The federal government is starting a new program to develop best practices and guidelines for organizations to verify the integrity and authenticity of the hardware components of the computers, servers, and other devices they buy. The project is meant to address the growing concerns in both the government sector and enterprises about the threat of attackers and malicious insiders in the supply chain compromising hardware before it gets to the customer.
The effort is sponsored by the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence and is designed to produce a set of tools and recommendations that organizations can implement on their own to help determine whether the hardware they’ve bought is authentic and has not been tampered with. The main focus of the project is to verify the link between the OEM and the ultimate end user and help identify any possible weak spots for tampering or other modifications along the way. NIST is asking for comments from interested experts and organizations until Jan. 6.
Supply chain security has become a serious concern for enterprises and government agencies in the United States as more and more devices and their various components are manufactured and assembled overseas, making it difficult to gain visibility into the integrity of the manufacturing process. Recently, public and private sector cybersecurity officials have expressed concerns about the ability of organizations to identify suspect suppliers and share that information with peers and colleagues without fear of reprisal.
“Information about suspect suppliers cannot be freely exchanged when enterprises are subject to a variety of legal actions, including violations of federal or state anti-trust laws, anti-competitive behaviors or deceptive trade practices,” Robert Mayer, senior vice president of cybersecurity at USTelecom said in his prepared remarks before the House Homeland Security Committee in October.
The new NIST project isn’t a direct solution to that problem, but it would give organizations some tools to gain better insight into the integrity of the hardware products they’re buying.
“Cyber supply chain risks may include unauthorized production, tampering, theft, and insertion of unexpected software and hardware, as well as poor manufacturing and development practices in the cyber supply chain. Tampering or misconfiguration in an organization’s supply chain is a difficult challenge to effectively solve. Modern supply chains are highly complex, introducing risk of tampering at numerous points,” the draft guidance from NIST says.
One of the main challenges with supply chain security is the sheer number of parties involved in any one particular device’s manufacture, distribution, and sale. A given laptop or server could have major components from a dozen or more separate suppliers, and each of those components may comprise parts from several other individual suppliers. All of those components are then assembled by the OEM and either sold directly to the end customer or through a channel partner or other distributor. Each link in that chain represents a potential risk for tampering, and the customer virtually never has any visibility into the practices of the various companies involved, so IT departments essentially have to trust that the hardware they’re buying is genuine and unadulterated.
“The specific scenarios they propose seem like they're cherry picked instead of just being a broad overview of realistic possibilities.”
Joe FitzPatrick, a hardware security researcher and trainer at Securing Hardware, said the NIST focus on hardware integrity is a good sign, but he’d like to see some more depth in the recommendations.
“Nothing is surprising and nothing is new, but this stands out from different similar things I've seen in the recent past because it's dealing with hardware, not firmware,” FitzPatrick said.
“The specific scenarios they propose seem like they're cherry picked instead of just being a broad overview of realistic possibilities.”
The NIST draft guidelines include a few different potential methods for verifying to a reasonable degree that the hardware is what it’s billed as and hasn’t been altered. The proposed methods rely mainly on some attribute that is irrevocably bound to the hardware and can be verified by the end customer, such as a serial number or other identifier. One potential drawback of this approach, though, is that it relies on the enterprise IT team to perform some testing of a given piece of hardware, which can be complex and difficult.
“This project will leverage verifiable and authentic artifacts that manufacturers produce during the manufacturing and integration process that can support C-SCRM. This may include manufacturer declarations of platform attributes (e.g., serial number, list of hardware components) and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself. For example, these declarations of attributes and measurements could be cryptographically linked to a strong device identity, such as those associated with the Trusted Platform Module (TPM) or Device Identifier Composition Engine,” the guidelines say.
Individuals interested in commenting on the NIST guidelines can submit their comments until Jan. 6.