Electronics Supply-Chain Trust Standards Emerge

Fragmentation is still rampant, but there are signs of progress.


Creative new ideas for electronics supply-chain trust are in rich supply, whether securing identity, protecting logistics, or establishing provenance. But underlying these efforts are wide-ranging standards in development from a broad set of organizations.

Today, no one-stop-shop for supply-chain standards exists. Instead, there is huge fragmentation. It can be difficult to identify all of the efforts in play and whether they complement or compete with other efforts.

“People are just starting to build up reasonable ideas for how to secure parts of the supply chain,” said Mike Borza, security IP architect at Synopsys. “But it’s much harder if you try to do it on the basis of the free-market free-for-all today.”

Communication between groups generally relies on members in one group knowing members in another group and helping to coordinate efforts. Hopefully, one set of standards and one ecosystem will emerge from these efforts, making it easier for systems makers to know where to turn.

“I’m not averse to jumping up and down and shouting at government agencies to remind them that we used to have a smaller set of standards until they all started fighting with each other,” said John Boggie, director, head of cybersecurity certification at NXP and Charter of Trust’s ‘certification for critical infrastructure and solutions’ taskforce lead. “And then it just became fragmented. The industry has tried to build their own standards to unify things, but that ended up with further fragmentation.”

Having standards is important for at least two reasons. The first has to do with interoperability, which is a common motivator for standards. For instance, if a ledger is used to track product provenance, the semantics need to be standardized in order for multiple organizations to be able to parse the ledger.

The second reason is for certification. Standards help to find a common set of criteria so that different companies play by the same rulebook. This helps to ensure that, if you meet the basic requirements for one company, you’ll meet it for others. That doesn’t rule out the ability for some companies to have stronger requirements, but it establishes a baseline. This may be driven by governments or by industry. “Supply-chain trust and authenticity are driven by both need and regulation (or ‘national interest’),” said Neeraj Paliwal, vice president and general manager of security at Rambus.

“Standards may help in this effort to define which data is really needed, and processes for attestation,” noted John Hallman, product manager for trust and security at OneSpin Solutions. “SAE and ISO standards in industry sectors like automotive, aerospace, industrial control systems, and others are already establishing common practices for assurance and could significantly help in identifying common data that may be collected as evidence of trust or assurance.”

All of this will take time, however. “There are providers who are creating solutions,” said Michael Ford, chair of IPC-1782, -2591, and -2551 committees at IPC and senior director emerging industry strategy at Aegis Software. “They’re proprietary, and they’re not flexible, but they are solutions, and they would probably work. But will these organizations trust a proprietary solution? I would say, ‘No.’ This is the reason the standards are so important. Once you have a standard, you create interoperability, you create the environment where several companies are working together, so that if any one company were to do something bad, it would be noticed.”

Kevin Otto, senior director, community engagement at GS1, articulated the spirit of standardization in order to be successful: “Here’s a set of problems we have; how can we come together and solve them?” Standard-setting can sometimes feature intrigue and efforts to game or gum up processes, but that tends to be far and away the exception. “By and large, people tend to be cooperative in this process,” he said.

A variety of organizations
By attempting to plumb the depths of the supply-chain standardization world, you are immediately faced with numerous organizations with often-vague mission statements that sound relatively similar. This variety arises for a couple of reasons.

First, “supply chain” is an extremely broad subject, affecting everything we acquire anywhere. Electronics are one — admittedly increasingly important — portion of that subject. As a result, it’s possible to find organizations dealing with notions that may not apply to electronics. “Cold-chain” logistics, for example, which are important for food and medicines, have no parallel in the electronics world.

Second, semiconductors and electronics are in early stages of securing their supply chains. That means much development is underway in a variety of organizations, and it may be too early to drive for a standard. On the other hand, we may find that lessons learned in other industries can accrue to electronics as well. This greatly muddies the playing field.

