Listed below, in chronological order, are short abstracts or summaries of remarks provided by workshop speakers. The actual presentations were, of course, much more extensive and often covered important issues not described in the abstracts.
Deputy Assistant Secretary of the Air Force for Science, Technology, and Engineering—David Walker (SES)
The Air Force, and the Department of Defense (DoD) in general, increasingly use application-specific integrated circuits (ASICs) to increase weapon system capability. As part of the acquisition process, the DoD must protect both the intellectual property associated with the ASIC design and the manufacturing process in order to prevent our adversaries from rapidly closing the gap of our competitive advantage, from exploiting design vulnerabilities, from sabotage, or from subversion of weapon system function. In 2004, DoD and the National Security Agency (NSA) established the Trusted Access Program Office (TAPO) to provide guaranteed access for the DoD and the Intelligence Community (IC) to trusted microelectronics technologies for their critical system needs. That same year, TAPO initiated the Trusted Foundry Program through a contract with IBM to facilitate government-wide access to trusted foundry services. Beyond the IBM contract, the Defense MicroElectronics Activity (DMEA) would accredit microelectronic suppliers as trusted suppliers. DoD formalized and consolidated its policy in 2012 and issued DoD Instruction 5200.44, which addressed supply chain risk management by requiring use of trusted suppliers for critical ASICs and implementing a program protection plan as part of the acquisition cycle.
Current State of Access to Trusted ASIC Production
Over the years, Air Force organizations and a host of programs of record used IBM and the Trusted Foundry Program to support all stages of the acquisition process from research through sustainment. TAPO renewed the Trusted Foundry Program contract in 2014. In late 2014, IBM announced its intention to sell its microelectronics business to Global Foundries, a foreign-owned entity, voiding the facility clearance license at both IBM locations used by the trusted foundry contract and breaking the trusted supply chain. As part of the Committee on Foreign Investment in the United States (CFIUS) mediation of the sale, DoD and the IC received assurances from Global Foundries that it would undertake actions to continue to provide uninterrupted trusted foundry services to the U.S. government for technologies used under the current contract until at least 2018. In addition, there are other provisions for intellectual property transfer and end-of-life notification should Global Foundries choose to shut down or discontinue a technology line.
There are no current alternatives to the integrated trusted foundry model offered by the Trusted Foundry Program. The Office of the Secretary of Defense (OSD) continues to work toward maintaining the Global Foundries facilities at Burlington and East Fishkill used by the Trusted Foundry Program, to enable programs to procure lifetime buys, and to negotiate with Global Foundries as a new domestic trusted supplier. Starting in fiscal year (FY) 2017, OSD will initiate a program of work to (1) establish a trusted domestic mask supplier; (2) improve DoD laboratory capability to evaluate commercial and military unique microelectronics components; and (3) develop, demonstrate, and transition technologies that enable trust by design as well as advanced evaluation capabilities.
Acting Deputy Assistant Secretary of Defense for Systems Engineering and Principal Deputy Secretary of Defense for Systems Engineering—Kristen Baldwin (SES)
For a number of years, DoD has been on a path to implement a Trusted Defense Systems Strategy. Codified in policy in 2012, “DoD acquisition programs conduct program protection planning activities throughout the life cycle to mitigate opportunities for adversaries to sabotage or subvert mission-critical system functions, system designs, and critical components of our systems. Critical components may be comprised of software, firmware, or hardware, whether specifically designed for the DoD or commercially sourced. The protection of critical components is addressed through secure engineering designs and architectures, supply chain risk management, software and hardware assurance, and anti-tamper techniques. Program protection planning gives special attention to ASICs. For ASICs that are custom-designed, custom-manufactured, or tailored for specific DoD military use, DoD requires they be procured from a trusted supplier accredited by the DMEA.”1
“There are currently 72 DMEA-accredited suppliers, 22 of which can provide full-service trusted foundry capabilities. One of these full-service trusted foundries is Global Foundries U.S. , formerly the IBM Trusted Foundry. In addition to trust, the Trusted Foundry Program provides the U.S. government guaranteed access to leading-edge trusted microelectronics services, necessary because the low-volume DoD and Interagency needs cannot compete with commercial customers who command high-volume production requirements. The Trusted Foundry Program has served DoD and interagency needs since 2003.”2 However, this sole-source trusted foundry model carries risk, given the globalization and vertical integration of the commercial microelectronics market. Looking ahead, DoD must move to an alternative model that enables “both trust and access to needed microelectronics capability from the commercial marketplace.”3 This long-term trusted foundry strategy will improve DoD’s ability to evaluate microelectronic components, protect designs from espionage or manipulation, and transition advanced technologies that permit the use of commercial sources for sensitive applications that require trust.
