Securing the supply chain
Recently, I had the privilege of addressing the delegates at the Embedded Tech Trends (ETT) industry forum [in San Diego January 28-29]. I spoke about what we at Abaco see as one of the most pressing concerns for our industry, and one that we take extremely seriously: The issue is one of ensuring the absolute security of our supply chain.
It’s something that’s always been central to our business, but it was brought into even sharper focus with the revelation by Bloomberg in October last year in an article entitled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” The article detailed the discovery of evidence that Supermicro embedded computing boards destined for mission-critical applications had been tampered with – a minuscule IC had been inserted – during the offshore manufacturing process. This tampering, Bloomberg alleged, would allow a foreign power access to the board wherever it was deployed, with potentially unthinkable consequences.
The Bloomberg revelation came against a background of increasing governmental anxiety about the role of foreign powers and the technology used to create vital national infrastructure such as telecommunications and power generation/distribution. The Five Eyes Intelligence alliance has seen three of its members – the U.S., Australia, and New Zealand – officially reject the use of foreign technology in such environments, while in Canada, foreign influence is under review. Similarly, the U.K. [United Kingdom] is now having second thoughts about the role it has given to Huawei amidst allegations of the Chinese government having significant input into the company’s operations.
First and foremost, Bloomberg’s revelations reinforce how imperative it is that, wherever possible, those who supply to the U.S. military should design and manufacture in-house in facilities that maintain the utmost security – not allowing cameras on-site, for example – with total control of the manufacturing process from goods inwards to shipping.
Every embedded computing board manufacturer relies, of course, on an inflow of parts from third parties – another opportunity for the manufacturing process to be infiltrated. You might be amazed to know that more than 50 percent of electronics distributors say they have uncovered counterfeit parts in the supply chain. Rigorous inspection of every incoming part – even down to the screw level – is crucial.
Secure manufacturing, though, is only part of the response. Take ITAR [International Traffic in Arms Regulations], for example. Long regarded by some companies as a tedious hoop through which they must jump, 100-percent ITAR compliance is mandatory for the ultimate security of sensitive information. Not only should ITAR be observed, it should be embraced, and every employee should be trained to ensure ITAR is integrated within the company’s fabric.
ITAR observance and compliance should, of course, be part of a robust IT infrastructure. Here, NIST [National Institute of Standards and Technology] sets the pace: As part of its continuing efforts to safeguard critical information, Abaco has implemented two-stage authentication for sign-on to its systems – a small thing, perhaps, but nonetheless vital.
There’s much more beyond the above few – but imperative – measures that embedded computing board manufacturers need to take, such as supplier qualification and inspection and the implementation of repeatable processes that are fundamental to any quality system. Beyond that, manufacturers need to ask: What are the technologies that we can implement at the board level to prevent tampering or unauthorized access and ensure the safety of the information on the board? Those are challenges that I propose to discuss in more depth in a future article.
At Abaco, we never forget who we serve. We’re in the business of helping deliver our warfighters a technology advantage that can ensure both their safety and their success. Nothing – absolutely nothing – should compromise that goal.
Chris Cummins is the chief operating officer of Abaco Systems.