ISF Grey Chapter Meeting, Zurich, 24/25 September 2015
Internet Service Providers (ISP) deploy and operate an array of diverse and fast changing technologies to provide cutting edge solutions to their private and business customers. Thereby they rely on a complex chain of suppliers for hardware and software. Typically the choice of supplier, for example for high performance networking or mobile equipment, is limited.
- Recent revelations brought the integrity of such equipment to the attention of the public, as it has been demonstrated that hardware and software components can be compromised and backdoored with or without the consent or knowledge of the supplier or vendor.
- The security and integrity of the supply chain is a concern with the dependence on third party components for critical functionality. While we can not prevent the potential compromise of components in the supply chain, we can test the integrity of devices upon delivery or in operation.
Swisscom is exploring the creation of a joint program to systematically test the integrity of critical infrastructure components. The purpose of the program is the systematic and continous testing of the integrity of components critical to the business of the program partners. Backdoors and hidden functionality is identified through reverse engineering of the firmware and hardware. The findings of the tests are first shared privately with the participating organizations, coordinated with the affected vendor for remediation, and ultimately made public.
- The information gained is used for a realistic risk assessment, deployment of mitigatons, purchase decisions, and correction by the vendor.
- A joint program credibly demonstrating that critical components are systematically tested for backdoors also sends a strong signal to any adversary. Adversaries can no more operate under the assumption of undetectability, and the cost (reputation, financially, legally, politically) for any party to participate in a compromise of the supply chain is increased drastically.
In this talk we present our initiative and challenge the security and integrity of the supply chain with focus on telcos and critical infrastructure providers.