Content directory:
1 The security situation and security risks faced by the equipment software supply chain
1.1 All links in the equipment software supply chain are at risk of cyber attacks
1.2 Western military powers threaten my country's equipment software security through technology monopoly
1.3 The wide application of open source codes is very easy to introduce new equipment software supply chain security risks
1.4 Insufficient equipment software supply chain control and safety evaluation capabilities lead to greater safety management risks
2 Network Security Countermeasures of Equipment Software Supply Chain
2.1 Improve the network security standard system of the equipment software supply chain and strengthen software security risk management
2.2 Establish a network security supervision system for the equipment software supply chain, and implement all-round software security management and control
2.3 Establish a network security assessment system for the equipment software supply chain, and strengthen the capacity building of software security assessment
2.4 Improve the network security technology system of the equipment and software supply chain, and strengthen the construction of software security protection capabilities
3 Conclusion
The so-called equipment supply chain can be understood as software and hardware products and services related to equipment, or equipment development units or production units, third-party equipment (including software and Hardware) providers or producers and end users, etc., through a network chain structure connected with upstream and downstream organizations. As an important part of equipment, software plays a key role in its function realization. The software supply chain can be understood as a system that writes software through one or more stages of design and development, and sends software from suppliers to users through software delivery channels. Regardless of whether it is self-developed software, off-the-shelf software, or custom-developed software, its supply chain life cycle usually includes four links: original components, integrated components, software products, and product operations, of which software products and product operations cover the software life cycle. Software supply chain security is the sum of all security issues in the entire process of software production, including all stages of software design and development, including coding process, tools, equipment, suppliers, and final delivery channels.
Cyber attacks against the software supply chain often use the inherent security vulnerabilities of the system or preset software backdoors to carry out attack activities, and spread the attack effect downstream to all participants in the supply chain through the network chain structure formed by the software supply chain (including end user). In recent years, cyber attacks on the software supply chain have occurred frequently, and their impact has become greater and greater. According to a survey by Accenture, more than 60% of cyber attacks in 2016 were supply chain attacks. Typical software supply chain attacks include: the "Stuxnet" virus incident that occurred in 2010, which was a cyber attack launched by the United States and Israel against Iran's nuclear facilities, which directly delayed Iran's nuclear program for several years. The virus exploits multiple vulnerabilities in the Windows system and Siemens SIMATIC WinCC system; the "Heartbleed (HeartBleed)" vulnerability incident that occurred in 2014 was due to the , SSL/TLS) software and network services widely use open source software packages with vulnerabilities, thus infecting software and service development upstream codes and modules, and causing great damage to its downstream along the software supply chain; NotPetya occurred in 2017 The ransomware incident is the same as WannaCry exploited. Hackers launched an attack on software updates containing the "EternalBlue" vulnerability, causing energy, transportation, banks, hospitals, state agencies and Multinational companies were affected, with losses amounting to tens of billions of dollars; in the "Solar Wind" incident that occurred at the end of 2020, hacker organizations exploited the security loopholes in the software update process of the data management software sold by SolarWinds, and attacked dozens of countries including the United States. Governments and non-government organizations of the country launch cyber attacks. These attacks have sounded the alarm for the security of software supply chains in various countries, and also issued a warning for the network security of my country's software supply chain.
With the in-depth development of informatization, new technologies such as big data, cloud computing and artificial intelligence are more and more widely used in equipment, and the degree of equipment informatization, networking, digitalization, and intelligence is getting higher and higher. While the combat effectiveness of equipment, it also faces a huge threat, and supply chain attack is one of the most important forms of network attack, which has seriously threatened the security of equipment network. In recent years, on the one hand, due to the new crown pneumonia epidemic, the continuous deterioration of Sino-US relations, the escalation of the conflict between Russia and Ukraine, and the continuous global economic turmoil, it has caused great damage to the global supply chain, and it has also had a serious impact on the security of the equipment supply chain; on the other hand, On the one hand, as open source codes and third-party components/software are widely used in equipment, all security vulnerabilities related to them are also symbiotic with equipment software. The possibility of cyber attacks on the equipment software supply chain is increasing, causing increasingly serious damage to equipment security. Impact. The security of the equipment software supply chain is related to national security and military security. Once a security risk occurs, it will bring major security challenges to the country and the military, and the consequences will be disastrous.
