Supply chain risk mitigation for IT electronics

Supply Chain Risk Management (SCRM) is one of the 12 Comprehensive National Cybersecurity Inititiatives (CNCI), but the range of supply chain problems has not been defined rigorously, and effective defenses have not yet been developed. Risks range from the increased unreliability of counterfeits to data exfiltration and adversary control enabled by hardware Trojan horses embedded in chips. Risks are different for military vs. non-military Government vs. civilian organizations. We cite cases that underscore the reality of supply chain risk, and analyze the structure of supply chains that affect different part of the market for IT electronics, in order to provide a better understanding of attack methods. We discuss techniques for defending against the range of threats, and propose a practical solution based on a suite of simple, inexpensive test procedures that could be used to build an "80% solution" for detection of counterfeits and embedded malicious implants before they are deployed. Tests we have prototyped include power signatures and of IR thermographic signatures of boot events. Deployment of such a test suite would change the SCRM game by making it significantly more difficult for supply chain exploits to succeed.