Complex Chips Make Security More Difficult

Why cyberattacks on the IC supply chain are so hard to prevent.

APRIL 7TH, 2022 – BY: JOHN KOON

Semiconductor supply chain management is becoming more complex with many more moving parts as chips become increasingly disaggregated, making it difficult to ensure where parts originated and whether they have been compromised before they are added into advanced chips or packages.

In the past, supply chain concerns largely focused primarily on counterfeit parts or gray-market substitutions using sub-par binned parts. Now, as IC architectures become more domain-specific, often including some level of AI/ML, chipmakers are using more application-specific components such as accelerators, custom memories, and IP blocks from more suppliers. As a result, the supply chain is becoming broader, more diverse, and parts are becoming much harder to track. Today’s supply chain spans everything from raw materials, where purity is essential for  advanced processes, to soft and hard IP, subsystems, packaging, delivery, and warehousing.

Failure to keep track of all components at every stage opens the door to cyberattacks. In some cases, this could include sleeper code or hardware vulnerabilities. But more often these attacks are prompted by unintentional flaws in a design that result in security holes, some of which may not be discovered for years. Tracking each component, and the integration of those components in a larger system, is an enormous challenge. And if something goes wrong and the system is compromised, it’s not always clear what caused the problem.

“To have a secure IoT supply chain, trust in data and trust in devices must be established,” said David Maidment, senior director for secure devices ecosystem at Arm. “However, there are several challenges to this. The supply chain is very complex, with lots of different devices and entities where data, products, and services must exchange ownership without contracts being in place. Much of the supply chain has existed without the IoT for 20-plus years, and is therefore built on legacy devices without security in mind. As we move to hyper-connected value chains it is essential that all devices are built from the ground up with security at their heart.”

That requires precise traceability, which has been increasingly difficult to implement as designs become more complex. “Especially for the bigger IP companies, the high-end IP costs a lot. A lot of companies buy a per-use license. The problem is that it can’t be policed by the IP provider. It’s legally bound, but they don’t know if it’s getting used on more than one design,” said Simon Rance, vice president of marketing at ClioSoft. “The bigger companies don’t want to buy IP from an IP provider and break those legal agreements, which can happen very easily. But a designer in a company has no idea if it’s a one-time license. We’re seeing a lot of IPs held on file servers. They’re not locked down. There’s a management issue that’s missing.”

When any part of the supply chain is disrupted, the whole supply chain is affected. A supply chain can be long and complex, with suppliers at multiple tiers.

“The supply chain can be complex,” said John Hallman, product manager at Siemens EDA. “There are many suppliers that contribute to making the ICs, including the designers, mask makers, and the fabrication houses themselves. Additionally, these component manufacturers use raw materials coming from different parts of the world.

Even though a manufacturer has security measures in place, there’s no guarantee its suppliers have equally strong protection. Hackers often take advantage of a manufacturer’s trust in its suppliers. Suppliers with weak cyber defenses are prone to attack, and once a supplier is breached, hackers can gain access to the manufacturer’s enterprise system. Often this happens without immediate detection, and in cases of espionage with sophisticated nation-state backing, some attacks may never be detected.

The European Union Agency for Cybersecurity (ENISA) pointed out in its recent report that 66% of cyberattacks are related to suppliers’ software code. It is important for an organization or end user to validate third-party software code before using it to ensure no malware exists.

The supply chain itself can be corrupted, as well. Manufacturers often trust their suppliers and use the supplier’s software code without checking it for malware. It’s common for a manufacturer to have direct access to its distributors, because it allows them to obtain data on the availability of various chips, IP, and electronic systems. More recently, though, as enterprise resource planning (ERP) software has become more widespread, manufacturers download a software module from the distributor. The manufacturers then integrate that module with their own ERP systems. Unless the software module undergoes a malicious software detection process, the malware can enter the ERP system unnoticed. Some victims of cyberattacks don’t even know how and when their systems became infected.

Fig. 1: The lifecycle of supply chain attacks can be divided into two Advanced Persistence Threat (APT) attacks. The first one targets one or more suppliers. Once the malware enters through the back door, the second attack will target the customers’ assets. This type of cyberattack is more difficult to detect because the customers already trust the suppliers. Source: ENISA

Fig. 1: The lifecycle of supply chain attacks can be divided into two Advanced Persistence Threat (APT) attacks. The first one targets one or more suppliers. Once the malware enters through the back door, the second attack will target the customers’ assets. This type of cyberattack is more difficult to detect because the customers already trust the suppliers. Source: ENISA

Ransomware is especially pernicious because it has both short- and long-term impact. According to an IBM report, an average ransomware attack will cost an average of $4.62 million. After an attack the business must react and clean up. Costs include escalation, notification, lost business, and response efforts, excluding the ransom cost itself. On average, it takes 287 days to identify and repair a data breach. The longer it takes to fix the problem, the higher the costs.

ENISA forecasts that the number of supply chain cyberattacks will quadruple over last year, with the attacks coming in many different forms. Supply chains could be attacked through various means — malware infection, social engineering, brute-force attack, exploiting software and configuration vulnerability, physical attack or modification, open-source intelligence, and counterfeiting.

The impact of any of these can be huge. Recent high profile cyberattacks on supply chains include the Colonial Oil pipeline (disrupted fuel supply, causing long lines and high prices), Kaseya VSA remote monitoring (affected 1,500 downstream businesses worldwide), SolarWinds (18,000 companies worldwide were impacted, including many government agencies and Fortune 500 companies) and the Ukraine power grids (225,000 customers were left without power).

