Hart Rossman, vice president and CTO for cyber programs at SAIC, says more needs to be done to secure hardware and software moving in the global supply chain. Rossman explains the threat posed by poorly manufactured, bogus parts and software. Unfortunately, few technologies exist to oversee secure manufacturing and ensure electronic components and software are not knock-offs.
Read the full transcript from this video below:
Security researcher calls for greater focus on supply chain assurance
Rob Westervelt: So we're here with Hart Rossman. He's Vice President and Chief Technology Officer for Cyber Security Solutions at SAIC and I know you've done a lot of research into supply chain assurance. That was kind of the gist of your talk this morning at B-Sides here in San Francisco. If you had to sum up your talk in just a few paragraphs, what did you hope that people would take away from it?
Hart Rossman: Sure. The two things I really hope people came away with is first that this is an ecosystem kind of problem, it's not something that one particular enterprise can solve, and so it will really take a community and a collaborative effort across the supply chain to do it. And the second it's because it's not a single enterprise solution you've got to really deal with the interrelationship between system development life cycles across the supply chain.
Rob Westervelt: And does this go for both hardware and software?
Hart Rossman: It does. And so the way we view the cyber supply chain domain, it's hardware and software as well as the things that connect them together. So whether that's a software development kit or a network backbone, right, it's that entire platform that drives supply chains both for the creation of information technology as well as companies that heavily utilize information technology to develop other types of products and services. For instance, the pharmaceutical industry.
Rob Westervelt: Maybe you can give a couple of examples of some of the risks that are posed by counterfeit electronic parts in the supply chain. What kind of risks do they pose?
Hart Rossman: One of the most common risks is that you don't know the performance characteristics of the device if it's not authentic or genuine. So you may have a situation where a very inexpensive part, like a particular transistor or green board, may inadvertently cause the failure of a multi-million or multi-billion dollar system that people are relying on for health and safety or security. That's one example. Another is in the consumer electronics space: it's becoming more prevalent, unfortunately, that popular consumer electronic devices, from digital music players to laptops and smartphones, are shipping with malware pre-installed on them. And obviously, in addition to the personal security threat and the potential loss of privacy if data could be exfiltrated, you have a real concern about brand and reputation for the consumer electronics companies that are forced in some way to provide sort of recourse for sometimes thousands of users who receive preened equipment.
Rob Westervelt: I think one of the examples you gave in your presentation was, let's say a counterfeit electronic part that ends up in an automobile, the automobile manufacturer can recall the automobiles, but if we're talking about, say, the space shuttle for example, that's not easily recalled.
Hart Rossman: That's true. So the two paradigms we see are, firstly, that a lot of folks who are looking at cyber supply chain challenges focus on the software side of the house, where they're used to the ability to remotely upgrade or patch some sort of vulnerability that's been discovered. And so they're challenged sometimes in the hardware environment where it's just not that easy. The second is that many of the systems that we're talking about where counterfeits could be introduced are not easily accessible physically. It could be satellites in space, they could be aircraft on an aircraft carrier out to sea for long periods of time, or it could be in the theater of war. In that kind of situation, access to known good parts and the ability to repair them may be difficult at best or, in the case of space, just non-existent.
Rob Westervelt: I know I've done a lot of reporting on radio frequency identification technology in the past, especially when I was writing about SAP and Oracle. I know Oracle does a lot of sensor-based technology in addition to RFID, and we've heard of some security issues with RFID, but if you're placing RFID tags on these highly sensitive items, doesn't that alleviate a lot of the issues that you're talking about?
Hart Rossman: The RFID technology that's typically used today in a conventional supply chain is used for tracking and anti-tamper, and so in some cases, particularly at checkpoints, there's a lot of use of them that's quite valid. Checkpoints aren't pervasive and they're not always, because it's a near-frequency type of technology, in constant communication with some kind of monitoring station. So they have some limited utility. There are also some interoperability challenges, and the RFID itself doesn't necessarily carry all of the detailed-level provenance and pedigree data about the components inside. So you have a lack of specificity at times, but it's a good technology. It's being used very effectively in a lot of ways; it's just not the complete solution.
Rob Westervelt: You started to talk in your presentation about an analysis study that you undertook and I believe you broke it down by certain industries or you focused on a certain industry, the food and beverage manufacturers. Can you talk just briefly about what you were talking about? The food and beverage industries?
Hart Rossman: Sure. So we collaborated with the RH Smith School of Business at the University of Maryland in College Park with their supply chain management center there. What we were really seeking to do was to build a cyber assurance reference model that would provide a holistic view of risk management, providing both defense in depth as well as defense in breadth for the cyber supply chain. And what we wanted to do was look at organizations that either developed and delivered the IT - you know, companies that manufacture routers or software components like operating systems - as well as companies that were heavily reliant on those to do their job.
