Securing Hardware Supply Chains

You might recall Bloomberg’s claim that the Chinese Government had been involved in manipulation of hardware motherboards from San Jose-based Supermicro. The goal of the attack, according to the report from Jordan Robertson and Michael Riley, was to enable cyber exploits against the eventual end-users of these servers – which included Apple and Amazon. Their work caused stir in our industry, and I blogged my thoughts on the matter.

It was therefore both intriguing and irresistible this past week to meet with Yossi Appleboum, from Gaithersburg-based Sepio Systems. According to Bloomberg, it was Mr. Appleboum’s research, informed by a career in Israeli intelligence, that contributed to the Supermicro report. As a believer in the importance of a secure hardware supply chain, I was keen to learn more about how these types of exploits might be addressed.

“What we do at Sepio Systems involves the detection and mitigation of rogue devices implanted onto hardware infrastructure by insiders or other malicious actors,” Appleboum explained. “Our customer base involves any organization with responsibility for trustworthy hardware, and this includes banks, power companies, and telecommunications firms, as well as government agencies.”

The way the Sepio Systems technology works is clever: An off-line virtual server is embedded into the IT ecosystem to support secure polling of devices to determine if their so-called fingerprints belong to rogue hardware devices. What’s unique here, however, is that these fingerprints are based on physical layer attributes such as timing, voltage, impedance, and other low-level electrical characteristics of how the device communicates on a network.

Appleboum showed me two use-cases for the Sepio Systems technology in action: First, we examined the fingerprinting process for network switching hardware. The polling process pushes data to the Sepio server from interrogated switches, and then uses machine learning-based algorithms to discover and block any detected anomalies. The resulting mitigation can include real-time changes in the switch fabric to avoid exploitation.

Second, we examined how the polling and fingerprint processing can be performed for endpoints. This prompted me to question how this differs from the MAC-based endpoint processing commonly found in enterprises for hardware validation prior to admission control. Appleboum explained that the Sepio solution complements this type of approach – but does so from the underlying physical layer which cannot interpret MACs.

Throughout the discussion with Appleboum, my enthusiasm for continuous hardware verification sweeping was tempered by thoughts of use-cases that might not be handled. For instance, I wondered aloud to Appleboum about how to stop more application-level exploits – only to be reminded appropriately that Sepio does not replace higher-level security solutions. Rather, it complements them at the physical layer.

After our review, I had a separate discussion about Sepio with Katie Teitler, a new senior analyst at TAG Cyber, and she agreed that this looks like a winning solution for data center and other infrastructure managers. But Katie also agreed that a headwind exists for any type of security control focused on hardware. Many enterprise teams are reducing their hardware footprint, choosing to centralize management into cloud-based infrastructure.

To that end, we’d discussed with Appleboum the possibility of a “Sepio-inside” designation for anyone serving up software, infrastructure, or bare metal from any virtualized data center, including in the cloud. “We have been working exactly this direction,” he explained, “so that enterprise security teams can specifically request or require that their hardware provider include this type of physical later protection in their operation.

If you manage hardware systems, especially in public or private data centers, then it would seem sensible to listen to the Sepio Systems story. The idea that physical layer fingerprinting might help detect rogue devices is both exciting and necessary. I would imagine that once compliance managers get hold of this concept, it is likely to find its way into the popular frameworks. So, you might as well start down the path now.

By the way, regarding Supermicro, it was interesting to hear Appleboum’s commentary. Despite some heat directed toward the Bloomberg reporters for perhaps going too far in their story, Appleboum had the opposite reaction – citing the issue as even more large-scale than intimated in the Bloomberg article. So, if you’d like to sleep more soundly, perhaps you might set up time to learn more about this physical layer control.