Mobile Telecom Security Landscape Blog: August 25

Welcome to the August blog.  This month we examine supply chain security within the context of the recently updated and re-issued GSMA Supply Chain Toolbox.  The new Supply Chain Toolbox uses a lifecycle model to describe a number of guidelines (‘tools’ in the ‘toolbox’). Supply chain attacks continue at pace.  The classification of mobile infrastructure as critical national infrastructure in many jurisdictions and concerns about national security have increased the focus on the security posture of network equipment and the providers of it.

The mobile industry has long aimed to deliver robust security arrangements to protect its assets, customers and services.  This security objective is delivered through a lifecycle approach starting even before a service goes live.  The foundations of security are built through architectural design choices, choosing to adopt solutions utilising internationally recognised standards and shortlisting vendor solutions that already have a strong baseline security level built-in. To understand and strengthen supply chain arrangements, it is important to understand how products and services are developed, built, procured, operated and decommissioned.

Supply chain interventions throughout the lifecycle can:
  • Provide insight into the strength of development processes
  • Establish the adequacy of built-in security controls and assurances
  • Clarify the security of in-life maintenance arrangements
  • Improve the speed of response in mitigating new security vulnerabilities
  • Ensure decommissioning is undertaken in a controlled and secure manner

The GSMA Supply Chain Toolbox has recently been revised and refreshed. This includes different accreditation and assurance schemes and guidelines pertaining to specific areas of mobile technology. The different resources in the toolbox are organised to illustrate tools appropriate before and during procurement of services and products and during their in-life operation.  The toolbox first focuses on product and service selection and then identifies considerations for products and services in-life.

The opportunity for indirect attacks through supplier or third-party tooling and services should not be underestimated and requires vigilance about which third-party tools to use, as well as awareness of the security posture of the various third parties.

As part of supply chain assurance, the GSMA Network Equipment Security Assessment Scheme (NESAS) exists to facilitate improvements in network equipment security levels across the mobile industry by providing a baseline security assurance: one universal, global security assurance framework that can raise confidence and trust in mobile network equipment.  The purpose of the scheme is to audit and test network equipment vendors, and their products, against a security baseline, so they can demonstrate to network operators (or regulators) that they conform to the desired standard. The scheme has been defined by industry experts through GSMA and 3GPP, and therefore represents a key pillar in securing the whole ecosystem, including the needs of governments, mobile network operators and regulators.  NESAS is only one part of a security strategy: it tests products and processes at a point in time. It is important to guarantee that the deployed code is the same code that was tested through NESAS and that secure configurations are used. Additional layers of security are required to deliver a robust deployment for in-service use.
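One way an operator can act on the point above, as an added illustration rather than anything from the GSMA toolbox or NESAS itself: record the digests of the assessed release and a secure-configuration baseline, then compare what is actually running on a node against both. The file paths, build strings and configuration keys below are constructed placeholders, not any vendor's real artefacts.

```python
import hashlib

# Constructed sample: digests recorded at assessment time for one release.
# Paths and contents are placeholders, not a real vendor build.
TESTED_MANIFEST = {
    "bin/amf": hashlib.sha256(b"amf-build-1.4.2").hexdigest(),
    "bin/smf": hashlib.sha256(b"smf-build-1.4.2").hexdigest(),
    "lib/libcrypto.so": hashlib.sha256(b"libcrypto-3.0.9").hexdigest(),
}

# Constructed sample: what is actually present on the deployed node.
DEPLOYED_FILES = {
    "bin/amf": b"amf-build-1.4.2",
    "bin/smf": b"smf-build-1.4.3",               # patched after assessment
    "lib/libcrypto.so": b"libcrypto-3.0.9",
    "bin/debug-agent": b"vendor-support-tool",   # never part of the tested release
}

# Constructed secure-configuration baseline and the node's live settings.
CONFIG_BASELINE = {"tls_min_version": "1.2", "telnet_enabled": "false", "audit_log": "on"}
LIVE_CONFIG = {"tls_min_version": "1.2", "telnet_enabled": "true", "audit_log": "on"}


def verify_artifacts(manifest, deployed):
    """Compare deployed file digests with the assessed manifest.

    Returns lists of files whose digest differs, files missing from the
    node, and files present on the node that were never assessed.
    """
    modified, missing = [], []
    for path, expected in manifest.items():
        if path not in deployed:
            missing.append(path)
        elif hashlib.sha256(deployed[path]).hexdigest() != expected:
            modified.append(path)
    unexpected = sorted(set(deployed) - set(manifest))
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def check_config(baseline, live):
    """Return (key, expected, actual) for every setting that drifted from baseline."""
    return [(k, v, live.get(k)) for k, v in baseline.items() if live.get(k) != v]


def deployment_matches_assessment(manifest, deployed, baseline, live):
    """True only when both code and configuration match what was assessed."""
    findings = verify_artifacts(manifest, deployed)
    return not any(findings.values()) and not check_config(baseline, live)


if __name__ == "__main__":
    print(verify_artifacts(TESTED_MANIFEST, DEPLOYED_FILES))
    print(check_config(CONFIG_BASELINE, LIVE_CONFIG))
```

In practice the manifest would be signed and produced by the assessed build pipeline, and the check run at deployment and periodically thereafter, so that a post-assessment patch or an extra binary is caught rather than silently trusted.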

As architectures continue to move towards disaggregated components, leverage cloud and virtualisation architectures, and make increasing use of third-party tools for monitoring, management and security, it is clear that the supply chain ‘surface area’ available for an attacker to exploit is becoming broader. Active and in-depth knowledge of direct, indirect and open-source supply routes is needed.

A single successful attack on a vendor can give an attacker access across all of that supplier’s customers; this force-multiplier effect makes a compromised vendor an attractive proposition. Because a supply chain attack offers that multiplier, building skills, processes, tools and experience will present an enduring benefit – supply chain security will remain a key security area.

We invite you to download the new GSMA Supply Chain Toolbox, consider how your own supply chain security practices align to those presented, and review any gaps or variances.