Domestic and foreign studies have been conducted on supply chain security in the fields of industrial Internet, Information Communications Technology (ICT), and software supply chain security, and their respective solutions have been proposed. However, due to the high requirements for confidentiality, stability, and reliability of equipment software, and the difficulty of software updates and upgrades, and the lack of research in this field in China, it is urgent to strengthen the security research of equipment software supply chains. To this end, clarifying the security situation and security risks faced by the equipment software supply chain, and on this basis, building a sound equipment software supply chain security system and formulating active and effective coping strategies are conducive to creating a good equipment software supply chain. It is of great significance to improve the ecological environment and better promote the healthy development of equipment.
1 The security situation and security risks faced by the equipment software supply chain
In recent years, because Western countries have taken advantage of technological advantages to bury backdoors in important imported software, and equipment software uses a large number of open source codes and third-party components/software that have not been fully tested for security, all links in the software supply chain can become attackers The entry point of the software supply chain is low, the return is high, and the detection is difficult. As a result, the number of network security incidents caused by the damage of the software supply chain continues to rise. The security risk of my country's equipment software supply chain has increased sharply, and the security situation it faces is abnormal. severe.
1.1 All links in the equipment software supply chain are at risk of cyber attacks
There are many roles and links involved in the security of equipment software supply chain, and the process chain is long. Taking equipment customization and development software as an example, in addition to the role of the equipment research unit as the main software supplier, there are many other third-party roles such as software developers and software suppliers (such as providing equipment simulation software) that are not controlled by the purchasing user. As a result, the potential attack surface is expanded, and each link of the software supply chain and its vulnerable points may become the entry point and target of the attacker, increasing the uncontrollable security risk of the equipment software, and burying security risks for the equipment software. It can be said that in addition to the security problems brought about by the original components and integrated components of the software supply chain to equipment software, security risks may be introduced in all links of the software life cycle such as software definition, software development, delivery and deployment, and operation and maintenance, resulting in There are security risks such as software vulnerabilities, software backdoors, malicious tampering, counterfeiting, intellectual property risks, supply interruptions, and information leakage, as shown in Figure 1.
Figure 1 Potential security risks in each link of the software life cycle
1.2 Western military powers threaten my country's equipment software security through technology monopoly
The U.S. and other military powers rely on their technological monopoly, and the government and enterprises collude to preset software backdoors, which seriously threatens my country's software security and greatly increases the cybersecurity risk of the equipment software supply chain. Although my country has vigorously promoted localization measures in the fields of national defense and military industry and achieved certain results, many high-end software and hardware equipment in the field of equipment research and development and production still rely on foreign imports, especially in the ICT field, a large number of foreign software and hardware (such as equipment simulation design software, etc.) products are used It is very easy to be buried in software backdoors, and it is very easy to introduce security risks into various equipment software designed by using unsafe simulation design software. It is difficult to control the security risks of equipment software from the source. From the security incidents that have been exposed successively in recent years (such as the "Prism Gate" incident), it can be found that the US government relies on its technology and market advantages in the IT field to strengthen cooperation with technology companies such as Cisco, Microsoft, Google, and Intel. Relevant software and hardware products developed and sold are pre-installed with backdoors to conduct all-round monitoring of China and other major countries (even their allies) and steal important political, economic, and military information in order to maintain their hegemony. For example, in the virtual private network (Virtual Private Network, VPN) tunnel communication and encryption modules of Cisco’s mainstream routers, hidden “backdoors” were discovered, allowing the U.S. government to easily obtain core sensitive data such as keys and Realize information monitoring; RSA Information Security Company of the United States has reached an agreement with the National Security Agency (NSA) to replace the double elliptic curve algorithm with the priority or default random number generation algorithm of its security software, and through the preset "back door", NSA can easily decipher all kinds of encrypted data; on February 23, 2022, Beijing Qi'an Pangu Laboratory disclosed a backdoor from the United States - "Operation Telescreen" (Bvp47), which was created by the NSA hacker organization "Equation" , can attack most Linux distributions, Solaris, SUN and other operating systems. After successful intrusion, it will be unimpeded in the network space, and can secretly control the network of the victim organization and obtain data easily.
