7/31/2019 2008 11 00 Scott Borg Supply Chain Presentation About Securing the Supply Chain for Electronic Equipment
1/11
Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit. All rights reserved.
Securing the Supply Chain for Electronic Equipment
A Strategy and Framework
November 2008
Scott Borg
Director and Chief Economist
U.S. Cyber Consequences Unit

Problem: concern about malicious firmware getting into government, military, and critical infrastructure systems
Threat of broad regulations and mandates
Threat of onerous provisions in government contracts
Threat of terrible damage in certain circumstances from hard-wired logic bombs
if nothing is done

Nation states installing sleeper, one-use attack tools
- Very long term (long preparation time, long lasting)
- Hard-to-access systems (e.g., highly protected infrastructure, military or intelligence)
- Dormant (no regular interaction or operation)
- Willing to cause loss of trust in supply chain
Criminals seeking to corrupt systems with no software to corrupt (e.g., card readers, automated safety systems)
But let's be realistic: limited motives and limited targets for malicious firmware
Hence, a severe, but limited problem

Imposing costly requirements on American companies would limit their ability to compete internationally
Protecting less competitive operations is not a sustainable national policy
Furthermore: multi-national production is competitively necessary
Preliminary estimates suggest that if the government suddenly demanded stringent supply chain security, many companies would simply stop supplying the government
Their Opportunity Costs for supplying the government would become greater than the government's Willingness-to-Pay

Companies face supply chain threats and losses other than hardwired logic bombs:
Interruptions of supply increasing costs
Quality control problems damaging the brand
Loss of sales to counterfeit products
Loss of intellectual property undermining future ability to compete
Making the supply chain more secure can help with these other threats too
The relevant security measures are complementary and need to be applied together to be effective
Strategy: solve this customer problem in a way that produces other benefits

I. Interrupt the operation
II. Corrupt the operation (including inserting malware)
III. Discredit the operation (undermining trust, damaging brand value)
IV. Undermine the information basis for the operation (loss of control, loss of competitively important information)
Four kinds of business attacks possible at each stage of the supply chain

I. Protection against interruption:
- Continual, mandatory sharing of production across supply chain
- Maintaining alternative sources
II. Protection against insertion of malware:
- Strict control of environments where key intellectual property is being applied
- Logical tamper-proof seals
- Physical tamper-proof seals
- Effective sealing and tracking of containers
III. Protection against undermining trust:
- Logging of every operation and who is responsible
IV. Protection against loss of control of information:
- Versioning as a tool for protecting intellectual properties
Different remedies for each type of attack

Design
- Overall product design
- Detailed product design
- Creation of production masters
Production
- Production facility design
- Quality control of production process
- Quality test verification
Distribution
- Transport of finished product
- Distribution of finished product
Maintenance
- After-sale maintenance of product
Different supply chain stages to which the remedies need to be applied (in each branch of production flow tree)

Hence: A Remedies for Stages Grid
(Grid figure: REMEDIES on one axis, STAGES on the other)

1) Rigorous, unambiguous contracts, delineating the security measures
2) Locally responsible corporations with a long-term interest in complying
3) Local ways of overcoming agency problems, motivating executives and workers
4) Adequate provision for verifying that security measures are being properly implemented
5) Local enforcement of agreements at all levels
Legal relationships necessary between global component suppliers, assemblers, and the overseeing company

For more information or permission to use this material in its current form, please contact:
Scott Borg
U.S. Cyber Consequences Unit
P.O. Box 1390
Norwich, VT 05055
802 649-3849
Thank you!