Threats to supply chains have evolved. As a manufacturer with a widespread supply chain network across Asia Pacific, Lenovo finds itself in the middle of security transformation.

Thanks to increasingly widespread digitalization and rapid innovation, supply chains in Asia are more efficient than ever, witnessing great improvements in sustainability and transparency, and building capacity in developing markets.

However, these increasing interconnections – especially across borders – also increase potential risks.

How can businesses and governments continue to reap the benefits of digitalized supply chains, while ensuring they stay secure, transparent and compliant – particularly amidst today’s diverse manufacturing and logistics systems and ever-evolving regulatory landscape?

Thorsten Stremlau, Chief Technology Officer, Lenovo, sheds some light on the matter in this interview with CybersecAsia.

What are the new and often-overlooked cyber risks impacting supply chains in the region?

Threats to supply chains have evolved. A decade ago, supply chains primarily faced risks from supplier failures, commodity price volatility or component shortages. Today, supply chain vulnerabilities transcend both hardware and software.

One of the main risks is the modification of software while devices are in transit. As more software components are outsourced, there are more opportunities for third-party tampering and the likelihood of malware or coding vulnerabilities being inserted.

At Lenovo, for example, we go the extra mile to deliver cleaner PCs and improve security by making devices that only include the necessary operating systems, applications and security software.

Furthermore, our top-notch security protocols mean we are constantly testing and improving software at every stage to keep up with the latest threats, and anticipate them even before they develop into an attack.

How major is the threat of compromised supply chains, and what are some examples of the real danger?

Currently, the threat level is still moderate – but it is on the rise, and it is an area businesses need to watch. In fact, supply chain attacks have increased more than 78% in 2018, mostly via vulnerabilities introduced through counterfeit parts or hacked UEFI or BMC code.

The rapidly growing global PC market is incredibly lucrative for counterfeiters. We are witnessing an expanding grey market, and the sale of non-genuine goods raises the likelihood of system components being swapped out for inferior quality or counterfeit parts, bringing risks to both organisations and end-users.  

Compromised hardware not only puts businesses at risk of financial loss, with a dip in efficiency and productivity as well as increased lifecycle management cost, but it also puts end-users at risk of physical harm such as exploding batteries or devices catching on fire.

As manufacturers, it is our responsibility to actively take steps to prevent devices from reaching a mission critical stage. We’re here to add value to our customers’ lives, not cause turmoil.

This is why we put emphasis on ensuring the suppliers we partner with follow industry-standard security practices for all active components used in our products. Apart from conducting security education, as part of our Trusted Supplier Programme, suppliers are required to undergo quarterly compliance and security assessments.

What can businesses do to stay ahead of such dangerous breaches, while complying with privacy laws such as GDPR?

As the device passes through each stage of its lifecycle, it is handled by various suppliers and third-party vendors for modification of software or updates to hardware components. As the supply chain becomes increasingly more connected, so does the exposure to potential cyberattacks – even the smallest loophole will allow for cybercriminals to infiltrate servers and devices, and access valuable data.

Cyber threats are a material risk to businesses, and it can take years to recover from a data breach. Globally, the average cost of a data breach in 2019 was US$4.0 million. As cybercriminals become more sophisticated, so must we as manufacturers.

Security is at the heart of everything we do here at Lenovo. We recommend taking a “Security by Design” approach, where we develop products integrated with firmware management systems. For an added layer of protection, production codes are vetted, stored and safeguarded in our vault to prevent hardware from being modified, unless the code is retrieved from the vault. Staying one step ahead of cybercriminals, we’ve applied advanced technology like AI and big data into our supply chain processes to improve predictability of security flaws and efficiency in mitigating them.

Another example of “Security by Design” is the integration of authentication tools such as built-in webcam covers, a biometric fingerprint sensor and Wi-Fi security that prompts when malicious Wi-Fi networks are accessed.

What does end-to-end supply chain security entail in today’s digital world, and what are the key factors to consider when implementing security solutions for the supply chain?

Building a resilient supply chain requires end-to-end security that is implemented at every stage throughout the full device lifecycle, from development to production and end-of-life.

As an example, this is what Lenovo’s end-to-end supply chain security looks like:

  • At the planning and development stage, intentionally design with security in mind
  • With our Trusted Supplier Program, Lenovo suppliers are screened to ensure they meet the high standards for security
  • Ensure secure packaging by incorporating the use of tamper-evident packaging
  • Make sure devices are disposed of in the proper way so data cannot be retrieved from old equipment

With large amounts of data passed around and various third-party vendors involved, a supply chain can only be secure if it is transparent.

To mitigate the risks of counterfeit parts and injection of malware or data breaches, it is essential to ensure traceability at a component and system level. This will not only provide assurance but guarantee the authenticity of components and systems. Only then will manufacturers be enabled to identify dubious components and verify quality systems.