Following the news that the world’s largest chip manufacturer, the Taiwan Semiconductor Manufacturing Company (TSMC), was forced to shut down production at the weekend, IT security experts commented below.
Ross Rustici, Senior Director for Intelligence at Cybereason:
“Supply chain intrusions and attacks have been a preferred method of espionage and sabotage since the start of complex manufacturing processes. The most recent headlines about Taiwan Semiconductor are only the latest in a long line of troubling reports from the global supply chain. Fundamentally, security is only as strong as its weakest link and the more dispersed the supply chain, the more vulnerable it is to these types of intrusions. Currently there is very little that businesses can do to completely defend themselves against supply chain attacks. They are as vulnerable as their smallest and most vulnerable supplier. More troubling than piggybacking on a trusted connection or trying to infect at the software level a small component of a larger system, is when hackers go directly after the firmware itself and bypass most of the good security controls that have developed over the last 20 years to deal with OS-level malware. If a hacking group can affect the firmware in a supply chain, all bets are off and detections are often very hard to come by. Arguably, this is the biggest concern for chip and hardware manufacturers when it comes to supply chain attacks.
There are some contract mechanisms that allow companies to pass the blame onto an afflicted supplier, but at the end of the day that has more to do with mitigating risk from the worst-case scenario than actually making the supply chain more secure. Ultimately, most companies are in the position where they’re so concerned with trying to make their own network secure, that they can’t think about or really affect the global supply chain upon which they rely. Companies are either faced with segmenting their networks in such a way that third-party dependencies are limited to the core business functions that they interact with, and pervasive access is not given, or the much larger burden of trying to force security upon all of its vendors in such a way that it complies with its own standards. This vertical security integration is not only unfeasible given the way global supply chains work but also onerous and costly, dramatically decreasing profits for the companies and eliminating the reason why these global supply chains were created to begin with.”
Thomas Nuth, Director of Product & Solutions at Nozomi Networks:
“The issues suffered by Taiwan Semiconductor Manufacturing Co. (TSMC) remind us that any organisation, even those working at the forefront of technology development, can fall victim to malware. While downtime can be a frustrating inconvenience for most, when it targets the manufacturing process the results can be exceptionally expensive with the loss in productivity and potentially have significant impact further down the chain.
“While details of what actually happened and to which areas of the factory were affected have not been released, one thing that is obvious is that cyber criminals will be lurking in the shadows, learning from what worked and what didn’t, ready for the next time they attack.
“Having the ability to identify any changes in operational activity is imperative to prevent outbreaks, such as that experienced by TSMC. What this will also do is identify if anything else might have been the attackers’ mission, other than the malware infection. We’re seeing instances where the obvious incursion (aka the virus) diverts focus while the true objective goes undiscovered until it’s too late.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security