Nation-state attacks targeting physical device supply chains are a growing threat
More and more companies believe they have been victims of hardware supply chain attacks by national actors. For example, 29% of US companies believe they have been the target of cyberattacks.
Researchers from HP Wolf Security surveyed 800 IT and security decision makers (ITSDM) to investigate perceived threats targeting hardware and firmware of devices within the physical supply chain.
More than a third of respondents believed they had been targeted by a national government attempting to embed malicious hardware or firmware into devices. Half said they were concerned about not being able to verify that the hardware of the PC, laptop or printer had not been tampered with in transit.
Supply Chain Security
The organizations surveyed were overwhelmingly concerned about physical targets such as PCs, laptops and printers within the supply chain, with 91% believing nation-state actors will use malicious components to attack hardware. Uncertainty is growing, with 78% of ITSDMs saying their focus on software and hardware supply chain security will increase as attackers attempt to infect devices in transit.
Hardware and firmware attacks are particularly alarming because they are notoriously difficult to detect, remove, and remediate. Security tools reside within the operating system, so compromised devices are difficult to identify.
Once an attacker compromises a device’s hardware or firmware, they have complete control over the device and can see what the device is being used for.
“In today’s threat landscape, managing security in a distributed hybrid work environment must start with ensuring devices have not been compromised at the lower levels,” said Boris Balacheff, Chief Technologist for Security and Research Innovation at HP.
Going forward, HP recommends that organizations verify hardware and firmware configuration compliance on all devices, securely manage firmware configurations, and implement platform certification technology to verify hardware integrity.