One in five businesses have been impacted by attacks on hardware supply chains

HP has released the findings of a global survey highlighting the growing danger from threat actors targeting physical device supply chains. The study of 800 IT and security decision-makers (ITSDMs) responsible for device security highlights the need for businesses to focus on device hardware and firmware integrity, with attacks on hardware supply chains and device tampering expected to increase.

  • Monday, 5th August 2024 Posted 3 months ago in by Phil Alsop

Key findings include:

Almost one-in-five (19%) organizations surveyed say they have been impacted by nation-state threat actors targeting physical PC, laptop or printer supply chains. In the US, this figure rises to 29%.

Over a third (35%) of organizations surveyed believe that they or others they know have already been impacted by nation-state threat actors targeting supply chains to try and insert malicious hardware or firmware into devices.

Overall, 91% believe nation-state threat actors will target physical PC, laptop or printer supply chains to insert malware or malicious components into hardware and/or firmware.

Almost two-thirds (63%) believe the next major nation-state attack will involve poisoning hardware supply chains to sneak in malware.

“System security relies on strong supply chain security, starting with the assurance that devices are built with the intended components and haven’t been tampered with in the factory or during transit. If an attacker compromises a device at the firmware or hardware layer, they’ll gain unparalleled visibility and control over everything that happens on that machine. Just imagine what that could look like if it happens to the CEO’s laptop,” comments Alex Holland, Principal Threat Researcher in the HP Security Lab.

Holland continues, “Such attacks are incredibly hard to detect, as most security tools sit within the operating system. Moreover, attacks that successfully establish a foothold below the OS are very difficult to remove and remediate, adding to the challenge for IT security teams.”

Considering the scale of the challenge, it’s unsurprising that 78% of ITSDMs say their attention to software and hardware supply chain security will grow as attackers try to infect devices in the factory or transit.

Organizations are concerned that they are blind and unequipped to mitigate device supply chain threats like tampering. Over half (51%) of ITSDMs cannot verify if PCs, laptops or printer hardware and firmware have been tampered with while in the factory or in transit. A further 77% say they need a way to verify hardware integrity to mitigate the risk of device tampering.

“In today’s threat landscape, managing security across a distributed hybrid workplace environment must start with the assurance that devices haven’t been tampered with at the lower level. This is why HP is focused on delivering PCs and printers with industry-leading hardware and firmware security foundations designed for resilience, to allow organizations to manage, monitor and remediate device hardware and firmware security throughout the lifetime of devices, across the fleet,” comments Boris Balacheff, Chief Technologist for Security Research and Innovation, HP Inc. Security Lab.

In recognition of these risks, HP Wolf Security is advising customers to take the following steps to help proactively manage device hardware and firmware security, right from the factory:

Adopt Platform Certificate technology, designed to enable verification of hardware and firmware integrity upon device delivery.

Securely manage firmware configuration of your devices, using technology like HP Sure Admin (for PCs), HP Security Manager (for Printers), or HP Security Manager (Support). These enable administrators to manage firmware remotely using public-key cryptography, eliminating the use of less secure password-based methods.

Take advantage of vendor factory services to enable hardware and firmware security configurations right from the factory, such as HP Tamper Lock, Sure Admin, or Sure Recover technologies.

Monitor ongoing compliance of device hardware and firmware configuration across your fleet of devices.

The promise of AI is on every biopharma’s radar, but the reality today is that much of the industry is grappling with how to convert the hype into...
IT teams urged to resolve ‘data delays’ as UK executives struggle to access and use relevant business data.

‘Playtime is over’ for GenAI

Posted 5 days ago by Phil Alsop
NTT DATA research shows organizations shifting from experiments to investments that drive performance.

GenAI not production-ready?

Posted 5 days ago by Phil Alsop
Architectural challenges are holding UK organisations back - with just 24% citing having sufficient governance to implement GenAI.

AI tops decision-makers' priorities

Posted 5 days ago by Phil Alsop
Skillsoft has released its 2024 IT Skills and Salary Report. Based on insights from more than 5,100 global IT decision-makers and professionals, the...

The state of cloud ransomware in 2024

Posted 5 days ago by Phil Alsop
Ransom attacks in the cloud are a perennially popular topic of discussion in the cloud security realm.
Talent and training partner, mthree, which supports major global tech, banking, and business clients to build job-ready teams, has revealed the...

AI innovation is powering the Net Zero transition

Posted 5 days ago by Phil Alsop
Whilst overall AI patent filings have slowed, green AI patent publications grew 35% in 2023.