"It's very early and we're just beginning our investigation," he said.
The infected scanners demonstrate how companies holding valuable intellectual property and data can no longer assume the equipment they buy is safe, experts say. Manufacturers' supply chains stretch across countries, providing many opportunities for the insertion of malware-infected components.
Because of a paucity of equipment made and assembled solely in the U.S., companies need to adopt a strategy of minimizing risk by vetting suppliers and knowing the security measures they take, Paul Rosenzweig, homeland security consultant and founder of Red Branch Consulting, said.
In addition, purchased equipment should be randomly selected and then checked for infection, Rosenzweig said. Also, equipment from suppliers that have not been fully vetted should never go into critical systems.
While steps can be taken to reduce risk, there is no "silver bullet," Rosenzweig said.
"It's a risk management proposition that means there will be failures," he said. "It's not a risk elimination."
In time, many manufacturers will likely have to produce documentation stating their products are safe.
"Private businesses will increasingly demand that hardware and software manufacturers obtain third-party certifications asserting the security of their products," Jacob Olcott, head of the cybersecurity practice at Good Harbor Consulting, said.