The world's most capable, rugged and secure
industrial control system...
Introducing Bedrock OSA® Remote
- Intrinsically-secure PLC and RTU control
- 10 or 20 channels of universal I/O
- Free IEC 61131-3 engineering software
- -40ºC to +80ºC temperature range
- Rugged, all-metal case 5.4 in x 8.9 in x 2.3 in
Hacking the Electronics Supply Chain: Easier Than you Think?
October 30, 2019
If you thought that hacking into an electronic manufacturer’s component supply chain required a fab of one’s own, think again. Wired magazine recently reported on recent simulation that showed how someone using “only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online,” could implant a device the size of pinky fingernail into the motherboard of a communications firewall.
In the project, the stowaway chip was then programmed to attack as soon as the firewall booted up in a target’s data center. It poses as a security administrator accessing the firewall configurations by connecting their computer directly to that port. Once in, the chip triggers the firewall’s password recovery feature, creating a new admin account and gaining access to the firewall’s settings in a way that most IT admins wouldn’t likely notice.
Although the exercise was not intended to imply that people are already doing this, it does raise some valuable points:
- It demonstrates how easily an ill-intentioned nation state, ID thief, or IP thief can penetrate a component supply chain if they can get access to the electronics, for example, via an employee on the fab line
- Because the attack triggers on boot, embedding authentication and verification to ensure a clean boot is critical
- Component manufacturers should take measures to prevent access to the electronics through PKI encryption and authentication to access firmware
- To prevent after-the-fact access, critical firmware should be housed in physically anti-tamper enclosures
Of course, the best way to enforce these measures it to source critical components from trusted electronics manufacturers – ideally in the USA.
For more information about how Bedrock Automation enforces such criteria in its totally U.S.-based production facilities see Sam Galpin’s feature: How Locally Sourced Intrinsically Secure Components Keep the Supply Chain Secure.