Best practices for electronic supply chain security

Electronic supply chain security is highly relevant in a world besieged by cyber attacks which are only set to increase, both in frequency and sophistication.

Electronic supply chain security is highly relevant in a world besieged by cyber attacks which are only set to increase, both in frequency and sophistication. Supply chain attacks have become a valuable tactic for cyber criminals looking to cause disruption, and particularly for nation state actors. These attacks, coupled with a rise in counterfeit electronic components that demands vigilance and increasingly strict regulation, mean that supply chains must be secured to adapt to this ‘new normal’.

Cyber attacks and counterfeit components pose risk

Electronic supply chain security needs to be looked at through the lens of both cyber attacks and counterfeit components, as both are being leveraged by cyber attackers to gain an advantage, and both can be equally harmful. Regulation reflects how countries are attempting to mitigate the risks posed by these attacks and components.

According to information released by HP in August 2024, a study of 800 IT and security decision makers found that one in five organisations said they had been impacted by nation state threat actors, while over a third said they or others they knew had been impacted by those targeting supply chains to insert malicious hardware or firmware into devices.

And a whopping 91% said they believe nation state threat actors will target physical PC, laptop or printer supply chains to insert malware or malicious components into hardware – signifying a serious need to secure against this.

A 2011 report by the US Senate Armed Services Committee identified over 1,800 cases of counterfeit parts in military aviation and naval systems, which included memory chips and FPGAs within critical components. Memory chips were installed in night vision devices and missile guidance systems, risking mission failure or more – reflecting just how damaging counterfeit components can be.

And in 2024, the ERAI reported a total of 1,055 counterfeit and nonconforming parts, marking a 25% increase compared with the previous year and the highest number of parts reported by the ERAI since 2015 – showing no signs of slowing down.

Counterfeit components can be particularly damaging due to how increasingly interconnected our world is: electronics now not only power computers and televisions, but smartphones, aeroplanes and vehicles. As Victor Meijers, Sr Vice President at the ECIA wrote in Procurement Pro: “The effects can be catastrophic.”

What does electronic supply chain security look like?

Electronic supply chain security must therefore address and mitigate the risks posed by a combination of cyber attacks and counterfeit components. This includes integrating supplier risk management into the process, such as vetting and monitoring suppliers – conducting due diligence on suppliers and using approved vendor lists can go some way towards avoiding grey market or unauthorised businesses.

Procurement contracts can stipulate cybersecurity clauses such as mandating security testing, requiring software bills of materials (SBOMs), and specifying data protection and incident notification requirements.

Following on from the publication of its survey, which demonstrated a grave need for securing the supply chain, HP advised the following steps:

  • Adopt Platform Certificate technology to verify hardware and firmware integrity
  • Securely manage firmware configuration of devices – HP’s Sure Admin for PCs or HP Security Manager allow administrators to manage firmware remotely using public-key cryptography
  • Take advantage of vendor factory services to secure hardware and firmware right from the factory
  • Monitor ongoing compliance of device hardware and firmware configurations

In May 2022, NIST published guidance detailing how to integrate cybersecurity supply chain risk management, addressing concerns around malicious, counterfeit or vulnerable products. It advocated implementing a cycle of framing, assessing, responding to and monitoring supply chain risks, as well as placing emphasis on vetting suppliers, requiring software bills of materials (SBOMs) for transparency, and evaluating secure development practices, particularly where open-source and third-party code is concerned.

By adopting these best practices, businesses can improve electronic supply chain security and mitigate the risks posed by an increasingly digitised world.