A recent Deloitte Touche Tohmatsu Limited survey* found that 85 percent of surveyed global supply chains had experienced at least one disruption in the past 12 months. These disruptions can disrupt business, result in production delays, incur significant fines and result in legal action. The report also noted that “…supply chain risk management (is) not normally considered effective.”
TCG has been working on this problem and recently has published a specification for the trusted supply chain, defining how TPM credentials are used to verify supply chain entities in the manufacturing, assembly and delivery using the specific TPM on the device. The TPM manufacturer creates an endorsement key on the TPM and then separately creates a signed X.509 endorsement credential and installs it into the TPM to provide proof of the TPM’s source.
The TPM can be used to cryptographically bind production lines and the devices they produce, including multi-vendor, multi-stage production. In this capacity, the TPM augments existing acceptance testing tools and validates the source of components and assembly – and can detect malicious component swaps.
The NSA and Intel, both active in this effort, have announced new open source tools to support this specification and its use. Intel offers an open source tool for creating platform certificates for manufacturers and assembly companies, available at GitHub as the Platform Certificate Validation Tool.
NSA’s Host Integrity (HI) Attestation Certificate Authority (ACA) is available on the NSA Cyber Github site. The ACA provides an “Acceptance Test” policy, used to prove a device was produced by the claimed manufacturer.
*** This is a Security Bloggers Network syndicated blog from Trusted Computing Group authored by TCG Admin. Read the original post at: https://trustedcomputinggroup.org/tcg-and-members-offer-new-ways-to-secure-supply-chain/