Strengthening the weakest link

Stuart Constable

Friday 15 February 2019

You’re only as secure as your weakest link, and for many companies the biggest risk is their supply chain. You need solutions with security built in at every point, with the assurance that your security supply chain is protected and compliant from end to end. Stuart Constable looks for the weakest link.

A little trust goes a long way in a secure supply chain.

You can have all the contracts you need, with every box ticked. But a supply chain can only work if it’s founded on that most human of concepts, trust. The more complex it is, the further that trust has to reach.

A supplier at one end may never know every provider involved in the design, development, manufacture, assembly, dispatch, delivery and maintenance of a product or solution. Each individual relationship rests on the trust between the contracting parties, which includes the assumption (or, in some cases, proof) that all the other relationships are equally well-founded.

The technology that connects a supply chain faces a particular challenge: it can be attacked from anywhere, with relative ease. The physical components – warehouses, factories, vehicles and so on – are discrete; if a depot is robbed or vandalised, there may be disruption, but the other facilities can all still function. If the infrastructure and applications connecting the individual providers in the chain are compromised at any point, however, the whole line of supply could be materially affected. All without the attacker ever having to leave their room.

When that supply chain is itself concerned with the provision of secure technology, then the challenges get even more complex. If you’re equipping your team with all the devices they need to work wherever they need to work, you need to know that every device is built to your precise specification and security standard.

Any endpoint could provide a backdoor for malware or targeted attacks. The problem is that there is a healthy black market for costly components, and they can be swapped for low-grade counterfeits at any point along the supply chain. A device might leave the factory built to the correct standard, yet arrive with critical parts replaced and its integrity and security seriously compromised. Unless you have a record of what was built and a way to compare it with what was delivered, you may never know until it is too late.

This is why Lenovo has made its Transparent Supply Chain a fundamental part of its customer relationships. We build security into our products from the components up, with system-level and component-level traceability. Every supplier of intelligent components is vetted and security-cleared, and our products are supplied in secure packaging that quickly shows whether there has been any tampering along the line of supply.
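Component-level traceability is only useful if the receiving side actually checks it. The following is an added example, not Lenovo's code and not the real Transparent Supply Chain manifest format: it assumes a hypothetical factory manifest (`FACTORY_MANIFEST`) listing each slot's part number and serial, authenticated with an HMAC-SHA256 tag under a constructed demo key (a production scheme would use a public-key signature so the receiver holds no signing secret), and a locally enumerated inventory of the delivered device. The check rejects a device when a part has been swapped in transit and also when an attacker has swapped a part and rewritten the manifest to match, because the rewritten manifest no longer authenticates.

```python
"""Added example (not Lenovo's code or manifest format): verify a delivered
device against the component manifest recorded at the factory.

Assumptions, all constructed for this demo:
  - the factory publishes a manifest listing each slot's part number and
    serial, plus an authentication tag over the canonical manifest bytes;
  - the tag is an HMAC-SHA256 under a demo key; a real scheme would use a
    public-key signature so the receiver holds no signing secret;
  - the receiver enumerates the same slots locally (for example from a
    firmware inventory) and compares them before putting the device into service.
"""
import hashlib
import hmac
import json

DEMO_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample manifest; slot names and part numbers are invented.
FACTORY_MANIFEST = {
    "system_serial": "SN-DEMO-0001",
    "components": {
        "cpu":   {"part": "CPU-MODEL-A", "serial": "CPU-0001"},
        "dimm0": {"part": "DIMM-16G",    "serial": "DIMM-0001"},
        "ssd0":  {"part": "SSD-512G",    "serial": "SSD-0001"},
        "nic0":  {"part": "NIC-1GBE",    "serial": "NIC-0001"},
    },
}


def canonical_bytes(manifest):
    """Serialise deterministically so every party authenticates identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=DEMO_SIGNING_KEY):
    """Factory side: produce the authentication tag over the manifest."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, tag, key=DEMO_SIGNING_KEY):
    """Receiver side: constant-time comparison so timing leaks nothing."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def diff_components(expected, observed):
    """Return (slot, problem, expected, observed) for every mismatch."""
    findings = []
    for slot, exp in sorted(expected.items()):
        obs = observed.get(slot)
        if obs is None:
            findings.append((slot, "missing", exp, None))
        elif obs != exp:
            findings.append((slot, "replaced", exp, obs))
    for slot in sorted(set(observed) - set(expected)):
        findings.append((slot, "unexpected", None, observed[slot]))
    return findings


def check_delivery(manifest, tag, observed_components, key=DEMO_SIGNING_KEY):
    """Accept a device only if the manifest is authentic AND matches reality."""
    if not manifest_is_authentic(manifest, tag, key):
        # An attacker who swapped parts and rewrote the manifest lands here.
        return {"accept": False, "reason": "manifest failed authentication", "findings": []}
    findings = diff_components(manifest["components"], observed_components)
    if findings:
        return {"accept": False, "reason": "component mismatch", "findings": findings}
    return {"accept": True, "reason": "ok", "findings": []}


# --- constructed scenarios -------------------------------------------------
GENUINE_TAG = sign_manifest(FACTORY_MANIFEST)

# 1. Device arrives exactly as built.
AS_BUILT = dict(FACTORY_MANIFEST["components"])

# 2. SSD swapped for a counterfeit in transit; manifest left untouched.
SWAPPED = dict(AS_BUILT)
SWAPPED["ssd0"] = {"part": "SSD-512G", "serial": "SSD-FAKE-9"}

# 3. Attacker swaps the SSD and edits the manifest to match, but cannot
#    produce a valid tag without the factory key.
FORGED_MANIFEST = json.loads(json.dumps(FACTORY_MANIFEST))
FORGED_MANIFEST["components"]["ssd0"] = SWAPPED["ssd0"]

if __name__ == "__main__":
    for name, m, t, obs in [
        ("as built", FACTORY_MANIFEST, GENUINE_TAG, AS_BUILT),
        ("ssd swapped", FACTORY_MANIFEST, GENUINE_TAG, SWAPPED),
        ("forged manifest", FORGED_MANIFEST, GENUINE_TAG, SWAPPED),
    ]:
        print(name, "->", check_delivery(m, t, obs))
```

The two checks are deliberately separate: authentication proves the manifest came from the factory, and the component diff proves the hardware in front of you is the hardware the factory recorded. Skipping either one leaves a gap an in-transit swap can walk through.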

It is characteristic of cybercrime that it changes at deliberately bewildering speed. The next major ransomware attack may only be a click away, while DDoS attacks are beginning to exploit the vulnerabilities of IoT, potentially at a large scale. At the same time, device security remains a critical issue as users increasingly choose to work with combinations of personal and company-owned devices.

As well as the Transparent Supply Chain, Lenovo’s product security management system is set up to drive security throughout the product life cycle, from development and manufacturing, to customer support. We strive to ensure security is built into the heart of our products, not simply bolted on.

Product security governance is integrated into this process to help ensure that product development follows secure engineering practices, especially in the areas of BIOS and firmware creation and distribution.

Throughout the development and test process, Lenovo’s ethical hacking program provides insight into potential customer-facing issues so they can be fixed before shipment. We also invest in ongoing training programs to help ensure that key personnel are up to date on critical security issues.

Crime and mischief-making are limited only by the human imagination. That is why security has to be approached with equally imaginative solutions, starting with the most human of attributes: trust, and the vulnerability that comes with it. Any link in the security chain, whether it is a supplier, a software update or a careless user, must be considered a potential weakness.

We’ve made this holistic approach a founding principle of our manufacturing and supply chain strategy. It means that the trust invested in us as suppliers is backed with demonstrable, robust best practice that keeps risk to a minimum for our customers, from the drawing board to the luggage rack.
