Securing the Hardware Supply Chain
This article, prepared in conjunction with AFCEA’s Technology Committee, is the second in a series of three articles addressing supply chain considerations of software and hardware. The first article is titled Securing the Federal Software Supply Chain. The third article in the series will provide an illustration of how hardware and software define resilience and security requirements.
Today’s supply chains are complex, multilayered, global and continually being optimized for speed and cost. In the past, attempts to secure the supply chain have been fragmented, narrow and not specifically focused on the entire supply chain of parts, components, manufacturing, product assembly, distribution, maintenance, repair and obsolescence. Moving forward, government and industry must work together to advance transparency and integrity across the entire life cycle of the compute platform to deliver assurance and resilience.
Government agencies and industry are focused on improving the security of their system supply chains. Many are deploying dedicated supply chain security teams. A key priority is enabling a more holistic view of the threat landscape across physical, digital and human attack vectors, so that information can be aggregated and attack trends identified using data, analytics and artificial intelligence (AI). With improved monitoring across the supply chain, agencies and organizations are better informed as risks emerge. A key part of this hardware supply chain is semiconductors, an essential component of a digitally transformed world and an integral part of assets used in most industries, not least government and the military. Organizations find that typical systems with growing attack surfaces are increasingly vulnerable, including:
- Access control systems
- Network appliances
- Surveillance systems
- Fleets of vehicles
- Communication infrastructure
- Cloud infrastructure
- Any microelectronics that are fundamental components of any electronic device
As part of the system supply chain, it is paramount to have a holistic view while building in security based on standards that are part of a continuous evaluation and improvement plan.
Holistic Visibility and Intelligence
A holistic approach to supply chain security information also helps fuel deeper conversations between supply chain risk managers and other stakeholders, such as cybersecurity specialists, physical security teams and human resources. Increased collaboration and connectivity between these disciplines is critical. The only way this 360-degree view will be successful is with industry, government and research collaboration.

A malicious individual could alter a small component in the overall system for espionage or sabotage. Such attacks can be especially devastating in security-critical industries, such as military and defense applications. A part of the CHIPS and Science Act of 2022 is designed to leverage U.S. microelectronics capabilities through the Microelectronics Commons (ME Commons) effort, while building manufacturing plant sites in the United States and securing a critical technology supply chain. The program builds on the initial development under the Department of Defense's (DoD's) Rapid Assured Microelectronics Prototypes (RAMP) initiative. RAMP is a collaborative effort to secure the technology supply chain by leveraging domestic integrated chip design capabilities while reducing dependence on offshore chip fabrication and packaging, along with testing and assembly. RAMP emphasizes circuit design and secure manufacturing.
Likewise, threat intelligence services can help agencies and organizations stay informed about the latest attack trends and tactics. Many suppliers seek ways to share information and help protect their industries against threats.
A Zero-Trust Security Approach
Zero-trust security is quickly becoming another new standard. Here, employees and partners are assigned only the access they require to do their jobs, and nothing more. This limited approach to granting access privileges helps combat the increasing number of threat mechanisms and attack vectors throughout the supply chain. Zero trust is a response to today's enterprise environment, which includes remote users, bring-your-own-device policies and cloud-based assets not located within an enterprise boundary. Employing a zero-trust approach can help enhance an agency's information security risk management, and organizations can turn to the National Institute of Standards and Technology's zero-trust guidance, NIST SP 800-207: "Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource."
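The contrast NIST SP 800-207 draws can be made concrete. The following Python is an added illustration, not code from the article or from NIST: a perimeter-style check that trusts any request from the corporate network sits beside a zero-trust check that evaluates each request against the user's entitlement to the specific resource, the device's compliance state and multifactor verification, giving no weight to network location. The address range, users, resources and entitlements are constructed for the example.

```python
"""Added illustration (not from the article): a location-based access check
beside a per-request, zero-trust check of the kind NIST SP 800-207 describes.
The address range, identities, resources and requests below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_LAN = ip_network("10.0.0.0/8")  # constructed corporate address range


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    resource: str
    mfa_verified: bool = False
    device_compliant: bool = False


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: anything originating inside the LAN is implicitly trusted."""
    return ip_address(req.source_ip) in CORP_LAN


# Constructed entitlements: each user gets only the resources their job needs.
ENTITLEMENTS = {
    "alice": {"bom-repo", "supplier-portal"},
    "bob": {"supplier-portal"},
}
# Constructed policy: resources that additionally require a compliant device.
SENSITIVE = {"bom-repo"}


def zero_trust_allows(req: Request) -> bool:
    """Zero-trust model: evaluate identity, entitlement and device posture per
    request; the source network never grants access on its own."""
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False  # least privilege: no entitlement, no access
    if req.resource in SENSITIVE:
        return req.mfa_verified and req.device_compliant
    return req.mfa_verified


def decide(req: Request) -> dict:
    """Return both decisions side by side so the difference is visible."""
    return {"perimeter": perimeter_allows(req), "zero_trust": zero_trust_allows(req)}


if __name__ == "__main__":
    cases = [
        # on the LAN but not entitled: perimeter says yes, zero trust says no
        Request("bob", "10.1.2.3", "bom-repo", mfa_verified=True, device_compliant=True),
        # remote, entitled, verified and compliant: perimeter says no, zero trust says yes
        Request("alice", "203.0.113.9", "bom-repo", mfa_verified=True, device_compliant=True),
        # on the LAN, entitled, but a non-compliant device: zero trust still says no
        Request("alice", "10.1.2.3", "bom-repo", mfa_verified=True, device_compliant=False),
    ]
    for c in cases:
        print(c.user, c.source_ip, c.resource, decide(c))
```

The three sample requests show the point of the NIST definition: the perimeter check and the zero-trust check disagree on every one of them, because only the latter asks who is requesting what, from which device, rather than from where.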

In addition, to speed up security validation in the hardware supply chain, Battelle's Rapid Assembly Inspection for Commercial-Off-the-Shelf Security (RAICS) for Microelectronics solution standardizes supply chain security inspections and verification. RAICS uses a data-driven, in-line test approach to quantify the cyber risk of component assemblies. It supports emerging "zero trust" cyber supply chain requirements. As an integrated hardware and software solution, RAICS is designed specifically to assess semiconductor component trust and assurance, minimize the search space for threats, reduce inspection time from hours to minutes and standardize the risk reporting process with bill-of-material generation and quantified anomaly maps.
Certifications and Third-Party Validation

Many agencies seek to align with supply chain security standards to ensure their assets are protected. As the zero-trust discussion shows, frameworks, certifications and validation steps are available. Certifications such as ISO 28000 and ISO 27001, or the use of the NIST Cybersecurity Framework and NIST AI Framework, can provide assurance that operators are taking the right steps to prevent and quickly remediate breaches. External validation and finely tuned internal controls can help confirm compliance and promote more effective certification efforts. Most manufacturing supply chains are automated using AI and machine learning, so the link between AI and security must be addressed. Leveraging other modeling techniques can provide and authenticate a full chain of system custody.
Thorough and Ongoing Evaluation
Scrutiny should be applied at each node in the global supply chain, including thorough upfront evaluation and rigorous ongoing auditing of all supply chain partners. Contracts can be used to solidify agreements and standardize supplier expectations. Audits can then help verify that suppliers are adhering to the agreement. Taking the appropriate remedial steps when issues are flagged and carefully tracking the restorative progress are critical. These response and remediation practices should be embedded into existing supplier management or quality improvement programs. Transparency and trust should be the foundation of any supply chain relationship.
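The two ideas above, an authenticated chain of system custody and scrutiny at each node of the supply chain, can be combined in a tamper-evident custody log. The Python below is an added illustration and is not code from the article, from any of the programs it names or from any vendor product: each node (fabrication, assembly, distribution) appends a record of a component hand-off that is hash-linked to the previous record and authenticated with that node's key, and an auditor verifies every link, every authenticator and that the recorded component fingerprint never changed in transit. The node keys, component identifier and fingerprint are constructed; a production system would use per-node asymmetric signatures held in hardware rather than the shared-secret HMACs used here for brevity.

```python
"""Added illustration (not from the article or any vendor product): a
tamper-evident chain-of-custody log for a component passing through supply
chain nodes, so each hand-off can be audited. Node keys, component ids and
fingerprints are constructed; a real deployment would use per-node asymmetric
signatures and hardware-held keys instead of these demo HMAC secrets."""
import hashlib
import hmac
import json

# Constructed per-node secrets (stand-ins for each supplier's signing key).
NODE_KEYS = {
    "fab": b"fab-key-demo",
    "assembly": b"assembly-key-demo",
    "distributor": b"dist-key-demo",
}

GENESIS = "0" * 64  # link value for the first record in a chain


def _canonical(fields: dict) -> bytes:
    """Deterministic serialization so hashes are reproducible across nodes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, node: str, component_id: str, fingerprint: str, event: str) -> dict:
    """Append a custody event linked to the previous record and MACed by the node."""
    prev = chain[-1]["record_hash"] if chain else GENESIS
    fields = {"node": node, "component_id": component_id,
              "fingerprint": fingerprint, "event": event, "prev_hash": prev}
    record_hash = hashlib.sha256(_canonical(fields)).hexdigest()
    mac = hmac.new(NODE_KEYS[node], record_hash.encode(), hashlib.sha256).hexdigest()
    rec = dict(fields, record_hash=record_hash, mac=mac)
    chain.append(rec)
    return rec


def verify_chain(chain: list, expected_fingerprint: str) -> list:
    """Audit the log; return findings, an empty list meaning every check passed."""
    findings = []
    prev = GENESIS
    for i, rec in enumerate(chain):
        fields = {k: rec[k] for k in ("node", "component_id", "fingerprint", "event", "prev_hash")}
        if rec["prev_hash"] != prev:
            findings.append(f"record {i}: broken link to previous record")
        if hashlib.sha256(_canonical(fields)).hexdigest() != rec["record_hash"]:
            findings.append(f"record {i}: contents do not match stored hash")
        key = NODE_KEYS.get(rec["node"])
        expected_mac = hmac.new(key, rec["record_hash"].encode(), hashlib.sha256).hexdigest() if key else ""
        if not key or not hmac.compare_digest(expected_mac, rec["mac"]):
            findings.append(f"record {i}: MAC invalid for node {rec['node']!r}")
        if rec["fingerprint"] != expected_fingerprint:
            findings.append(f"record {i}: fingerprint changed at node {rec['node']!r}")
        prev = rec["record_hash"]
    return findings


def build_demo_chain() -> list:
    """Constructed three-node history for one component."""
    chain = []
    fp = "fp-demo-0001"  # constructed component fingerprint recorded at fabrication
    append_record(chain, "fab", "U17", fp, "fabricated")
    append_record(chain, "assembly", "U17", fp, "placed on board")
    append_record(chain, "distributor", "U17", fp, "shipped")
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print("clean chain findings:", verify_chain(chain, "fp-demo-0001"))
    tampered = [dict(r) for r in chain]
    tampered[1]["fingerprint"] = "fp-demo-9999"  # simulated substitution at assembly
    print("tampered chain findings:", verify_chain(tampered, "fp-demo-0001"))
```

Editing the assembly record after the fact breaks the stored hash and exposes the changed fingerprint, and because each node's authenticator covers its record hash, an altered record cannot be re-signed without that node's key; this is the property that lets audits at each node be checked against the agreement rather than taken on trust.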
Intel offers one industry example of the broad view, certification and dedication to ongoing supply chain security that a manufacturer with, on average, 1,500 suppliers requires. It is imperative that companies and organizations routinely address their supply chains to ensure full transparency.
Additionally, steps to strengthen supply chain security use a risk management framework based on best practices and industry standards throughout organizations’ vast supplier network—from design, services and IP management to warehousing and logistics. Few programs outside of China include supplier guidelines that consider security practices and procedures, regular supplier risk assessments, contractual language protections for counterfeiting, on-site auditing and real-time cybersecurity monitoring.
RAMP and RAMP-C are strong examples of this collaboration between government and industry to deliver semiconductor design, development and delivery for the mission. One of the product deliverables provides advanced signal acquisition hardware and software to collect a component fingerprint and transmit it to an authenticated server for classification; a user report then presents the results of the authentication classifier. The outcome is an enhanced, robust technological solution to this problem, namely RAICS. RAICS leads the way as an automated, nondestructive hardware and software solution that quantifies the trust and assurance of COTS components for commercial and military use. Additionally, it enables direct integration into the hardware supply chain at locations such as manufacturing facilities, repair depots, and test and integration facilities.
This article shows the complexity and the many layers of the systems supply chain, and the need for its ongoing evaluation and improvement. Security will only be achieved collaboratively with industry, government and future research, such as the work on securing microelectronics and foundry services by the Defense Advanced Research Projects Agency (DARPA), which funds research moving beyond the DoD's previously trusted foundry model. In today's environment, current trusted foundry facilities can no longer support advanced, leading-edge process technology, thereby slowing DoD technology adoption.
With industry, government and research facilities focused on secure supply chains, we will see continuous improvement. It is critical to recognize that securing the supply chain requires the integration of software and hardware. This integration will determine the assurance and resilience needed to support today's and future missions.
Vicki Barbur and Gretchen Stewart are members of AFCEA International’s Technology Committee. Barbur is senior advisor at KeyLogic Systems, focused on technology commercialization, technology licensing and technology partnerships. Stewart is the chief data scientist-public sector at Intel Corporation.