The Trusted Foundry Program was established as a joint effort between DoD and the NSA in response to Deputy Secretary of Defense Paul Wolfowitz’s Defense Trusted IC Strategy issued in 2003. The DoD component resides in OSD’s Office of the Assistant Secretary of Defense for Research and Engineering. The Trusted Foundry Program is managed by DMEA. As of March 14, 2016, there are 71 Trusted Accredited
1 Testimony of Kristen Baldwin, Assessing DoD’s Assured Access to Microelectronics in Support of U.S. National Security Requirements, Hearing before the Committee on Armed Services House of Representatives, 114th Congress, 2015, H.A.S.C. No. 114-63, https://www.gpo.gov/fdsys/pkg/CHRG-114hhrg97497.
Suppliers offering products and services for state-of-the-art, state-of-the-practice, legacy, and obsolete microelectronics covering the entire integrated circuit supply chain.
Modern weapon and cyber systems are extremely sophisticated, relying on state-of-the-art electronics to achieve performance only dreamed of just a few years ago. A very high percentage of the microelectronics utilized in these systems are commercial-off-the-shelf (COTS)—many of which are designed, manufactured, packaged, and tested off-shore. Their robustness is absolutely essential to the warfighter!
Counterfeit microelectronics have been of great concern for several years now and, historically, has been widely believed to be motivated by profit. New classes of counterfeits are emerging where the motivations are not so evident. The fundamental differences between these two classes of counterfeits are highlighted below.
|For Profit||Clones and Mimics|
Still the original part from OEM:
A completely different part:
This presentation will show real world examples of clones and mimics that have been examined at Naval Surface Warfare Center (NSWC) Crane Division. This will demonstrate the evolving tactics used by the counterfeiter. These tactics are very dynamic in nature, thus the tools and techniques for detection cannot be static, which presents a challenging problem for developing screening procedures. Finally the very nature of the technical assessment tools and techniques will be discussed as well as a few trends observed in the open source community.
The Air Force Office of Special Investigation (AFOSI) is a U.S. federal law enforcement agency that reports directly to the Office of the Secretary of the Air Force. Operating worldwide, AFOSI provides independent criminal investigative, counterintelligence, and protective service operations outside of the traditional military chain of command. AFOSI proactively identifies, investigates and neutralizes, serious criminal, terrorist, and espionage threats to personnel and resources of the U.S. Air Force and DoD, thereby protecting the national security of the United States. The desires of potential adversaries to acquire or mimic the technological advances of the U.S. Air Force have heightened the need to protect critical Air Force technologies and collateral data. The AFOSI Technology Protection Program provides focused, comprehensive counterintelligence and core mission investigative services to safeguard Air Force research and development, technologies, acquisitions, programs, critical program information, personnel, and facilities.
DoD’s threat space for compromised sensitive electronic components is evolving quickly. Existing vulnerabilities included the counterfeiting and cloning of parts, malicious alterations, and supply chain exploits after fabrication. The recent transfer of DoD’s most advanced trusted foundry to foreign ownership now introduces additional risk of intellectual property theft. For advanced lithographies, the trusted foundry
era is over, and the Defense Advanced Research Projects Agency (DARPA) has been developing technologies to insure the integrity and authenticity of components used by DoD. A new methodology for asserting these tools to address specific threats faced by each component is also needed. This talk will provide an overview of tools and approaches being developed by the Microsystems Technology Office (MTO) for providing trust, which will insure that not only mission success but warfighter lives are not put at risk by compromised components.
