Changing the Conversation: Threats FROM the Supply Chain

When most people discuss the supply chain, the conversation mostly involves ships, trains, and trucks. These vast transportation networks move items from place to place under threats such as hurricanes, train derailments, civil unrest, or factory fires. These are all important and serious concerns, but I believe the time has come for the conversation on supply chain to change. The conversation must shift from threats TO the supply chain to threats FROM the supply chain.

With our current reliance on the Southeast Asia peninsula for Information Technology (IT) components, IT manufacturers in the United States are in the difficult position of securing a supply chain with limited visibility and even less control. These original equipment manufacturers (OEMs) spend time, capital, and resources ensuring that their devices are secure, but the sheer volume and geographical constraints make this a challenging task at best. Think about it this way: do you know whose hands have been on your IT equipment components?

In the public sector, the challenge is exacerbated by the use of Lowest Price, Technically Acceptable (LPTA) contracts for the procurement of ‘commodity’ IT equipment. This has the desired effect of driving prices significantly lower and the unintended consequence of allowing our adversaries to introduce counterfeit or maliciously tainted hardware into our IT environments through low-cost supply chain risk management processes. The desire to award a contract to the lowest-price bidder opens the door to businesses that, either knowingly or unknowingly, deliver devices that may look like the real item but could come from grey-market (counterfeit) or black-market (maliciously tainted hardware) sources. This is a real problem that all OEMs face and battle daily.

In addition, the role of the “nation state bad actor” must be accounted for in our supply chain discussions. The recent article published by Bloomberg regarding malicious hardware chips in servers shines a bright light on the threat facing our IT supply chain. Direct access to components serves as a powerful and low-profile attack vector for foreign entities to subvert systems they will eventually compromise. While the full extent of this threat is still being verified, there is no doubt that serious threats from the supply chain exist, and we must be ready to face them. The supply chain has been listed at the top of several cyber security threat lists inside the public and private sector.

How do we change this? We start at the beginning. The topic of threats FROM the supply chain must be raised early in procurement and remain part of it throughout the entire supply chain cycle. Manufacturers, distributors, value added resellers, government, and public and private companies must all understand their role in keeping our hardware and software safe. Customers buying IT equipment must insist on strong supply chain security practices. They must look at IT equipment not as low-cost commodities but as potential cyber threats.

Supply chain danger can be mitigated with holistic supply chain risk management (SCRM) practices and a focus on measurable, verifiable, and auditable data. Several U.S. federal agencies are already leveraging contracts specifically designed to deal with supply chain threats. All companies supplying IT equipment should be held to high supply chain security standards. We need widespread adoption of standards such as DMEA, ISO 28000 (Supply Chain Risk Management) and ISO 20243 (Mitigating Maliciously Tainted and Counterfeit Products) for our supply chain to keep up with the unrelenting cyber-attacks.


Practical application of supply chain assurance. Can you “trust” your data center systems?

In previous posts, I discussed supply chain assurance, its importance, and examples of the consequences of a supply chain breach. So now, let’s look at these ideas within the scope of deploying IT systems, specifically complex data center systems.

Creating and expanding data center infrastructure alone is a daunting and complex process. In most cases, IT departments are dealing with multiple vendors, IT service contractors and thousands of part numbers at a minimum. The design, architecture, security hardening and deployment itself is a challenging endeavor, especially considering the proliferation of open standards, software-defined automation and hybrid designs that integrate both public and private clouds. You can understand why many companies, overwhelmed with the task of deploying and expanding data center infrastructure, overlook the equally important issue of its supply chain integrity. Unfortunately, this oversight puts most companies at risk before the first data center rack is deployed. Your risk of a cyber breach and/or premature system failure increases significantly from day one with the potential for embedded malware, malicious tampering, gray-market and counterfeit components. The reality is that this is not an area companies can choose to overlook today. In fact, supply chain integrity needs to be integrated into the design phase of your data center.

Many companies lack the resources and expertise to properly vet their vendors and hardware choices while they work through the design of their data center systems. In most cases, design through deployment alone is at minimum a 9-month process. Add to that analysis of the supply chain, integrity testing and security hardening, and most companies take over a year to deploy systems. So, what if there were a better approach, where all the design, configuration, supply chain integrity validation and security hardening is provided up front in a turnkey, ready-to-deploy solution? Over the past year, CyberCore Technologies has focused on integrating data center design/deployment with supply chain assurance and integrity testing to enable companies and government agencies to deploy “clean” data center infrastructure with a root of trust back to the component level of the system (both software and hardware).

Today, CyberCore Technologies, in partnership with Hewlett Packard Enterprise, Intel and Red Hat, is excited to launch SecurStak, the world’s first secure, scalable, cloud-enabled data center delivered to your door – via secure transport, Authority-to-Operate (ATO) ready – as a turnkey, single-SKU, fixed-price solution (including support). Now companies, government agencies, systems integrators, or anyone who needs to manage on-premise infrastructure or create a FedRAMP-compliant cloud can have a pen-tested, scalable-to-any-size solution in a fraction of the time of a traditional custom-built approach. This allows them to focus less on building infrastructure and more on delivering value to THEIR end customer – in a secure, timely manner. The result is a dramatic improvement in efficiency, time to market, and cost savings, with average deployment time measured in weeks rather than months and years.

For more information on SecurStak, please visit www.SecurStak.com.


Supply chain security: The ROI of compliance

With the recent surge of data breaches, government enterprises such as the Department of Defense and the Department of Homeland Security, as well as their suppliers, have increased their focus on IT security. Their protocols did not include the tracking and tracing of your supply chain, but that’s about to change.

New regulations are going to require you to maintain greater supply chain security. With this security shift, the question is no longer if you should improve your supply chain assurance, but when. For most organizations, the public sector included, the answer to this question is determined not by the potential risks but by the potential return.

New regulation for increased protection

Government offices know all too well the threat that counterfeit parts can bring to a supply chain. In 2014, the Defense Department warned against the use of counterfeit parts because they may contain malicious code that could support a cyberattack. Legislation was enacted requiring government contractors to establish and document supply chain security protocols to detect counterfeit electronic parts. These compliance protocols included features such as using trusted suppliers, tracing parts to original manufacturers, and quarantining counterfeit parts so they cannot re-enter the supply chain.

ROI of securing your supply chain

Ultimately, the greatest driver for improving supply chain risk management is ROI. While mitigating risks and maintaining compliance are important, the ensured product quality protects the brand from risk, resulting in a form of competitive advantage. Valuable ROI from supply chain compliance appears in a few forms:

  • Increased supply chain visibility can result in sourcing, manpower and insurance cost reductions.
  • The reduced risk of counterfeit, poor quality or compromised products or components increases customer satisfaction.
  • Greater supply chain insight allows you to anticipate and respond to changing demands.
  • Limiting failures from defective or vulnerable components increases the profitability of your organization.

A one-size approach doesn’t fit all

With the growing risks and the new regulations, changes to supply chain risk management are happening, but not fast enough. Government enterprises have enormous supply chains that require them to proceed with caution before implementing changes to comply with the new rules. Large contractors are improving their anti-counterfeit practices, but smaller vendors are not legally required to adhere to the new requirements.

CyberCore delivers industry-compliant supply chain security that’s ideal for a private sector company or government agency of any size. View the video to see a secure supply chain in action.


Buyer beware: Do you know how much supply chain assurance is enough?

Supply chain security seemed like child’s play when it consisted of a small handful of companies that operated in a paper- and pen-based world. Then, we didn’t have to worry about supply chains that spanned date lines, time zones and networks.

In today’s global marketplace, supply chains can span dozens of countries and hundreds of suppliers. As a result, supply chain structures and the strategies needed to secure them have changed dramatically. Traditional cybersecurity that’s focused on protecting supply chains from outside attacks doesn’t address 100 percent of the vulnerability. To keep your company safe, you need an end-to-end supply chain solution to guarantee a secure product purchase.

What is supply chain assurance, you ask?

Supply chain security ensures that the product you order is the one you receive. It provides transparency into supply chain operations and tracks a product through the lifecycle of its development, mitigating the risk of tampering, theft or delivery disruption. The result is a protected and secured environment that delivers a higher level of confidence in product quality. Consider what could happen if you connected a maliciously corrupted PC to your mission-critical enterprise systems. In the worst case, your main system could be hacked and business continuity could be interrupted. If this were to happen, your customers could be impacted and your business put at risk for lawsuits and costly fines.

So how exactly does it work?

Supply chain assurance involves discovering and mitigating vulnerabilities in hardware and software in order to uncover backdoors that can allow an attacker to change how your systems work. To limit these vulnerabilities, you and your suppliers need to discover potential threats as early in the supply chain as possible. Supply chain assurance programs are increasing the flexibility and automation of risk mitigation and helping to satisfy compliance mandates for some regulated industries. The National Institute of Standards and Technology (NIST), for example, has established risk management best practices for federal information supply chains. In addition, the International Organization for Standardization (ISO) has standardized specifications for secure management of supply chain systems.

How much is enough?

The question of supply chain assurance is less about the amount of assurance than about how widely you are covering the risks associated with your supply chain. A multi-tiered approach that protects facilities, operations and systems is considered a best practice across the board. Protocols should be in place to identify, assess, respond to and monitor supply chain risks and penetrations. Risk assessment and risk management processes throughout all phases of your supply chain can reduce the threat of an attacker tampering with devices or introducing counterfeit products.

CyberCore is an HP Platinum Partner that can provide supply chain assurance for your business by thoroughly inspecting each link in the supply chain. Our supply chain approach ensures every component maintains the highest levels of security to satisfy NIST and ISO requirements. Download the brochure to see how we can protect your IT purchase from risk.


Hacked! Five things that happen when supply chains are breached

Sony, Target, Staples, Home Depot and JPMorgan Chase all know a thing or two about the negative fallout of a cyberattack. These companies were all hacked in 2015, leaving their intellectual property compromised and their customers’ sensitive information at risk.

Many of these companies were hacked through exposures within their supply chains. So what are the consequences of supply chain failure that can leave your company vulnerable to hackers looking to steal your vital information?

Financial exposure

If your provider’s supply chain is breached due to a lack of security, your customer data and sensitive product and corporate information can be stolen, leading to massive legal and financial expenses that could cost you millions of dollars. Your company can be sued by customers and employees for damages if their personal information was compromised. There are also fines that can be imposed for mishandling financial and health-care records.

Loss of intellectual property

Your suppliers have access to your intellectual property. A gap in security protocols could expose your competitive secrets to the world. Customer lists, business plans, financial records, marketing initiatives and email records are all mission-critical. Losing that data, having it corrupted or having it slip into the hands of a competitor could cripple your organization.

Brand and reputation corruption

A hacker who gets hold of your sensitive information can wreak havoc on your brand by taking down websites, posting false information and emailing your customer base with phishing scams, to name a few. Customer trust takes time to build, and a breach can cause a major setback that results in lost customers who never return, causing long-term revenue losses and reduced market share.

Lost stakeholder confidence

Investors, partners and shareholders have all staked a claim in your success. A hack that leaves your business vulnerable or puts these high-level influencers at risk can cause these partners to pull up stakes if they don’t think you have a secure approach to your operations.

Interruption of business operations

A supply chain hack that leads to product tampering poses the risk that the product will fail to deliver the reliability expected. If the computers you ordered are tampered with, they can fail at any time, leaving your business without the systems it needs to perform work. Computers infected with Trojan horses, spyware or other malicious code can cause networks and mission-critical operations to go down, with business as usual being suspended until repairs can be made.

Supply chain risk management that protects you from hackers begins and ends with a strong and secure chain of custody. Learn more and discover how CyberCore delivers computers, workstations and laptops with a secure supply chain that protects your business from a risky purchase.


Strong supply chain security: Three top reasons you need it now

There’s no doubt about it—today’s globalized, Internet-driven supply chains are built for cost efficiency and optimized for speed. Yet while modern supply chain proficiencies improve product cost and quality, they also can put your IT purchase at risk if your provider has weak supply chain protocols.

So what are the three biggest supply chain threats that could put your IT purchase at risk?

  1. Physical security of warehouse and integration sites, transportation, internal personnel and third-party subcontractors
  2. Operational security, including procurement, system configuration, software loading, verification, transportation and delivery
  3. Logical security of hardware, software, network components and devices


Facility breaches threaten product quality

The physical security of supplier facilities can be an easy entry point for product tampering, theft or cyberattack. It’s also difficult to manage because the facilities are populated with personnel and contractors who are invited in. These individuals can easily gain access to your hardware and software components at the integration level. Your IT supplier should have a policy of physical security to safeguard facility entry and workspaces. This should include monitored building security, exterior cameras, interior cameras, motion sensors, alarmed doors, 24/7 security details, and zoned access with badge readers that limit access to sensitive integration areas based on roles.


Operational disruptions derail product confidence

Chances are many of your components are imported from overseas suppliers that may or may not have supply chain security. This expansive operational network opens the door to malicious corruption, counterfeit components, gray-market products and potential delivery disruption. Business continuity and secure operations must be established throughout this expanded operational framework, and accommodations must be made for region-specific risk. For confidence in your product purchase, choose a supplier that has a tightly integrated security approach that audits and documents the chain of custody from inception to disposal. Transportation disruptions can result in damaged, compromised or counterfeit product outcomes, but shipment tracking, tracing, event logs and time stamps from dock to door can mitigate risk along the way.
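The paragraph above describes a documented chain of custody with event logs and time stamps from dock to door. The following is an added example, written for this page and not CyberCore's own code or process, of how such a log can be made tamper-evident and checked on receipt: each custody event records a handoff of one asset between two named parties and carries the SHA-256 of the previous event, so an altered, dropped or inserted event breaks the chain. The verifier also confirms that handoffs are contiguous (the receiver of one event is the sender of the next), that timestamps never run backwards, and that every event refers to the serial number on the purchase order. The field names, party names and serial number are constructed for the example.

```python
"""Tamper-evident chain-of-custody log check (added example, not vendor code).

Events are hash-chained: every event stores the SHA-256 of the previous one.
Field names, party names and the serial number below are constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first event of a chain


def event_hash(event: dict) -> str:
    """SHA-256 over the event's canonical JSON, excluding its own 'hash' field."""
    body = {k: v for k, v in event.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(chain: list, ts: str, location: str, sender: str,
                 receiver: str, serial: str) -> dict:
    """Create the next custody event and link it to the previous event's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    event = {"seq": len(chain), "ts": ts, "location": location, "from": sender,
             "to": receiver, "serial": serial, "prev_hash": prev_hash}
    event["hash"] = event_hash(event)
    chain.append(event)
    return event


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2018-10-01T08:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def verify_chain(chain: list, expected_serial: str) -> list:
    """Return a list of findings; an empty list means the log is consistent."""
    findings = []
    prev = None
    for i, ev in enumerate(chain):
        if ev["hash"] != event_hash(ev):
            findings.append(f"seq {ev['seq']}: stored hash does not match event contents")
        expected_prev = GENESIS if prev is None else prev["hash"]
        if ev["prev_hash"] != expected_prev:
            findings.append(f"seq {ev['seq']}: prev_hash does not link to the previous event")
        if ev["seq"] != i:
            findings.append(f"position {i}: sequence number {ev['seq']} out of order or missing")
        if ev["serial"] != expected_serial:
            findings.append(f"seq {ev['seq']}: serial {ev['serial']} does not match order {expected_serial}")
        if prev is not None:
            if ev["from"] != prev["to"]:
                findings.append(f"seq {ev['seq']}: custody gap between {prev['to']} and {ev['from']}")
            if parse_ts(ev["ts"]) < parse_ts(prev["ts"]):
                findings.append(f"seq {ev['seq']}: timestamp earlier than previous event")
        prev = ev
    return findings


SERIAL = "SN-CONSTRUCTED-0001"  # constructed serial number from the purchase order


def build_sample_chain() -> list:
    """Constructed dock-to-door log for one server chassis."""
    chain = []
    append_event(chain, "2018-10-01T08:00:00Z", "OEM factory dock", "OEM", "Carrier", SERIAL)
    append_event(chain, "2018-10-03T14:30:00Z", "Integrator receiving", "Carrier", "Integrator", SERIAL)
    append_event(chain, "2018-10-05T09:15:00Z", "Integrator secure cage", "Integrator", "Secure courier", SERIAL)
    append_event(chain, "2018-10-06T11:45:00Z", "Customer loading dock", "Secure courier", "Customer", SERIAL)
    return chain


def tampered_location(chain: list) -> list:
    """Copy of the log in which one event's location was edited after the fact."""
    bad = json.loads(json.dumps(chain))
    bad[2]["location"] = "Unlisted warehouse"
    return bad


def dropped_handoff(chain: list) -> list:
    """Copy of the log with the carrier-to-integrator handoff removed."""
    bad = json.loads(json.dumps(chain))
    del bad[1]
    return bad


if __name__ == "__main__":
    for name, log in [("clean", build_sample_chain()),
                      ("edited location", tampered_location(build_sample_chain())),
                      ("dropped handoff", dropped_handoff(build_sample_chain()))]:
        print(name, verify_chain(log, SERIAL) or ["no findings"])
```

The hash chain only proves that the log you were handed is internally consistent; to detect a log that was rewritten wholesale, the final hash would have to be communicated out of band (for example on a signed delivery document), which is outside this example.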


IT failures compromise product reliability

Logical security secures computers, software, networks and mobile devices that are used for supply chain collaboration, communication and production. Vulnerability points can include caching issues, data leakage, JavaScript vulnerabilities, and verifying the security of software applications that manage critical information, from product designs to price lists. Your supply chain partners should have strong logical security protocols to stop breaches and hacks from compromising your devices. This includes firewalls, intrusion detection and monitoring, along with scanning of all drives, software and media before they’re loaded into the system.
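The paragraph above calls for software and media to be verified before they are loaded into a system. As an added example, not CyberCore's code or procedure, the block below checks a staged set of software images against a hash manifest taken from a known-good copy, reporting files that were modified, files that are missing, and files that are present but not listed. The directory layout, file names and contents are constructed in a temporary directory so the example runs offline.

```python
"""Pre-load verification of software images against a hash manifest.

Added example, not vendor code. The manifest maps each relative path to the
SHA-256 of the known-good file; the check flags modified, missing and
unexpected files in the shipped media. All file names and contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Manifest of every file under root: relative POSIX path -> SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_media(root: Path, manifest: dict) -> dict:
    """Compare every file under root with the manifest.

    Returns {'ok': [...], 'modified': [...], 'missing': [...], 'unexpected': [...]}.
    Anything in 'modified', 'missing' or 'unexpected' should block the load."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            result["unexpected"].append(rel)
        elif sha256_file(path) == expected:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def demo() -> dict:
    """Constructed scenario: a golden image set, a manifest taken from it, and a
    shipped copy with one altered file, one file missing and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        (golden / "firmware").mkdir(parents=True)
        (golden / "firmware" / "bmc.bin").write_bytes(b"constructed BMC firmware image v1")
        (golden / "os.iso").write_bytes(b"constructed OS installer image")
        (golden / "drivers.tar").write_bytes(b"constructed driver bundle")
        manifest = build_manifest(golden)

        shipped = Path(tmp) / "shipped"
        (shipped / "firmware").mkdir(parents=True)
        (shipped / "firmware" / "bmc.bin").write_bytes(b"constructed BMC firmware image v1 plus one change")
        (shipped / "os.iso").write_bytes(b"constructed OS installer image")
        (shipped / "tools.exe").write_bytes(b"constructed file that is not in the manifest")
        return verify_media(shipped, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In practice the manifest itself must come from a trusted channel (a signed file from the OEM or the integrator's own golden build), otherwise a tamperer who can alter the media can alter the manifest to match.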

CyberCore has over 15 years of experience securing supply chains for quality, confidence and reliability, with an ISO 28000-certified framework that mitigates purchase risk for your organization.

Download the CyberCore Risk Infographic to learn how we mitigate more risk in more places.


What is cSCRM and Why Should I Care?

Welcome to CyberCore’s New Blog: Cyber, Before the 1s and 0s!

My name is Brett Bennett and I am the Director of Cyber Supply Chain Security at CyberCore Technologies (CyberCore). I’m a self-proclaimed process “geek” with over 20 years of experience leveraging technology to drive operational efficiencies. The primary goal is to deliver a product or service with the greatest efficiency, at the lowest possible cost, while ensuring standards compliance without compromise. Throughout my career I have had the opportunity to work in all stages of the supply chain, from procurement to delivery, and I currently manage CyberCore’s alliance partner network, comprised of hundreds of suppliers and manufacturers.

So who is CyberCore and where does Cyber Supply Chain Risk Management (cSCRM) fit into the equation?

Founded in 2000, CyberCore Technologies is the leading provider of Secure Supply Chain Management and Cyber Solutions focused on protecting our customers’ environments from external and internal threats. Leveraging ISO 28000 and ISO 20243 certified supply chain security processes, CyberCore provides Value Added, Managed, and Professional Services to ensure all end-user services are secure and trusted.

Throughout the product acquisition lifecycle, CyberCore provides value added services including asset tagging, testing, smart-boxing, secure packaging, and secure delivery of IT equipment and rack-based systems, leveraging ISO certified processes and procedures to reduce the likelihood of delivering counterfeit or tainted products to a customer. CyberCore’s Managed Services optimize your infrastructure, provide proactive device management, and optimize business processes to save you money and reduce waste. CyberCore’s Professional Services consist of over 300 cleared personnel with concentrations in many technical disciplines, including engineering and operations, networking, software engineering, and cyber security. CyberCore has delivered over $2B of IT product and 700+ system builds for core mission IT infrastructure for government and commercial clients.

As the industry has evolved, CyberCore’s focus on security in the supply chain has evolved with it. Supply Chain Risk Management (SCRM) primarily referred to resiliency within your supply chain: ensuring delivery of products and services at competitive cost without disruption or compromise. Over the last decade, however, SCRM within the IT industry has evolved dramatically. The rapid growth and adoption of technology has led to increasing amounts of product outsourcing and innovation to develop technology at increasingly competitive cost points. While this diversity enables technology innovation at lower cost, it also increases vulnerability to malicious influence. In today’s world, the Internet of Things (IoT) opens a potential pathway for attackers to touch all aspects of our lives, including personal data, the financial and healthcare industries, and even national security. The risk is growing exponentially from an ever-increasing web of global suppliers and manufacturers. While statistics vary, as many as 40% of cyber-attacks have originated through infiltration of the supply chain. As a result, system integrators, value added resellers, and equipment manufacturers must address cyber security throughout the supply chain. With over 17 years of experience in the IT supply chain and ISO 28000 (Secure Supply Chain Risk Management) and ISO 20243 (Mitigating Maliciously Tainted and Counterfeit Products) certifications, CyberCore has a mature Cyber Supply Chain Security program focused on this mounting risk.

Processes, standards, legislation, and opinions published since 2002 on supply chain risk management and security are broad and at times difficult to navigate. One of the goals of this blog is to bridge the gap between boring boilerplate content and something that is more engaging.

Depending on your role within the supply chain, your priorities and your ability to control influences will vary greatly. Forming a common opinion or standard supply chain risk management program from all available data and viewpoints is a significant challenge. Using this blog as the vehicle, I look forward to sharing information I come across as it relates to the IT industry, supply chain risk management and cyber supply chain security. I will share what it takes to implement supply chain risk management standards, how they will affect your business’ ability to control cost and still meet Service Level Agreements (SLAs), how they will make a difference, and discuss different implementation strategies.

Please don’t be shy about sharing ideas on topics you would like to see discussed on CyberCore’s social media platforms linked below!

All the best…Brett