1.3 The wide application of open source codes is very easy to introduce new equipment software supply chain security risks
Open source codes are open, flexible, and widely used. They play a very important role in software development. They have become an important link in the software supply chain and an indispensable part of the software ecosystem. According to the 2020 "Status of Open Source Vulnerability Management" released by WhiteSource, unless corporate policies prohibit the use, 96. 8% of developers rely on open source software; in addition, according to the analysis of Qi Anxin Code Security Lab, almost all of the surveyed domestic software projects use open source code, and some projects use up to 3,878 open source software , and the amount of open source software used in the project has greatly exceeded the knowledge of software project managers and programmers themselves. In order to improve development efficiency and reduce development costs, the proportion of open source software used in equipment software is increasing year by year. For example, basic software such as domestic operating systems and databases used in equipment and a large number of application software all use open source codes. However, there are numerous security holes in the open source code. According to statistics, by the end of 2020, the Common Vulnerabilities & Exposures (CVE), the National Vulnerability Database (NVD), the China National Vulnerability Database of Information Security (CNNVD) ), China National Vulnerability Database (CNVD) and other public vulnerability databases included a total of 41,342 open source software-related vulnerabilities, of which 5,366 new vulnerabilities were added in 2020, and the largest open source project with the largest historical vulnerability The total number of Linux Kernel vulnerabilities reached 4,139. Under the requirements of the localization of software products, my country has digested and absorbed open source codes including the open source Linux kernel, released related software products and vigorously promoted them, and has also been widely used in the field of weaponry and equipment manufacturing. However, due to various reasons, it is still difficult to find hidden security loopholes or "backdoors", and it is difficult to accurately assess the security risks of these important domestic software, and the security loopholes in open source software will also continue to equipment software, seriously The safe use of threat equipment and its operational suitability.
In addition, cyberattacks against open source software have continued to rise in recent years. According to Sonatype survey, software supply chain attacks triggered by infiltrating open source code and implanting backdoors into software products have increased by nearly 430% compared with the previous year [17]. Once the open source code used in the equipment software has a security loophole, it is easy to be exploited by criminals, which will inevitably cause serious consequences for the use of the equipment.
1.4 Insufficient equipment software supply chain control and safety evaluation capabilities lead to greater safety management risks
The "Stuxnet" virus attack on Iran's nuclear facilities shows that networks and systems that are physically isolated from the Internet are not absolutely safe. Similarly, weapons and equipment networks also have similar problems. In addition to launching attacks from the inside, attackers can also attack through software. Supply chain activities penetrate the equipment network, such as software update/upgrade services, equipment software maintenance services and other activities. Hackers often use the trust mechanism established by all parties in the software supply chain to launch attacks, such as the trust relationship between users and software product providers, and the communication links between devices that are trusted by users. Once a link in the software supply chain (such as software update or maintenance) is compromised, hackers can easily attack all downstream users in this link.
Due to the high requirements on the stability and security of the equipment software, and there are few full-time network security personnel involved in the operation and use of the equipment, it is easy to introduce security risks during use and operation and maintenance. It is very necessary to conduct effective network security testing and to effectively manage and control the security risks of the equipment software supply chain. Unfortunately, most equipment purchasers (or demanders) and suppliers (such as equipment research units, suppliers, etc.) have not effectively managed and controlled the equipment software supply chain.
First, military standards for the security of the equipment software supply chain have not yet been established, and the security management and control system is not perfect. my country has successively promulgated regulations and standards such as the "Network Security Law of the People's Republic of China", "Network Security Review Measures", GB/T 36637-2018 "Information Security Technology ICT Supply Chain Security Risk Management Guidelines", and are strongly related to software supply chain security. The standard "Information Security Technology Software Supply Chain Security Requirements" will also be officially released. These standards provide effective guidance for software supply chain security management. Military regulations and standards related to network security control and risk management of the equipment software supply chain have not yet been established, software supply chain network security evaluation specifications are lacking, and a security evaluation system has not yet been formed. The management system and supervision of the software supply chain of equipment purchasers and research units The mechanism is not complete, and the continuity and durability of security control (extending from the equipment purchaser to the research unit and beyond) is not enough. In particular, there is a lack of security control measures for important links such as software delivery and updates.
