So here’s the story on this supply chain cybersecurity challenge. Excepted from “Two Top Experts on Supply Chain Cybersecurity” with the CEO of Finite State, Matt Wyckhouse:
“When you look at any device, anything from a PLC that’s going to wind up in a utility, to a transformer, to your iPhone, all modern devices are manufactured through complex global supply chains.
By global, it almost always means it’s going to transit a country that the United States might not have the greatest relationship with or might not have complete trust in. In every step of the supply chain, given the work with the intelligence community, we know every time there’s a link in that supply chain, it’s an opportunity for foreign intelligence to sabotage, or implant some capability that will allow them to later collect intelligence or cause a disruption.
You realize every device is global, there’s the hardware device, and the individual components that go on that board, and those are sourced through the global supply chain, but so is the software.
The software is more complex than the hardware in most of these devices. It’s millions of lines of code that are contributed by development teams all over the world. Sometimes open-source projects that could have anyone contributing code to it, those get pulled in, multiple layers, multiple vendors coming together to provide a hardware and software combination that runs that product in your network.
We know there are many opportunities for supply chain compromise, either intentionally by a malicious actor, maybe an insider in the company, a foreign intelligence service, or something that’s introduced due to the laws of the country.
Look at the laws in China as an example of where there could be problems with us being able to trust them, or alternatively, something that’s unintentional, like a new vulnerability that was introduced somewhere in the supply chain and found later.”