Combatting Compromised Electronic Hardware: Considerations for Securing Global Supply Chains
by Paul J. Ortiz
The electronic hardware industry is uniquely vulnerable to targeted attacks because the products it builds have complex and highly vulnerable supply chains that span the globe. These products are also attractive targets commercially because of their high price points, which can generate significant revenue for counterfeiters. Given that these types of products are often installed in highly sensitive environments like DoD facilities, stock exchanges, hospitals, and airlines, they are also attractive targets for bad actors seeking to intercept sensitive communications. In recent years, sophisticated companies have built up in-house expertise to identify and attempt to eradicate the types of threats posed by compromised products.
For Original Equipment Manufacturers (e.g. Dell, IBM, Facebook, Google, Amazon, Juniper, HP, Cisco, etc.), it is critical that they secure their supply chains from component procurement through to manufacturing facilities and finally to the end customer. If their supply chain is not secured, they have no hope of ensuring their products are not compromised, and neither do their customers.
For these companies, securing their products starts with understanding who they are contracting with, from component suppliers to manufacturing partners and finally distribution and logistics providers. Unfortunately, inserting a counterfeit or compromised component or product into any section of the supply chain is incredibly easy with the right level of understanding of how products are built and distributed.
There’s one incident that comes to mind that best exemplifies this problem. Imagine a truck full of blank motherboards, which happened to be the right spec for a large brand owner’s products being built in a factory, rolling into that factory.