The second is that the equipment software has not been fully tested for network security before delivery, and the network security of equipment is unclear. Although the competent authority for testing has made requirements for equipment network security testing, it is still in its infancy, and there is still a lack of clear requirements for software supply chain security testing. Due to the lack of standardized software supply chain security assessment methods, equipment software is usually only tested for software before delivery, and network security assessments are not carried out, let alone security assessments for its supply chain. It is difficult to detect and eliminate potential security risks in the software as soon as possible. . While requiring the localization of equipment software, insufficient attention has been paid to the security control of open source codes, resulting in random use of open source codes without security assessment. In addition, due to insufficient software security evaluation capabilities of equipment research and development units, especially in malicious code detection, vulnerability mining analysis, protocol reverse engineering and other technical capabilities, it is difficult to conduct strict security tests on open source codes in equipment software.
Third, the security review of foreign software is not strict. Although my country has promulgated the "Measures for Security Review of Network Products and Services (Trial)", focusing on reviewing supply chain security risks in the process of software product development, testing, delivery, and technical support, the review of network security in key areas such as ICT is still in its infancy stage, and rarely involve foreign software products such as simulation design software and program development tools purchased by our military and their derivatives. The supporting standards for network security review and evaluation of foreign software supply chains need to be further improved.
2 Network Security Countermeasures of Equipment Software Supply Chain
Establishing and improving the safety standard system, safety supervision system, safety evaluation system and safety technology system of the equipment software supply chain is an effective measure to deal with network security risks in the equipment software supply chain.
2.1 Improve the network security standard system of the equipment software supply chain and strengthen software security risk management
The first is to speed up the formulation of military standards and specifications for the security management of the equipment software supply chain. Make full use of "Information Security Technology Software Supply Chain Security Requirements (Draft for Comments)", GB/T36637-2018 "Information Security Technology ICT Supply Chain Security Risk Management Guidelines", "Information Technology Product Supply Chain Security Requirements (Consultation Draft)", National and industry-related supply chain security standards such as the industry standard "Network Product Supply Chain Security Requirements", as well as relevant information security standards involving software supply chain security content, formulate equipment software supply chain security management, risk management and other standards, and standardize equipment software supply Chain organizational management (such as organization management, system management, personnel management, supplier management, intellectual property management, etc.) Each role in the supply chain, such as equipment software purchasers, research units, suppliers, and service providers, formulates security management systems and measures for the software supply chain at the same level to ensure that all links in the equipment software supply chain are safe and controllable.
The second is to establish standards and specifications for network security evaluation of equipment and software supply chains. On the basis of relevant information security evaluation standards, combined with the reality of equipment software network security, supplement and improve the equipment software supply chain security evaluation requirements and evaluation methods, and formulate corresponding software supply chain security evaluation standards and evaluation methods for different business fields and different supply chain activities. Evaluation method. Cooperate with the National Network Security Review Law and other laws and regulations to form a "combination of general and specialized" equipment software supply chain network security evaluation standard system to provide support for equipment software security evaluation.
The third is to improve the equipment safety management laws and regulations, and implement the software supply chain network security risk management. The network security of the equipment software supply chain is closely related to the personnel, tools, environment and other factors in each link, and the network security risk may be introduced by any factor in each link. Therefore, it is necessary to learn from relevant risk management standards such as GB/T 36637-2018 "Information Security Technology ICT Supply Chain Security Risk Management Guidelines", ISO 28000 "Supply Chain Security Management System" and ISO/IEC 27005 "Information Security Technology Risk Management", Formulate equipment software supply chain security management systems to supervise and control network security risks in the process of equipment procurement, development, testing, delivery, deployment, operation, and maintenance. At the same time, implement risk management for equipment and its software and hardware products, find out the security threats and vulnerabilities faced in the equipment software supply chain, and take effective countermeasures to minimize the security risks of the equipment software supply chain and make the risks controllable.
