Securing the hardware supply chain

By Michael Mattioli, Co-Chair of TCG Supply Chain Security Work Group

When we think about cyber threats, we often imagine someone sitting in a dark room, furiously typing as green text spreads across the screen in an attempt to exploit a software vulnerability, or misconfiguration, which may give them access to sensitive information, or control of something to which they otherwise would not have access. While those threats are real, there is an entirely different, and growing, set of threats which are much more difficult for any one organization to control or protect against: threats against the hardware supply chain. The reality is that supply chain threats are now affecting a wide range of industries and organizations: military/defense, financial services, consumer electronics, education, and healthcare just to name a few.

To protect against hardware supply chain threats, it is vital that everyone in the chain has security at the top of the agenda. However, this is no easy task as no single entity has end-to-end control of the modern technology supply chain. This means it is imperative that all organizations (public and private, large and small) come together to ensure security and integrity. This highlights the need for industry standards and ecosystem participation to define, implement, and uphold security guidance.

Addressing the cybersecurity risk

According to a 2021 report from Cybersecurity Ventures, global cybercrime costs are expected to grow by 15 percent per year, over the next five years. As attackers utilize emerging technologies, such as Artificial Intelligence and Machine Learning, the size, cost, and sophistication of attacks increase. Some individuals or organizations may dismiss the risk of an attack as they fail to see how or why they, specifically, may be a target: “I’m John Smith, I have nothing to hide, and no one would want what I have”. However, attackers like to cast a wider net; they are likely not interested in John Smith, but they may very well be interested in targeting every single user of a particular device with a large, distributed user base, such as over 100 million devices. Other times, attackers truly are targeting someone or something specific; it might be a specific company, industry, or even country being targeted. It is important to remember that hackers are not limited to “lone wolves” sitting in a room in their house, or perhaps their basement, on their laptop; the more serious and alarming threats today are from large, well-resourced organizations and nation states.

The hardware supply chain is difficult to secure due to the number of layers and organizations involved. To make things more complex, many of the existing security methods are mostly subjective and often rely on human intervention, such as visual inspection. This includes, but certainly is not limited to, the alignment or placement of labels, incorrect color, size or shape of markings, verifying authenticity of serial numbers, and the use of X-ray imaging. These are all remarkably time consuming and expensive to do at scale; it is also extremely difficult to ensure everyone in the supply chain is playing their part. Potentially malicious and/or counterfeit hardware is extremely difficult to identify and to do so would require the tools, knowledge, and expertise that most organizations simply do not have. Therefore, we need industry-wide standards that offer guidance to ensure hardware supply chain security and integrity.

Taking inspiration from gaming

We can learn a few things from the video game industry and modern video game consoles. There are two main motivations for an attacker in the gaming space; the first is piracy, playing games for free, and the other is cheating, having an unfair advantage over other players. These consoles are subject to the same supply chain as desktops, laptops, tablets and other devices, therefore they still need to be protected against the same supply chain attacks. However, unlike a PC, which usually sits in a corporate office behind a secure firewall and various other physical and digital security measures, a console is purchased by a consumer and taken home, where they have the complete control and freedom to modify it. To protect their business model, gaming organizations must ensure consoles are incredibly resilient against physical attacks.

Modern hardware security techniques, which originated in gaming consoles are now being applied to more mainstream devices such as PCs. One of these technologies is the Trusted Platform Module (TPM). Microsoft Pluton, which is built upon on the TCG TPM and other standards, actually originated in the design and development of the last two generations of Xbox consoles.

A united approach

One of the biggest, and arguably the most important, challenges in the realm of hardware supply chain security and integrity is the number of different organizations or groups involved; everyone implements different processes and methods to varying levels of success. To truly ensure end-to-end protection and integrity, we need industry standards that provide guidance for all stages of the supply chain and device lifecycle. Promising work is already being done in this area, such as TCG’s PC Client Firmware Integrity Measurement (FIM) and PC Client Resource Integrity Manifest (RIM); but there’s still plenty of work to do.

TCG has recently formalized a work group to address supply chain security by bringing together a wide range of large member companies to define and implement the technology standards that will make the supply chain more secure. With a security framework in place, those in the supply chain will be able to demonstrate compliance and therefore increase protection against cyber threats.