In the physical security world, protecting the supply chain is a tangible effort of RFID tracking devices, GPS locators and titanium padlocks. But when it comes to securing sensitive information along the global supply chain, the process is extremely tenuous. Recent incidents highlight just what is at stake if global corporations fail to seal the data leaks and do their due diligence with every supplier, vendor and contractor in their network. The information an organization works so hard to secure internally can evaporate into the open global market in an instant if strict procedures are not in place.
One of the most damaging examples of supply chain infiltration occurred a couple of years ago when Chinese spies hacked into computers belonging to BAE Systems, Britain’s biggest defense company. Details about the design, performance and electronic systems of the $300 billion F-35 Joint Strike Fighter and F-22, a multinational project, were stolen and full blueprints made available to the Chinese.
The Chinese were also the culprits in another recent event: in an attempt to sabotage a $40 billion acquisition of the world’s largest potash producer by an Australian mining company, they hacked into the offices of the Toronto-based law firm that was brokering the deal and stole sensitive documents.
A report entitled “Securing the Supply Chain,” recently released by the Information Security Forum (ISF), a global, independent information security body and a leading authority on cyber security and information risk management, finds that organizations go to great lengths to secure intellectual property and other sensitive information internally, yet when that information is shared across the supply chain, security is only as strong as the weakest link.
“Fortune 500 and smaller mid-range companies have become much more proficient in managing risk and information internally. How they secure data on the corporate network is getting better and how they are controlling access to that data is as well. IT managers are making sure that the correct people are able to access pertinent data they need and not information that is sensitive and doesn’t apply to their jobs. This has become a priority,” says Michael de Crespigny, chief executive at ISF.
“Supply chains are inherently insecure and organizations create unintended information risk when sharing information with their suppliers,” de Crespigny adds.
“There is a black hole of undefined supply chain information risk in many organizations – they understand and manage this risk internally, but have difficulty identifying and managing this risk across their hundreds or thousands of suppliers.”
Because of the global nature of business today and the complexities of multi-faceted projects, sharing information with suppliers is an essential part of doing business. Yet as an organization spreads its global footprint, it also increases the risk that the confidentiality, integrity or availability of that shared information could be compromised. Supply chains are difficult to secure: they create risk that is hard to identify, complicated to quantify and costly to address, and addressing it can be disruptive to supplier relations.
Organizations need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations, says de Crespigny.
“Across the range of industries the array of data that is shared with suppliers includes items like intellectual property, databases and itineraries. If you are in the aerospace and defense industry, there are consortia that you rely on that are third parties providing various components. You share personal identifiable information that is subject to privacy laws in most countries if you outsource your payroll, or you have customer information that is being stored by suppliers in some way,” he continues.
According to de Crespigny, there are several other types of potentially damaging data that hackers may covet. One concern is the sensitive information surrounding a company’s logistics transactions, including the shipment and delivery of goods, especially very high-value products.
Organizations that are undertaking a transaction, whether it is renegotiating a contract, setting up a subsidiary in a new country or acquiring a business, will use lawyers and other advisors to guide them. This opens another avenue for a potential breach. The information that a law firm holds about a company’s pending negotiations is a data thief’s crown jewel.
Finally, there is also commercial and management information that can reveal details of a company’s financial performance, which, if you’re a publicly traded company, you wouldn’t want leaked to the wrong party, as it could adversely affect share prices.
To help organizations manage their supply chain information risk, the ISF has created the Supply Chain Information Risk Assurance Process (SCIRAP), an approach for larger organizations to manage this risk across their thousands or tens of thousands of suppliers. It identifies the information shared in the supply chain and focuses attention on the contracts that create the highest risk. It also provides a scalable way to manage contracts so that effort is proportionate to the risk.
But de Crespigny admits there are no magic bullets for ensuring a secure data supply chain, although common-sense approaches can prevent major brand damage.
“The first step is to force full disclosure from your global suppliers and then require that they put into place the same controls and gain the same assurances that you’re insisting on from them. In high-risk circumstances you can ask your supplier to provide you with an audit report signed by one of the (major) accounting firms registered under the AICPA that conforms to the association’s standards. This policy is costly, but in situations where it is imperative to ensure privacy of information, it is crucial.
“Any procurement activity can lead to sharing of sensitive information with a supplier. We have developed an outline of several key questions any procurement team should ask itself to identify if this is a high-risk situation. In very high-risk situations you’d want management to involve information security people to help define the terms of any request for information or RFPs or in any evaluations. Bottom line is you want to make sure your suppliers have the same controls in place you insist on,” concludes de Crespigny.
Securing this chain is crucial
Some people don’t understand how critical it is to secure their supply chain. After all, for most companies it’s not as if lives will be put on the line if their competitors get unauthorized access to the supply chain, right?
But securing your supply chain is critical. If you don’t, a competitor can exploit weaknesses and steal some of your customers. Just ask yourself what would happen if one of your competitors were able to access your prices through one of your customers’ systems. They could set their prices lower than yours and grab part of your market. Companies need to secure their own systems and ensure their trading partners are doing so as well. Before you roll out RFID throughout your supply chain, you need to understand the potential security risks and how to reduce vulnerabilities. After all, your confidential information is only as secure as the weakest link.
In a complete RFID solution, there are multiple layers and each layer needs to be secured individually. The secured layers work together to further secure the entire system. Let’s examine the layers.
At the top, you’ll find the server layer that stores the supply chain data. Most companies already have these systems in place and they’re fairly well locked down. If you’re using the newer servers that are part of the EPC Information Services (EPCIS) to link consumers to companies, make sure to properly secure them as well. The object name server (ONS) part of the EPCIS sits on the Internet and may provide product information to consumers. Your trading partners, which can include retailers, third-party logistics companies and transportation companies, may need to access the ONS for additional, non-consumer-related information such as authorized dealerships and service history. Both users and servers should use SSL certificates for authentication, so that each side of the connection proves its identity to the other. If you’re not familiar with SSL certificates, they are an Internet standard for proving that a party is who it claims to be.
The next layer is the RFID reader layer. RFID readers are network devices and like all other devices on your corporate network, they need to be secured. Substitute the word “reader” for “router” and you get the idea. Would you want an unsecured wireless router on your network? Readers provide critical information about corporate assets. Companies need to ensure that the readers on the network really are theirs and not “rogue readers,” which are unauthorized readers connected to their corporate network or that exist within their facilities. These may be physical devices or even software reader emulators that report false information. Virtual readers could simulate the behavior of a physical reader and add false information to your network. The primary solution is to use embedded certificates on reader devices the same way that servers use SSL certificates.
The lowest layer is the RFID tags. Beware of a couple of possible weak spots that may be exploited by your enemies. The first is the RF conversation between tag and reader. The exchange between reader and tag may be open or secured. Most of the passive and active RFID tags on the market today do not communicate through secured conversations. That means a listening device within range, tuned to the proper frequency, can record the conversation between tags and readers.
All of the signal information would have to be deciphered, which would be extremely complex in environments with numerous readers and tags. Although this scenario is not likely, it is a serious concern for some and must be addressed. Gen II tags have a 32-bit access password. If this password is set, the reader must present the valid password before the tag will engage in a secured data exchange. This password also prevents unauthorized people from scanning an area to see what products are there. For example, someone might scan the tagged contents of a wooden trailer to see if it’s worth breaking into.
It’s also important to restrict unauthorized access to tag memory on applied tags. You don’t want someone to reprogram your RFID tags after they’ve been applied. Some of the most secure RFID tags on the market meet the ISO 14443 standard. The tag memory contents may be divided up into segments. Each segment can require a different password to access. Gen II tag contents may be locked. The ‘lock’ command allows a reader to lock individual passwords or individual memory banks. For manufacturers that want to ensure certain information remains on the tag for the life of the product, a “permalock” feature makes it impossible to alter the contents.
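The access password, lock and permalock behaviour described above can be modelled as a small state machine. The following is an added example, not code from the article or from any RFID vendor: a simulated Gen II tag in which a bank set to pwd-write is writable only after the 32-bit access password has been presented, and a permalocked bank can never be written or unlocked again. The open/secured state names and the exact semantics are assumptions drawn from my understanding of the EPC Gen2 lock command, and the password value and scenario are constructed.

```python
class Gen2Tag:
    def __init__(self, access_password: int, epc: bytes):
        self.access_password = access_password & 0xFFFFFFFF  # Gen2 password is 32 bits
        self.mem = {"EPC": bytearray(epc), "User": bytearray()}
        # pwd_write=True: bank writable only in the secured state;
        # permalock=True: that setting can never be changed again.
        self.locks = {b: {"pwd_write": False, "permalock": False} for b in self.mem}
        self.reselect()

    def reselect(self) -> None:
        # A fresh inventory round: open state, or secured if the password is zero.
        self.secured = self.access_password == 0

    def access(self, password: int) -> None:
        # Reader presents the access password; only the correct value secures the tag.
        if password == self.access_password:
            self.secured = True

    def lock(self, bank: str, pwd_write: bool, permalock: bool) -> bool:
        # Lock command: honoured only when secured, and never once permalocked.
        state = self.locks[bank]
        if not self.secured or state["permalock"]:
            return False
        state["pwd_write"], state["permalock"] = pwd_write, permalock
        return True

    def write(self, bank: str, data: bytes) -> bool:
        """Write honours pwd-write (secured state only) and permalock (never)."""
        state = self.locks[bank]
        if state["pwd_write"] and state["permalock"]:
            return False  # permanently unwritable
        if state["pwd_write"] and not self.secured:
            return False  # locked: access password required first
        self.mem[bank][:] = data
        return True

def demo() -> dict:
    # Constructed scenario: lock the EPC bank, then permalock it for the product's life.
    tag = Gen2Tag(access_password=0xDEADBEEF, epc=bytes.fromhex("3000"))
    r = {}
    r["write_unlocked"] = tag.write("EPC", b"\x00\x01")        # anyone can write: True
    r["lock_without_pwd"] = tag.lock("EPC", True, False)       # not secured: False
    tag.access(0xDEADBEEF)
    r["lock_with_pwd"] = tag.lock("EPC", True, False)          # True
    tag.reselect()                                             # back to the open state
    r["write_locked_open"] = tag.write("EPC", b"\x00\x02")     # False
    tag.access(0xDEADBEEF)
    r["write_locked_secured"] = tag.write("EPC", b"\x00\x02")  # True
    r["permalock"] = tag.lock("EPC", True, True)               # True
    r["write_permalocked"] = tag.write("EPC", b"\x00\x03")     # False, even when secured
    r["unlock_after_permalock"] = tag.lock("EPC", False, False)  # False: irreversible
    return r
```

The same checks explain why a tag shipped with a zero access password offers no protection: it starts in the secured state, so any reader can lock, unlock or rewrite it.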
How the secured layers work together
Once secured, all of these parts work together: A serialized RFID tag on products makes every item unique. An authenticated user accessing an authenticated server can retrieve information about the specific product in hand. Date of manufacture, expiration date, product instructions, etc. can all be retrieved from the manufacturer’s EPCIS server. This process nearly eliminates the possibility of tag forgery and counterfeit products. The manufacturer’s EPCIS server can even tell you whether you’re purchasing a product from the company authorized to sell it to you.
Here’s how these security measures can improve business. Manufacturers that resell only through authorized dealers are very concerned about their products showing up on the “gray market”. This occurs when an authorized dealer purchases higher quantities than it really needs in order to obtain greater discounts. The surplus product is resold to non-authorized retailers. People we spoke to at one company were distressed because they had no way to know how pallets of their high-end, contractor-grade power drills turned up at a local club store. There was no agreement in place with the club store, and the units were being sold at prices lower than their authorized dealers’. With serialized RFID tags, the manufacturer can purchase one of the drills from the club store and trace the unit to the dealer that first purchased it. The manufacturer can then ask questions about how the product found its way to the unauthorized retailer.