Shedding Light on Shadowy Supply Chain Cyberthreats
By George Wainblat
With more eyes trained to the vulnerabilities of the changing global technology supply chain, developing ways to prevent future issues has become top of mind for manufacturers especially in this turbulent trade time. High-profile hacks originating from sources along the supply chain have dominated the cybersecurity landscape over the past year, most notably with the SolarWinds breach that eventually infected up to a quarter of North American electric utilities.
A supply chain attack is when a bad actor slips a malicious piece of code or component into a trusted piece of hardware somewhere between factory and final install. This malicious code can then potentially spread or be spread to all users or networks the final product interacts with. This can potentially impact thousands of individuals and cost countless dollars in remediation, ransom, or damage. In a well-known supply chain attack from 2017, Russian hackers penetrated the Ukrainian accounting software MEDoc and used it to push out self-spreading destructive code called NotPetya that caused $10 billion in damage worldwide. It remains one of the costliest cyberattacks to date.
Supply chain threats can be nefarious and intentional, like the NotPetya attack or simply due to negligence or improper protocol. There is rarely full transparency into external vendor security posture so it is extremely difficult to monitor and protect every potential entry point of each component before it arrives. Such a tall task makes it very easy for OEMs to lose oversight and control over the path that their products take while in production. Though supply chain attacks are deadly serious, many systems have virtually zero visibility into their presence until it’s too late.
Preventing server cyberattacks from along the supply chain requires establishing a root of trust (RoT) from the very first boot process. In a recent blog we explained how the Root of Trust (RoT) is a necessary entity against which to check all layers of the stack from hardware boot to firmware load, OS runtime up until the running applications. It’s the only way to know for sure that nothing is amiss, and no unwanted passengers are present.
Kameleon’s Proactive Security Processing Unit (ProSPU) offloads the RoT to an isolated security chip that is physically separate from the CPU. This guarantees the integrity of the platform by enabling remote attestation for all motherboard components but also any peripheral device connected to the system.
Is RoT necessary if Secure Boot is Implemented?
Many companies believe that Secure Boot software protection is enough to protect their device. The problem with Secure Boot is that it is protecting the same system that it is installed on, and that system may already be compromised. That would mean the attacker could see and control the system behavior even with Secure Boot. Any administrator or root level attacker can access, subvert, and change secure boot protection protocols or simply turn them off. Secure Boot protection can be turned off at the Cloud Service Provider (CSP) site long after the machine was turned on.
Without adequate tracking, visibility, and validation, it is not protected. RoT must start on the factory floor. This blog talks about how a device can be impacted throughout the supply chain and how a RoT hardware solution that is isolated from the main CPU can solve many of these attack vectors.
The Lifecycle of a Server
Kameleon’s RoT device is born at the IC assembly site and from the very moment of inception it is given a unique, unclonable ID that is self-generated on the device and then enrolled to the secured database, which guarantees that the device assembled will be trustworthy. These RoT devices are tracked throughout the entire assembly and they are factory-locked using stored cryptographic entity so that only the customer’s code can be programmed. This protects the device once there is a tender trafficking of the devices to the unsecured OEM assembly site.
At the OEM facility, the device and the system flash memory are both cryptographically bound to Kameleon’s ProSPU, making it impossible to physically attack or replace the flash memory with a malicious card. The server is then installed in the CSP data center, performing its purpose as the secure boot for the entire platform, validating that the firmware and any peripherals are properly signed while also performing secure updates as signed by the device updater.
This is how supply chain security, one that starts at manufacturing, can be maintained throughout the device lifecycle. If you apply this to the lifecycle of a server that makes its way through a supply chain to end up working in a data center, we can see how a hacker may make multiple attempts to compromise the server first by trying to install a bootkit on the host firmware, or even by physically trying to replace the host flash firmware. If the server’s RoT solution is isolated from the CPU however, the attacker can’t access it. In other words, it remains trustworthy.
How do you know RoT is safe and the ProSPU is doing its job?
After any attack attempt the data center IT admin can run forensics to verify that the server is still working properly and perform platform attestation on demand. Platform attestation is a process that allows external verification to check the platform for integrity. The data center IT admin can view the success of the attack block in the script output. Kameleon’s ProSPU enables device attestation by providing a hardware trust anchor that can verify compliance that a processor peripheral has passed security protocols and attest the validity of the device, safeguarding the application stack at every layer.
Visibility and Attestation Are Key to Keeping Out Supply Chain Cyberthreats
Though organizations have typically had to just hope and trust that supply chain vendors were delivering safe solutions, this approach is no longer viable, as multiple high-profile hacks from supply chain sources over the past year have proven. In order to protect themselves – and their customers and clients – CSPs and Server OEMs must introduce additional visibility and attestation into their supply chain product sourcing with a hardware RoT solution.