Computing System Manufacturing Supply Chain Security white paper

The Next Security Frontier: Taking the Mystery Out of the Supply Chain
Understanding the Strategic Importance of Transparency in the Computing Ecosystem

Authors
Michael Mattioli, Goldman Sachs & Co., Principal Engineer, Hardware Engineering
Tom Garrison, Intel Corporation, Vice President & General Manager, Security Strategy and Initiatives, Client Computing Group
Baiju Patel, PhD, Intel Corporation, Intel Fellow – Security, Client Computing Group

Table of Contents
Summary 1
Key Supply Chain Risks to Security 2
Impact of Transparency 3
Trust Requires Industry-Wide Participation 4
Technology Choices 5
Ledger or Database 5
Self-reporting 5
Governance 6
Recommendation 6

Summary

By the time a Personal Computer (PC) or a server (referred to as a computing system in this document) is delivered to its intended customer, the sum of its parts has traveled through a highly complex supply chain. This supply chain includes diverse component suppliers, subsystem manufacturers, integrators, and original equipment manufacturers (referred to as suppliers in this document). The final product may pass through several warehouses and may be transported by several shipping companies before it reaches the IT department or end customer. Considering the ever-increasing threats to the supply chain, customers have a growing need to know that the final product they received is indeed the product they ordered. Unintentional mistakes or errors, poor handling, and intentional fraud are key risks that may result in the customer not receiving the system they ordered. Additional risks come from malicious actors, including nation states and well-funded criminal organizations, who are motivated to tamper with systems in the supply chain. The consequences of these risks could include financial or reputational loss to the customer.
While many customers today treat a PC or computing system as a “black box” and trust the supplier and the transport, a growing portion of customers – such as financial or government institutions – have additional procurement requirements. They are actively taking steps to ensure that the computing system, as delivered, meets their risk profile and can fulfill their compliance, security, and performance requirements. Typically, these customers specify their requirements as part of their Request for Quotation (RFQ) process. The systems delivered to them are often evaluated by an in-house team or an external partner to ensure that they meet the requirements specified in the RFQ. However, it is only practical to evaluate a small subset of systems, and results may not be available right away. This can either delay the deployment of systems or increase the risk by deploying a large number of systems before all the results have been received.

Figure 1. Simplified Supply Chain Process

It is important for the PC supply chain ecosystem to take measures that let a growing list of customers trust the supply chain with increased accuracy and decreased cost. Improving transparency in the supply chain will help meet the need for security and quality assurance among broader customer segments as both awareness and risks continue to grow.

Key Supply Chain Risks to Security

Any typical component or system changes hands dozens of times from inception to deployment and ultimately retirement. The supply chain is a continuous, ever-evolving process, and it may not end even when the system leaves the customer’s hands (e.g., when it is recycled or donated). Participants in the supply chain also treat their role as Intellectual Property