Fri Apr 8 06:47:17 PDT 2016
Risk Management: Interdependencies: How are supply chain risks managed?
Options:
Option 0: Follow at least regulatory mandates.
Option 1: Ignore supply chain issues.
Option 2: Purchase from commercial suppliers with sound reputations and avoid black market suppliers.
Option 3: Use operations security methods to avoid association of components with projects to reduce systematic intentional attacks.
Option 4: Purchase only from vendors vetted by official bodies or certified for the purposes.
Option 5: Use detailed inspection processes to verify and validate components.
Option 6: Perform well-defined acceptance testing processes to verify proper operation.
Option 7: Specify manufactured components and verify thoroughly against specifications.
Option 8: Use an end-to-end chain of custody program with transparency.
Option 9: Use an end-to-end step-wise specification and inspection process to verify all aspects of the process.
Option 10: Implement physical controls over the lifecycle of all components.
Option 11: Implement personnel controls over the lifecycle of all individuals involved in the production.
Option 12: Use a fully captive end-to-end process entirely within "owned" facilities, people, materials, equipment, etc.
Basis:
Ignore supply chain issues. In many low consequence
environments, lowest cost of acquisition is a dominant factor in
decision-making. This is all the more so in cases where operations are
not expected to last a very long time, or in cases when acquisition
costs are limited and longevity of the effort is not known
in advance. For rapid prototyping and research environments this is
also often a reasonable strategy, since equipment is not typically
utilized to its capacity and acquisition times are often very short to
meet deadlines for projects that will not have long-term application.
Purchase from commercial suppliers with sound reputations and
avoid black market suppliers. This is always a good idea when
making "open" purchases of commodity goods, and reasonable controls of
this sort should be implemented in most cases.
Use operations security methods to avoid association of
components with projects to reduce systematic intentional
attacks. This includes such methods as purchasing parts in bulk
from different suppliers and mixing batches to avoid systematic
exploitation, purchasing under pseudonyms associated with less
"interesting" or targeted businesses, purchasing from other locations
or offices, and similar methods. This is usually applied in cases
where confidentiality is desired as to the specifics of what is being
built, where, and for what purpose.
Purchase only from vendors vetted by official bodies or
certified for the purposes. Examples of certification
processes include such things as Trusted Computing Group (TCG) and
Common Criteria (CC) certifications, purchasing from nationally
restricted companies (US-only manufacturers), classified-personnel-only
makers, and so forth. Care should be taken in reviewing the specifics
of "approved" products, since things like the Common Criteria have
protection profiles that may not suit the need. Similarly, national
(e.g., US) manufacturers may use a lot of extra-national (e.g.,
non-US) components, and the major operating systems available today (e.g.,
Linux, Windows, OS X) are all internationally made.
Use detailed inspection processes to verify and validate
components. This approach uses a wide range of inspection
processes depending on what is to be assured. For example, part
inspection processes (e.g., x-rays or ultrasound) may be used to
assure that parts have the same internal structures present as
expected from a "golden unit", packaging may be inspected to assure
that seals are present and acceleration in delivery was not excessive,
composites may be taken apart to verify that components are as they
should be and that no components are added, removed, or replaced,
weights, sizes, and other physical characteristics may be tested
against specifications or previous units, and so forth.
Perform well-defined acceptance testing processes to verify
proper operation. Acceptance testing should be part of any
effort involving non-trivial consequences. For example, component
testing processes may be used to assure that parts operate to within
tolerances over specified ranges, complete tests for logical
components of moderate complexity may be undertaken, test modes may be
exercised to verify that known fault types are not present, component
tests may be done prior to assembly in test rigs or similar test
facilities, composites may be tested across a range of operating
conditions, samples may be extracted for destructive testing, failure
modes may be verified against test conditions to verify that failsafe
modes operate properly, performance tests of various sorts may be
undertaken, known samples with different known conditions may be used
to verify that all identified conditions are detected and properly
responded to, etc. The list goes on and on, and is usually formally managed
by a process that produces test sequences that can be largely
automated and repeated. Such tests are often demonstrated prior to
shipment and then verified at arrival before components are tested
in the production environment.
Specify manufactured components and verify thoroughly against
specifications. In many cases, the components are specified at
a level of detail to support verification of functionality as well as
security properties. To the extent that protection requirements are
specified, they don't often get tested to the level of specificity of the
design. In some cases, the specifications are done at the circuit or
even layout level, so that the manufacturing process is quite tightly
specified and can be verified at a high level of precision in the
delivered product.
Use an end-to-end step-wise specification and inspection
process to verify all aspects of the process. In this process,
in addition to specification and end product verification, each step
in the manufacturing process is inspected (and perhaps even
supervised) by the purchaser to assure that the process itself is as
desired each step of the way. This requires a very close relationship
between the parties and is usually used only for very high-valued
contracts.
Use an end-to-end chain of custody program with
transparency. Chain of custody controls include restriction
and documentation of who is in control and possession of component parts
over time. Transparency implies that those who are responsible for
verifying chain of custody have the ability to examine elements of
process and history so as to be able to adequately verify chain of
custody and other controls.
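As an added illustration that is not part of the original page, the following Python sketch shows one way a chain-of-custody record can be kept and then checked for the two things the text asks for: continuous possession (each transfer's giver is the previously recorded holder) and an examinable history that reveals after-the-fact alteration. The part identifiers, holder names and times are constructed, and the hash-chained ledger layout is an assumption of this example.

```python
"""Chain-of-custody ledger check for component parts (hypothetical example).
Each transfer is hashed together with the previous entry's hash, so any later
edit to the history is detectable when the ledger is re-verified."""
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


def event_hash(prev_hash: str, event: dict) -> str:
    """Hash an event together with the hash of the preceding entry."""
    payload = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def record_transfer(ledger: list, part: str, src: str, dst: str, when: str) -> dict:
    """Append a custody transfer, linking it to the previous entry's hash."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    event = {"part": part, "from": src, "to": dst, "time": when}
    entry = {"event": event, "hash": event_hash(prev_hash, event)}
    ledger.append(entry)
    return entry


def verify_custody(ledger: list, origin: str) -> list:
    """Return the problems found: altered records and gaps in possession."""
    problems = []
    prev_hash, holder = GENESIS, origin
    for i, entry in enumerate(ledger):
        ev = entry["event"]
        if event_hash(prev_hash, ev) != entry["hash"]:
            problems.append(f"entry {i}: record altered or hash chain broken")
        if ev["from"] != holder:
            problems.append(f"entry {i}: custody gap, {ev['from']} was not the holder ({holder})")
        holder, prev_hash = ev["to"], entry["hash"]
    return problems


def sample_ledger() -> list:
    """Constructed sample: one part moves from the fab to assembly via a courier."""
    ledger = []
    record_transfer(ledger, "IC-0001", "fab", "courier", "2016-04-01T09:00")
    record_transfer(ledger, "IC-0001", "courier", "receiving", "2016-04-02T15:30")
    record_transfer(ledger, "IC-0001", "receiving", "assembly", "2016-04-03T08:10")
    return ledger


if __name__ == "__main__":
    print(verify_custody(sample_ledger(), origin="fab"))  # clean history: []
    tampered = sample_ledger()
    tampered[1]["event"]["to"] = "unknown-warehouse"  # history edited after the fact
    print(verify_custody(tampered, origin="fab"))
```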
Implement physical controls over the lifecycle of all
components. In some cases, physical controls over components
are required throughout the processes undertaken, for example in the
manufacture of sensitive military systems, fireworks, explosives,
space vehicles, integrated circuits, and so forth. There are different
reasons for these controls, ranging from "security" issues to purity
requirements for reliability of precise manufacturing processes.
Implement personnel controls over the lifecycle of all
individuals involved in the production. Personnel controls are
usually associated with sensitivity of mechanisms, intellectual
property rights, or theft. For example, cleared personnel may be
required for classified processes; in industries like cosmetics and
pharmaceuticals, the formulas and processing methods are very tightly
controlled to protect against intellectual property theft; and in the
integrated circuit business, the circuits are worth more per ounce
than gold, so controls are used to limit "shrinkage" from employees
walking out with devices.
Use a fully captive end-to-end process entirely within "owned"
facilities, people, materials, equipment, etc. This is a
method used when extremely high surety is desired and the threat level
or consequences of mistakes is extreme. For example, it may be used in
the production of weapons of mass destruction, intelligence
mechanisms, space systems, and similar arenas. Today this is extremely
rare because of the enormous amount of expertise involved in complex
environments and the economies of scale associated with
production. In most cases, pockets of expertise are in different
places and work for different organizations.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved