The looming security threat posed by the cyber ‘supply chain’

September 29, 2021

Complex information and communication systems are often made up of hundreds of hardware and software components from a hodgepodge of manufacturers. UM-Dearborn’s Junaid Farooq says that makes them a cyber-physical battleground.

A collage graphic showing a network of connected hardware, including laptops, cell phones, and security cameras.

Cyberattacks usually involve an attacker exploiting some type of weakness in the target's system, and typically we think of that as being a software thing. This is why it’s important to update your antivirus protection, operating system or web browser often, so you can take advantage of manufacturer patches for known threats. The relative invisibility of this to the end user can make cybersecurity feel abstract. But there’s also a very concrete side to cyber risk, according to UM-Dearborn Assistant Professor Junaid Farooq. That’s because our information and communication networks are still made of actual physical electronic components. In a complex system, there might be hundreds or even thousands of individual devices from dozens of different manufacturers. And Farooq says what suppliers you’re choosing — and what you’re choosing their devices to do — matters more and more in an era of globalized manufacturing and frequent cyberattacks.

A headshot of Assistant Professor Junaid Farooq

“With non-cyber systems, you might have components from a few suppliers that you purchase, and after you receive the materials, your supplier is no longer involved,” Farooq explains. “But with ICT [information and communications technology] systems, you may have dozens of devices on your network, and each device may have backdoor functionalities that you’re unaware of and that the supplier may still have access to.” Such concerns aren’t just hypothetical either. Back in 2019, they were what motivated the U.S. and other countries to ban companies from using Huawei components in their 5G networks. At the time, it was alleged that Huawei was purposely embedding its tech with security holes that the Chinese government could exploit for espionage or theft of intellectual property.

Needless to say, assessing the so-called “supply chain risk” of complex networks can be daunting. In reality, ICT systems are often a patchwork of dozens of technologies installed at different times by different people. And the challenge can be multiplied for smaller companies or government entities, which may not have in-house staff with the relevant expertise. Farooq, however, is working to simplify the process of risk analysis. Through a project funded by the Department of Homeland Security, he and his colleagues have built a prototype cyber supply chain risk assessment engine that can deeply analyze networks and score them for risk. Notably, their tool factors in both the supplier-based risk posed by each individual component and the importance of each component to the network. In the real world, that might mean certain components from higher-risk manufacturers could still be OK to use if they weren’t mission critical. But Farooq says you wouldn’t want to make any compromises on, say, technology crucial to your firewall.
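To make the idea concrete, here is a small illustrative scoring model, written for this story and not the prototype engine's own code: each component's supplier risk is weighted by how much of the network's connectivity would be lost if that component failed, so a less-trusted supplier on a leaf device scores low while the same supplier on the firewall is flagged. The topology, vendor scores, 0.2 floor and 0.3 threshold are all constructed assumptions.

```python
from collections import deque

# Constructed example network (undirected adjacency); not the project's data.
TOPOLOGY = {
    "wan_router": ["firewall"],
    "firewall": ["wan_router", "core_switch"],
    "core_switch": ["firewall", "file_server", "camera_a", "camera_b"],
    "file_server": ["core_switch"],
    "camera_a": ["core_switch"],
    "camera_b": ["core_switch"],
}
# Constructed supplier risk scores in [0, 1]; higher means less trusted.
SUPPLIER_RISK = {"vendor_a": 0.1, "vendor_b": 0.8}

def connected_pairs(topology, removed=None):
    """Number of node pairs that can still reach each other once `removed` is gone."""
    seen, pairs = set(), 0
    for start in topology:
        if start == removed or start in seen:
            continue
        component, queue = {start}, deque([start])
        while queue:  # breadth-first walk of one connected component
            for nxt in topology[queue.popleft()]:
                if nxt != removed and nxt not in component:
                    component.add(nxt)
                    queue.append(nxt)
        seen |= component
        pairs += len(component) * (len(component) - 1) // 2
    return pairs

def importance(topology, node):
    """Share of communication paths among the OTHER nodes lost if `node` fails."""
    others = len(topology) - 1
    baseline = others * (others - 1) // 2  # assumes the network starts connected
    return 1 - connected_pairs(topology, node) / baseline

def component_risk(topology, node, supplier):
    """Supplier risk weighted by importance; the 0.2 floor (assumed) keeps a
    risky supplier on even a leaf device from scoring zero."""
    return round(SUPPLIER_RISK[supplier] * (0.2 + 0.8 * importance(topology, node)), 3)

def assess(topology, assignment, threshold=0.3):
    """Per-component scores plus the components whose score exceeds the threshold."""
    scores = {n: component_risk(topology, n, s) for n, s in assignment.items()}
    return scores, [n for n, r in scores.items() if r > threshold]

if __name__ == "__main__":
    plan = {"firewall": "vendor_b", "camera_a": "vendor_b", "core_switch": "vendor_a"}
    print(assess(TOPOLOGY, plan))  # camera_a passes, firewall is flagged
```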

Such an assessment tool could have widespread applications. This semester, Farooq’s team plans to do a pilot ICT risk analysis with the New York City Metropolitan Transportation Authority, whose buses, subways and commuter trains move millions of people every day. And the “decision engine” feature of their tool could be used to guide selection of components for new networks, including future applications in vehicle-to-vehicle (V2V) and smart electricity grid infrastructure. Farooq says their risk scores could even be the basis for the rates you pay for cyber insurance — a now-niche product that could quickly become common in a world reshaped by the constant threat of cyberattacks.

###

Story by Lou Blouin. Farooq’s work was done in collaboration with researchers from the NYU Tandon School of Engineering and funded by the Critical Infrastructure Resilience Institute (CIRI), a Department of Homeland Security Center of Excellence. If you’re a member of the media and would like to talk with Assistant Professor Junaid Farooq about this topic, drop us a line at [email protected] and we’ll put you in touch.