Information and communications technology (ICT), encompassing digital services and infrastructure, cybersecurity and software, is ubiquitous throughout the economy and society. As the digital transformation gathers pace, the number and complexity of ICT services are increasing rapidly.
Information and Communications Technology (ICT) relies on a complex, globally distributed, and interconnected supply chain ecosystem that is long, has geographically diverse routes, and consists of multiple tiers of outsourcing. This ecosystem is composed of public and private sector entities (e.g., acquirers, system integrators, suppliers, and external service providers) and technology, law, policy, procedures, and practices that interact to design, manufacture, distribute, deploy, and use ICT products and services.
Commercially available ICT solutions present significant benefits including low cost, interoperability, rapid innovation, a variety of product features, and choice among competing vendors. However, the same globalization and other factors that allow for such benefits also increase the risk of a threat event which can directly or indirectly affect the ICT supply chain, often undetected, and in a manner that may result in risks to the end user.
These ICT supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the ICT supply chain.
Faulty hardware components can pose security threats. Hackers often scour the internet for vulnerabilities that will allow them to carry out attacks. Intel’s Meltdown and Spectre chip security flaws, which could allow attackers to read sensitive information from the CPU, affected hundreds of millions of chips from the last two decades. While companies like Intel, Apple and Microsoft have issued updates to patch the flaws, the fixes haven’t always worked as intended, and sometimes they have not been applied at all. The WannaCry ransomware attack, for example, took advantage of Windows computers whose owners never applied a Microsoft patch.
Apart from inherent vulnerabilities, there is also the threat of fake or counterfeit parts, which present critical risks in military systems, electronic systems and sensors, where the malfunction of a single part could endanger missions and lives. A 2012 Senate Armed Services Committee report on counterfeit electronic parts in the DoD supply chain found counterfeit parts to be a widespread problem in the defense supply chain. The “supply chain” is how the Pentagon refers to its global network of suppliers that provide key components for weapons and other military systems.
Apart from counterfeit electronic components, there is also the risk of hardware Trojans (HTs): malicious circuits inserted into a design by an adversary with the intention of damaging the chip’s functionality at a much later date or leaking confidential information such as cryptographic keys. Time-to-market pressure has forced integrated-circuit design, manufacturing and testing to be done at different places across the globe. This approach has led to numerous security concerns, such as overbuilding of chips by foundries, IP protection, counterfeiting and hardware Trojans.
One country in particular has an advantage in executing this kind of attack: China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs. About 27 percent of Lenovo Group Ltd. is owned by the Chinese Academy of Science, a government research institute. An internal report produced by the J-2 intelligence directorate warned that use of Lenovo products could facilitate cyber intelligence-gathering against both classified and unclassified (but still sensitive) U.S. military networks. One official said Lenovo equipment had in the past been detected “beaconing”, that is, covertly communicating with remote users in the course of cyber intelligence-gathering.
More recently, during the ensuing top-secret probe, the U.S. Department of Defense discovered that on the motherboards of servers assembled for Elemental by Super Micro Computer Inc. (commonly known as Supermicro), a San Jose-based company, testers had found a tiny microchip, not much bigger than a grain of rice, that was not part of the boards’ original design. Investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships, and Elemental was just one of hundreds of Supermicro customers. Three senior insiders at Apple say that in the summer of 2015 it, too, found malicious chips on Supermicro motherboards; Apple severed ties with Supermicro the following year, for what it described as unrelated reasons. According to extensive interviews with government and corporate sources, the attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain.
There are other threats. Side-channel attacks (SCAs) are another well-known class of attack on cryptographic circuits, used to leak the key that encrypts secret data. The adversary can use power or timing side channels to recover the key; the recent literature also reports attacks based on EM emissions and lasers. Another well-known SCA exploits the test structures (design-for-testability circuits) inside the chip. There are also concerns about intellectual property (IP) protection: the IP used in products and solutions from original equipment manufacturers (OEMs) should be protected.
Threats and vulnerabilities created by malicious actors (individuals, organizations, or nation states) are often especially sophisticated and difficult to detect, and thus pose a significant risk to organizations. It should be noted that ICT products (including libraries, frameworks, and toolkits) or services originating anywhere (domestically or abroad) might contain vulnerabilities that present opportunities for ICT supply chain compromises. For example, an adversary may have the power to insert malicious capability into a product or to coerce a manufacturer to hand over the manufacturing specifications of a sensitive U.S. system. Note that it is impossible to completely eliminate
Experts advocate secure manufacturing with total control of the manufacturing process from goods inwards to shipping. They maintain that the boards and components, down to the tiniest diode and resistor, that go into U.S. military systems must be made in America, and that each component and board that goes into these systems must be traceable to U.S. suppliers with approved security processes in place. “We believe the DOD [U.S. Department of Defense] should buy only American-designed, -manufactured and -owned servers from ITAR-approved American suppliers,” said Ben Sharfi, chief executive officer of General Micro Systems in Rancho Cucamonga, Calif. They also maintain that rigorous inspection of every incoming part, even down to the screw level, is crucial.
Threat of Counterfeit Electronic Components and Supply Chain
A counterfeit part is manufactured by the OEM and presented as new, but the performance and reliability of the part are questionable. Components may be recycled or remarked, may not have passed OEM tests, or may be unlicensed or over-manufactured. A cloned part is not manufactured by the OEM but may be designed to mimic the performance of the authentic part. Copies may be manufactured in a foreign plant, or may be new designs of reverse-engineered components using stolen IP, potentially with altered function while appearing the same.
Counterfeiting consists of selling second-hand products, lower-quality devices, or functional copies directly onto the market, causing potential financial losses. Currently, counterfeiters are able to utilize sophisticated and well-financed tools and technologies for recycling: ICs and other components are removed from PCBs at very high temperatures, then cleaned, sanded, remarked, repackaged and sold on the market as new.
Between semiconductor design, manufacturing and packaging, PCB production, and distribution, a single chip can pass through more than 14 different locations. After initial use, ICs are often shipped to a developing country, stripped from their boards, refurbished and remarked, and repackaged and sold again. During this process, uncontrolled heating or mishandling can lead to immediate failure or latent electrostatic discharge failures. Because of these factors, it is nearly impossible to know whether a particular IC is genuine or up to performance standards.
Counterfeit electronic components such as microchips are a major problem for the Defense Department, where a single malfunctioning part can reduce reliability and threaten the lives of soldiers. A 2011 Senate Armed Services Committee investigation found at least 1,800 cases of counterfeit parts in U.S. weapons and about 1 million suspected counterfeit parts in the supply chain. In a single missile interceptor system, the Missile Defense Agency found 800 fake parts, costing over $2 million to replace.
Suspect counterfeit parts found in some of the military’s equipment include a component part in the SH-60B Helicopter’s Forward Looking InfraRed System, a memory chip in the L-3 Display System on the USAF’s C-130J and C-27J cargo planes, and an ice detection module on a Navy P-8A Poseidon commercial airplane. All three parts were traced to manufacturing plants located in China.
Malicious inclusions of code could cause life-saving equipment to fail, missiles to lose control, and cryptographic keys to be leaked. For example, a Trojan leaking cryptographic keys in counterfeit IoT devices could potentially give hackers access to a network of devices that can be used in ‘Mirai’-like attacks and cannot be recalled or patched. Hardware Trojans have been noted before: in 2007, it was assumed that a backdoor built into a Syrian radar system was responsible for the system’s failure.
PCBs give an attacker another opportunity to tamper, clone, counterfeit, and insert a hardware Trojan. In fact, since PCBs lie at the heart of an electronic system and integrate several components to achieve the desired functionality, it is increasingly important to guarantee a high level of trust and reliability at this integration stage. The alleged Supermicro incident serves as an example. Advances in the automation of reverse engineering (RE) can shorten the time needed to identify these types of threats at multiple levels of an electronic system.
Hardware Trojans can enter at multiple points
Because of the globalization of their manufacturing process, integrated circuits (ICs) have become increasingly vulnerable to malicious alterations. This kind of malicious alteration, called a hardware Trojan (HT) insertion, raises concerns because ICs are used in a wide variety of critical applications. The threat can have different effects, which can be parametric (for example, reducing the IC’s performance) or functional (leaking sensitive data or causing a denial of service).
The first vulnerabilities are at the design stage. Modern microcircuits are designed using sophisticated computer-aided design (CAD) software. These CAD tools are created by specialized companies that often work closely with chipmakers, and the tools themselves can add malicious code. A corrupted piece of hardware can be introduced into the product, or a rogue designer can introduce an HT into the HDL description. Third-party libraries or components, such as the accelerators used to crunch numbers for encryption and decryption, are often designed by outside parties, which raises the possibility of malicious code being added at design time.
Because of the very high up-front cost, most chip makers now rely on a handful of outside foundry services, based in China, South Korea, Taiwan, and the United States, among other countries, that specialize in implementing silicon designs. A hardware Trojan or malicious circuit can be added during the manufacturing phase so that the chip fails at a crucial time or generates false signals. For example, filler cells can be substituted by logic gates, inducing a denial of service or more complex malicious functionality, or a fuse can be disabled, and so on. Or the attacker can add a backdoor that sniffs out encryption keys or passwords, or transmits internal chip data to the outside world.
It can also be inserted after manufacturing. In the recent incident, for example, Super Micro designs these embedded servers in California and Taiwan, yet has them manufactured in China, where assembly lines were infiltrated and spy chips installed on some of Super Micro’s high-performance computer boards.
An HT is composed of two parts: 1) a trigger and 2) a payload. The trigger is the mechanism that monitors a few signals within the IC until a specific condition is met; when it is, the payload is activated. The trigger can be generated either externally (e.g., external signals or a physical condition) or internally (a special internal state, data, etc.). Moreover, the trigger can be either combinational (the result of a logical operation) or sequential (related to a succession of states).
The payload is the “malicious” effect of the HT. The payload is explicit when signals are directly added, removed, or deactivated. The payload is implicit when the effect cannot be directly observed, for example when sensitive information is leaked through side channels such as power consumption. Detecting an HT before its activation is a difficult task, and it remains a challenging problem even after activation when the payload is implicit.
Researchers are also developing many technological solutions in the area of IC counterfeits, hardware assurance, cyber-physical systems security, and embedded systems security. Researchers at New York University Abu Dhabi’s (NYUAD) Design for Excellence (Dfx) lab have developed new innovations in computer chip technology that present landmark achievements in IT security. Secured by a secret key so that only authorized users may utilize them and immune to reverse-engineering, ‘logic-locked’ computer chips will provide future users with new guarantees of security for their devices.
Hardware Trojan Detection and Prevention
As most IC designs are extremely large and contain a huge amount of hardware description, these inclusions are difficult to detect, and the sheer size of the code means that many people need access to it at the production level. It is difficult to protect against such threats, but some solutions based on ad hoc design and verification methods have been proposed.
A hardware Trojan can be designed as a time bomb to disable and/or destroy a system at some future time. Hardware Trojans can be inserted at any stage of the design flow by an adversarial third party to tamper with the original design, so it is important to establish a root of trust from the design house through the supply chain. To distinguish malicious alterations in the design, authors have used power as the side-channel signal. To make Trojans more observable at the outputs, switching the voltage on supply rails to alter the circuit logic has also been proposed. A Trojan can also introduce additional gate delay, which can be exploited for detection because it alters the delay signature of the path the Trojan occupies. In the pre-silicon stage, a four-step approach has been proposed to filter and locate malicious insertions implanted in third-party Intellectual Property.
Counterfeit detection tests broadly fall into two categories: physical/mechanical tests and electrical performance-based tests. Using physical and electrical test methods, significant numbers of counterfeit ICs can be detected. As counterfeiters start using more advanced mechanisms that are not easily detected by physical and electrical test methods, new detection techniques are needed, specifically ones designed for security and low cost. For example, new optical photon-counting security tagging and verification of integrated circuits (ICs) using optically encoded QR codes might provide such a low-cost mechanism.
Furthermore, a Trojan prevention approach could be used to make it more difficult (ideally impossible) to insert hardware Trojans at the fab. One proposed technique is called built-in self-authentication (BISA). This technique fills unused spaces in a circuit layout with functional standard cells instead of nonfunctional filler cells during layout design, so BISA can prevent hardware Trojan insertion in the limited available space. In spite of the amount of work that has been done on hardware Trojan detection and prevention, by no means is this a solved problem.
Functional testing, often referred to as the Automatic Test Pattern Generation (ATPG) technique, is more commonly used to locate manufacturing faults, but it has also been shown to be effective in detecting hardware Trojans. In ATPG, the input ports are stimulated and the output ports are monitored for variations that may indicate a hardware Trojan has been activated. Functional testing techniques can also be useful when attempting to determine the trigger patterns of conditional Trojans.
In 2018, Catherine Rooney and others from the UK utilized and demonstrated three different techniques to detect hardware Trojans. The first uses power analysis together with side-channel analysis, allowing security investigators to measure power variance, traces and current leakage; this is followed by concentrated heat measurements using an infrared thermometer, and finally a thermal camera test. The three experiments are carried out using off-the-shelf hardware and are applied to both the Trojan-free and Trojan-inserted designs. Attempts are then made to detect the Trojan in its dormant form.
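The trigger/payload model described earlier, together with the ATPG-style functional test and the golden-chip power comparison discussed in this section, as an added example that is not from the original article or from any of the researchers it cites: a toy 8-bit adder carrying a combinational-trigger Trojan whose explicit payload flips the carry-out. The structured test patterns never hit the rare trigger, so functional testing passes, while the dormant comparator's extra switching activity stands out against the golden model. The adder, the trigger value, the pattern set, the toggle-count power proxy and the process-variation tolerance are all constructed assumptions, not measured data.

```python
"""Constructed toy model (not a real netlist or measured data): a hardware Trojan
with a combinational trigger and an explicit payload, checked with ATPG-style
functional testing and a golden-model switching-activity (power) comparison."""

WIDTH = 8
MASK = (1 << WIDTH) - 1
TRIGGER = (0xA5, 0x3C)  # rare input pair: 1 in 65,536 uniformly random vectors

def golden_adder(a, b):
    """Reference design: 8-bit ripple-carry adder -> (sum, carry_out, nodes)."""
    carry, total, nodes = 0, 0, []
    for i in range(WIDTH):
        ai, bi = (a >> i) & 1, (b >> i) & 1
        si = ai ^ bi ^ carry
        carry = (ai & bi) | (carry & (ai ^ bi))
        total |= si << i
        nodes += [ai ^ bi, si, carry]
    return total, carry, nodes

def trojan_adder(a, b):
    """Same adder with an HT: a comparator (trigger) plus an explicit payload that
    flips carry_out when the trigger fires. The comparator nodes keep switching on
    every vector even while dormant, which the side-channel check below relies on."""
    total, carry, nodes = golden_adder(a, b)
    match = [((a >> i) & 1) == ((TRIGGER[0] >> i) & 1) for i in range(WIDTH)]
    match += [((b >> i) & 1) == ((TRIGGER[1] >> i) & 1) for i in range(WIDTH)]
    fired = int(all(match))
    return total, carry ^ fired, nodes + [int(m) for m in match] + [fired]

def atpg_patterns():
    """Structured manufacturing-test vectors: all-0, all-1, alternating, walking ones."""
    pats = [(0, 0), (MASK, MASK), (0x55, 0xAA), (0xAA, 0x55)]
    return pats + [(1 << i, 0) for i in range(WIDTH)] + [(0, 1 << i) for i in range(WIDTH)]

def functional_test(dut, patterns):
    """Output mismatches between the device under test (DUT) and the golden model."""
    return sum(dut(a, b)[:2] != golden_adder(a, b)[:2] for a, b in patterns)

def switching_activity(dut, patterns, variation=0.0):
    """Power proxy: internal-node toggles between successive vectors, scaled by a
    per-chip process-variation factor (constructed stand-in for a measured trace)."""
    prev, toggles = dut(*patterns[0])[2], 0
    for a, b in patterns[1:]:
        cur = dut(a, b)[2]
        toggles += sum(x != y for x, y in zip(cur, prev))
        prev = cur
    return toggles * (1.0 + variation)

def side_channel_flag(dut, patterns, variation=0.0, tolerance=0.10):
    """True when the DUT's activity exceeds the golden signature by more than the
    tolerance budgeted for process variation."""
    golden = switching_activity(golden_adder, patterns)
    return switching_activity(dut, patterns, variation) > golden * (1.0 + tolerance)
```

With `atpg_patterns()` the dormant Trojan produces zero functional mismatches and only fails once the trigger vector itself is added, whereas `side_channel_flag(trojan_adder, atpg_patterns())` flags it while a clean chip with 4 percent variation stays under the 10 percent tolerance.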