The Australian Cyber Security Centre has inserted new controls into the information security manual (ISM) that demand checks on the “integrity” and “authenticity” of IT purchases, months after US agencies were found to have bought and installed counterfeit networking gear.
An update to the ISM on Thursday last week introduced three new controls, numbered ISM-1790, ISM-1791 and ISM-1792.
The controls ask the buyers of IT - “applications, ICT equipment and services” - to verify the integrity of what they’ve bought “as part of acceptance of products and services”, and then to maintain integrity.
They also seek action to determine the “authenticity” of products and services at acceptance.
The ISM offers some guidance on the type of checks that could be used to comply with the controls.
“Applications may benefit from delivery via encrypted communication channels while ICT equipment may benefit from tracking and tamper-evident packaging,” it advises.
“In doing so, such measures are only beneficial if they are assessed as part of acceptance of products and services.
“In all cases, suppliers should be consulted on how best to confirm the integrity of their products and services.”
The ISM adds that while integrity is important, “so is ensuring … authenticity.”
“For example, a counterfeit product or service securely delivered is still a counterfeit product or service that may not operate as intended or pose a risk to the security of a system,” the ISM states.
“To assist in identifying counterfeit products and services, suppliers should be consulted on how best to confirm the authenticity of their products and services.”
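The distinction the ISM draws above, that integrity and authenticity are separate checks and that a securely delivered counterfeit still fails acceptance, can be shown in code. The following is an added example and not part of the ISM or the article; it assumes a supplier ships a manifest carrying the artifact's SHA-256 and authenticates that manifest with a key shared out of band (an HMAC stands in for the supplier's signature, and all keys and artifacts are constructed).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Supplier verification key, shared out of band. Constructed for this
# example: a real supplier would publish an asymmetric signing key and the
# manifest signature would be checked against it rather than an HMAC.
SUPPLIER_KEY = b"constructed-supplier-key"

@dataclass
class Delivery:
    artifact: bytes          # the application image as received
    manifest_digest: str     # SHA-256 the accompanying manifest claims
    manifest_tag: str        # hex tag authenticating the manifest

def sign_manifest(digest: str, key: bytes) -> str:
    """Supplier side: authenticate the manifest digest with the supplier key."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def check_integrity(d: Delivery) -> bool:
    """Integrity: does what arrived match what the manifest says was shipped?"""
    actual = hashlib.sha256(d.artifact).hexdigest()
    return hmac.compare_digest(actual, d.manifest_digest)

def check_authenticity(d: Delivery, key: bytes) -> bool:
    """Authenticity: was the manifest issued by the genuine supplier?"""
    expected = sign_manifest(d.manifest_digest, key)
    return hmac.compare_digest(expected, d.manifest_tag)

def acceptance_result(d: Delivery, key: bytes = SUPPLIER_KEY) -> str:
    """Acceptance decision: both checks must pass, and each failure is named."""
    if not check_integrity(d):
        return "reject: integrity failure (artifact differs from manifest)"
    if not check_authenticity(d, key):
        return "reject: authenticity failure (manifest not from supplier)"
    return "accept"

def genuine_delivery(artifact: bytes) -> Delivery:
    digest = hashlib.sha256(artifact).hexdigest()
    return Delivery(artifact, digest, sign_manifest(digest, SUPPLIER_KEY))

def delivery_from_unknown_supplier(artifact: bytes) -> Delivery:
    """A self-consistent manifest authenticated with some other party's key:
    integrity passes, authenticity does not."""
    digest = hashlib.sha256(artifact).hexdigest()
    return Delivery(artifact, digest, sign_manifest(digest, b"constructed-other-key"))

if __name__ == "__main__":
    print(acceptance_result(genuine_delivery(b"constructed firmware image v1.0")))
    print(acceptance_result(delivery_from_unknown_supplier(b"constructed lookalike")))
```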
The new controls and guidance come just months after a major Cisco counterfeiting operation was dismantled, albeit not before raking in an alleged US$100 million in revenue and catching out US hospitals, government agencies, schools and military that purchased dud switches and routers.
Buyers allegedly experienced equipment failure, as well as performance, functionality and safety issues.
The counterfeit boxes were built from substandard components and ran pirated software, according to investigators.
An ACSC spokesperson would not be drawn on the timing of the controls being added to the ISM.
The spokesperson told iTnews that the new controls "provide additional clarity to organisations to help them more easily exercise due diligence with their procurements of products."
"Ultimately, effective cyber supply chain risk management is based upon trusted partnerships between suppliers, manufacturers, distributors, retailers and their customers," the spokesperson said.
"Organisations should seek to establish cyber security expectations with their suppliers, including software vendors. These expectations should be clearly documented in contracts or memorandum of understandings to ensure vendors are appropriately managing their own security posture, including their cyber supply chain risks.
"Organisations should understand what mechanisms vendors have to ensure the integrity and authenticity of the products that they are receiving following purchase."
The spokesperson encouraged agencies "to speak to vendors if they have concerns about the legitimacy of procured products or software.
"Many vendors can provide customers with helpful information to support clients to avoid counterfeit products," they said.
ISM controls are formulated by the ACSC “to provide efficient and effective mitigations” to key security risks, according to ISM explanatory notes.
It is up to IT and security executives to identify the risks that pertain to their environment and then to select and tailor controls for their respective use cases.