Most platform information technology systems are legacy and were designed and built prior to the nation-state cyber threats we face today. Many device manufacturers and integrators do not understand the number, or extent, of commodity- or proprietary-embedded components in their products. They are also typically unaware of the extent of hardware and software reuse, which could result in pervasive compromise across technologies and devices and cause systemic failures and cascading effects if the hardware or software is vulnerable. More importantly, many traditional cybersecurity countermeasures designed for commercial use are not adequate or even appropriate due to embedded system constraints, environmental and user considerations, and the severity of consequences. That said, the United States must respond to its eroding competitive advantage in the semiconductor space resulting in a national security risk.
Software supply chain attacks against code and application repositories through malware insertion and wide-spread code reuse and distribution are increasing (e.g., GIT hub, Mac App Store). More importantly, the Internet of Things attacks against cyberphysical and embedded systems (e.g., smart vehicles, commercial avionics, medical devices, ATMs) are becoming a reality and prominent themes at the Black Hat and RSA conferences. Attacks that disrupt the integrated circuit supply chain—whether for purposes of espionage, theft of critical data or technology, or to disrupt mission-critical operations or infrastructures—are especially nefarious. Unlike software worms or viruses, a component cannot just be wiped clean. Replacing infected hardware with a trusted component is the only option. Hardware exploits can result in adversary access and control of critical systems, cause premature or instantaneous failures in operations, or exploit cryptographic systems.
Despite recent policy and regulatory changes, heightened attention to this class of systems, and added budgeted investments, many DoD acquisition challenges remain. Some priority objective areas for focus include the following:
- Arming program managers with better actionable threat intelligence to better understand cyber threats to embedded microelectronics, especially hardware and the convergence of electronic warfare and cyber. Anticipatory intelligence activities to learn adversary interest and research in critical embedded system technologies can inform risk assessments and system life-cycle activities and guide investments in developing and sunsetting ineffective security and resiliency countermeasures. Similarly, reviewing whether classification, sharing policies, or practices are unduly impeding capability development and deployment should be assessed.
- Increasing the availability of trusted countermeasures and solutions. Guidance is lacking on the best combinations of effective protection methods (e.g., information assurance, anti-tamper, hardware assurance and software assurance, trusted suppliers, trusted foundry programs, operations security, and test and verification) for embedded systems for different missions, operating environment, and threat models. If understood, methods to develop and automate the insertion of countermeasures into hardware and firmware designs and implementations should be made a priority. In addition, approaches are needed to incentivize vendors to build these security solutions for specialized military systems (that represent a small marketplace), to create outreach programs internationally, and to
leverage innovation coming out of venture capitals, research organizations, academia, the National Laboratories, and federally funded research and development centers.
Creating holistic engineering and risk management practices that minimally cover
- – Defining consistent guidance on the “How” in order to implement the “What” defined in recent directives and regulations pertinent to embedded systems;
- – Unifying often independent organizations and disciplines (e.g., mission assurance, systems engineering, security engineering, systems of systems engineering, and resiliency engineering, anti-tamper, safety critical analysis, supply chain risk management, survivability and nuclear surety) into a cohesive practice for embedded systems;
- – Shifting fundamental ideology from thinking like a defender to take the attacker’s vantage point, and focusing on the adversary’s goals/intent, capabilities, cyber effects, and work factor to derive security and resiliency requirements in the context of mission objectives against this threat; and
- – Righting the imbalance of guidance that exists for software to concentrate on firmware and hardware security guidance. For example, expand existing cyber frameworks and standards to cover embedded systems vulnerabilities (e.g., CVE, OVAL), threat sharing protocols (e.g., STIXTM, TAXIITM), attack patterns (e.g., ATT&CKTM), and structured languages for cyber observables (e.g., CybOXTM).
- Automating and institutionalizing system assurance approaches against defined metric objectives and across the systems development life cycle. Because hardware and firmware analysis is so labor intensive and expensive, automation is crucial to cost-effectively improving the quality, assurance level, and speed of the analyzing embedded components. Specifically, more best practice guidance on assurance techniques for firmware and hardware should take advantage of advancements in areas such as formal methods, side-channel analysis, fuzzy testing, encryption, trusted computing technology and trust attestation including on-chip hardware root of trust.
