Although rising geopolitical tensions have been the focal point of semiconductor supply chain vulnerability discussions, there are two other challenges that are equally important to highlight — climate change and offshore manufacturing. 

Semiconductors power our modern technology and are often considered “the oil of the 21st century.” Due to their increased importance, production has significantly ramped up, putting extreme pressure on watersheds. Chip design companies are also prioritizing innovation, and as such, many are outsourcing their physical manufacturing to third-party offshore foundries to reduce costs. 

Put together, these three issues have revealed nuanced security challenges to the semiconductor supply chain, including IP theft, counterfeiting, and reverse engineering. These threats often result in system failures, data loss, and product unavailability. Collusion threats — where adversaries collaborate at different stages of the supply chain — are also on the rise, increasing the threat of compromised hardware. Semiconductors are foundational to military and civilian technologies; addressing these security issues is critical to preserving national security.

In June, the National Institute of Standards and Technology (NIST) released a white paper proposing a framework for analyzing threats related to the semiconductor supply chain. The paper breaks down the semiconductor supply chain into stages based on a chip’s lifecycle: 

  1. Concept
  2. Design
  3. Integration
  4. Manufacturing
  5. Testing
  6. Provisioning
  7. Deployment
  8. End of life 

The paper then presents a five-step approach to supply chain threat analysis. The purpose of the paper is to guide security efforts using a metric-based approach that stakeholders can use to improve their threat mitigation techniques and implement more secure and robust designs.

NIST proposes a five-step framework for supply chain threat analysis, looking to identify and understand risk, and how potential collusion might exacerbate the risk:

  1. Describe the potential attacker and establish a baseline understanding of the resources that may need to be protected.
  2. Identify hardware threats and protect components where necessary.
  3. Analyze hardware development lifecycles and threat exploitability.
  4. Analyze the effect of collusion among adversaries in different stages.
  5. Identify security-critical stages for each threat so that the stage can be secured.
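As an added illustration of steps 3 to 5 (not code from the NIST paper, which gives no such model), the following script represents each threat as a set of attack paths, where a path lists the lifecycle stages an adversary must control; paths spanning more than one stage require collusion. The threats and paths are constructed for illustration, and the `critical_stages` brute-force cut search is an assumed, simplified stand-in for the paper's metric-based analysis.

```python
from itertools import combinations

# The eight lifecycle stages named in the NIST white paper, in order.
STAGES = ["concept", "design", "integration", "manufacturing",
          "testing", "provisioning", "deployment", "end_of_life"]

# Constructed attack paths (illustrative, not the paper's data). Each path is
# the set of stages an adversary must control to realise the threat; a path
# with more than one stage needs colluding insiders at those stages.
THREATS = {
    "ip_theft": [{"design"}, {"integration"}, {"manufacturing", "testing"}],
    "hardware_trojan": [{"manufacturing", "testing"}, {"design", "testing"}],
    "counterfeiting": [{"manufacturing"}, {"end_of_life", "provisioning"}],
}


def feasible_paths(paths, protected, max_colluders):
    """Paths still open once `protected` stages are secured and at most
    `max_colluders` adversaries cooperate (1 = a lone, non-colluding attacker)."""
    return [p for p in paths if len(p) <= max_colluders and not (p & protected)]


def exploitable(threat, protected=frozenset(), max_colluders=1):
    """Step 3: is the threat exploitable under the given controls and collusion level?"""
    return bool(feasible_paths(THREATS[threat], set(protected), max_colluders))


def critical_stages(threat, protected=frozenset(), max_colluders=1):
    """Step 5: smallest sets of additional stages whose protection closes every
    open path. Brute force over eight stages is cheap enough here."""
    open_paths = feasible_paths(THREATS[threat], set(protected), max_colluders)
    if not open_paths:
        return []
    candidates = [s for s in STAGES if s not in protected]
    for k in range(1, len(candidates) + 1):
        cuts = [set(c) for c in combinations(candidates, k)
                if all(p & set(c) for p in open_paths)]
        if cuts:
            return cuts
    return []


def collusion_report(protected=frozenset()):
    """Step 4: compare lone-attacker vs. two-party collusion exposure per threat."""
    return {name: {"lone": exploitable(name, protected, 1),
                   "colluding": exploitable(name, protected, 2),
                   "critical_under_collusion": critical_stages(name, protected, 2)}
            for name in THREATS}


if __name__ == "__main__":
    for threat, row in collusion_report(protected={"design"}).items():
        print(threat, row)
```

With only the design stage secured, the hardware-trojan path is closed to a lone attacker but reopens when a foundry insider colludes with a test insider, which is exactly the collusion effect the framework asks stakeholders to analyze.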

The paper concludes with NIST’s plan to extend this framework by integrating different hardware vulnerabilities. In the future, researchers plan on applying this framework to supply chain threats specifically related to 3D heterogeneous integration, which allows chips, each potentially made from different materials and serving different functions, to be vertically stacked and packaged into one. As design approaches further modernize and advance, the supply chain only becomes more complex, introducing additional phases involving more suppliers and creating new opportunities for potential threats. 

Supply chain risk management has become increasingly vital to safeguard national interests. Collusion threats increase attack severity, highlighting the need for anticipatory strategies. By following the framework laid out in the NIST white paper, stakeholders can proactively protect critical information vital to maintaining economic stability. The risk-based cost-benefit analysis may better inform decisions on what stages are the most security-critical to prevent severe attacks. 

Jessie Shen