Standards can be a tough thing in the early days of a development. Nail them down too quickly, and you may find that it locks out later, better ideas as they come along. On the other hand, supply chains are incredibly interconnected, and having a common way to do things can remove a huge amount of friction from the processes. That creates pressure for earlier, rather than later, standards.

There are standards bodies, alliances, ecosystems, task groups, and all manner of bodies working on ideas. But it can be difficult to be sure which ones are truly setting standards.

Some groups have other activities in addition to, or instead of, building formal standards. Some spend much of their energy doing proofs-of-concept in an effort to solve challenging problems. As those notions solidify, they may create a standard themselves, or they may work with another organization for the formal standards work. They also may dedicate some of their energy to education and outreach — whether about their own standards or the standards of other groups.

This means that attempting to get a complete view of the efforts underway for the electronics supply chain is almost impossible. Start with a few organizations, and more digging uncovers more groups doing related work. Our attempt here is to identify, as much as we’ve been able to, which organizations are involved in which aspects of electronics supply-chain trust.

Standards bodies
SEMI specifically deals with semiconductor supply-chain issues. Its focus to date has been on its E142 standard. “The SEMI E142 standard defines a semantic model,” said Dave Huntley, business development at PDF Solutions and co-chair of three SEMI committees/task forces. While the main motivator is traceability, such capabilities also serve to promote forward trust as systems are assembled.

SEMI also has been working on a standard for attesting to the processing of integrated circuits. While its focus was originally blockchain, “we abstracted blockchain away from the standard, so it no longer dictates that,” said Huntley. Blockchains can be enormous if what they store isn’t carefully selected. SEMI is limiting logged activity to a handful of verbs that represent the major milestones during and after device manufacture. “All we’re standardizing are about six or seven transactions, like enroll, ship, receive, scrap, and verify,” he said.

Ledger work has slowed pending some DARPA work, but momentum may be returning. “We’ve had a significant interest coming from Japan.”

IPC has activities that resemble those of SEMI, but it is focused on logistics and boards. IPC is looking at how labels, boxes, subsystems, and systems can be uniquely identified and tracked. One of the challenges is to “use different kinds of IDs for different stages in the supply chain,” explained Ford. “They will have to be connected together, which is the kind of ontology that we’re seeking to define.”

IPC and SEMI appear to be working together to avoid duplication, with SEMI dealing with chips and IPC dealing with higher-level entities. “We agreed that they have traceability standards on the board level, logistics and board level side,” said Huntley. “We have traceability and all sorts of other standards in the semiconductor assembly.”

GS1 focuses on blockchain-related standards, although currently it has no presence in the electronics market. It has four practices: apparel/general merchandise, health care, retail groceries, and food service. “There are several ecosystems out there today that are supporting supply chain traceability, but they don’t really talk to one another,” said Kraig Adams, vice president of customer engagement, blockchain at GS1, in a presentation at a NIST blockchain webinar. “So as the use of blockchain continues to grow, with the new and different blockchain ecosystems being developed, our members have expressed interest in the true interoperability of these systems to exchange information across ecosystems.”

GS1 does not standardize how the blockchains work, but it does standardize what the entries mean. That involves looking at the many use cases pertaining to the industry and creating standardized syntax, fields, and formats for these blockchain entries. “We believe that GS1 standards are components between the business application and the blockchain ecosystem that properly identify, capture, and share the what and where of the asset along the supply chain,” said Adams.

Doing a full semantic definition assumes that one has thought of every possibility and that things won’t change, neither of which is true. So these standards do evolve. As new entries arise for standardization, it can take GS1 three to four months to complete that effort. If one company wants to do something unique, it’s not likely to result in an update of the standard. But if there’s more general interest, then they can make enhancements in a backwards-compatible way.

