Monday, January 25, 2021

On Software Supply Chains

by King Ables

The attack on the SolarWinds network management platform Orion allowed a bad actor to inject malware into the product before it was signed and deployed to customers during a regular software update. This highlights a largely underappreciated but universal truth of the Internet age: almost all businesses depend on a software supply chain they do not control. This attack affected many IT infrastructures across all industries.


Here at atsec, we do not use any of the tools involved, so we have no concerns about this attack related to our local network, our data, or the data we maintain for our customers. However, a number of other companies, like health insurance providers, possess some of our data in order to provide their services. We have asked all of our suppliers to provide what they can about their own assessment of whether they could have been affected and if any of our data might have been compromised.

We received quite the variety of responses.

Not everyone has a definitive answer yet. This is understandable as long as they are actively investigating. This is an evolving issue and even an initial assessment may change over time as new information is discovered.

Some responses were simply unhelpful, like a link to a web page describing the vendor's standard privacy and security policies. The page contained no information regarding this specific attack and therefore did not answer our question.

So far, only one vendor answered with enough detail that we are confident they have performed a substantive analysis. We will continue to query the others until we can have this same confidence in their answers.

Any organization using the SolarWinds Orion network management platform in the last 16 months should be actively performing an analysis to determine if and how their environment may have been affected. This would start with current network traffic monitoring and audit log analysis going back to at least October 2019, when the attack is currently believed to have started. These activities should continue until the software is updated and the backdoor is verified to have been eliminated.
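As an added illustration of the kind of audit log review recommended above (this is not code from the post or from atsec), the script below compares a host's outbound destinations before the window to those seen on or after it, and reports destinations that first appear inside the window. The hostname `nms01`, the destinations and every log line are constructed for the example; the only date taken from the post is the October 2019 start of the window.

```python
"""Added example: baseline-versus-window review of outbound connections
logged for a network-management host. Log format, hostnames and
destinations are constructed for illustration; the window start comes
from the post's October 2019 date."""
from datetime import datetime, date

# Constructed sample log lines: "<UTC timestamp> <source host> -> <destination>:<port>"
SAMPLE_LOG = """\
2019-06-03T10:15:00Z nms01 -> updates.example-vendor.test:443
2019-07-14T02:00:00Z nms01 -> ntp.internal.test:123
2019-09-30T23:59:00Z nms01 -> updates.example-vendor.test:443
2019-10-02T04:12:00Z nms01 -> ntp.internal.test:123
2019-11-09T03:40:00Z nms01 -> cdn-edge-7.unknown-cloud.test:443
2020-01-21T03:41:00Z nms01 -> cdn-edge-7.unknown-cloud.test:443
2020-02-11T09:00:00Z fileserver -> cdn-edge-7.unknown-cloud.test:443
2020-03-05T03:39:00Z nms01 -> api.metrics.unknown-cloud.test:443
"""

# Earliest date the post says the attack is believed to have started.
WINDOW_START = date(2019, 10, 1)


def parse_line(line):
    """Split one constructed log line into (date, source host, destination)."""
    ts, src, _arrow, dst = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(), src, dst


def new_destinations(log_text, host, window_start=WINDOW_START):
    """Return {destination: (first_seen_iso_date, hit_count)} for destinations
    that `host` contacted on or after `window_start` but never before it.
    Destinations already present in the pre-window baseline are dropped,
    so only behaviour that changed inside the window is reported."""
    baseline = set()   # destinations seen before the window
    in_window = {}     # destination -> [first seen date, count]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, src, dst = parse_line(line)
        if src != host:
            continue   # only the host under review matters here
        if day < window_start:
            baseline.add(dst)
        else:
            entry = in_window.setdefault(dst, [day, 0])
            entry[1] += 1
    return {
        dst: (first.isoformat(), count)
        for dst, (first, count) in in_window.items()
        if dst not in baseline
    }


if __name__ == "__main__":
    for dst, (first, count) in sorted(new_destinations(SAMPLE_LOG, "nms01").items()):
        print(f"{dst}: first seen {first}, {count} connection(s) in window")
```

A real review would feed this from firewall, proxy or NetFlow exports rather than an inline string, and the baseline period should be long enough to capture legitimate but infrequent destinations (vendor update servers, for example) so they are not reported as new.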


Tuesday, January 19, 2021

atsec is recognized as a NESAS Security Test Laboratory to perform Security Evaluation of Telecommunication Equipment

The GSMA (Global System for Mobile Communications) organization recognizes atsec's ISO/IEC 17025 accreditation, which now allows network product evaluations against NESAS Security Assurance Specifications (SCAS).

The NESAS scheme is a collaboration jointly led by 3GPP and the GSMA, and is open to all vendors of network equipment products that support 3GPP-defined functions. NESAS has been developed to strengthen the level of security in 5G and LTE networks, following established best practices and schemes that provide security assurance.

NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, as well as testing requirements using 3GPP defined security test cases for the security evaluation of network equipment.

atsec is the first laboratory that can perform security assessments of the development and product lifecycle processes, as well as security evaluations of network equipment.

“NESAS accreditation and GSMA recognition allow us to provide a one-stop shop service to our customers. We have performed numerous security assessments of the development and product lifecycle process, and we are now able to offer network product evaluations against NESAS SCAS. We are looking forward to starting work with our existing and new customers on security evaluations of their network equipment,” says Rasma Araby, COO and Laboratory Director at atsec AB.

atsec’s ISO/IEC 17025 accreditation scope is unique and includes all NESAS Security Assurance Specifications currently listed on the GSMA NESAS website. It allows security evaluations of various 5G and LTE network components and functions.

atsec offers this service globally through atsec AB in Stockholm, Sweden.

atsec also offers other security assessment, testing and evaluation services. Information about our services is available in our service portfolio.

Monday, January 11, 2021

Happy Birthday atsec!

Today atsec celebrates its 21st Birthday!

We can finally get a pilot license, gamble at the casino and we won't be mad when we get carded at the ICMC! We are happy to look back on more than two interesting decades and would like to thank our customers, the government agencies, our colleagues and friends for their support on our journey!

Here's to the next 21 years!

Your atsec team