And one of the areas that we looked at was in the pharmaceutical and food space. The reason for that is that they use a lot of industrial process control systems to manufacture, whether it's sophisticated pharmaceuticals, beer or some other manufactured product, and the risk of one of those computing systems mismanaging the production cycle, in terms of their brand and reputation and risks to the customers, could be significant, right, were it to be compromised or were the supply chain to be providing not genuine, not authentic components.
So you weren't sure of the quality and capability, and what we've found is that in many cases they do a phenomenal job of supply chain risk management for the components and for the manufacturing of the pharmaceuticals or the food or the beverages themselves, but they don't apply those selfsame techniques to the actual sourcing of the IT components that go into the industrial process control systems. So that was a great opportunity to look at systems that work really, really well in another domain and see how applicable they would be to the information technology space.
Rob Westervelt: How can you apply them? In brief terms?
Hart Rossman: Right. The short answer is there are a lot of phenomenal lessons learned there, everything from their quality management programs, to the contracts they have in place with their suppliers, to their ability to validate after the fact whether or not a particular drug or food product was successfully developed within certain specifications.
Rob Westervelt: You said something that maybe you can clear up for me, and maybe I missed the entire sentence that you said, but you said, "Global supply chains are just as fragmented as physical supply chains were a decade ago." Is that right?
Hart Rossman: Something to that effect, right. When we completed this course of research in conjunction with the University of Maryland, what we found was that when we compared the data we had about cyber supply chains to the data that they've been collecting for well over a decade about conventional supply chains, what we discovered is that the current cyber supply chain environment and state of practice is as fragmented and has as much opacity as the conventional supply chain risk management community had about 15-20 years ago. So it's not a direct comparison, apples to oranges. In one case we might be talking about transporting tires and garments and in the next case we're talking about sophisticated electronics, but the maturity of the industry and the understanding of the risks that are inherent in managing their supply chain is about the same place where the conventional guys were about 15-20 years ago.
Rob Westervelt: You mentioned something about structured incentives, that more structured incentives are needed? Can you talk about what kind of - are there any structured incentives out there, and could they be better?
Hart Rossman: So the short answer is yes, there are a lot of structured incentives.
Rob Westervelt: What is a structured incentive?
Hart Rossman: In this space it's typically a contractual arrangement that specifies how you're going to conduct business, between either two organizations or multilaterally amongst a number of organizations. And in the cyber supply chain space, what we see is that there are some good best practices around IT security and conventional supply chain risk management, but not about the merging of the two in this kind of broader discipline of cyber supply chain. What we also see is that in many cases the language that's out there is really at a two-party transaction level rather than addressing the entire supply chain.
So it tends to be between some large customer and their prime vendor or prime contractor, and not everybody else in the supply chain and not the customers that that primary acquirer is working with. So when we say structured incentives, that's really kind of a fancy term for creating the right kind of market incentives and the right contractual language and regulatory environment to support that, to make security in the supply chain something that really is aspired to be done.
Rob Westervelt: What are converged security cyber supply chain solutions? I think you coined that term.
Hart Rossman: Yes, that's a term I'm trying to get out there. We've got this idea of converged security solutions, which is some sort of combination of cyber and physical solutions, right? A typical example would be matching the gates and guards systems with the network-based IDS kind of thing. With cyber supply chain solutions, so now it's an idea that takes this defense in depth within an enterprise, defense in breadth across the supply chain, and really gives it a name that addresses both the hardware as well as the software sides of the discipline.
Rob Westervelt: Really, the bottom line from your presentation was that there are really no good technologies out there, at least for the hardware side, right?
Hart Rossman: Right. So in my experience, what we're finding is that there are a lot of good solutions on the software side, and there are a lot of folks in government and industry focusing on the regulatory environment. We're not seeing the kind of scalable solutions on the hardware or on the converged security side for supply chains that are available today. I've talked to folks who are thinking about stuff, who are thinking about working on stuff, but there's really nothing consumable today in the open market, and so in my talk I really advocated for folks to see if they can make some of that happen.
Rob Westervelt: You're advocating for that, but isn't the government going to drive most of this stuff? And is that what it's going to take? It's going to take, I don't know, the US military, the Department of Defense, to really kind of start driving some of this a little more?
Hart Rossman: I think in certain communities they certainly will; the defense industrial base, obviously, they have a tremendous amount of influence. Global supply chains are just that, though: they're global in nature, and they serve a variety of governments and a variety of enterprises, and have huge end user communities. So I think governments can be phenomenal advocates for the market, but the market itself has to come to some agreement on what the right solution is outside of a national security defense type of environment.