual property and the installation of malicious circuitry components. According to a supply chain risk management document published by the National Institute of Standards and Technology (NIST), criminals check all doors when targeting supply chains.
“There is no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyberattack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities.”3
According to NIST, the most common supply chain risks include:
- Third-party service providers or vendors – from janitorial services to software engineering – with physical or virtual access to information systems, software code, or internet protocol (IP).
- Poor information security practices by lower-tier suppliers.
- Counterfeit hardware or hardware with embedded malware purchased from suppliers.
- Software security vulnerabilities in supply chain or supplier systems.
The Counterfeiting Conundrum
Sophisticated criminals have developed ways to pinpoint supply chain vulnerabilities. Then, they can easily replace the contents of containers with minimal disruption to normal manufacturing activity. Because the items and containers are tracked electronically, the heist may go undiscovered until the items end up in the hands of users – or patients – and malfunction.4
Some parts are manufactured by only a few companies that specialize in certain components or parts. This means varieties of companies by necessity rely on a few available parts manufacturers. This presents a problem with devices that have a long lifespan. When devices or manufacturing equipment does need replacement parts, such as a certain microchip, there is a risk that the replacement part is no longer produced. Companies needing the replacement parts often rely on intermediaries to locate obsolete parts – these parts often turn out to be counterfeit.
In a report published by the U.S. Department of Homeland Security, 34,143 shipments of counterfeit and pirated products were seized in 2017. Approximately 12 percent of the seizures were health-, safety- and security-related products. U.S. Immigration and Customs Enforcement (ICE) Deputy Director Thomas D. Homan expressed concern that the proliferation of counterfeit items not only threatens the economy, but also presents significant health and safety hazards to consumers.5
Supply Chain Risk Management
Supply chain security should be a higher priority for all businesses. It’s important to develop a supply chain risk management model that is not only specific to your operation and industry, but is also up to date with current supply chain risks. Supply chain risks affect every aspect of the supply chain, including sourcing, vendor management, materials management, transportation security and many other functions. One of the most critical risks is the lack of supply chain visibility.
NIST recommends basing your organization’s supply chain risk management processes on your company’s specific situation and needs. The following questions from the NIST supply chain best practice guide are a good starting point for developing a supply chain risk management model:
- What steps are taken to tamper-proof products? Are backdoors closed?
- Are physical security measures across the supply chain in place, documented and tested?
- What access controls, both cyber and physical are established? How are they documented and audited?
- What type of employee background checks are conducted and how frequently?
- What security practice expectations are set for upstream suppliers? How is adherence to these standards assessed?
- How do vendors assure security through the product life cycle – including transportation and shipping?
Manufacturing supply chains typically have an extensive geographical reach and include numerous moving parts. The NIST recommendations help establish a solid foundation for building awareness of and strengthening supply chain security. However, implementing automated supplier management technology is an ideal way to effectively set up a supply chain monitoring and security strategy customized for your specific organization.
- The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies, Published by Bloomberg Businessweek, Oct. 4, 2018.
- Hardware Cyberattacks: How Worried Should You Be?, Sheridan, Kelly, DarkReading, Oct. 31, 2018.
- Best Practices in Cyber Supply Chain Risk Management, National Institute of Standards and Technology.
- Counterfeiting and Corruption in the Supply Chain, Medical Product Outsourcing (MPO), Apr. 5, 2006.
- Record Number of IPR Seizures in FY17 for CBP, ICE, Published on the Official Website of the Department of Homeland Security, Mar. 5, 2018
David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.