September 18, 2024

Attacks on open-source repositories have permanently altered how we think about the software supply chain. Trust-based approaches to electronics purchases create unacceptable risk of potentially catastrophic consequences.

The Age of Supply-Chain Attacks has Arrived, and it’s Terrifying

A New Reality is Here 

SolarWinds and attacks on open-source repositories have permanently altered how we think about the software supply chain. Recent supply chain infiltrations demonstrate that we have to do the same for hardware supply chains. Trust-based approaches to electronics purchases create unacceptable risk of potentially catastrophic consequences. New regulations such as Cybersecurity Maturity Model Certification (CMMC) or Canadian Program for Cyber Security Certification (CPCSC) only indirectly point to evidence-based approaches through NIST SP 800-161. With a brief test, Palitronica's Anvil Checkpoint supports a zero-trust supply chain and can provide quantitative evidence that the electronics you bought are good, have integrity, and really are what you wanted to buy.

The Size of Today’s Supply Chains is Mind Boggling 

Today's electronics depend on a vast global supply chain that involves multiple stages, from the extraction of raw materials to the final assembly of devices. Essential components such as semiconductors, lithium-ion batteries, and displays are manufactured across different countries, with raw materials sourced from regions rich in minerals like cobalt and lithium. This network spans continents, involving complex logistics, specialized factories, and numerous suppliers, making it highly sensitive to disruptions like geopolitical conflicts, natural disasters, or supply shortages. The interdependence of these stages highlights the fragility and intricacy of the electronics industry’s supply chain.

To give a sense of the scale, consider the following examples: Airbus works with over 12,000 suppliers globally to produce its commercial aircraft. Boeing includes more than 20,000 suppliers and partners. Samsung Electronics states that it has over 2,500 suppliers. Siemens has 65,000 suppliers across 140 countries. General Electric buys directly from over 30,000 suppliers and delivers products for many of the critical infrastructure sectors.

Supply Chain Attacks are Black Swan Events 

In such a vast network of suppliers, a supply-chain attacker looks for a weak point to infiltrate and uses that point to stage a vulnerability or exploit long in advance. The attacker then triggers the attack at the moment of maximum effect (e.g., maximum disruption to the population, after ransom demands fail, or before critical events such as elections). Because exploits are staged long in advance, the attacks are nearly impossible to anticipate, and the attacker is nowhere to be found when the attack gets triggered.

The unexpectedness and widespread, catastrophic consequences make supply chain attacks like Black Swan events. A Black Swan event refers to an unpredictable, rare, and high-impact event beyond the realm of normal expectations. Coined by Nicholas Taleb, the term describes surprising and often catastrophic occurrences that seem obvious in hindsight.

And because industry is terrible at preparing for Black Swan events, supply chain attacks are terrifying.

Short-term ROI over Long-Term Considerations 

As Taleb wrote in his seminal work on Black Swan events, industry often ignores Black Swan events because it optimizes for short-term returns at the expense of long-term considerations. Consequently, although companies understand the potentially catastrophic impact of a supply-chain attack, they try to get by with trust-based approaches (“My suppliers are all fine people.”) and paperwork (“My supplier returned the questionnaire and checked off the box saying they are trustworthy.”).

Zero Trust and Palitronica’s Anvil Checkpoint to the Rescue 

Instead of trust, industry should move to a zero-trust approach in the supply chain. A zero-trust approach would mean testing incoming products for compliance and security in order to establish whether the received products really are what they claim to be. Such a test needs to be non-destructive and fast.

Palitronica’s Anvil Checkpoint can assess electronics in just seconds in a non-destructive test to determine whether the provided system matches an approved one (i.e., is the thing in front of you the same that you evaluated). Anvil can detect tampered systems (e.g., a degraded chip used on a sub-assembly) and also non-malicious changes such as defects and reliability issues.
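To make the zero-trust acceptance idea concrete, here is an added illustration of an incoming-inspection check that compares each received unit against a baseline built from approved reference units and records a quantitative, auditable verdict. This is example code written for this post, not Palitronica's code, and it does not describe how Anvil Checkpoint works internally (the post does not say). The feature names, the reference measurements, the received-unit measurements and the 3-sigma acceptance threshold are all constructed assumptions.

```python
"""Hypothetical zero-trust incoming inspection: compare a received unit's
measured features to a baseline derived from approved reference units.
The measurement model (three per-unit features) and all numbers are
constructed for illustration; this is not Anvil Checkpoint's method."""
import hashlib
import json
import statistics
from dataclasses import dataclass

# Assumed feature set measured non-destructively on every unit.
FEATURES = ("idle_current_mA", "boot_time_ms", "emission_peak_dBm")

# Constructed measurements from five approved reference units of one design.
REFERENCE_UNITS = [
    [120.0, 48.0, -31.0],
    [121.0, 50.0, -30.5],
    [119.0, 49.0, -31.5],
    [120.5, 51.0, -30.0],
    [119.5, 47.0, -32.0],
]


@dataclass
class Baseline:
    part: str
    mean: list
    stdev: list


def build_baseline(part, reference_measurements):
    """Per-feature mean and sample standard deviation of the approved units."""
    columns = list(zip(*reference_measurements))
    return Baseline(
        part=part,
        mean=[statistics.fmean(col) for col in columns],
        stdev=[statistics.stdev(col) for col in columns],
    )


def assess_unit(baseline, measurement, max_sigma=3.0):
    """Accept a unit only if every feature lies within max_sigma of the baseline.

    Returns an evidence record rather than a bare boolean so the decision,
    the worst-deviating feature and a hash of the raw measurement can be
    kept as proof of what was tested.  Rejection covers both tampering and
    ordinary defects; the record does not try to tell them apart."""
    if len(measurement) != len(baseline.mean):
        raise ValueError("measurement does not match baseline feature count")
    deviations = []
    for m, mu, sd in zip(measurement, baseline.mean, baseline.stdev):
        if sd > 0:
            deviations.append(abs(m - mu) / sd)
        else:  # a feature that never varied in the references must match exactly
            deviations.append(0.0 if m == mu else float("inf"))
    worst = max(range(len(deviations)), key=deviations.__getitem__)
    accepted = all(d <= max_sigma for d in deviations)
    raw = json.dumps(measurement, separators=(",", ":")).encode()
    return {
        "part": baseline.part,
        "accepted": accepted,
        "worst_feature": FEATURES[worst],
        "worst_sigma": round(deviations[worst], 2),
        "threshold_sigma": max_sigma,
        "measurement_sha256": hashlib.sha256(raw).hexdigest(),
    }


if __name__ == "__main__":
    base = build_baseline("EXAMPLE-BOARD-1", REFERENCE_UNITS)
    # Constructed received units: one good, one with a shifted emission peak,
    # one drawing far more idle current than any approved reference.
    for unit in ([120.3, 49.5, -31.2], [120.2, 49.0, -36.0], [135.0, 49.0, -31.0]):
        print(json.dumps(assess_unit(base, unit)))
```

The baseline is rebuilt from approved units rather than from a datasheet, so the check answers the question the post poses ("is the thing in front of you the same that you evaluated?") against your own evaluated samples. A feature that never varied across the references is treated as exact-match, which is the conservative choice when the reference set is small.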

By moving to a zero-trust supply chain with the Anvil Checkpoint, our customers are preparing for the worst --- a Black Swan supply chain attack through their product --- while also getting immediate ROI by identifying defects and reliability issues.
