Manufacturer inserting malicious software into their equipment?

It was reported recently, in Feb 2019, that the Japanese government will be issuing guidelines to owners and operators of critical infrastructure, such as water and electricity, on their purchase of telecommunications equipment, to avoid the risk of such equipment being embedded with malicious software. (Source: Nikkei Asian Review)


This is a continuation of the fallout arising from the allegations started by the US against the telecom equipment manufacturer Huawei.


The allegation by foreign countries against Huawei is that its telecom infrastructure equipment may contain backdoors that could enable unauthorised surveillance by the Chinese government.


Equipment and devices come with all software and driver updates already installed.

Driver updates are sent automatically by the software developer periodically. Developers constantly refine and update their software to enhance its performance and to patch any vulnerabilities they subsequently find. The equipment and devices also come with anti-virus software.

 

All equipment and devices are susceptible to a breach or attack, as viruses can be introduced into any IT system in many ways and do not necessarily need to be inserted directly into the equipment or devices.


The manufacturer and software developer do not give users any assurance that their equipment or devices are breach-proof, i.e. that malware cannot penetrate the system. Cyber attackers and hackers frequently create and release new viruses. All operating systems and software are vulnerable, which explains why they have these driver updates.


In cybersecurity, malware, short for malicious software, is always understood to be software developed by cyber attackers or hackers with the intention of gaining access to, or causing damage to, a computer or network, often while the victim remains oblivious to the fact that there has been a compromise.


If a 'backdoor' really is inserted, it would only make spying or surveillance easier. If hackers really do want to attack these owners and operators of critical infrastructure, they can still insert other malware into the system with or without the 'backdoor', albeit with slightly more difficulty.


An organisation that practises benchmark cyber resilience would have met all the prerequisites, i.e. the organisation would have regular pen testing and vulnerability assessments to assess its 'health', and an adequate defence to monitor and minimise any 'incoming' threats.

During these pen testing and assessment exercises, threats and malware already planted inside the IT system would be identified, located and disabled or destroyed.


New and improved 'defensive walls' would be added, if necessary, to strengthen the existing defences and to track and identify potential new threats.


Logically, it is not unreasonable to assume that if these 'defensive walls' can defend against new potential threats coming in, they can also prevent and stop threats or information from inside going out.
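As an added illustration of the 'going out' half of that argument (this is example code written for this page, not taken from any vendor or from the Nikkei report): a check that compares outbound flows from network equipment against the short list of destinations each device is expected to contact. All addresses, the allowlist and the flow records are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: management addresses of network equipment and the only
# destinations each is expected to reach (e.g. NTP, syslog, an update mirror).
ALLOWED_EGRESS = {
    "10.0.0.2": ["10.0.5.10/32", "10.0.5.20/32"],
    "10.0.0.3": ["10.0.5.10/32", "10.0.5.20/32", "192.0.2.0/28"],
}

# Constructed flow records: (source, destination, destination port, bytes sent).
FLOWS = [
    ("10.0.0.2", "10.0.5.10", 123, 480),
    ("10.0.0.2", "10.0.5.20", 514, 9_200),
    ("10.0.0.2", "203.0.113.77", 443, 5_400_000),
    ("10.0.0.3", "192.0.2.5", 443, 120_000),
    ("10.0.0.3", "198.51.100.9", 53, 300),
    ("10.0.0.9", "198.51.100.9", 443, 1_000),  # source is not monitored equipment
]

def is_allowed(src, dst):
    """True/False for monitored equipment, None when src is not monitored."""
    nets = ALLOWED_EGRESS.get(src)
    if nets is None:
        return None
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def unexpected_egress(flows):
    """Return {device: [(dst, port, bytes), ...]} for flows outside the allowlist."""
    findings = defaultdict(list)
    for src, dst, port, nbytes in flows:
        if is_allowed(src, dst) is False:
            findings[src].append((dst, port, nbytes))
    return dict(findings)

def unexpected_bytes(findings):
    """Total bytes each device sent to destinations it should never contact."""
    return {dev: sum(b for _, _, b in hits) for dev, hits in findings.items()}

if __name__ == "__main__":
    for dev, hits in unexpected_egress(FLOWS).items():
        for dst, port, nbytes in hits:
            print(f"ALERT {dev} -> {dst}:{port} sent {nbytes} bytes outside allowlist")
```

The same allowlist can be enforced at the firewall as a default-deny outbound rule for the equipment's management network, so that the traffic is blocked as well as reported.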


The following companies compete with Huawei around the world as telecom equipment manufacturers:

  1. Cisco 

  2. Dell

  3. Juniper

  4. Alcatel

  5. Brocade

  6. Arista

  7. Aruba

  8. VMware

  9. Netgear

  10. Extreme Networks