The CommScope PKI Center for End-to-End Supply Chain Security

Tat Chan March 17, 2021

The supply chain is one of the most overlooked cybersecurity threat areas for service providers. But this blind spot is a fast-growing concern with potentially devastating consequences. In 2020 alone, supply chain cyberattacks increased by 78%. As recently as December 2020, a group of suspected nation-state threat attackers compromised the supply chain of SolarWinds’ software development process, inserting the SUNBURST malware into Orion products, allowing unauthorized access to networks across a wide range of government and private sectors. Supply chain security solutions lacked the sophistication and scope to address threats like this along every layer and link in the chain—until now.

CommScope’s Public Key Infrastructure (PKI) services group offers a comprehensive supply chain security framework, alongside a dedicated product and information security team with decades of end-to-end expertise in the field. Together, they offer the visibility and resources to eliminate cyber threats and create a device identity provisioning system to ensure a trusted supply chain.

Weak Links in the Chain

The supply chain is a natural target to exploit because it encompasses so many different activities, people, entities, information, and resources. The more links, the more opportunities for cyberattacks.

Within the last year, we’ve witnessed the SolarWinds software development attack, multiple APT41 (Double Dragon) attacks to steal credentials and insert malware into manufactured products, and even a ransomware attack on Foxconn’s Mexican facilities—involving stolen unencrypted files, compromised encrypted servers, and deleted backup data.

In short, an improperly secured supply chain is a weak point where software and other digital information, such as a device identity, can be compromised, replaced, or duplicated for the purpose of committing fraud, compromising user privacy, or in some cases even compromising national security.

Securing Certificates and Credentials

Many consumer electronics products—including cellphones, tablets, cable modems, routers, IoT devices, and digital entertainment devices—come with pre-installed digital certificates used to protect private user information as well as content and service provider information in digital transactions. Compromise of these certificates—even after the product is deployed—constitutes a compromise of the supply chain.

In particular, large-scale exploitation of digital certificates can occur during the production process. And with thoroughly globalized supply chains, manufacturers are exposed to attacks originating anywhere along that chain. Traditional factory environments are by nature less tightly controlled and may not sufficiently protect cryptographic material.

Additionally, security procedures within a manufacturing process are susceptible to attack. A common example is the copying and backing up of data and code. Whether intentional or unintentional, this can result in duplication of unique digital identities—a very serious security violation. Credential delivery systems must ensure that security credentials are not vulnerable to network attacks and are not installed into multiple devices or applications.

Managing device certificates and credentials is a critical element of supply chain security.
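As an added illustration of the duplicated-identity problem described above (this is example code, not CommScope's system), the following audit reads constructed provisioning records and flags any device certificate that was installed into more than one distinct device, while treating a re-install into the same device (for example at a repair center) as legitimate. The log format, station names, serials and fingerprints are all assumed.

```python
# Added example, not CommScope code: audit provisioning records for cloned
# device credentials (one certificate installed into several devices).
import csv
import io
from collections import defaultdict

# Constructed sample records; fingerprints are shortened, made-up hex values.
# Columns: timestamp, test station, device serial, installed cert fingerprint.
PROVISIONING_LOG = """\
timestamp,station,device_serial,cert_fingerprint
2021-03-01T08:00:01Z,LINE1-TS03,SN0001,3f2a9c01
2021-03-01T08:00:07Z,LINE1-TS03,SN0002,9b17e4d2
2021-03-01T08:00:13Z,LINE1-TS04,SN0003,3f2a9c01
2021-03-01T09:15:42Z,REPAIR-07,SN0002,9b17e4d2
2021-03-01T09:16:10Z,REPAIR-07,SN0004,c0de55aa
"""


def find_cloned_credentials(log_text):
    """Return {fingerprint: sorted (device_serial, station) pairs} for every
    certificate that ended up in more than one distinct device.

    The same certificate re-installed into the same device (SN0002 above,
    first on the line and later at a repair station) is not a clone and is
    therefore not reported; two different serials sharing one certificate
    (SN0001 and SN0003) is the violation the text describes.
    """
    installs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        installs[row["cert_fingerprint"]].add((row["device_serial"], row["station"]))
    cloned = {}
    for fingerprint, pairs in installs.items():
        distinct_devices = {serial for serial, _ in pairs}
        if len(distinct_devices) > 1:
            cloned[fingerprint] = sorted(pairs)
    return cloned


if __name__ == "__main__":
    for fingerprint, where in find_cloned_credentials(PROVISIONING_LOG).items():
        print(f"cloned credential {fingerprint}: installed at {where}")
```

The report points at both the devices and the stations involved, which is what an investigation of a factory line or repair center would need first.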

Secure Provisioning

In order to securely manage digital certificates and credentials, supply-chain provisioning architectures must be comprehensive—involving multiple layers of encryption and integrity checks to ensure that the overall supply chain stays secure even when a specific network node or encryption layer is compromised.

The CommScope product and information security team has unique experience in this domain, with three decades of end-to-end cryptographic identity provisioning experience in the field. Our supply-chain security framework includes extensive use of hardware security modules, cryptographic tokens, multiple layers of encryption, and end-to-end anti-cloning measures that extend to the entire global infrastructure.

CommScope PKI System Architecture

The CommScope PKI system architecture for secure provisioning of digital identities to a single factory line is illustrated below:

The primary components of this system include:

  • Key-generation facility incorporating multiple physical and procedural security measures
  • Factory equipment with PKI servers (key servers with hardware security)
  • SDK integrated into the software/firmware of the devices being manufactured

This system includes secure network interfaces protected with TLS and a VPN (IPsec). We apply multiple layers of security as part of a defense-in-depth strategy, to ensure a failsafe in the event that one of the layers should fail. This includes anti-cloning measures at every link of the chain—from the time that device credentials are generated or acquired to the time they are installed into a target device. Moreover, the system is scalable to millions of transactions per day and flexible enough that new types of digital identities can be supported in a short period of time.

SDK Security Measures

CommScope delivers the SDK to supply-chain engineering teams along with USB crypto tokens that secure a factory test station. In some environments, this SDK and token may be susceptible to misuse to install digital credentials into unauthorized products. This is a concern especially with third-party repair facilities and service centers, where device manufacturers have much less visibility and control.

To protect against these threats, we’ve introduced fingerprinting of the test stations and associated management infrastructure. The fingerprinting ensures that the SDK and the crypto token are only usable with the test stations approved by the device vendor.

Managed Security Services

Proper secure credential lifecycle management requires a team of security experts and highly skilled IT professionals to handle all aspects of identity management. Managed security services, such as those offered by CommScope PKI Center, offload the responsibility of protecting entire identity management systems from OEMs/ODMs and manufacturers. This includes all hardware equipment setup (e.g. VPN, firewalls) and software deployment needed to support development, factories, and repair/service centers. Our services cover configuration, hardening, patch management, monitoring, and reporting. And we offer support for global deployments including the logistics of dealing with import/export control in different countries. We also provide a complete solution for factory relocation and decommissioning. Finally, we offer business continuity in the case of a disaster, with relevant recovery facilities and planning.

Software Integrity Protection

Finally, trusted supply chains demand an equally robust and secure code signing solution for ensuring the authenticity of software throughout the chain. CommScope’s solution is the PRiSM (Permission Rights Signing Management) system, featuring:

  • Protection of all software encryption and signing keys in hardware, to prevent their leakage and compromise
  • Support for multiple digital signatures and encryption algorithms, as well as multiple GUI-based and automated interfaces covering secure boot, platform, and applications
  • A flexible authorization system allowing a project manager to authorize individual developers for digital signing of specific applications for specific products
  • Support for cryptographically-protected debug access tokens for individual devices, avoiding the need for undocumented back doors in your software
  • Reporting and traceability capability that covers all signing transactions with PRiSM
  • Options for customized signing (e.g. to use chip-specific formats)

CommScope PKI Center

With the right technology, managed services, and a team of experienced security experts, service providers can ensure that their supply chains do not become cybersecurity liabilities.

To learn more about the CommScope PKI Center and its supply chain security and services, please contact PKI.Center@commscope.com.

About the Author

Tat Chan

Distinguished Systems Engineer

Dr. Tat Chan is a distinguished systems engineer at the CommScope PKI Center. Dr. Chan has been focusing on system security in the telecommunication industry for more than 20 years and is an inventor on more than 30 issued security-related patents. His expertise covers secure credential provisioning, certificate authority and PKI operations, secure boot and code signing, feature licensing, and general security analysis for system-on-chips, embedded devices, and communication servers.