Code in supply chain a threat
Agencies that focus on national security data and programs need to do more to secure their information technology supply chains, a government watchdog said.
Agencies that focus on national security data and programs need to do more to secure their information technology supply chains, a government watchdog said.
Federal agencies are not required to track “the extent to which their telecommunications networks contain foreign-developed equipment, software or services,” the Government Accountability Office (GAO) report said, and they typically are aware only of the IT vendors nearest to them on the supply chain, not the numerous vendors downstream.
That has left IT systems at the Energy, Homeland Security and Justice departments more vulnerable to malicious or counterfeit software installed by other nations’ intelligence agencies or by nonstate actors and hackers.
U.S. enemies could use that malicious software to secretly pull information from government systems, erase or alter information on those systems, or even take control of them remotely.
The Justice Dept. identified measures to protect its supply chain but has not developed procedures to implement those measures, the report said. Energy and Homeland Security haven’t identified measures to protect their supply chains at all, according to GAO.
The watchdog agency also examined the Defense Dept., which it said had designed and effectively implemented a supply chain risk management program.
Defense has reduced its supply chain risk through a series of pilot programs and expects to have “full operational capability for supply chain risk management” by 2016, the report said. Those pilots focus on assessing the risk posed by particular vendors’ supply chains and on testing and evaluating the purchased systems for malicious components, GAO said.
The U.S. Computer Emergency Readiness Team inside DHS found about one-fourth of roughly 43,000 agency-reported security incidents during fiscal 2011 involved malicious code that could have been installed somewhere along the supply chain, GAO said.
Globally sourced IT hardware buys can prove embarrassing for agencies that deal with national security data even if there’s no malicious or counterfeit technology inside the machines.
- Related News:
Seven tips to combat counterfeit electrical equipment - 26.11.2012 11:11- Cloud computing security woes - 04.05.2012 13:00
- IT security education needed - 02.05.2012 13:00
- Security first; not in smart grid - 30.04.2012 13:00
- Plant’s safe operating limits - 06.04.2012 08:00
- New tests for safer reactors - 05.04.2012 08:00
- Nukes give a hydrogen boost - 04.04.2012 08:00
- Survey: Malicious attack costs grow - 02.04.2012 08:00
- Secure grid from turbine to toaster - 05.03.2012 09:00
- Body heat powers devices - 02.03.2012 09:00
Integrator Guide
| Search the online Automation Integrator Guide |
|
|
|
|
Visit the System Integrators page to view past winners of Control Engineering's System Integrator of the Year Award and learn how to enter the competition. You will also find more information on system integrators and Control System Integrators Association.
Case Study Database
Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.
These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.
Click here to visit the Case Study Database and upload your case study.