The Trusted Computing Group (TCG) is an organization probably best known for developing the trusted platform module (TPM), which is now an ISO standard (ISO 11889). It may be familiar for its use in provisioning secure devices during (or after) system test. “The Trusted Computing group is developing a platform certificate, which factors the bill of materials and the physical assets from the board,” noted Tom Katsioulas, head of trustchain business at Siemens EDA. This appears, however, to be limited to TPMs, based on the intended audience they specify. That makes it unlikely to be widely used, although it would be relevant to any secure assembly house making use of a TPM.

The SAE has established a standard — AS6171 — for evaluating devices that don’t have a well-attested provenance. The concern is that such a device could be counterfeit. This standard provides tests for determining whether or not the device may be used in a system. The tests may also help to identify some forms of tampering, but that’s not their primary goal.

SAE also has a G-32 Cyber Physical Systems Security Committee focused on dealing with both hardware and software security. “Even outside of [the aerospace and defense] industries, you’re seeing G-32 emerging as a body to organize these kinds of supply-chain problems,” said Borza.

Meanwhile, there’s the Blockchain in Transport Alliance (BiTA), also focusing on materials transport. Its membership tends to be from the logistics and transportation industries, so it’s not specific to electronic goods (but would include them). As described by its website, “Alliance members share a common mission of driving the adoption of emerging technology forward. We accomplish this by developing industry standards; educating members and others on blockchain applications/solutions and distributed ledger technology; and encouraging the use and adoption of new solutions.”

The NIST SP 800-193 standard, meanwhile, is more about creating what they call “platform firmware resiliency.” It’s intended to protect systems against attack and alteration by including a root of trust in the system that manages the configuration and can roll over to a good memory backup in the event that trust in the main memory has been lost.

“NIST standard SP 801-93 gives guidelines on how to build systems that are resilient against attacks that you might see in a supply chain,” said Srirama Chandra, security system architect at Lattice Semiconductor in a presentation at the 2020 Linley Fall Conference. “You can use the same methodology to protect any system, whether it is networking servers, industrial systems, or whatever you’re building.”

This is, technically speaking, more of a security standard than a supply-chain standard. But it does help to build supply-chain trust, since devices with such resiliency are less likely to have unhappy surprises lurking within. And its very operation hinges on deciding whether or not to trust the memory.

Other organizations
The following organizations are not formal standards bodies. Instead, their focus is to get stakeholders talking and to develop and promote best practices in the industry. Such organizations, like standards bodies, must ensure that their membership can work together without running afoul of anti-trust collusion laws.

The Global Semiconductor Alliance (GSA) has an effort focused on the Internet of Things (IoT). Security is extraordinarily important for IoT devices, so the GSA has groups working on a trusted supply chain and on device identity as well as other aspects. “GSA publishes things that effectively become best practices,” said Borza.

Among its activities is the Trusted IoT Ecosystem Security, or TIES, program. It’s stated purpose (per its website) is to “promote trusted end-to-end solutions in the IoT value chain that accelerate the adoption, growth, and field use of connected chips, devices, systems, and IoT applications while enabling recurring services revenue streams and high-value business models.”

Charter of Trust is an organization focused on cybersecurity as a whole. Its stated role is to bring together companies from across industrial boundaries. Each industry has its own standards, as does each region into which one might sell. In particular, small and medium-sized businesses may have a hard time getting their arms around what’s needed for certification in the markets they’d like to sell into.

“There are enough standards, enough initiatives,” said Michael Deckert, supplier management for cybersecurity at Siemens and Charter of Trust’s ‘responsibility throughout the digital supply chain’ taskforce lead. “We want to be the helping hand, out of a practical perspective, that bridges the gap” between the different standards and the realities of what’s needed for compliance.

“When you connect everything up together, it’s not just that it’s discrete components,” explained NXP’s/Charter of Trust’s Boggie. “It’s all of the services and everything that goes around the IT systems plus the infrastructure. And we brought all of these people together. We’ve got the discrete component guys, we’ve got the operational services, we’ve got cloud service providers, and the system builders.”

