Supply Chain Risk Management
Securing the Supply Chain for Information and Communications Technology is critical to the security of any organization.
SCRM Solutions
SCRM Solutions include a wide range of measures that can be applied at different points in the supply life-cycle. The effort to find and implement SCRM Solutions is robust and many faceted. Commercial companies have identification and protection products; hardware, software and firmware test laboratories; and searchable data bases. A number of academic, government and commercial resources continue to research innovative ways to improve SCRM solutions.
Primary SCRM Solution efforts include:
Recognizing Counterfeits: Keeping clone or counterfeit electronic components out of the supply chain eliminates the risk of clone or counterfeit parts making their way into critical infrastructure. Techniques include but are not limited to:
- Advanced image processing with high-resolution camera records of individual surface micro-structure creating a fingerprint for ID storage in a data base.
- Visual Inspection for workmanship of marking. evidence of physical alteration; part numbers and logo checks of actual products; verification of dimensions to an vendor specification including Critical Physical Dimensions; resistance to solvents.
- Internal Visual Inspection: Destructive Physical Analysis Decapsulation/Delidding of Packages Visual inspection; Comparison of die logos, part numbers and other internal identification features.
Active Component Marking of Authentic Parts: Technologies applied to an authentic part as a marking that allows positive identification and ensures that the component item has not been tampered, altered, or substituted. Some active marking techniques require a closed loop where authorized users, and only authorized users, have complementary data to confirm the active mark. Techniques include but are not limited to:
- Virtual Tags that create intrinsic fingerprints to an authenticated part that cannot be removed, modified or copied. It is secure, unforgeable, covert, and does not mark or alter the item. An example would be thousands of unique microdots that would be impossible to locate and cost ineffective to remove.
- Dielets with no electrical connections attached to the host component, which when scanned will upload a serial number to a central, industry-owned server. The server sends an unencrypted challenge to the dielet, which sends back an encrypted answer and data from passive sensors that indicate tampering may have occurred.
Analytic Models and Metrics: High-level tools that proactively monitor local and global suppliers, shipment controls, susceptibility to counterfeiting, criticality of component to system operation. Techniques include but are not limited to:
- Reliance on authoritative news, regulatory and legal sources and big data risk analytics to provide additional awareness on private companies beyond what they self-report or what is uncovered by conventional methods.
Software Assurance: Includes test procedure that provide high assurance that no unauthorized changes are made to software and no external threat can access the software to alter its operation.
- Software testing is the most developed, but probably the most dynamic, SCRM Solution. Testing methodology is sophisticated and improving daily. But new hacking tools, malware, worm, Trojan Horse and other attacks are continually and rapidly developed and deployed.
