These articles both tell the stories of companies and organizations that have lost business, customer confidence, and sensitive data because of supply chain security holes. Even in well-architected security solutions like the RSA authentication tokens and gaming machine security chips, companies that lose track of parts inventories and accesses in delivery, maintenance, and upgrade will eventually encounter security breaches that are difficult to detect and very costly to recover from.

CPU Tech would like to thank Ernie for his time, effort, and representation of the Anti-Tamper technology area over the last few years, and welcome Kevin in his new set of responsibilities.

This comes with a series of other changes, as tend to occur each summer in the Government hierarchy. In addition to the recent transition of the Secretary of Defense office from Robert Gates to Leon Panetta, the Anti-Tamper mission area is also seeing a transition of responsibilities from Tony Kim at the Air Force Research Lab ATSPI Center. Taking over the role of AT Program Management will be Captain Jason Williams, and the role of AT Technology Lead will be assumed by Mr. Frank Parada.

Reading the indictment itself of VisionTech’s activities is startling — over 59,000 ICs were purchased and discovered to be fakes, with forged markings and logo/copyright violations of over 20 different chip suppliers (most of the top industrial IC suppliers, including FPGA and ASICs).

The Chinese operation supplying these appears to be very sophisticated, and they seem to have no problem identifying small companies within the United States willing to broker these false devices into any defense source they can find.

This puts a spotlight, once again, on whether there is a need for a ‘Trusted Supply’ of microelectronics within the Department of Defense, whether Trust can be applied after the fabrication process, and whether a few ‘Trusted ICs’ in a system is sufficient to ensure the safety and critical operation of US weapon systems.

Read more in a new White Paper posted on the CPU Tech website.

There are no specific mentions of anti-tamper technologies or new export compliance regulations, though there will be some drastically different definitions and screenings for ‘ITAR Control’ in both defense and commercial sales articles.

“As you all know, Export Control Reform is a major priority of this administration, and we are pleased to note that the reform effort is continuing apace. We are increasingly making strides toward a new phase of Export Control Reform – where we convert the plans and concepts still on the drawing board into concrete proposals and regulatory changes. Since the last DTAG Plenary in October, the PM Bureau has initiated a number of ITAR revisions. We published proposed rules on the revision of USML Category VII and plan to publish additional categories for comment in the near future. We have also published a proposed new policy to address the so called “see-through” rule, and a proposed exemption for the export of replacement parts in the Federal Register. We are now in the process of reviewing comments and revising these rules for final publication. The final rule on Third Country and Dual Nationals should be published this week. DTAG recommendations were incorporated into all of these rules.”

Following up on previous posts on this blog about promoting our work with Flexera Software and Mocana, two more links are now available on the front page of CPU Tech’s website.

The first of these is a new press release between Mocana and CPU Tech highlighting the fact that we are leveraging their expertise in secure embedded core development in several areas — secure connections and crypto libraries. The second is a new article from Flexera Software in Embedded Computing Design magazine.

This means it is still everyone’s problem . . . and no one person’s.

The attempt to identify and coordinate a single Executive Agent to address Supply Chain security can be found in the text of the House Appropriations Bill HR 5136, section 1063. I will include the wording below so that it is not necessary to comb through a thousand pages of congressional language:

Sec. 1063. EXECUTIVE AGENT FOR PREVENTING THE INTRODUCTION OF COUNTERFEIT MICROELECTRONICS INTO THE DEFENSE SUPPLY CHAIN.

A) EXECUTIVE AGENT. — Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall designate a senior official of the Department of Defense to serve as the executive agent for preventing the introduction of counterfeit microelectronics into the defense supply chain.

B) ROLES, RESPONSIBILITIES, AND AUTHORITIES

1) ESTABLISHMENT — Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall prescribe the roles, responsibilities, and authorities of the executive agent designated under subsection (a).

2) SPECIFICATION — The roles and responsibilities of the executive agent designated under subsection (a) shall include the following:

(a) Development and maintenance of a strategy and implementation plan that ensures that the Department of Defense has the ability to idenfity, mitigate, prevent, and eliminate counterfeit microelectronics from the defense supply chain.

(b) Development of recommendations for funding strategies necessary to meet the requirements of the strategy and implementation plan developed under subparagraph (A).

(c) Assessments of trends in counterfeit microelectronics, including:

(i) an analysis of recent incidents of discovery of counterfeit microelectronics in the defense supply chain, including incidents involving material and service providers;

(ii) a projection of future trends in counterfeit microelectronics;

(iii) the sufficiency of reporting mechanisms and metrics within the Department of Defense and each component of the Department of Defense;

(iv) the economic impact of identifying and remediating counterfeit microelectronics in the defense supply chain; and

(v) the impact of counterfeit microelectronics in the defense supply chain on defense readiness

(d) Coordination of planning and activities with interagency and international partners.

(e) Development and participation in public-private partnerships to prevent the introduction of counterfeit microelectronics into the supply chain.

(f) Such other roles and responsibilities as the Secretary of Defense considers appropriate.

(C) SUPPORT WITHIN DEPARTMENT OF DEFENSE. — The Secretary of Defense shall ensure that each component of the Department of Defense provides the executive agent  designated under subsection (a) with the appropriate support and resources needed to perform the roles, responsibilities, and authorities of the executive agent.

(D) REQUIRED ACTIONS. — The Secretary of Defense shall submit to the congressional defense committees–

(1) not later than 180 days after the date of the enactment of this Act, a description of the roles, responsibilities, and authorities of the executive agent prescribed in accordance with subsection (b)(1);

(2) not later than 1 year after the date of the enactment of this Act, a strategy for how the Department of Defense will identify, mitigate, prevent, and eliminate counterfeit electronics within the defense supply chain; and

(3) not later than 18 months after the date of the enactment of this Act, an implementation plan for how the Department of Defense will execute the strategy submitted in accordance with paragraph (2).

This position, sensibly, will attempt to get a single DoD Office to focus on something that is everyone’s problem. The benefits of this, in particular, are the requirements to formulate a strategy as well as a funding recommendation for supply chain security solutions. The downsides, no doubt argued by the Pentagon, is that this is too large a problem to be focused on a small, initially unfunded office or individual.

According to some reports, Stuxnet is a piece of malware targeted for ‘SCADA’ software – or control systems software used in power plants, utilities, factories, and in this case nuclear plants. Both the targeting of SCADA and state sponsorship of Stuxnet are rumored – not confirmed.  

Note how the malware got in there: “installed in electronic parts”, or embedded in firmware. I guess they didn’t have a Trusted Manufacturing flow.

UPDATE: An article just came out right after I posted this, from SC Magazine, highlighting a survey on Supply Chain Security and using the Stuxnet infection of Iranian facilities as an example.

The article provides little new insight or information to current users or potential users of the Acalis Secure Processor. The article talks about some of the challenges with the micron-level insertion of Anti-Tamper and other security feature circuits into modern electronics: the security can be proven in hardware testing, but the application of the security is now heavily reliant on the reliability and testability of the embedded firmware and software used to set the security configurations.

This leads to and highlights the Supply Chain security problems discussed previously on this blog, and highlighted this week in a Wall Street Journal article on new provisions in the Senate Defense Authorization Act.