When your software evolves to a certain state, non-specific hardware can become a hindrance to overall performance. The next logical step is to build custom hardware that creates a fully controlled environment.
However, when your engineering process includes components sourced overseas, malicious additions to your component’s firmware can create hardware security threats for you and your customers down the road. It’s crucial that your engineering includes a hardware procurement strategy.
Earlier this year, an agreement between Lenovo and IBM worth approximately $2.3 billion was nearly scuttled because of hardware security concerns. The US Government called the deal into question when they expressed concerns over the newly proposed supply chain.
Because hardware components of the IBM x86 servers, which are central to DoD and national infrastructure networks, would be sourced in China, there is a valid concern over how much control of our national data infrastructure would be in the hands of potentially uncertified Chinese vendors.
While the ramifications of malicious activities in this case are enormous, the core problem applies to supply chain security for all companies: When you don’t know where your hardware components are coming from, you don’t know what they’re capable of doing.
Reducing Hardware Security Threats
Supply Chain Security
It’s nearly impossible, especially after your hardware is fully assembled, to thoroughly test the individual components for malware or other code that doesn’t belong. What’s more, even if you were able to get those components individually, there are no automated or electronic test procedures that can be used to thoroughly inspect the firmware. For all practical purposes, it’s impossible to conduct any absolute tests on components to ensure they are safe.
Supply Chain Vendor Evaluation
The answer, then, is to certify the vendors in your supply chain. There is no specific industry standard for this certification – it’s up to you to decide how you’ll thoroughly vet and interview each component manufacturer. As a general rule, it’s best to meet them on-site, view their processes directly, and interview them face-to-face.
Your objective is to learn their manufacturing security protocols and how they protect their own supply chain. If you are able to gain a level of confidence in their hardware procurement strategy and in the vendors they use, then you can certify them as safe.
Don’t Forget Their Supply Chain: If your provider’s supply chain security doesn’t meet your standards, you may need to interview and internally certify their vendors as well.
Counterfeit Hardware Component Detection
After you have confidence in your vendors, you will need to know for certain that you’re actually receiving the components that you certified. It does no good for you to certify your vendors if you can’t tell that the components you receive are the same ones you certified. In order to be able to detect counterfeit hardware components, gather and maintain detailed specifications on:
- Chip Markings
- Chip Size
- Chip Materials
When you receive components from your vendors, thoroughly compare a random sample of the components against the gathered specifications. If there are any differences, you should consider rejecting the batch entirely – the risks are too great.
Look at the packaging too: A counterfeit product may look perfect, but be packaged incorrectly (or re-packaged). Knowing what the manufacturer packaging should look like will allow you to catch these fakes too.
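The incoming-inspection check described above, sketched as an added example (not code from the original article): a random sample of a received lot is compared against the certified specification, and any deviation rejects the whole batch. The record fields, the measurement tolerance and all sample values are assumptions constructed for illustration.

```python
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class ChipRecord:
    marking: str      # top-side marking text, exactly as printed
    length_mm: float  # package body length
    width_mm: float   # package body width
    material: str     # package material
    packaging: str    # manufacturer packaging the part arrived in

TOL_MM = 0.05  # assumption: measurement tolerance of the inspection tooling

def differences(spec, unit):
    """List the fields where a received unit deviates from the certified spec."""
    diffs = []
    if unit.marking != spec.marking:
        diffs.append("marking")
    for dim in ("length_mm", "width_mm"):
        if abs(getattr(unit, dim) - getattr(spec, dim)) > TOL_MM:
            diffs.append(dim)
    for field in ("material", "packaging"):
        if getattr(unit, field).strip().lower() != getattr(spec, field).strip().lower():
            diffs.append(field)
    return diffs

def inspect_batch(spec, batch, sample_size, seed=None):
    """Check a random sample; any deviation at all rejects the whole batch."""
    rng = random.Random(seed)
    picked = sorted(rng.sample(range(len(batch)), min(sample_size, len(batch))))
    findings = {i: d for i in picked if (d := differences(spec, batch[i]))}
    return ("REJECT" if findings else "ACCEPT"), findings

# Constructed sample data: a certified spec and a received lot of 20 units.
SPEC = ChipRecord("ACME 7731A 2214", 5.00, 4.40,
                  "epoxy mold compound", "sealed moisture-barrier bag")
GOOD = replace(SPEC, length_mm=5.03)  # measurement noise, within tolerance
REMARKED = replace(SPEC, marking="ACME 7731A 2241", length_mm=5.20)
BATCH = [GOOD] * 20
BATCH[7] = REMARKED  # one re-marked, off-size unit hidden in the lot

if __name__ == "__main__":
    verdict, findings = inspect_batch(SPEC, BATCH, sample_size=8, seed=2024)
    print(verdict, findings)
```

A partial sample can miss a single bad unit, so the sample size is a trade-off between inspection cost and the chance of catching a mixed lot.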
Managed Hardware Engineering Solutions
The truth is, global sourcing challenges in the hardware engineering process will always exist. You don’t have to do it yourself. Managed engineering partners can handle the process of global hardware sourcing and supply chain security for you. By working with a managed engineering solutions company, you can rely on having the components your hardware requires, secure and safe, while your focus stays where it belongs – on creating great software.