The SolarWinds attack occurred in 2020. Even though patches have been available, not every company affected has the knowledge or awareness to implement the solutions. The vulnerabilities will be exploited by hackers again and again. This year there were 140 more cyberattacks, resulting in 14 breaches with sensitive information stolen.

Cyberattacks on supply chains continue to increase. In a supply chain, each device endpoint is a cyberattack target. Nothing is immune from attack, and the problem becomes worse as devices remain in the market for longer periods of time. That makes a sustainable, flexible, long-term defense strategy all the more critical. The three key elements include developing trust throughout the entire supply chain, creating end-to-end visibility, and finally, practicing continual improvement.

“Every connected endpoint is a potential point of entry for a bad actor, so every connected endpoint must be secured,” said Jared Weiner, senior analyst for industrial, automation and sensors at VDC Research. “A holistic, layered approach to cybersecurity is essential. Though the specific requirements of individual devices vary, organizations managing a supply chain should consider authenticating hardware devices and software with security in mind (i.e., those featuring embedded security hardware or software), and further protected by some combination of asset management, endpoint protection, and network visibility solutions.”

Trust is critical in supply chain security
Establishing trust is always important in any application. But for a supply chain, trust is even more vital because so many parties are involved. Tier 1 and tier 2 suppliers may have been doing business with an OEM for years, but that doesn’t mean they can be trusted when it comes to supply chain management. Today, any of these suppliers or their subcontractors may have malicious software codes embedded in their systems without knowing it.

“Remote monitoring and connectivity has in itself become a critical part of the supply chain,” said Arm’s Maidement. “The ability to monitor the location and condition of goods in transit is essential, and any service interruption of that monitoring has huge cost implications. Companies are totally dependent on high-quality dependable insights, and as such require trusted devices to deliver this monitoring at scale. Any non-secure device, such as poorly designed or legacy devices, leaves the door open to adversaries.”

The practice of “zero trust” is particularly important here. Any device or software outside the organization cannot be trusted.

“There are many points during a system’s development where malicious code can be introduced through a back door throughout a chip’s development cycle, product manufacturing and system development,” said Andy Jaros, vice president of IP sales and marketing at Flex Logix. “This is why the U.S. Government has a zero trust philosophy for system development. Included in zero trust are methods for monitoring system activity for aberrant behavior, circuit obfuscation to reduce side channel attack risks, and controlling chip or circuit functionality.”

End-to-end supply chain visibility
Visibility across the supply chain and and endpoint protection require the flow of information from any supplier to the manufacturer to be clearly identified and trustworthy. Defending the supply chain network in this way helps prevent contamination by unknown malware via a back-door attack.

“The end-product manufacturer or system integrators inherit the entire supply chain and the responsibility to oversee the whole process,” said OneSpin’s Hallman. “Do they have the end-to-end view and the flow of information on hand to know where everything comes from? This includes the management of RoHS and the detection of counterfeit parts. Having the visibility on what has been transferred is important.”

Given the constant change in the supply chain, including new technology that can make previous security obsolete, and chip shortages that may require vendors to use multiple sources, adding a level of flexibility into the supply chain is also a good idea. In effect, the supply chain needs to keep pace with the technology flowing through it.

“Embedded FPGA IP can be used to address these vulnerabilities through CPU boot image authentication, system activity monitoring, randomly swapping out different bitstreams having the same functionality or programming critical or highly proprietary circuitry post system manufacturing or deployment,” said Flex Logix’s Jaros.

Continual improvement
The National Institute of Standards and Technology (NIST) noted that when a software supply chain is attacked, the cyber threat actor infiltrates the supplier’s network. The malicious code will then be sent to the customers and further compromise the customer’s data, as in the case of the attack on SolarWinds. The agency proposed a solution called Cyber Supply Chain Risk Management (C-SCRM), which is a process to identify, assess, and mitigate the risk associated with the distribution and interconnection of IT/OT products and services.

In its recent report, NIST proposed eight key practices to achieve high quality supply chain management with continual improvement:

  1. Integrate C-SCRM across the organization.
  2. Establish a formal C-SCRM program.
  3. Know and manage critical suppliers.
  4. Understand the organization’s supply chain.
  5. Closely collaborate with key suppliers.
  6. Include key suppliers in resilience and improvement activities.
  7. Assess and monitor throughout the supplier relationship.
  8. Plan for the full life cycle.

“A safe supply chain requires continuous verification and authentication,” said Hallman. “In the case of the SolarWinds breach, the attackers used updates to the software to enable a ‘back door.’ To minimize cyberattack risk, at the minimum, one must practice the basic security hygiene including rigorous verification, applying security best practices as simple as, ‘Does the transaction have the right checksum? Or have regression tests been used?’ There are tools like digital twins available. You will be surprised how many organizations do not practice the basics.”

There are additional supply chain standards and resources available. They include blockchain, SEMI E142, IPC, GS1, AS 6171, and the Trusted Computing Group platform.

Conclusion
Cyberattacks on supply chains are rising. As Arm’s Maidment noted, “In order to protect your business, it’s important you’re assessing and managing risk from hackers. First, establish a chain of trust from data and devices outward to the cloud anchored from a hardware root of trust in every device. This ensures your data is in trusted hands and can help deliver valuable business insights. Second, actively procure certified secure devices that will protect your network. Even with the most secure networks in place, an insecure device leaves a hole in your systems for hackers to take advantage of. Devices certified by reputable certification bodies such as PSA Certified give you the added assurance. Finally, be proactive with security when designing your products. It’s not enough to be reactive when things go wrong. Instead, build security in from the start of your design using components with a certified hardware root of trust. You can also source pre-validated components (such as silicon chips, or system software) to ensure your building devices on a trusted foundation.”