Code in supply chain a threat

Agencies that focus on national security data and programs need to do more to secure their information technology supply chains, a government watchdog said.


ISS SourceAgencies that focus on national security data and programs need to do more to secure their information technology supply chains, a government watchdog said.

Federal agencies are not required to track “the extent to which their telecommunications networks contain foreign-developed equipment, software or services,” the Government Accountability Office (GAO) report said, and they typically are aware only of the IT vendors nearest to them on the supply chain, not the numerous vendors downstream.

That has left IT systems at the Energy, Homeland Security and Justice departments more vulnerable to malicious or counterfeit software installed by other nations’ intelligence agencies or by nonstate actors and hackers.

U.S. enemies could use that malicious software to secretly pull information from government systems, erase or alter information on those systems, or even take control of them remotely.

The Justice Dept. identified measures to protect its supply chain but has not developed procedures to implement those measures, the report said. Energy and Homeland Security haven’t identified measures to protect their supply chains at all, according to GAO.

The watchdog agency also examined the Defense Dept., which it said had designed and effectively implemented a supply chain risk management program.

Defense has reduced its supply chain risk through a series of pilot programs and expects to have “full operational capability for supply chain risk management” by 2016, the report said. Those pilots focus on assessing the risk posed by particular vendors’ supply chains and on testing and evaluating the purchased systems for malicious components, GAO said.

The U.S. Computer Emergency Readiness Team inside DHS found about one-fourth of roughly 43,000 agency-reported security incidents during fiscal 2011 involved malicious code that could have been installed somewhere along the supply chain, GAO said.

Globally sourced IT hardware buys can prove embarrassing for agencies that deal with national security data even if there’s no malicious or counterfeit technology inside the machines.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Choosing controllers: PLCs, PACs, IPCs, DCS? What's best for your application?; Wireless trends; Design, integration; Manufacturing Day; Product Exclusive
Variable speed drives: Smooth, efficient, electrically quite motion control; Process control upgrades; Mobile intelligence; Product finalists: Vote now; Product Exclusives
Machine design tips: Pneumatic or electric; Software upgrades; Ethernet advantages; Additive manufacturing; Engineering Leaders; Product exclusives: PLC, HMI, IO
This article collection contains the 5 most referenced articles on improving the use of PID.
Learn how Industry 4.0 adds supply chain efficiency, optimizes pricing, improves quality, and more.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cyber security cost-efficient for industrial control systems; Extracting full value from operational data; Managing cyber security risks
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security