Forging computer supply chains with stronger, transparent links

Presented by Intel

Imagine you have X-ray vision. You can look at a server or PC and see every piece inside. You know when and where each part was manufactured, installed, and updated, by whom – across each one’s entire lifecycle. Whether you’re a builder or buyer, it’s easy (or easier) to spot suspicious parts and suppliers. Ditto for potential hardware, software, and firmware threats. Push a button and ZAP! Problems flagged or gone.

New developments in supply chain tracking and intelligence are bringing these superpowers closer (minus the X-ray vision, for now anyway). Next-generation systems promise to provide the ecosystem and industry with the transparency and security needed to protect against two of today’s biggest supply chain threats: counterfeiting and firmware exploits.

Today, it’s already possible to gain a range of new insights from the device, from verifying that the hardware you ordered matches what you received, to improved component-level tracking for reliability analysis, to helping to identify security issues. More capabilities are on the way.

For many, it’s none too soon.

Exploits fuel growing concern

A steady rise in hacks, counterfeits, and scares has pushed concerns about technology parts and supply chains higher on the agendas of security leaders, C-suites, boards, compliance, investors, M&A, legal, marketers and PR, and many others.

Across private and public sectors, there’s increasing worry about knockoffs, grey market parts, and illicit hardware and software that can steal data, shut down key systems, and damage reputations, businesses, industries, national security, and whole sectors of today’s hyper-connected world economy.

“The globalization of technology design, development, manufacturing, and distribution has created an environment of complicated supply chains with limited transparency,” says Leslie S. Culbertson, executive vice president and general manager of Product Assurance and Security at Intel. “There is a growing need to provide assurances of platform integrity in every stage of the compute lifecycle, and to do so in a manner that is as transparent as possible.”

So what’s the best way to manage rising risk in global supply chains? How do organizations of all types work towards improving safety and integrity without stifling growth? It’s a hot topic — even if you don’t have “supply chain” in your title.

Ecosystem protections

Government response has largely focused on regulation, legislation, and trade actions such as limits and bans against doing business with suspect companies and nations. Most prominent: a presidential executive order in May banning sale or purchase of certain electronics to specified hostile nations. The 2018 SECURE Technology Act gave U.S. federal agencies new authority to consider supply chain risks when procuring products. While these measures play a key role in a holistic approach, they’re only part of the solution.

Public-private alliances that unite major federal and business interests are a second key leg.

Private sector action is the other vital piece. For manufacturers, distributors, and buyers, maintaining tight controls, visibility, and validation within a specific ecosystem is one of the best ways to help protect against supply chain attacks.

A leading-edge example is Intel® Transparent Supply Chain tools. Piloted in 2015, they’re a set of policies and procedures that help resellers and end customers manage risk by providing unprecedented accountability and traceability. It’s both an effective current system and a roadmap for further development.

How it works

At every manufacturing site in the ecosystem, software generates “build” data. It’s an ingredient list of everything that went into the device including BIOS. Each piece gets a unique certificate identifier from a Trusted Platform Module. Once data is cryptographically linked to the device, it’s uploaded to secure cloud servers. Member makers and buyers can download data sets or access them via a secure web portal.

Explains Charlie Stark, an Intel security engineer: “Many manufacturers provide a spreadsheet on build data. The value in going this extra step is that there’s now a cryptographic, traceable way to prove that the data you’re looking at isn’t generic data about all devices. It’s the specific data about the device that’s in your hand.”

Answering key questions

The deep information provided by a transparent and secure supply chain visibility system helps everyone in the ecosystem answer key questions, at every stage of a device’s lifecycle:

  • Build: What components are in the device?
  • Transfer: Does the device arrive as built?
  • Operate: Is the device safely updated and maintained?
  • Retire: Is the returned device what was expected? (Requires functioning auto-verify)

Improving accountability and assurance

Having this kind of system-level and component-level traceability greatly improves visibility, trust, and security for everyone involved in the chain. It creates a window into the ecosystem to automate compliance, prevention, and remediation.

Product and components: Users can check individual serial numbers, work-order numbers, manufacturer, date, location, product group, and more. Planned analytics capabilities would enable tracking of labeling, identification, and reliability of specific products. For example, if there’s a recall on certain components, affected devices could be tracked.

Vendor and suppliers: Users can identify vendors who are suspicious, unapproved, from hostile regions with high risk of espionage, or plagued with high failure rates and downtimes. “For example, if 32 ATMs fail, and they all had voltage regulators from the same company, and the same lot, you could quickly identify them,” Stark explains.
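To make the preceding sections concrete, here is an added example (not Intel’s code, and not the actual Transparent Supply Chain data format) of the three operations the article describes: a manufacturing site records the “build” ingredient list and cryptographically binds it to one device, a recipient checks at the Transfer stage that the device arrived as built, and a buyer queries a fleet of build records for parts from one vendor and lot, as in the voltage-regulator scenario above. The manifest layout, the device serials and component records, and the key are all constructed for this example; in particular, the HMAC secret is a stand-in for a TPM-held attestation key, which a real TPM would use to sign internally without ever exposing it.

```python
import hashlib
import hmac
import json

# Stand-in for a TPM-held attestation key. A real TPM keeps the key inside
# the chip and signs digests internally; an HMAC secret is used here only so
# the example runs on the standard library. Constructed value, not a real key.
DEVICE_KEY = b"example-attestation-key-placeholder"


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so equal inventories always hash equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def component_id(comp: dict) -> str:
    """Content-derived identifier for one component record."""
    return hashlib.sha256(canonical(comp)).hexdigest()


def build_manifest(device_serial: str, components: list) -> dict:
    """Build stage: record the ingredient list and bind it to the device.

    The body keeps the full component records (so later queries by vendor or
    lot are possible) plus a root digest over all component ids; the signature
    binds the body to this device's key, so the record describes this device,
    not a generic product line.
    """
    comps = sorted(components, key=canonical)
    root = hashlib.sha256("".join(component_id(c) for c in comps).encode()).hexdigest()
    body = {"device_serial": device_serial, "components": comps, "root": root}
    signature = hmac.new(DEVICE_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_as_built(manifest: dict, device_serial: str, observed: list) -> dict:
    """Transfer stage: does the device in hand match its signed manifest?"""
    body = manifest["body"]
    expected = hmac.new(DEVICE_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        return {"ok": False, "reason": "signature mismatch", "missing": [], "unexpected": []}
    if device_serial != body["device_serial"]:
        return {"ok": False, "reason": "manifest belongs to another device",
                "missing": [], "unexpected": []}
    expected_ids = {component_id(c): c for c in body["components"]}
    observed_ids = {component_id(c): c for c in observed}
    missing = [expected_ids[i] for i in sorted(set(expected_ids) - set(observed_ids))]
    unexpected = [observed_ids[i] for i in sorted(set(observed_ids) - set(expected_ids))]
    ok = not missing and not unexpected
    return {"ok": ok, "reason": "" if ok else "inventory differs from build record",
            "missing": missing, "unexpected": unexpected}


def devices_with_part(manifests: list, vendor: str, lot: str) -> list:
    """Fleet query: which devices carry a component from this vendor and lot?"""
    hits = []
    for m in manifests:
        for c in m["body"]["components"]:
            if c.get("vendor") == vendor and c.get("lot") == lot:
                hits.append(m["body"]["device_serial"])
                break
    return sorted(hits)


# Constructed sample build data for two devices (all values made up).
VR = {"type": "voltage_regulator", "vendor": "ExampleVR", "part": "VR-7", "lot": "L2019-07"}
BOARD_A = {"type": "board", "vendor": "ExampleBoards", "serial": "MB-1001"}
BOARD_B = {"type": "board", "vendor": "ExampleBoards", "serial": "MB-1002"}
DIMM = {"type": "dimm", "vendor": "ExampleMem", "serial": "DM-2001", "lot": "L11"}
BIOS = {"type": "bios", "vendor": "ExampleFW", "version": "1.04"}

MANIFEST_A = build_manifest("DEV-0001", [BOARD_A, VR, DIMM, BIOS])
MANIFEST_B = build_manifest("DEV-0002", [BOARD_B, DIMM, BIOS])


def demo() -> dict:
    """Run the lifecycle checks on the constructed data."""
    # Device arrives exactly as built (component order does not matter)
    intact = verify_as_built(MANIFEST_A, "DEV-0001", [BIOS, DIMM, VR, BOARD_A])
    # Device arrives with its DIMM swapped for a part not in the build record
    swapped_dimm = dict(DIMM, serial="DM-9999")
    tampered = verify_as_built(MANIFEST_A, "DEV-0001", [BOARD_A, VR, swapped_dimm, BIOS])
    # Fleet query for a suspect voltage-regulator lot
    affected = devices_with_part([MANIFEST_A, MANIFEST_B], "ExampleVR", "L2019-07")
    return {"intact": intact, "tampered": tampered, "affected": affected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point worth noting is in `verify_as_built`: the signature is checked before anything else, so an edited build record cannot be used to make a substituted part look legitimate, and the serial check ties the record to the specific unit rather than to a model. Keeping the full component records (not just their digests) in the signed body is what makes the later vendor-and-lot query possible across a fleet.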

At a more macro level, secure ecosystems can form crucial cornerstones and foundations for industrywide, nationwide, and even global protection. When linked with other ecosystems and industries, they provide a crucial complement to laws and regulations. The result is a set of holistic and interlocking protections needed to combat growing threats to private and public sectors.

What’s now, what’s next

Intel has implemented capabilities for transparency in the supply chain in its NUC mini-PC and Intel Server Product S2600 family. The latter are “white box” systems volume-manufactured for third parties, including major cloud service providers and OEMs. Plans are underway to expand to other products and systems.

The success of ecosystem security requires participation of major partners. Tier-1 OEM vendors have been active in adopting and using Intel Transparent Supply Chain tools to help ensure transparency and trust for their own products and partners. Lenovo, for example, supports TSC on select Intel Core commercial notebooks today, and has plans to support it across all commercial PCs as well as its Intel Xeon-SP based server systems. Other server and PC OEMs are likely to be quick to follow in response to growing customer desire for improved levels of data and transparency.

The overall goal, according to Stark, is to include all ecosystem participants — buyers and sellers. It’s a step strongly encouraged by supply chain security experts. As Accenture concluded in a recent report: “This is no time for splendid isolation. Your ecosystem needs you.”

Expansion: Industry and blockchain

As a next step, Intel hopes to establish transparent supply chain as a standard across the computer industry. It’s a big goal, Stark acknowledges. “But industry has tackled big, global challenges before,” he says. “Think of removing lead from gasoline or conflict-free diamonds. It’s completely doable.”

Industry efforts took a major step forward in early December, when Intel introduced the Compute Lifecycle Assurance Initiative. Explains Culbertson: “The vision is to align the industry and bring greater transparency for customers at every stage of the compute lifecycle.”

And if this sounds like a natural application for blockchain, you’re right. Adding the technology’s tracking capabilities would create a powerful mutual-trust model and remove product data as a single honeypot for attackers. Intel demonstrated this capability at RSA 2019, and continues a pilot with a major industry manufacturer. Stay tuned.

Eliminating weak links

No protection can stop every incident every time. Experts predict that supply chain attacks will continue to escalate, perhaps sharply. Ecosystem-wide visibility and accountability represent powerful defenses against the growing wave of supply chain attacks.

It’s not yet X-ray vision. But building on leading-edge systems like Intel® Transparent Supply Chain is one of the best ways to find and remove weak links and help ensure our computing infrastructure is safe and operating the way it’s supposed to.

Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact [email protected].