SAN FRANCISCO -- A supply chain management expert studying ways companies can crack down on cheaply made imitation parts and software is urging software makers and manufacturers of electronic devices to develop
There are some ways to address supply chain risk management. But few technologies exist to guard against the manufacturing of phony microchips and other components that could end up in a myriad of devices, including smartphones, automobiles or worse: the space shuttle. Speaking at the Security B-Sides conference in San Francisco, Monday, Hart Rossman, vice president and CTO for cyber programs at McLean, Va.-based Science Applications International Corp. (SAIC), cited an internal study conducted by NASA, which found that a number of counterfeit electronics that it aboard the space shuttle into outer space.
where a very inexpensive
multibillion dollar system.
Vice president and CTOSAIC
"If you ship a component that is counterfeit and it goes into an automobile, it can be recalled, but what if you ship a counterfeit component that goes into a space shuttle?" Rossman asked. "It can be very difficult to determine if something is genuine or an unauthorized copy."
The lack of focus on supply chain security is flooding the market with fraudulent parts and devices. The problem is a growing threat to the consumer electronics industry, which is concerned that malware can be placed on digital music players, laptops and smartphones at some point in the supply chain. While it poses major privacy issues for consumers and a serious security risk if the malware steals data, it also can be costly to consumer electronics companies that have to deal with the fall out by providing recourse -- either a new device or compensation -- to potentially thousands of customers.
The cyber supply chain is made up of a mixture of hardware and software vendors that are connected via software development kits or some kind of network backbone, Rossman said. It is made up of businesses that create devices like smartphones and computer systems as well as companies that heavily use information technology for products and services, such as the pharmaceutical industry.
Fraudulent parts can cause catastrophic damage, but even pose significant monetary damage to businesses, Rossman said. The problem stems from a lack of dialogue between manufacturers and their partners because much of the information contains proprietary data, highly safeguarded by companies and the manufacturers they deal with. "Record keeping is nonexistent or incongruous at best," Rossman said.
"One of the most common risks is that you don't know the performance characteristic of the device if it's not authentic or genuine," Rossman said. "You may have a situation where a very inexpensive part, like a transistor or green board, inadvertently causes the failure of a multibillion dollar system that people are relying on for health and safety or security."
Rossman said the problem isn't going to be solved by a single enterprise, but rather will need a collaborative effort across the supply chain. A study of industrial process control systems that are used in the food and beverage industry and the pharmaceutical industry found that the control systems themselves are secure, but many companies were taking on significant risk by not being able to check if replacement parts were genuine.
The same security techniques fail to be applied to the actual sourcing of IT components that go into industrial process control systems, Rossman said. Organizations need to focus on creating better quality management programs, stronger contractual language with suppliers and improve their ability to validate after the fact, regardless if an item is developed to certain specifications.
"Global supply chains are just as fragmented as physical supply chains were more than a decade ago," Rossman said. "The maturity of the cyber supply chain and the industry's understanding of the risks that are inherent in managing their supply chain is about the same place where the conventional guys were about 15 or 20 years ago."