WEBVTT

1
00:00:00.000 --> 00:00:01.530
In this lesson,

2
00:00:01.530 --> 00:00:04.980
we will learn about supply chain assurance.

3
00:00:04.980 --> 00:00:08.400
Supply chain assurance ensures that all components

4
00:00:08.400 --> 00:00:11.040
and processes within the supply chain

5
00:00:11.040 --> 00:00:13.110
from vendors to delivery

6
00:00:13.110 --> 00:00:15.990
meet security and quality standards.

7
00:00:15.990 --> 00:00:19.560
This prevents the introduction of vulnerabilities

8
00:00:19.560 --> 00:00:21.720
into the final system.

9
00:00:21.720 --> 00:00:23.970
Supply chain assurance concepts

10
00:00:23.970 --> 00:00:28.830
include managing both hardware and software risk.

11
00:00:28.830 --> 00:00:31.500
Let's learn more about managing hardware

12
00:00:31.500 --> 00:00:34.350
and software supply chain risk.

13
00:00:34.350 --> 00:00:38.880
First, we have hardware supply chain risk management.

14
00:00:38.880 --> 00:00:41.400
Hardware supply chain risk management

15
00:00:41.400 --> 00:00:44.760
ensures that the physical components in a system

16
00:00:44.760 --> 00:00:47.760
are secure and free from vulnerabilities

17
00:00:47.760 --> 00:00:51.390
that could compromise the overall system's integrity.

18
00:00:51.390 --> 00:00:54.960
The goal of hardware supply chain risk management

19
00:00:54.960 --> 00:00:57.930
is to protect against risks like tampering,

20
00:00:57.930 --> 00:01:02.035
the use of counterfeit parts, and vulnerabilities introduced

21
00:01:02.035 --> 00:01:05.040
during manufacturing or distribution.

22
00:01:05.040 --> 00:01:07.740
One of the most significant concerns

23
00:01:07.740 --> 00:01:10.680
in hardware supply chains is tampering.

24
00:01:10.680 --> 00:01:13.710
For example, when a company sources hardware

25
00:01:13.710 --> 00:01:16.530
from various suppliers across the globe,

26
00:01:16.530 --> 00:01:20.550
there's a risk that someone along the supply chain modifies

27
00:01:20.550 --> 00:01:22.980
or tampers with the components.

28
00:01:22.980 --> 00:01:26.460
This tampering could introduce malicious hardware

29
00:01:26.460 --> 00:01:29.610
to create backdoors that allow attackers

30
00:01:29.610 --> 00:01:33.420
to compromise the system once it's in use.

31
00:01:33.420 --> 00:01:37.530
Another significant risk in hardware supply chains

32
00:01:37.530 --> 00:01:40.590
is the use of counterfeit components.

33
00:01:40.590 --> 00:01:43.740
These are fake or substandard parts

34
00:01:43.740 --> 00:01:48.450
that are often hard to detect and can introduce severe risks

35
00:01:48.450 --> 00:01:51.390
to system performance and security.

36
00:01:51.390 --> 00:01:55.530
Counterfeit components are typically cheaper to produce,

37
00:01:55.530 --> 00:01:57.600
but are more prone to failure,

38
00:01:57.600 --> 00:02:02.010
making systems vulnerable to breakdowns or malfunctions.

39
00:02:02.010 --> 00:02:06.510
In some cases, counterfeit hardware may even be designed

40
00:02:06.510 --> 00:02:10.650
with malicious functions to compromise system security.

41
00:02:10.650 --> 00:02:14.730
This is why industries such as defense, aerospace,

42
00:02:14.730 --> 00:02:18.390
and financial services are especially vigilant

43
00:02:18.390 --> 00:02:21.420
about sourcing authentic parts.

44
00:02:21.420 --> 00:02:23.220
One effective strategy

45
00:02:23.220 --> 00:02:26.280
to mitigate hardware supply chain risks

46
00:02:26.280 --> 00:02:30.360
is the implementation of hardware authentication methods,

47
00:02:30.360 --> 00:02:34.440
which often involve embedding cryptographic modules

48
00:02:34.440 --> 00:02:37.800
directly into chips and components.

49
00:02:37.800 --> 00:02:41.040
These modules use cryptographic techniques

50
00:02:41.040 --> 00:02:45.690
to verify the authenticity and integrity of the hardware,

51
00:02:45.690 --> 00:02:49.380
ensuring that only genuine, untampered components

52
00:02:49.380 --> 00:02:51.360
are used in the system.