In addition, most standards specify the full list of possible things that must be done. That’s a tall order both for small companies that don’t have staff to dedicate to such issues and for builders of very low-cost devices. “You can’t expect the cheapest device to have perfect security. For IoT especially, you have to look at how you are likely to be attacked and what the lowest-impact mitigations are that you can put in place to protect the device,” said Nicole Fern, senior hardware security engineer at Tortuga Logic.

Charter of Trust’s approach is to establish a minimum baseline of requirements according to 10 principles. Companies can then build on that going forward. “We took those common standards that people utilize, and we mapped them to the baseline requirements,” said Boggie.

“More needs to be done in relation to supply-chain security and security-by-default,” said Jonathan Sage, government and regulatory affairs executive at IBM and Charter of Trust’s ‘advocacy and communications’ taskforce lead. “That is why we have developed baseline security requirements for the supply chain covering components, products, and services. These baseline requirements map to existing international standards and certification schemes and are an important building block in protecting different kinds of data from unlawful access and stopping technical infrastructures from being compromised.”

Finally, in the defense world, several activities are underway for ensuring component trust. In fact, the U.S. defense community has been a leader in motivating the need for trust standards.

The Defense Microelectronics Activity (DMEA) group certifies suppliers to the defense industry, with a focus on warfighters. One-time vetting is insufficient, since organizations and people within them can change. So an organizational focus on vetting must be kept current. While this may make sense for high-sensitivity projects, it’s not so practical for lower-value systems.

Meanwhile, the DARPA Automatic Implementation of Secure Silicon (AISS) initiative is taking aim at side channel attacks, hardware Trojans, reverse engineering, and supply chain attacks, such as counterfeiting, recycling, re-marking, cloning, and over-production. There are two aspects to this effort. One aims to create a secure engine that can defend against attacks. This will merge into the second aspect, an asset management infrastructure (AMI) that can track devices through the design process. “We are six months in, and I can say that things have been moving ahead positively so far,” said Aileen Ryan, senior director of strategy for the UltraSoC Division at Siemens EDA.

While the AISS efforts apply specifically to defense work, the commercial world is watching and may take the resulting standards into non-defense systems as well. “What we like about dealing with DARPA is that we’re seeing the leading edge of requirements for things that our commercial customers are very interested in having sometime in the future,” observed Borza.

Exactly when in the future remains to be seen. “It’s possible that it could happen in 2021, but more likely 2022,” predicted Huntley.

Fig. 1: Rough Venn diagram illustrating the relationships and overlap between different standards organizations that affect the electronics supply chain. Source: Bryon Moyer/Semiconductor Engineering

Fig. 1: Rough Venn diagram illustrating the relationships and overlap between different standards organizations that affect the electronics supply chain. Source: Bryon Moyer/Semiconductor Engineering

All in all, many organizations are heeding the call for better standards and processes. And there is much yet to be done. Ford gives one example: “It’s just unbelievable that as an industry, we create standards and guidelines for how to deal with counterfeit, how to inspect, how to test, how to do the paperwork, how to communicate with people, and not a single standard to how to actually stop the aggressive counterfeit.”

Some standards may end up overlapping each other. And in most cases, work is still underway. So readers are encouraged to track the activities they are interested in, because things likely will change over the next year and beyond.

Blockchain Attempts To Secure The Supply Chain
The technology is cumbersome and potentially flawed, but it can provide a chain of custody when necessary.
New And Innovative Supply Chain Threats Emerging
But so are better approaches to deal with thorny counterfeiting issues.
Uniquely Identifying PCBs, Subassemblies, And Packaging
New approaches to preventing counterfeiting across the supply chain.
Who’s Watching The Supply Chain?
The proliferation of advanced packaging and heterogeneous architectures adds some new risks.

Leave a Reply

(Note: This name will be displayed publicly)