SECURING THE ELECTRONICS SUPPLY CHAIN
Once malicious firmware has been inserted into electronic components, it can be almost impossible to detect. Because it is in the hardware, the malware will remain in place even when all the software has been upgraded or replaced.
What, then, is to be done about this? The answer is to solve the problem of malicious firmware in a way that produces other security benefits at the same time. That way, these other benefits can justify the necessary security expenditures.
- Scott Borg, “ISA Framework for Securing the Electronics Supply Chain,” pp. 1, 3
In 2005, in conjunction with its founding partner, Carnegie Mellon University, ISA launched the industry’s first integrated program analyzing the complex problems of managing the global IT supply chain in order to assure the security of IT hardware products and services. Under Carnegie Mellon’s leadership, ISA hosted a series of national conferences that brought together hundreds of thought leaders and experts from industry, government, and academia to conduct a thorough analysis of the problem.
In 2008, ISA engaged one of the nation’s top cyber economists, Scott Borg, head of the US Cyber Consequences Unit, to assist ISA in taking its initial work and building out a sustainable framework for securing the IT supply chain, covering information technology as well as economic, social, and legal issues. ISA completed the framework in 2009 and was the only organization whose comments on the subject were cited in President Obama’s “Cybersecurity Policy Review.”
In 2010, ISA launched a new program of invitation-only workshops designed to move the ISA supply chain framework through the standardization and best-practices stages. The workshops in the series have surveyed the practical security measures necessary for the Design, Fabrication, Pre-assembly, Assembly, Distribution, and Maintenance phases, along with reviewing the legal and contractual conditions necessary for implementing the other security measures.
ISA expects to publish a 60+ page guidelines document encompassing these cost-effective and pragmatic security measures in short order.
ISA is also embarking on the Supply Chain program’s next stage, in conjunction with the Vienna-based World Institute for Nuclear Security (WINS), to develop model contract language for the management of vendor networks associated with the IT supply chain.