2008 11 00 Scott Borg Supply Chain Presentation About Securing the Supply Chain for Electronic Equipment


  • 7/31/2019 2008 11 00 Scott Borg Supply Chain Presentation About Securing the Supply Chain for Electronic Equipment

1/11

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit. All rights reserved.

Securing the Supply Chain for Electronic Equipment
A Strategy and Framework
November 2008

Scott Borg
Director and Chief Economist
U.S. Cyber Consequences Unit

2/11

Problem: concern about malicious firmware getting into government, military, and critical infrastructure systems

- Threat of broad regulations and mandates
- Threat of onerous provisions in government contracts
- Threat of terrible damage in certain circumstances from hard-wired logic bombs if nothing is done

3/11

Nation states installing sleeper, one-use attack tools
- Very long term (long preparation time, long lasting)
- Hard-to-access systems (e.g., highly protected infrastructure, military or intelligence)
- Dormant (no regular interaction or operation)
- Willing to cause loss of trust in supply chain

Criminals seeking to corrupt systems with no software to corrupt (e.g., card readers, automated safety systems)

But let's be realistic: limited motives and limited targets for malicious firmware

Hence, a severe, but limited problem

4/11

Imposing costly requirements on American companies would limit their ability to compete internationally

Protecting less competitive operations is not a sustainable national policy

Furthermore: multi-national production is competitively necessary

Preliminary estimates suggest that if the government suddenly demanded stringent supply chain security, many companies would simply stop supplying the government

Their Opportunity Costs for supplying the government would become greater than the government's Willingness-to-Pay

5/11

Companies face supply chain threats and losses other than hardwired logic bombs:

- Interruptions of supply increasing costs
- Quality control problems damaging the brand
- Loss of sales to counterfeit products
- Loss of intellectual property undermining future ability to compete

Making the supply chain more secure can help with these other threats too

The relevant security measures are complementary and need to be applied together to be effective

Strategy: solve this customer problem in a way that produces other benefits

6/11

Four kinds of business attacks possible at each stage of the supply chain

I. Interrupt the operation
II. Corrupt the operation (including inserting malware)
III. Discredit the operation (undermining trust, damaging brand value)
IV. Undermine the information basis for the operation (loss of control, loss of competitively important information)

7/11

Different remedies for each type of attack

I. Protection against interruption:
- Continual, mandatory sharing of production across supply chain
- Maintaining alternative sources

II. Protection against insertion of malware:
- Strict control of environments where key intellectual property is being applied
- Logical tamper-proof seals
- Physical tamper-proof seals
- Effective sealing and tracking of containers

III. Protection against undermining trust:
- Logging of every operation and who is responsible

IV. Protection against loss of control of information:
- Versioning as a tool for protecting intellectual properties

8/11

Different supply chain stages to which the remedies need to be applied (in each branch of the production flow tree)

Design
- Overall product design
- Detailed product design
- Creation of production masters

Production
- Production facility design
- Quality control of production process
- Quality test verification

Distribution
- Transport of finished product
- Distribution of finished product

Maintenance
- After-sale maintenance of product
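The deck names "logical tamper-proof seals" and "logging of every operation and who is responsible" (slide 7) as remedies to apply at each stage (slide 8) without saying how. The following is an added illustration, not Scott Borg's or the U.S. Cyber Consequences Unit's material: it assumes a logical seal is a keyed hash (HMAC-SHA256) over the artifact, the stage and the responsible party, chained from one hand-off to the next so that a later party can verify the whole custody record; the key, actor names and firmware bytes are constructed for the demo.

```python
import hashlib
import hmac

# Supply chain stages from slide 8; each hand-off appends one sealed log entry.
STAGES = ("design", "production", "distribution", "maintenance")

def _mac(key, prev_seal, stage, actor, digest):
    msg = f"{prev_seal}|{stage}|{actor}|{digest}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal_handoff(key, log, artifact, actor):
    """Append the next stage's entry: a keyed hash binding the artifact digest,
    the stage, the responsible party and the previous entry's seal."""
    stage = STAGES[len(log)]
    prev = log[-1]["seal"] if log else ""
    digest = hashlib.sha256(artifact).hexdigest()
    log.append({"stage": stage, "actor": actor, "artifact_sha256": digest,
                "prev_seal": prev, "seal": _mac(key, prev, stage, actor, digest)})
    return log

def verify_chain(key, log, artifact):
    """Walk the log and return (ok, reason). A broken seal, a reordered or skipped
    stage, or an artifact that no longer matches the last seal fails verification."""
    prev = ""
    for i, e in enumerate(log):
        if i >= len(STAGES) or e["stage"] != STAGES[i]:
            return False, f"unexpected stage {e['stage']!r} at position {i}"
        if e["prev_seal"] != prev:
            return False, f"chain broken before stage {e['stage']}"
        expected = _mac(key, prev, e["stage"], e["actor"], e["artifact_sha256"])
        if not hmac.compare_digest(expected, e["seal"]):
            return False, f"seal invalid at stage {e['stage']} (actor {e['actor']})"
        prev = e["seal"]
    if len(log) != len(STAGES):
        return False, f"only {len(log)} of {len(STAGES)} stages sealed"
    if hashlib.sha256(artifact).hexdigest() != log[-1]["artifact_sha256"]:
        return False, f"artifact differs from what {log[-1]['actor']} sealed"
    return True, "custody chain intact"

def demo():
    """Constructed sample: one firmware image passes all four stages, then a copy of
    the image is altered, and then the responsibility field of one entry is rewritten."""
    key = b"constructed-demo-seal-key"            # shared by overseer and suppliers (assumed)
    firmware = b"\x7fELF" + bytes(range(64))      # constructed stand-in for a firmware image
    log = []
    for actor in ("design-house", "fab-partner", "logistics-co", "field-service"):
        seal_handoff(key, log, firmware, actor)
    ok_clean, _ = verify_chain(key, log, firmware)
    ok_tampered, why = verify_chain(key, log, firmware + b"\x90")   # altered after sealing
    log[1]["actor"] = "unknown-subcontractor"     # who-is-responsible field edited in the log
    ok_log_edit, why2 = verify_chain(key, log, firmware)
    return ok_clean, ok_tampered, ok_log_edit, why, why2
```

A physical seal on the container and this logical seal on the image are complementary, as slide 5 says: the log shows which party held the artifact when it last verified cleanly.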

9/11

Hence: a Remedies for Stages Grid

[Grid: axes labelled REMEDIES and STAGES]

10/11

Legal relationships necessary between global component suppliers, assemblers, and the overseeing company

1) Rigorous, unambiguous contracts, delineating the security measures
2) Locally responsible corporations with a long-term interest in complying
3) Local ways of overcoming agency problems, motivating executives and workers
4) Adequate provision for verifying that security measures are being properly implemented
5) Local enforcement of agreements at all levels

11/11

For more information or permission to use this material in its current form, please contact:

Scott Borg
U.S. Cyber Consequences Unit
P.O. Box 1390, Norwich, VT 05055
[email protected]
802 649-3849

Thank you!