Black Hat Europe 2019: Trust your vendors, but verify

If partners in your supply chain have access or information on your data or your network, their risk is your risk

Recently, Lenovo received a call from a US school district about a complaint. The newly ordered computers were suddenly showing the blue screen of death, with the number of bricked systems growing by the tens. A detailed enquiry revealed the culprit: counterfeit spare parts.

"A partner who was delivering machines out to a school district on our behalf installed their engineering samples on our devices," said Thorsten Stremlau, global commercial CTO, Lenovo, explaining the problem of compromised supply chains at Black Hat Europe 2019.

"It was really difficult for us in the beginning because the markings on the outside of the sample looked like the actual spare part." That was not an isolated incident, he said.

"Hackers planting components on the motherboards and firmware via devices in the supply chain is a new threat that we are facing now." 

Implementing security by design across all processes -- firmware development, software development, design of the motherboard -- is a crucial step in avoiding supply-chain mishaps, Stremlau said. "Do not think of security as an afterthought."

The process is easier said than done, Stremlau explained, drawing on Lenovo's experience, where the engineering team had to change how it worked so that security principles were factored in from the start and the company had security fully built in.

Moreover, as a manufacturer, the company relies on a host of suppliers. The company had to put in a vetting system to counter the risks affecting that supply chain.

Security crises in any of your supply chain members have a direct impact on you, said Jason Steer, director - EMEA presale at Recorded Future.

"If you have ten partners, as part of your risk management process, you do want to know if bad things happen to them," he said during his presentation at Black Hat.

"We use Jira at Recorded Future. Atlassian, the manufacturer of Jira, had a couple of interesting incidents: exposed email addresses, product vulnerabilities." Each time, the company went back to Atlassian to get a clear picture of the issue, asking detailed questions about how the risk had been mitigated, because it had a direct impact on Recorded Future.

"Those are the type of questions that you don’t do in the surveys. Those are the types of things that you need to be asking to your new and existing vendor relationships because if they have access or information on your data or your network, that risk is your risk," said Steer. 

"If you are in the hardware development, this is the cornerstone of securing the entire supply chain: having security built in to the process rather than adding it as an afterthought," Stremlau said.
