World’s Largest Chip Manufacturer Supply Chain Attacked

Following the news that the world’s largest chip manufacturer, the Taiwan Semiconductor Manufacturing Company (TSMC), was forced to shut down production at the weekend, IT security experts commented below.

Ross Rustici, Senior Director for Intelligence at Cybereason:

“Supply chain intrusions and attacks have been a preferred method of espionage and sabotage since the start of complex manufacturing processes. The most recent headlines about Taiwan Semiconductor are only the latest in a long line of troubling reports from the global supply chain. Fundamentally, security is only as strong as its weakest link and the more dispersed the supply chain, the more vulnerable it is to these types of intrusions. Currently there is very little that businesses can do to completely defend themselves against supply chain attacks. They are as vulnerable as their smallest and most vulnerable supplier. More troubling than piggybacking on a trusted connection or trying to infect at the software level a small component of a larger system, is when hackers go directly after the firmware itself and bypass most of the good security controls that have developed over the last 20 years to deal with OS-level malware. If a hacking group can affect the firmware in a supply chain, all bets are off and detections are often very hard to come by. Arguably, this is the biggest concern for chip and hardware manufacturers when it comes to supply chain attacks.

There are some contract mechanisms that allow companies to pass the blame onto an afflicted supplier, but at the end of the day that has more to do with mitigating risk from the worst-case scenario than actually making the supply chain more secure. Ultimately, most companies are in the position where they’re so concerned with trying to make their own network secure, that they can’t think about or really affect the global supply chain upon which they rely. Companies are either faced with segmenting their networks in such a way that third-party dependencies are limited to the core business functions that they interact with, and pervasive access is not given, or the much larger burden of trying to force security upon all of its vendors in such a way that it complies with its own standards. This vertical security integration is not only unfeasible given the way global supply chains work but also onerous and costly, dramatically decreasing profits for the companies and eliminating the reason why these global supply chains were created to begin with.”

Thomas Nuth, Director of Product & Solutions at Nozomi Networks:

“The issues suffered by Taiwan Semiconductor Manufacturing Co. (TSMC) remind us that any organisation, even those working at the forefront of technology development, can fall victim to malware. While downtime can be a frustrating inconvenience for most, when it targets the manufacturing process the results can be exceptionally expensive with the loss in productivity and potentially have significant impact further down the chain.

“While details of what actually happened and which areas of the factory were affected have not been released, one thing that is obvious is that cyber criminals will be lurking in the shadows, learning from what worked and what didn’t, ready for the next time they attack.

“Having the ability to identify any changes in operational activity is imperative to prevent outbreaks, such as that experienced by TSMC. What this will also do is identify if anything else might have been the attackers’ mission, other than the malware infection. We’re seeing instances where the obvious incursion (aka the virus) diverts focus while the true objective goes undiscovered until it’s too late.”