Given the complexity of the information and communications technology (ICT) global supply chain and the growth of the cloud as the platform for IT service delivery, confidence can only be earned by meeting the expectations that 1) ICT equipment is what it is supposed to be (not counterfeit), and 2) that the ICT equipment will permit the communications network to do only what the authorized user(s) directs it to do (i.e., it is not tainted or secretly controlled by or transmitting data to unknown parties).
To provide assurance against counterfeit or tainted ICT products, solutions and services as well as end-to-end security practices should be addressed. Such practices should include a clear mapping of the stages of the supply chain affected, identification of key security areas of focus and an ongoing assessment and monitoring of security threats and vulnerabilities. We should also continuously drive and improve security practices and technologies through our supply chain, while also participating in and adopting, as appropriate, supply chain security international standards.
A comprehensive view of an ICT supply chain begins at the very concept of a technology solution and extends to the customer’s use, receipt of service and end of life of the ICT technology. Therefore, any supply chain security program must address security within each of these stages, ensuring that the original equipment manufacturer (OEM), participates in engineering design through the new product introduction process and considers security practices beyond the delivery stage, incorporating practices applicable to the use, service, upgrade and ultimate end-of-life management of products. Finally, an OEM should have clear, monitored security requirements for its suppliers.
Comprehensive security requires that we apply the right dimension of security at the right stage of the supply chain. First, physical security – such as camera monitoring, security checkpoints, alarms and biometrics – should be in place. Systematic, repeatable and auditable logical security processes designed to target areas of security risk and the threats of counterfeit or tainted products should be established. Examples include ensuring that data is transmitted in encrypted form, as permitted by local law, and establishing and validating adherence to scrap handling processes. Lastly, security technology should be applied to enhance counterfeit detection, terminate functionality or identify a non-authorized component or user. Examples include smart chips, data extracting test beds, tamper-resistant security labels.
An ICT OEM, together with its suppliers, should apply one or more of these security dimensions to ensure controlled manufacturing environments, using only approved components and to limit the introduction of malware and/or rogue components that could compromise the manufacturing process. By adhering to such practices, the ICT OEM can build devices, design and deliver software, and deploy processes that make it harder to produce undetectable counterfeit or tainted equipment because the opportunities throughout the entire supply chain for the manipulation of products are severely limited.
It is only by integrating security throughout the entire product lifecycle that secure solutions worthy of confidence can be delivered.