- Aligning modernization efforts with improved security. Legacy embedded system modernizations can replace insecure legacy components with newer technologies with built-in security features and lower SWaP (size, weight and power) impact. Modernizations can also support rearchitecting to minimize the attack surface and increase resilience into the future. Identifying common critical components across multiple programs and missions promotes solutions with economies of scale. Finally, opportunities to introduce innovative solutions to ride technology waves should be sought. Specifically, technology insertion roadmaps for the insertion of trusted hardware, system-on-chip components (for security), and Trojan-proof chips are needed. The ability to more frequently change the system introduces an element of surprise and uncertainty to the adversary.
- Tracking trends, innovation, and business practices for military advantage. Some examples to consider are the following: anticipating the “backshoring” of manufacturing, anticipating the security implications of field-programmable gate arrays programmability on security; tracking and anticipating disruptive technologies, riding technology maturity curves, and promoting legal reforms to close advantageous tax loopholes to disincentive offshoring.
- Building capability and capacity in embedded systems security. There is a shortage of cyber security talent in general. There is even greater capability shortfall to fill in such specialized areas as secure integrated circuit design, cyberphysical security, and reverse engineering and anti-tamper for firmware and hardware. Professional development is needed to fill this gap.
Security-relevant supply chain risk management requirements are dramatically increasing. The goal to simply reduce the risk of counterfeit parts has now expanded to include component criticality analysis, malicious insertion, anonymity plans, covered defense information protection, provenance mapping, component pedigree, and trusted suppliers. A significant knowledge and awareness gap throughout the
acquisition community within industry and government contributes to a barrier which stifles solutions from being integrated into systems and at times also produces overconfidence and unwarranted trust in delivered systems.
Contracts are awarded on technical merit, past performance, and cost. If security-relevant requirements are not crisply defined with metrics and measures, system security quality attributes will be traded away to system technical capability and a more affordable solution. Today, progress is being made as the presence of security-relevant requirements in contract statement of work language is increasing and maturing. However, system security and program protection have not yet made it into the contract award evaluation criteria. To encourage progress, the National Defense Industry Association (NDIA) Systems Security Engineering (SSE) Committee led a 2-year collaborative effort with the NDIA Developmental Test and Evaluation Committee, the International Council on Systems Engineering SSE Committee, the Trusted Supplier Steering Group, and MITRE to provide an industry perspective.
Consistent with the theme of the workshop, the Space and Missile Systems Center and the broader National Security Space (NSS) systems, the current government acquisition processes for acquiring reliable and secure microelectronic components for space systems is comprehensive with numerous tenants to provide the visibility and collaboration across several fronts to ensure that an engineering, manufacturing, and test infrastructure exists, including a supply base from prime contractors through sub-tier suppliers to facilitate the development and acquisition of complex, highly reliable satellite systems, which fly in a radiation environment and we cannot perform repair on orbit.
The workshop organizing committee provided the following questions for speakers:
- What are the current technological and government policy challenges associated with maintaining a reliable and secure source of microelectronic components?
- What are the current government acquisition processes for acquiring reliable and secure microelectronic components?
- What are some options for possible business models within the national security complex that would be relevant for the Air Force acquisition community with respect to secure and reliable microelectronic components?
The charts presented address the technologies and supply base critical to NSS that are necessary to engineer and produce current and future space systems that are responsive to the needed capabilities of national security. Future space systems will require leading-edge semiconductors and microelectronic devices that, in most cases, do not have a commercial market. In addition, consistent with past practices and initiatives, continued government involvement will be required to ensure a responsive industrial supply base for the products and technologies required for future space systems.
The world threat environment has changed significantly over the course of the last decade, requiring the Defense Industrial Base, including the National Laboratories and production facilities of the National Nuclear Security Administration (NNSA), to respond accordingly. Government agencies have mobilized under a variety of national-level directives to protect critical security elements against a broad spectrum of new advanced adversary threats. The U.S. government is concerned about the increased trend toward non-domestic procurement supply chain for nuclear weapon components, when coupled with the reality of increasingly sophisticated adversaries. Our defensive measures must reflect a full appreciation for the rapidly evolving, persistent, and aggressive approaches an adversary may employ that could impact our research, design, development, production, testing, storage, packaging, transportation, maintenance, surveillance,
dismantlement, and disposal. The Nuclear Enterprise Assurance (NEA) program is an effort to drive activities to prevent such threats.