2.2 Establish a network security supervision system for the equipment software supply chain, and implement all-round software security management and control
The first is to establish a safety supervision system and mechanism for the equipment software supply chain to supervise all parties. In the process of equipment development or procurement, equipment purchasers need to conduct full research, review and supervision of equipment research units, suppliers and other related suppliers. In terms of qualification requirements, the equipment researcher should have security and confidentiality qualifications, etc. For suppliers in the software supply chain, they need to provide enterprise-level qualifications to prove their software security development capabilities, and require them to be involved in the process management and quality management of software security development. , configuration management, personnel capabilities and other aspects to prove its ability to integrate security into the whole process of software development. In terms of quality management and safety development standards and specifications, research units, participating units or suppliers are required to provide quality management system certification certificates. For suppliers in the software supply chain, it is necessary to review their internal software safety development standards and specifications. Different application scenarios, different architecture designs, and different development languages for developing software are constrained and referenced. In addition, establish a black and white list for equipment procurement and implement a reward and punishment mechanism. For suppliers or software and hardware products with good reputation, few network security problems, and fast after-sales service response, whitelist them; for suppliers or software and hardware products with poor reputation, many network security problems, and slow after-sales service response, white list them blacklisted. Regularly update the blacklist and whitelist, and publish the blacklist and whitelist to the whole organization.
The second is to implement the main responsibilities of all parties in the equipment and software supply chain. According to the actual situation of equipment software development or procurement, determine the supply chain process of software product development, procurement, and use, analyze the network security risk activities in each link and restrict them, and strictly require equipment software research units, suppliers and service providers Strengthen its own security development, integration, operation and maintenance capabilities, and implement the main responsibility for supply chain security. For equipment software purchasers, network security personnel should be included in the procurement team, participate in the entire process of equipment procurement review, and be responsible for equipment software network security. Network security personnel should be familiar with relevant standards and specifications such as equipment software supply chain security requirements. When purchasing equipment software, they need to fully understand all supplier/developer information, product information (version, license, update/upgrade methods, etc.), maintenance Unit and personnel information, as well as other information related to network security, establish equipment software supply chain network security files, provide technical support for equipment software security risk management, and provide support for software supply chain security evaluation in equipment acceptance testing.
2.3 Establish a network security assessment system for the equipment software supply chain, and strengthen the capacity building of software security assessment
The first is to build a security assessment mechanism for the entire process equipment software supply chain. Establish a full-process software supply chain security assessment mechanism that integrates regulations, policies, management and technology, covering software life cycle links such as software definition, design and development, delivery deployment, operation and maintenance, and open source software used in equipment software Code and other original components and integrated components are tested and evaluated to comprehensively assess the security risks of all links in the equipment software supply chain. Continuously improve the equipment software security assessment system, strengthen the research on software supply chain security assessment technology and the development of related security assessment tools, form a systematic and standardized software supply chain security solution, and continuously promote the implementation of equipment software supply chain security assessment work.
The second is to strengthen the capacity building of equipment software supply chain security assessment. Adopt the method of "military-civilian integration, geographical distribution, and logical integration" to carry out the construction of equipment software safety evaluation conditions, and form an equipment software safety evaluation capability system. Build software security evaluation environments in third-party testing institutions and equipment development units, and carry out equipment software supply chain security evaluation work. Military testing institutions can use the capabilities of local superior security assessment and security review institutions to provide security assessment and security review services for the equipment software supply chain. In terms of open source code security assessment, actively promote security assessment institutions and security companies to carry out open source code security testing services, and require open source code used in equipment software to pass security assessment in order to effectively manage and control equipment software security risks.
The third is to actively carry out software supply chain security evaluation while promoting equipment network security testing. In order to avoid and eliminate security loopholes in equipment software, reduce security risks as much as possible, and ensure equipment software supply chain network security, it is necessary to carry out comprehensive supply chain security assessments in software security assessment activities, and strive to eliminate security risks before equipment delivery. Minimize, and continue to carry out network security testing activities in all aspects of the equipment software life cycle. In the software development process, the software security development life cycle process method is adopted, and security testing is carried out using security development tools based on static application security testing, interactive application security testing and fuzz testing technologies. In terms of software use, operation and maintenance, etc., implement security risk management activities in accordance with information security-related standards and specifications. For third-party components and open source codes used in equipment software, it is necessary to fully verify and test their network security, and take necessary technical and management measures to ensure the security of the third-party components and open source codes used.
2.4 Improve the network security technology system of the equipment and software supply chain, and strengthen the construction of software security protection capabilities
While strengthening the capacity building of equipment software supply chain standards, management and control, and evaluation systems, it is also necessary to prevent supply chain security risks from the technical level. In particular, it is necessary to pay attention to basic capabilities such as equipment software supply chain security management knowledge graphs, and the depth security of the entire software supply chain. Capacity building in defense capabilities, security audits, and emergency response capabilities.
