A new day, a new threat: how do we deal with embedded chips?

by
Toby Butler, Specialist Vendor Account Manager, Viadex


It became evident with the recent revelations around embedded microchips, inserted at subcontractor facilities in China into servers originally assembled by Supermicro, that cyber-attack strategies have moved onto a new level. The world has now become aware of them. It is like a gathering storm; we can see it way off there on the horizon and we know it can wreak huge damage when it arrives, so now we must decide what precautions we can take to defend against the threat. The threat itself is open to limitless speculation. We simply have no idea how it could manifest itself. With the traditional liberal-mindedness we all grew up with in the free world, we incline towards believing it may never happen. Yet we know it could, we know it can, and in an increasingly wobbly world, we almost now know it will.

 

Open all hours
Let us not assume that anybody is crying ‘wolf’ over this matter. ‘All our communications could be hacked. China could switch things off, shut things down. For instance, it could suddenly stop algorithms that run train timetables; you can just see the chaos that could ensue.’ These words, this relatively doomsday-esque scenario, came from Admiral Lord West, former First Sea Lord and former security minister in Gordon Brown’s government.

If those who seek to have access for malicious purposes do in fact have that access, it could effectively mean that the UK is open all hours to a far bigger threat than simply the theft of data or the re-routing of funds.

Imagine that smart city infrastructure of the future (and in many cases, of the present) being disabled. Imagine the nation simply suddenly grinding to a halt. It would make a great movie. It would make for a catastrophic reality.

With embedded chips, and the National Cyber Security Centre (NCSC) now warning that Britain will be hit by a life-threatening ‘category 1’ cyber-emergency in the near future, the landscape of threat is being disrupted; the storm is getting closer. What we thought we knew is only what we knew when we thought that. Now we need to think it through again.

The NCSC assessment… ‘comes less than a fortnight after Britain accused the GRU, the Russian military intelligence service, of being behind a campaign of cyber-attacks which targeted political institutions, businesses, media and sport’.

My colleague, Dino Cooper, discussing the embedded chips in servers revelation in his blog, said: ‘Today’s supply chains are truly global… If you trade, buy, and sell globally, and have your IT systems dispersed around the world, not only is traditional cyber-security an issue, but your exposure through your supply chain is potentially endless, definitely complex, and often not within your area of control.’

It’s a reasonable assumption that very few organisations look into whether any of the hardware they are filling their buildings with could contain potentially damaging additional (hidden) parts. They view servers and general storage as run-rate kit, and why shouldn’t they? Well, the game rules are changing fast; hackers are disrupting and every day they’re getting smarter.

 

Keep your friends close
It is funny really that we’ve always turned to the ancient Chinese for their words of wisdom. The military strategist Sun Tzu coined the phrase ‘Keep your friends close and your enemies closer’, but maybe it’s time we started to keep our enemies as far away as we can; certainly, out of our servers, out of our systems, out of our supply chains, and out of our plans for smarter futures.

How do we deal with the problem of embedded chips and similarly ingenious threats? I believe it is a case of intimately understanding your supply chain and the provenance and pedigree of the players who form the links within it, layer by layer – who supplies the organisations who supply you, and who supplies them, and so on. Of course, this is not an easy process for organisations to go through. It is enormously complicated.

The answer is to work with organisations who make it their business to ensure a secure supply chain, enabling the geo-dispersed business to operate with the confidence that it’s working with a partner it can trust. Viadex fulfil this role. We validate our claim to be able to do so by working only with manufacturers and suppliers of impeccable pedigree.

 

Keep your trusted suppliers closer
With regard to the mode of insertion of those chips into Supermicro servers, it happened (allegedly) because parts of the assembly process were sub-contracted out to organisations in the Far East. At Viadex we proudly champion Fujitsu[1] for datacentre equipment such as servers and storage, as well as for its technology in AI and IoT. Fujitsu is a Japanese company that engineers, manufactures and assembles products in Germany. It combines Japanese know-how with German engineering.

Fujitsu’s approach is highly ethical and completely transparent. This is an engineering company through-and-through that focuses on quality and delivering the right solutions for customers. Our relationship with them enables us to offer strategic development routes to our customers that will, often uniquely, address specific goals and identified futures. It is also worth noting that Fujitsu has told us that FUJITSU Servers PRIMERGY/PRIMEQUEST do not include any Supermicro mainboard.

 

Making the IT world a safer place
Trusted partners are one thing, but exposure across many other entry points into an organisation’s systems is a different issue. Viadex not only works closely with organisations that we keep close, but also offers global implementation of IT projects from specification through to procurement, configuration, and installation. We monitor every aspect of the project at every stage of its delivery to keep those enemies as far away as possible.

If you are looking for the next stage of your digital transformation to be undertaken by a partner with global experience, expertise, confidence, and contacts, or if you are just looking for a point solution safely delivered to any location in the world, just drop me an email at: toby.butler@viadex.com

 

[1] Viadex is a Fujitsu Select Circle Partner and was awarded 2017 Rising Star Partner of the Year and 2018 Datacentre Partner of the Year.

 

 