Kansas City National Security Campus Response
Due to current and dynamic spectrum of threats posed on the nation’s Nuclear Security Enterprise (NSE), the NEA program has been established to mitigate potential consequences. NEA includes a Weapon Trust Assurance (WTA) program to ensure safe, secure and effective nuclear weapon stockpile, and a Supply Chain Risk Management (SCRM) program to ensure malicious hardware or software are prevented entry into the NSE supply chain. The underlying requirement is to design, develop, and produce all future weapons with enhanced features that are resilient to subversion attempts. This is accomplished by
- Managing the risk of deliberate insertion of a part into the supply chain;
- Changing the philosophy from just testing to assure functionality, to added testing to identify potential malevolent action; and
- Working with counterintelligence to determine areas of known adversarial focus and vulnerabilities.
The Kansas City National Security Campus (KCNSC) has implemented a strong SCRM program, which includes a counterintelligence component, as well as a collaboration with other government agencies and universities to develop new technologies for trusted screenings. An awareness training program has been developed to increase the understanding of the advanced persistent threat.
A key question one must consider is whether or not there is a viable strategy for the U.S. government and its various departments to own, maintain, and adequately utilize a secure semiconductor foundry at a given lithographic generation. In order to make this assessment in a meaningful fashion, it is vital to first understand the trajectory existing technology is on. In approximately the year 2003, the traditional trajectory of semiconductor research, development, and manufacturing changed dramatically. Although there had been massive technological progress prior to this date, much of that progress relied upon the ongoing scaling of transistor dimensions following the admonition of Moore’s Law. Roughly doubling the density of device elements on a chip every 18 months, Moore’s Law provided a guide to the rate of progress in semiconductor development. However, this was enabled by a different set of rules, known as the laws of classical scaling. Classical scaling allowed one to produce a device burning exactly half the power of its predecessor, while reducing the area of the device by exactly a factor of two. This was absolutely critical, as it ensured that a chip of fixed dimension, regardless of later generation, burned precisely the same power as the prior generation, despite having twice the number of devices in its area. This relied on precisely shrinking the dimensions of all elements of the transistor. However, in 2003, a critical element of the transistor, the gate oxide, reached a dimension at which its electrical behavior became dominated by a quantum mechanical phenomena known as tunneling.
As we enter this new era in terms of what drives system performance, new opportunities present themselves to mitigate supply chain risk. We are increasingly seeing the use of field-programmable gate arrays (FPGAs) and graphic processing units as accelerative elements within systems, rather than for the ready replacement of long lead time and design intensive ASICs. It is significant that in realizing the importance of this emergent trend, Intel has acquired Altera, a leading FPGA manufacturer, and is implementing monolithic chips containing close-coupled CPUs and FPGAs having shared memory. The availability of systems on a chip with a duality of functionality makes possible real-time monitoring and validation of critical FPGA functions by an independently programmed yet close-coupled CPU. It is likely,
and seen from experience, that such functionally and architecturally diverse single chips are far more robust in terms of security of function than can be achieved with a simple software- or hardware-based defense. Active methods of real-time system assurance, whether by direct monitoring as elaborated here, or via behavioral monitoring as enabled by a cognitive system exploring departures from a norm, all such options must also be explored as first or second lines of defense again malicious functionality implemented in a critical system during its manufacture.
DoD capabilities have been repeatedly revolutionized by electronics and by the information technologies that leverage those electronics. But over time, there has been a dramatic shift in the landscape of where these technologies are developed and produced. Electronics technology and supplies increasingly come from global commercial suppliers. Innovation and manufacturing efficiency are increasingly driven by economies of scale. And these changes have resulted in both tactical and strategic risks in the supply chain. DoD has trouble obtaining specialized products at the lower volumes it needs. Low volumes of production also can compromise the yield and reliability of production. When DoD seeks out supplies, it often finds it must turn to foreign suppliers who may not provide the needed security. Even if there is security when making a buy today, the global landscape is rapidly changing, and pressures on business continue to drive industry consolidation, and there is no guarantee that important defense electronics technology and industrial capacity will be available in the United States. There are options for managing these situations in a tactical manner, but in the long term, there are some major challenges.
