The defense industry’s concerns regarding microelectronics are expanding beyond counterfeit components and into the realm of cybersecurity, according to a report issued this month by the Defense Science Board Task Force. Thanks in part to the defense department’s reliance on commercial electronics components, the task force found defense equipment can be susceptible to cyber attacks at almost any point during its considerable lifespan.
At the heart of the problem is the rapid pace of component obsolescence and practices in the electronics supply chain. The lifespan of some commercial components can be measured in months; defense equipment is designed to last decades. Even if a component is free of cyber-vulnerabilities when it’s manufactured, parts set aside as replacements often sit on a warehouse shelf for years. These same devices may change hands several times during their tenure in the supply chain. Software, malware or malicious programming could be introduced into components at any time during their lifespan, and the components subsequently sold to the Department of Defense (DoD) or a contractor as replacement parts.
In the typically long DoD acquisition process, approximately 70 percent of electronics in a weapons system are obsolete or no longer in production prior to system [being deployed into the field], the report noted.
Electronics industry associations, including the ECIA, have made recommendations to the government and standards bodies regarding the handling and tracking of electronics components. Many of these procedures, targeted at eliminating counterfeit components from the supply chain, have been adopted. For example, the ability to trace a component back to its original manufacturer is one method that proves its authenticity. Within the past few years the ECIA has also addressed the threat of malware, noting that authentic parts are susceptible to malicious programs. “Traceability does not verify that a part is genuine; properly packaged, stored and handled; free of malware; or unused,” according to Robin Gray, the ECIA’s COO and general counsel.
“Cyber supply chain vulnerabilities can be inserted or discovered throughout the lifecycle of a system,” according to the task force report. “Of particular concern are the weapons the nation depends upon today; almost all were developed, acquired, and fielded without formal [cyber] protection plans.”
The task force was charged, in part, with recommending methods for mitigating cyber attacks. The electronics supply chain’s focus, to date, has been avoiding the introduction of counterfeit components into defense equipment. The report notes, however, that authentic parts are not impervious to cyber-vulnerabilities:
Prominent recent examples include Volkswagen’s insertion of a “defeat device” to thwart emissions testing and insertion of embedded code into Juniper routers. Recently, FTDI, a semiconductor device company, used a Windows driver update to completely disable computers using functional clones of some component chips, demonstrating the full cycle of component insertion, subsequent activation, and effect.
Complex microelectronics will inevitably contain latent vulnerabilities. Diligent test protocols, while an essential best practice, cannot guarantee that systems will be free of such vulnerabilities.
The task force also noted the complexity of the electronics supply chain makes a defense department security practice, called Program Protection Plans (PPP), difficult. PPPs are intended to take a comprehensive approach in considering all aspects of system security, including cybersecurity, and address initial steps to safeguard unclassified program information:
The supply chain for microelectronics parts is complex and involves multiple industry sectors. Each sector sells to each of the others. Furthermore, parts may be returned to manufacturers or distributors and subsequently reenter the supply chain making both pedigree and provenance difficult to track using current procedures. This complex of industry segments feeds three supply chains: the DoD acquisition supply chain, the DoD sustainment supply chain, and the global commercial supply chain. Each supply chain is subject to attack and each offers differing costs and benefits to an attacker.
Review of the program protection processes across the Department shows that security and information system managers address security primarily after the system design has been completed. Current PPPs, however, do not carry over robustly to the sustainment phase.
By the time a defense system is fielded, microelectronic components in that system are likely to be obsolete and may be unavailable from the original equipment manufacturer (OEM) or its sub-tier suppliers. This may force DoD to purchase from distributors where pedigree is less secure and provenance is more difficult to track.
The DoD’s mechanisms for tracking inventory obsolescence and vulnerabilities in microelectronic parts are inadequate, the report added:
Microelectronics components are likely to become obsolete repeatedly during the weapons system lifecycle. Efforts to track component obsolescence lack oversight at a Department-wide level. Reporting of counterfeit and “suspect-counterfeit” microelectronics is mandatory for some, but not all prime contracts and subcontracts. Such reporting requirements are inconsistent and no DoD system at present collects event information on cyber-physical attacks of electronic components as its primary function.
To address these concerns, the task force recommended that “a shared vulnerability database and a parts application database of installed hardware could promulgate corrective actions across weapons systems. DoD will have a continuing need for access to trustworthy, state-of-the-art, application specific integrated circuits (ASICs). That need is likely to grow for systems that support intelligent or autonomous capabilities.”
The task force also recommended that the Under Secretary of Defense for Acquisition, Technology and Logistics (USD AT&L) strengthen lifecycle protection policies, enterprise implementation support, and R&D programs for defense equipment. Such efforts “will ensure that systems are designed, fielded, and sustained in a way that reduces the likelihood and consequence of cyber supply chain attacks.”
In addition, the task force recommends that USD (AT&L) direct development of sustainment Program Protection Plans for critical fielded weapons systems. Military service chiefs should designate fielded weapons systems for development of initial sustainment PPPs to demonstrate their effectiveness, it said.
In a memorandum to the report, the task force noted that the cost of a DoD-owned trusted foundry “is not a feasible expense.” Among the businesses participating in or providing information to the task force were Intel, Qualcomm, Xilinx, IBM, Cisco, Raytheon, Google and Applied DNA Sciences.