The first is to establish a knowledge base for equipment safety management and build a knowledge map of equipment software supply chain safety. Establish a basic library for equipment management, extensively collect asset information related to network security such as software, hardware, database, middleware, components/firmware, controllers, and data buses in equipment, as well as various software development, operation, and compilation environment information. Establish an equipment supply chain management library to collect information in each link of the supply chain such as equipment software and its components, development tools, and design software, such as developers, participants, third-party component/software suppliers, service providers, and open source codes used etc., requiring equipment and its hardware and software supply chain information to be traceable. Establish a network security vulnerability database for equipment, and collect security vulnerabilities from CVE, NVD, CNNVD and other vulnerability sources. Establish an equipment threat intelligence library to help security personnel clarify the security status of the company's important assets, and carry out related vulnerability repair and risk management according to the importance and impact of the company's own assets. Based on various equipment security management databases, using knowledge graph technology to build a network security knowledge graph of equipment software supply chain, it can enable security managers to understand potential loopholes or defects in the software supply chain in advance, accurately assess their security risks, and take timely actions. Effective security measures avoid or reduce security risks, so as to control the overall security situation of the equipment software supply chain from a global perspective.
The second is to fully use network security technologies and means, establish a defense-in-depth system, and improve the network security defense capabilities of the equipment and software supply chain. Every link of the equipment software supply chain may become a potential attack surface, so it is necessary to conduct a comprehensive analysis of the key assets, existing security vulnerabilities, and security threats faced by each link of the software supply chain, and adopt targeted network security technical means to defend , Detect and respond to supply chain attacks. In the software development process, use technologies such as software security evaluation, vulnerability scanning, vulnerability mining, penetration testing, and malicious code identification for open source codes and third-party software used in the project to discover possible security vulnerabilities or malicious software, and Develop corresponding patches for security hardening or removal of malicious codes. In the delivery and update process, technologies such as network hijacking detection and security prevention, encryption verification, etc. can be used to prevent hijacking in the delivery and update process. In the process of software deployment, use and operation, the zero-trust architecture and endogenous security thinking can be used to design the security protection system for the equipment system, and technologies such as security situation awareness, access control, trusted passwords, and mimic defense can be used for active defense.
The third is to attach importance to safety audit and emergency response capacity building. Network security audit helps system administrators to discover network system intrusion or potential system loopholes and hidden dangers in time, and plays a very important role in system network security. The "Solar Wind" attack was discovered by FireEye auditors when reviewing its internal security logs, and finally revealed the whole picture of the entire ransomware incident. On the one hand, it is necessary to strengthen safety audit and emergency response technology research and system construction, put forward safety audit and emergency response capability requirements for each link of the equipment software supply chain, deploy a safety audit system, and form a full-chain integrated safety audit and emergency response linkage system. On the other hand, it is necessary to pay attention to the construction of security audit and emergency response personnel, strengthen the training and introduction of network security personnel, and improve the business capabilities of various network security personnel such as security audit, reverse engineering, and vulnerability mining and analysis.
3 Conclusion
With the improvement of equipment informatization, digitalization, and intelligence, its combat capability is increasingly dependent on the realization of its functions by software, and the network security of equipment systems depends to a large extent on the security of software used in the system , software supply chain security is an important part of software security. In order to ensure the network security of the equipment software supply chain, a security standard system, a security supervision system, a security evaluation system, and a security technology system that are compatible with the development of our military's equipment software supply chain should be established as soon as possible. important work.
Citation format : Guo Ronghua, Xu Shiping, Liu Zhe, et al. Network Security Risk Analysis and Countermeasures of Equipment Software Supply Chain [J]. Information Security and Communication Confidentiality, 2023(3):103-112.
About the author >>>
Guo Ronghua , male, doctor, senior engineer, the main research direction is information security and software engineering;
Xu Shiping , male, master, engineer, the main research direction is information security;
Liu Zhe , male, master, engineer, the main research direction is information security;
Wang Peng , male, bachelor, engineer, the main research direction is information security and vulnerability mining;
Zhao Yaxin , male, master, engineer, main research direction is information security and vulnerability mining.
Selected from "Information Security and Communication Confidentiality" Issue 3, 2023 (for the convenience of typesetting, the references in the original text have been omitted)