53
00:02:51.360 --> 00:02:54.180
These techniques typically involve

54
00:02:54.180 --> 00:02:57.900
the public key infrastructure or PKI

55
00:02:57.900 --> 00:03:00.510
or unique digital signatures

56
00:03:00.510 --> 00:03:04.470
that are embedded in the hardware during manufacturing.

57
00:03:04.470 --> 00:03:06.900
Upon inspection, these signatures

58
00:03:06.900 --> 00:03:09.390
can be cryptographically verified,

59
00:03:09.390 --> 00:03:12.150
making it possible to detect counterfeit

60
00:03:12.150 --> 00:03:13.710
or tampered components

61
00:03:13.710 --> 00:03:17.820
before they are integrated into critical systems.

62
00:03:17.820 --> 00:03:20.070
This verification ability

63
00:03:20.070 --> 00:03:24.060
not only helps prevent the use of substandard parts,

64
00:03:24.060 --> 00:03:28.620
but also guards against potential security vulnerabilities

65
00:03:28.620 --> 00:03:31.860
that counterfeit components might introduce.

66
00:03:31.860 --> 00:03:35.190
By employing these verification technologies,

67
00:03:35.190 --> 00:03:37.890
industries can maintain tighter control

68
00:03:37.890 --> 00:03:40.200
over their hardware supply chains

69
00:03:40.200 --> 00:03:43.170
and reduce the risk of security breaches

70
00:03:43.170 --> 00:03:47.190
or system failures due to compromised hardware.

71
00:03:47.190 --> 00:03:50.400
Finally, transparency is important

72
00:03:50.400 --> 00:03:53.550
to managing hardware supply chain risk.

73
00:03:53.550 --> 00:03:56.610
Companies that deal with sensitive systems

74
00:03:56.610 --> 00:04:00.480
often maintain close relationships with their suppliers,

75
00:04:00.480 --> 00:04:03.090
requiring detailed documentation

76
00:04:03.090 --> 00:04:05.580
about where each component comes from

77
00:04:05.580 --> 00:04:07.800
and how it was produced.

78
00:04:07.800 --> 00:04:11.580
For example, Apple and Cisco are known to require

79
00:04:11.580 --> 00:04:14.520
high levels of supply chain transparency,

80
00:04:14.520 --> 00:04:17.070
including detailed records

81
00:04:17.070 --> 00:04:20.850
of where each hardware component originated from.

82
00:04:20.850 --> 00:04:25.530
This is to ensure there are no security risks pre-embedded

83
00:04:25.530 --> 00:04:27.510
within their products.

84
00:04:27.510 --> 00:04:31.590
Second, we have software supply chain risk management.

85
00:04:31.590 --> 00:04:36.210
Software supply chain risk management is all about ensuring

86
00:04:36.210 --> 00:04:40.740
that software components integrated into a system are secure

87
00:04:40.740 --> 00:04:43.170
and free from vulnerabilities.

88
00:04:43.170 --> 00:04:45.810
Today, most software applications

89
00:04:45.810 --> 00:04:50.280
rely on various third-party libraries, open-source tools,

90
00:04:50.280 --> 00:04:52.950
and frameworks to function correctly.

91
00:04:52.950 --> 00:04:57.630
While this accelerates development, it also introduces risk,

92
00:04:57.630 --> 00:05:01.560
as these components might harbor hidden vulnerabilities

93
00:05:01.560 --> 00:05:05.010
or compliance issues that can compromise the security

94
00:05:05.010 --> 00:05:06.930
of the entire system.

95
00:05:06.930 --> 00:05:10.200
One of the main challenges organizations face

96
00:05:10.200 --> 00:05:13.560
is that they might not even know the full extent

97
00:05:13.560 --> 00:05:15.810
of their software dependencies.

98
00:05:15.810 --> 00:05:18.600
For example, a financial institution

99
00:05:18.600 --> 00:05:21.300
using third-party encryption libraries

100
00:05:21.300 --> 00:05:25.230
for its trading platform might trust those libraries

101
00:05:25.230 --> 00:05:29.310
without knowing whether they contain known vulnerabilities.

102
00:05:29.310 --> 00:05:31.920
This could lead to security breaches

103
00:05:31.920 --> 00:05:35.340
originating from a weakness in third-party code.

104
00:05:35.340 --> 00:05:38.220
This is where software composition analysis

105
00:05:38.220 --> 00:05:40.710
or SCA tools are useful.