With the growing sophistication of Information and Communications Technology (ICT), along with the increased complexity of a globalized supply chain, organizations and information systems are increasingly vulnerable to supply chain risks. These risks can affect the integrity, security, resilience, safety, and quality of products and services. They may include the insertion of counterfeits into the supply chain, theft, tampering, unauthorized production, insertion of malicious code, as well as poor development practices within the supply chain.
ICT SCRM involves identifying, assessing, and mitigating risks associated with the global and distributed nature of ICT product and service supply chains. The National Institute of Standards and Technology (NIST) is responsible for developing standards, guidelines, tests, and metrics for the protection of non-national security federal information and communication infrastructure. Over the past several years, NIST has collaborated with public and private sector stakeholders to research and develop ICT SCRM tools, metrics, guidelines, and implementation strategies.
NIST’s ICT SCRM program started in 2008, when it initiated the development of ICT SCRM practices for non-national security (i.e., classified) information systems, in response to Comprehensive National Cybersecurity Initiative (CNCI) #11, “Develop a Multi-Pronged Approach for Global Supply Chain Risk Management.” In October 2012, NIST published NIST Interagency Report 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems, containing a catalogue of potential ICT SCRM methods and practices centered around increasing an organization’s visibility into and understanding of how the technology they acquire is developed, integrated, and deployed, thus enabling them to make risk-based acquisition decisions and develop mitigating strategies.
In 2015, NIST published NIST Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. This publication details a set of processes for evaluating and managing supply chain risk. These processes are integrated into the NIST SP 800-39’s Risk
Management Process. Many controls in Appendix F of NIST SP 800-53 Rev. 4 can help with ICT supply chain risk mitigation. Chapter 3 of NIST SP 800-161 identifies these controls and provides supplementary guidance for their application to ICT SCRM. Additional controls assist organizations in developing more robust and complete ICT SCRM mitigation strategies. It also lists applicable threat events, provides a framework for assessing threats, and provides a template for developing ICT SCRM plans that address the entire system life cycle.
NIST is currently researching industry SCRM best practices and has published several case studies on various companies throughout different sectors of industry. In addition, NIST is working with industry, academic, and government stakeholders to identify metrics that may be useful in measuring an organization’s supply chain risk. NIST is also conducting research on best practices for criticality analysis to better manage ICT supply chain risks. NIST will also begin research to demonstrate cause and effect relationships between cybersecurity and SCRM capability/maturity levels and organizational performance outcomes over time. The results will help identify which specific attributes and behaviors have disproportionate effects on cybersecurity and SCRM capability/maturity and which are more closely associated with cyber incidents.
The semiconductor industry continues to advance rapidly with aggressive scaling and the integration of diverse analog and digital components to provide high-value microelectronic systems-on-chip. The key capabilities for fabricating the components used in these high-value systems are in commercial foundries, which now dominate the world’s production of high-performance integrated circuits. It is desirable for the U.S. academic community and industrial base to have open and assured access to obtain high-performance integrated circuits and systems-on-chip, while ensuring protection of the associated intellectual property.
The goal of the Trusted Integrated Chips (TIC) program is to develop and demonstrate a new split-manufacturing process for chip fabrication, where security and intellectual property protection can be assured. The fabrication of the integrated circuit is divided into front-end-of-line (FEOL), consisting of transistor layers fabricated at an offshore foundry, and back-end-of-line (BEOL), consisting of metallization layers fabricated in trusted U.S. facilities. In this approach, the overall design intention is not disclosed to the FEOL fabricators. The development and demonstration of the TIC split-manufacturing process began at the 130 nm technology node in Phase 1A and continued at the 65 nm node in Phase 1B. For Phase 2, the TIC program performers have scaled the development of their capabilities to the 28 nm node. In Phase 3, the TIC program will explore heterogeneous split manufacturing, using a 28 nm FEOL and a 45 nm BEOL.
This page intentionally left blank.