By Michael Tidwell, VP Marketing and Business Development
This unsecured supply chain has obvious financial impacts for OEMs: reports estimate that consumer and industrial businesses lose $250 billion annually due to counterfeit electronic components.
Equally concerning is the impact on safety and functionality that these counterfeit devices present. In 2016, researchers at the Georgia cybersecurity firm BorderHawk discovered security flaws in a common networking device called a remote power manager (RPM) that had been purchased from a Chinese manufacturer. According to the Christian Science Monitor, BorderHawk researchers were working on a different project at a large energy firm when they noticed unusual network traffic on their client’s network. Their investigation revealed that the RPM device contained links to a known, malicious domain located in China. The device firmware also contained hidden commands that could be used to obtain lists of user accounts and passwords to access the device and give malicious hackers direct access into data centers and business applications.
“Unfortunately, security researchers say these types of vulnerabilities are not uncommon and often are difficult to detect,” wrote the Christian Science Monitor. “The problem is a byproduct of changes in the way that technology firms source and build their products, often relying on far-flung networks of manufacturers and suppliers who operate with little oversight or quality control.”
According to the publication Military Embedded Systems, even the United States Department of Defense (DoD) supply chain is vulnerable to the risk of counterfeit parts. The DoD estimates that as much as 15% of all spare and replacement parts for military electronics turn out to be counterfeit.
What’s needed is a more trustworthy electronics supply chain, based on secure manufacturing processes and tools that better control and manage manufacturing practices at third-party owned factories. The objective of secure manufacturing is to ensure that OEM devices are manufactured per OEM specification of hardware, firmware and data, and without loss of any OEM IP. Secure manufacturing processes also are designed to authenticate ICs for silicon-vendor proof of origin prior to provisioning to prevent the production of counterfeit or fraudulent devices.
Building Security and Trust into Devices
Implementing supply chain integrity and secure manufacturing requires building security and trust into devices with hardware-based security. To achieve this, a number of key building blocks must be put in place. First, OEMs must use securable IC elements or microcontroller units (MCUs) with storage protected by a hardware-based root of trust and a trusted execution environment. These elements or MCUs also must provide an immutable boot path and a true random number generation mechanism to enable generation and usage of a unique device identity.
While use of secure elements or units is necessary to secure the end device, additional operations must be performed to build on and enhance the security that is provided by the hardware-based roots of trust. This is accomplished in manufacturing through the process of secure provisioning, which configures the hardware roots of trust on a device and, hence, creates the device identity and device-specific security credentials, binding these security elements to the IC responsible for securing the device.
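The order of operations described above (authenticate the IC's proof of origin first, then provision a device identity bound to that IC) can be modelled as follows. This is an added example, not Data I/O's or SentriX code. The manifest, serial numbers and class names are hypothetical, and HMAC and a hash-based identity stand in for the asymmetric vendor certificates and device keys a real flow would use.

```python
import hashlib
import hmac
import secrets

# Constructed vendor manifest: serial -> per-chip secret enrolled by the silicon
# vendor. Assumption: HMAC stands in for an asymmetric vendor-certificate scheme.
VENDOR_MANIFEST = {"IC-0001": b"\x11" * 32, "IC-0002": b"\x22" * 32}


class Chip:
    """Simulated IC whose root of trust holds the vendor secret."""

    def __init__(self, serial, secret):
        self.serial, self._secret, self._device_key = serial, secret, None

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def create_identity(self):
        # On-chip TRNG (simulated) creates the device key; it never leaves the IC.
        self._device_key = secrets.token_bytes(32)
        return hashlib.sha256(self.serial.encode() + self._device_key).hexdigest()


class ProvisioningStation:
    def __init__(self, manifest):
        self.manifest = manifest
        self.provisioned = {}  # serial -> identity; blocks clones and overproduction

    def provision(self, chip):
        secret = self.manifest.get(chip.serial)
        if secret is None:
            return "rejected: serial not in vendor manifest"
        if chip.serial in self.provisioned:
            return "rejected: serial already provisioned"
        challenge = secrets.token_bytes(32)  # fresh nonce, so old answers cannot be replayed
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, chip.respond(challenge)):
            return "rejected: proof of origin failed"
        # Only an authenticated IC is provisioned; identity is bound to its serial.
        self.provisioned[chip.serial] = chip.create_identity()
        return "provisioned"


def run_demo():
    station = ProvisioningStation(VENDOR_MANIFEST)
    genuine = Chip("IC-0001", VENDOR_MANIFEST["IC-0001"])
    counterfeit = Chip("IC-0002", b"\x00" * 32)  # right serial, wrong secret
    unknown = Chip("IC-9999", b"\x33" * 32)
    return [station.provision(c) for c in (genuine, counterfeit, unknown, genuine)]
```

The station's `provisioned` record doubles as an audit trail: comparing it with the number of parts shipped to the factory shows whether more devices were built than were authorized.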
Authentication of ICs before provisioning
Data I/O has developed the SentriX® security deployment-as-a-Service platform to deliver on the promise of secure manufacturing. Using SentriX, OEMs now have the ability to secure their supply chain and manufacture secure devices at scale – without risk of counterfeit production – using a trusted security deployment service.
SentriX is designed with the paramount goal of securing and simplifying the IC provisioning process and helping eliminate the risk of counterfeit devices entering the market. The SentriX security deployment platform helps OEMs overcome key challenges of device security definition, secure manufacturing and the secure provisioning of trust into devices during manufacturing for improved security, lower cost, faster time to market and greater supply chain integrity.
To learn more about SentriX IoT Security as-a-Service, download Data I/O’s e-book “Securing the Electronics Supply Chain with SentriX IoT Security as-a-Service”, email sentrix@dataoi.com or visit www.dataio.com/sentrix.