106
00:05:40.710 --> 00:05:44.910
Tools like the Open Web Application Security Project,

107
00:05:44.910 --> 00:05:47.610
or OWASP Dependency-Check tool,

108
00:05:47.610 --> 00:05:50.610
and the OWASP Dependency-Track tool

109
00:05:50.610 --> 00:05:53.670
can automatically scan software projects

110
00:05:53.670 --> 00:05:56.850
to detect outdated or vulnerable components,

111
00:05:56.850 --> 00:06:00.210
ensuring that any third-party software used

112
00:06:00.210 --> 00:06:02.910
is up to date and secure.

113
00:06:02.910 --> 00:06:06.780
A well-known example of a software supply chain attack

114
00:06:06.780 --> 00:06:08.730
is the SolarWinds breach.

115
00:06:08.730 --> 00:06:12.810
In this case, attackers inserted malicious code

116
00:06:12.810 --> 00:06:15.210
into a trusted software update

117
00:06:15.210 --> 00:06:17.940
for the SolarWinds Orion platform.

118
00:06:17.940 --> 00:06:21.660
Once customers, including major government agencies

119
00:06:21.660 --> 00:06:24.510
and corporations, downloaded the update,

120
00:06:24.510 --> 00:06:27.390
the malicious code gave attackers access

121
00:06:27.390 --> 00:06:29.580
to highly sensitive systems.

122
00:06:29.580 --> 00:06:32.190
This incident highlighted the importance

123
00:06:32.190 --> 00:06:34.950
of vetting all software components,

124
00:06:34.950 --> 00:06:37.170
even those from trusted vendors,

125
00:06:37.170 --> 00:06:41.760
and maintaining constant vigilance over supply chain risks.

126
00:06:41.760 --> 00:06:45.300
To manage software supply chain risks effectively,

127
00:06:45.300 --> 00:06:49.470
companies need to regularly assess third-party software

128
00:06:49.470 --> 00:06:52.380
for vulnerabilities, licensing issues,

129
00:06:52.380 --> 00:06:55.350
and compliance with security standards.

130
00:06:55.350 --> 00:06:59.910
This is done by conducting audits, using SCA tools,

131
00:06:59.910 --> 00:07:02.190
and ensuring that software libraries

132
00:07:02.190 --> 00:07:04.890
and frameworks are frequently updated.

133
00:07:04.890 --> 00:07:08.340
Another layer of protection that may be employed

134
00:07:08.340 --> 00:07:10.710
involves using digital signatures

135
00:07:10.710 --> 00:07:14.250
or certificates to verify the authenticity

136
00:07:14.250 --> 00:07:16.680
and integrity of software updates,

137
00:07:16.680 --> 00:07:20.430
helping to prevent malicious code from being introduced

138
00:07:20.430 --> 00:07:23.370
during the software delivery process.

139
00:07:23.370 --> 00:07:26.790
In practice, companies often set policies

140
00:07:26.790 --> 00:07:30.390
requiring developers to use only approved,

141
00:07:30.390 --> 00:07:35.130
vetted software libraries, and to regularly patch systems

142
00:07:35.130 --> 00:07:37.740
when vulnerabilities are discovered.

143
00:07:37.740 --> 00:07:41.400
So remember, supply chain assurance

144
00:07:41.400 --> 00:07:45.960
focuses on securing every aspect of the supply chain,

145
00:07:45.960 --> 00:07:50.250
ensuring that everything from vendors to final delivery

146
00:07:50.250 --> 00:07:54.270
meets necessary security and quality standards.

147
00:07:54.270 --> 00:07:57.120
This includes managing both hardware

148
00:07:57.120 --> 00:07:59.700
and software supply chain risks,

149
00:07:59.700 --> 00:08:03.780
where hardware supply chain risk management prevents issues

150
00:08:03.780 --> 00:08:06.030
like tampering and counterfeit parts,

151
00:08:06.030 --> 00:08:08.070
which can introduce vulnerabilities

152
00:08:08.070 --> 00:08:09.930
into physical components,

153
00:08:09.930 --> 00:08:12.480
and software supply chain risk management

154
00:08:12.480 --> 00:08:15.300
involves ensuring third-party libraries

155
00:08:15.300 --> 00:08:19.470
and tools used in systems are free from vulnerabilities.

156
00:08:19.470 --> 00:08:22.470
Both hardware and software assurance

157
00:08:22.470 --> 00:08:25.470
emphasize transparency, authenticity,

158
00:08:25.470 --> 00:08:29.583
and regular assessments to mitigate potential threats.

