Not Just For Companies
Supply Chain Management (SCM) security is mainly focused on protecting downstream products from upstream issues. For example, a smart appliance might have numerous sensors, boards, and chips controlling its different parts. If any of those parts is compromised, the overall product ends up with a security vulnerability. This is a Bad Thing.
It is so bad, in fact, that most smart device manufacturers are forced to pay a surcharge of up to 40% to buy from a “trusted” component manufacturer the same components that they could get from a wide range of other providers. Even with the surcharge, nothing is safe, as these component manufacturers still get hacked.
The reality, however, is that SCM security is not just a manufacturer issue: both governments and consumers are hugely impacted by untrusted SCM processes. Just ask all of those Chinese manufacturers that cannot gain a presence in the US despite offering high-quality devices.
This lack-of-trust issue is not new. In fact, the way in which most trusted Internet connections run assumes a lack of trust. In this case, we use Certificate Authorities (CAs) to provide the trust. Cryptocurrencies like Bitcoin, the hottest area online today, work in a similar manner.
So why not use the same process for these “untrusted” device manufacturers?
It would be relatively easy for these manufacturers to implement a policy-based agent like the one Bear provides and then turn the controls over to an independent group. In fact, if a large group of these manufacturers all used such an approach, their cross-device protection would be far beyond what is available on the market today. Given the huge concerns most US consumers have about online privacy, such a move would transform this glaring weakness into a strong competitive advantage.
This is just a preliminary thought, and the road between thought and implementation can be long. But, given these manufacturers' complete ineptitude at gaining traction in the US, isn’t this a path worth exploring?