Australian IT buyers have been warned to be vigilant after US agencies bought and installed dodgy equipment for military purposes, hospitals and schools.
The Australian Cyber Security Centre (ACSC) has inserted new controls into the Information Security Manual (ISM), which includes guidelines for procurement and outsourcing, iT News reported.
The updates demand checks for “integrity” and “authenticity” of IT purchases.
IT buyers procuring “applications, ICT equipment and services” are encouraged to verify the integrity of purchases “as part of acceptance of products and services.”
It comes after a $1 billion IT counterfeit racket was uncovered in the US earlier this year, in which dodgy Cisco equipment was found to be circulating in the market.
The ISM outlines a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and data from cyber threats.
It is not clear if the counterfeit equipment has made its way into the Australian market.
An ACSC spokesperson would not be drawn on the timing of the controls being added to the ISM, iT News reported.
The spokesperson told iT News the new controls “provide additional clarity to organisations to help them more easily exercise due diligence with their procurements of products.”
“Ultimately, effective cyber supply chain risk management is based upon trusted partnerships between suppliers, manufacturers, distributors, retailers and their customers,” the spokesperson said.
The counterfeit equipment circulating in the US, and believed to have been manufactured in China, was allegedly sold as new Cisco product models moonlighting as newer ones.
The US Department of Justice alleges the operation was fronted by a 38-year-old Florida man who ran at least 19 companies, at least 15 Amazon storefronts, and 10 eBay storefronts to peddle the counterfeit goods.
“The operation allegedly generated over $100 million in revenue,” the US Department of Justice said.
“Cyber supply chain risk management activities should be conducted during the earliest possible stage of procurement of applications, ICT equipment and services,” the ACSC says in its ISM.
The ISM guidance says in managing cyber supply chain risks it is important for organisations to preference suppliers that “demonstrate a commitment to the security of their products and services.”