{"title":"Supply chain risk mitigation for IT electronics","authors":"F. McFadden, Richard D. Arnold","doi":"10.1109/THS.2010.5655094","DOIUrl":null,"url":null,"abstract":"Supply Chain Risk Management (SCRM) is one of the 12 Comprehensive National Cybersecurity Inititiatives (CNCI), but the range of supply chain problems has not been defined rigorously, and effective defenses have not yet been developed. Risks range from the increased unreliability of counterfeits to data exfiltration and adversary control enabled by hardware Trojan horses embedded in chips. Risks are different for military vs. non-military Government vs. civilian organizations. We cite cases that underscore the reality of supply chain risk, and analyze the structure of supply chains that affect different part of the market for IT electronics, in order to provide a better understanding of attack methods. We discuss techniques for defending against the range of threats, and propose a practical solution based on a suite of simple, inexpensive test procedures that could be used to build an \"80% solution\" for detection of counterfeits and embedded malicious implants before they are deployed. Tests we have prototyped include power signatures and of IR thermographic signatures of boot events. Deployment of such a test suite would change the SCRM game by making it significantly more difficult for supply chain exploits to succeed.","PeriodicalId":106557,"journal":{"name":"2010 IEEE International Conference on Technologies for Homeland Security (HST)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2010-12-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"31","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2010 IEEE International Conference on Technologies for Homeland Security (HST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/THS.2010.5655094","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 31
Abstract
Supply Chain Risk Management (SCRM) is one of the 12 Comprehensive National Cybersecurity Inititiatives (CNCI), but the range of supply chain problems has not been defined rigorously, and effective defenses have not yet been developed. Risks range from the increased unreliability of counterfeits to data exfiltration and adversary control enabled by hardware Trojan horses embedded in chips. Risks are different for military vs. non-military Government vs. civilian organizations. We cite cases that underscore the reality of supply chain risk, and analyze the structure of supply chains that affect different part of the market for IT electronics, in order to provide a better understanding of attack methods. We discuss techniques for defending against the range of threats, and propose a practical solution based on a suite of simple, inexpensive test procedures that could be used to build an "80% solution" for detection of counterfeits and embedded malicious implants before they are deployed. Tests we have prototyped include power signatures and of IR thermographic signatures of boot events. Deployment of such a test suite would change the SCRM game by making it significantly more difficult for supply chain exploits to succeed.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
