CISA HBOM Framework Doesn't Go Far Enough

The recently published hardware bill of materials framework from the Cybersecurity and Infrastructure Security Agency is a much-needed step toward ensuring semiconductor chip security - but it doesn't go far enough.
The framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, which is critical for supply chain management and risk assessment.
An HBOM must go beyond the manufacturing of semiconductor devices.
It must track chips once they leave the factory, throughout their entire life cycle in the end products, in order to provide the robust security we need against emerging cyber threats.
We were reminded why this level of vigilance is important in August 2023, when Google researcher Daniel Moghimi disclosed the Downfall vulnerability (CVE-2022-40982).
The initial chips impacted by the vulnerability were manufactured in 2015.
Even if CISA's HBOM framework had been in place back then, it would not have helped organizations respond to Downfall, because it doesn't track where and how those semiconductors are in use after they ship.
That's why we need a more thorough HBOM framework, one with additional life cycle traceability, to shore up a chip's security posture once a new vulnerability is uncovered.
The framework encourages businesses to detail their upstream sourcing, including a list of all suppliers and components.
These are all worthwhile requirements, because while a company may know what a chip is supposed to do, it often doesn't know how, or by whom, it was designed and built.
By spelling it out, CISA acknowledges the pivotal role that safeguarding the supply chain plays in ensuring chip security.
This framework follows another recent government effort to increase supply chain transparency - US President Joe Biden's May 2021 executive order that mandates software bills of materials for federal vendors.
An SBOM inventories the software components in a product and their versions, so that when a new vulnerability is disclosed an organization can match it against what it actually runs and respond quickly.
Pairing one with an HBOM would provide comprehensive, integrated, and complementary security tracking of the entire life cycle of electronic products from development to disposal.
Unlike the SBOM directive, the scope of CISA's HBOM framework ends when manufacturing is complete.
We need an HBOM with an end-to-end view to help us act once we identify the Downfalls of the future.
Chips Remain Vulnerable for Years

As Downfall demonstrated, vulnerabilities may not surface until years after devices have gone to market, because hardware components can have prolonged life spans and lack modern security protections.
Whereas software can be patched, hardware vulnerabilities must, unless they can be mitigated by a firmware or microcode update, be addressed through physical changes or other workarounds that may reduce a device's performance or disable functionality altogether.
This is what makes a more comprehensive HBOM important.
Organizations must be able to grasp which threats they face due to chip vulnerabilities, with complete visibility into the manufacturing and entire life cycle of the chip.
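To make the distinction concrete, here is an added illustration that is not code from the article, from CISA, or from any vendor: a minimal hardware inventory that records both the manufacturing lineage of a chip and the devices it was fitted into, plus a lookup that answers the question a manufacturing-only HBOM cannot, namely which fielded devices contain an affected part and whether each one is already mitigated by firmware, still patchable, or has no firmware fix at all. The part numbers, vendors, fabs, sites, firmware versions and the advisory are all constructed for the example; the record layout is a hypothetical one chosen for clarity, not CISA's schema.

```python
"""Added example: life-cycle traceability on top of a manufacturing-side HBOM.
All identifiers, sites, versions and the advisory below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted firmware version into a comparable tuple: '1.4.2' -> (1, 4, 2)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    """One chip as the manufacturing-side HBOM describes it (constructed fields)."""
    part_number: str   # vendor part / stepping identifier
    vendor: str
    fab: str           # upstream sourcing detail of the kind CISA's framework asks for
    date_code: str     # manufacturing date, YYYY-WW


@dataclass
class Deployment:
    """Where a chip ended up: the life-cycle record the article says is missing."""
    device_id: str
    product: str
    site: str
    firmware: str
    components: List[Component]
    in_service: bool = True


@dataclass
class Advisory:
    """A hardware vulnerability notice (constructed, not a real advisory)."""
    advisory_id: str
    affected_parts: Set[str]
    # part_number -> minimum firmware/microcode version that mitigates the issue;
    # parts absent from this map have no firmware fix at all
    mitigated_in_firmware: Dict[str, str] = field(default_factory=dict)


class HardwareInventory:
    def __init__(self) -> None:
        self.manufactured: Dict[str, Component] = {}
        self.deployments: List[Deployment] = []

    def register_component(self, c: Component) -> None:
        self.manufactured[c.part_number] = c

    def register_deployment(self, d: Deployment) -> None:
        for c in d.components:
            self.register_component(c)  # a deployment implies the part was sourced
        self.deployments.append(d)

    def affected_parts_manufactured(self, adv: Advisory) -> Set[str]:
        """What a manufacturing-only HBOM can tell you: which sourced parts are named."""
        return set(self.manufactured) & adv.affected_parts

    def affected_deployments(self, adv: Advisory, include_retired: bool = False) -> List[dict]:
        """What life-cycle traceability adds: for each fielded device, is it exposed today?"""
        hits = []
        for d in self.deployments:
            if not d.in_service and not include_retired:
                continue
            for c in d.components:
                if c.part_number not in adv.affected_parts:
                    continue
                fix = adv.mitigated_in_firmware.get(c.part_number)
                if fix is None:
                    status = "exposed_no_firmware_fix"      # physical remediation or replacement
                elif parse_version(d.firmware) >= parse_version(fix):
                    status = "mitigated"
                else:
                    status = "exposed_firmware_available"   # patchable, but not yet patched
                hits.append({"device_id": d.device_id, "site": d.site,
                             "part_number": c.part_number, "firmware": d.firmware,
                             "status": status})
        return sorted(hits, key=lambda h: h["device_id"])


def build_sample_inventory() -> HardwareInventory:
    """Constructed sample data; vendors, fabs, sites and versions are invented."""
    cpu_a1 = Component("CPU-A1", "AcmeSemi", "fab-1", "2015-32")
    cpu_a2 = Component("CPU-A2", "AcmeSemi", "fab-1", "2017-05")
    cpu_b1 = Component("CPU-B1", "BetaChips", "fab-2", "2019-40")
    inv = HardwareInventory()
    inv.register_deployment(Deployment("dev-001", "edge-gateway", "plant-north", "1.4.2", [cpu_a1]))
    inv.register_deployment(Deployment("dev-002", "edge-gateway", "plant-south", "2.0.0", [cpu_a1]))
    inv.register_deployment(Deployment("dev-003", "controller", "hq", "3.1.0", [cpu_b1]))
    inv.register_deployment(Deployment("dev-004", "edge-gateway", "plant-north", "1.9.0", [cpu_a2],
                                       in_service=False))
    return inv


# Constructed advisory: CPU-A1 has a firmware mitigation from 2.0.0 on, CPU-A2 has none.
SAMPLE_ADVISORY = Advisory("ADV-EXAMPLE-0001", {"CPU-A1", "CPU-A2"}, {"CPU-A1": "2.0.0"})

if __name__ == "__main__":
    inv = build_sample_inventory()
    print("manufacturing view:", sorted(inv.affected_parts_manufactured(SAMPLE_ADVISORY)))
    for hit in inv.affected_deployments(SAMPLE_ADVISORY, include_retired=True):
        print("life-cycle view:", hit)
```

The manufacturing view only says "we sourced two affected part numbers". The life-cycle view names the device in plant-north that still needs a firmware update, the one in plant-south that is already covered, and the retired unit whose chip has no firmware fix and would have needed physical remediation had it still been in service. That second answer is the one an incident responder needs on the day an advisory lands, and it is exactly what a framework that stops at the factory gate cannot provide.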


This Cyber News was published on www.darkreading.com. Publication date: Thu, 15 Feb 2024 21:10:19 +0000