By Michael Tidwell, VP Marketing and Business Development 

Counterfeit or fraudulent electronics is an enormous problem for OEMs and device manufacturers, particularly those that rely on a global supply chain and programming and assembly at remote, third-party contract manufacturers (CMs). That’s because the electronic device supply chain is not fundamentally secure and can be hijacked by bad actors who clone products, over-produce devices, steal intellectual property (IP) during the manufacturing process, or substitute inferior or counterfeit integrated circuits (ICs) for those originally specified by the OEM.

This unsecured supply chain has obvious financial impacts for OEMs: reports estimate that consumer and industrial businesses lose $250 billion annually due to counterfeit electronic components.

Equally concerning is the impact on safety and functionality that these counterfeit devices present. In 2016, researchers at the Georgia cybersecurity firm BorderHawk discovered security flaws in a common networking device called a remote power manager (RPM) that had been purchased from a Chinese manufacturer. According to the Christian Science Monitor, BorderHawk researchers were working on a different project at a large energy firm when they noticed unusual network traffic on their client’s network. Their investigation revealed that the RPM device contained links to a known, malicious domain located in China. The device firmware also contained hidden commands that could be used to obtain lists of user accounts and passwords to access the device and give malicious hackers direct access into data centers and business applications.

“Unfortunately, security researchers say these types of vulnerabilities are not uncommon and often are difficult to detect,” wrote the Christian Science Monitor“The problem is a byproduct of changes in the way that technology firms source and build their products, often relying on far-flung networks of manufacturers and suppliers who operate with little oversight or quality control.”

According to the publication Military Embedded Systems, even the United States Department of Defense (DoD) supply chain is vulnerable to the risk of counterfeit parts. The DoD estimates that as much as 15% of all spare and replacement parts for military electronics turn out to be counterfeit.

What’s needed is a more trustworthy electronics supply chain, based on secure manufacturing processes and tools that better control and manage manufacturing practices at third-party owned factories. The objective of secure manufacturing is to ensure that OEM devices are manufactured per OEM specification of hardware, firmware and data, and without loss of any OEM IP. Secure manufacturing processes also are designed to authenticate ICs for silicon-vendor proof of origin prior to provisioning to prevent the production of counterfeit or fraudulent devices.

Building Security and Trust into Devices

To implement supply chain integrity and secure manufacturing requires building security and trust into devices with hardware-based security. To achieve this, a number of key building blocks must be put in place. First, OEMs must usesecurable IC elements or microcontroller units (MCUs) with storage protected by a hardware-based root of trust and a trusted execution environment. These elements or MCUs also must provide an immutable boot path and true random number generation mechanism to enable generation and usage of a unique device identity.

While use of secure elements or units is necessary to secure the end device, additional operations must be performed to further build on and enhance the security that is provided by the hardware-based roots of trust. This is accomplished in manufacturing through the process of secure provisioning thatconfigures the hardware roots of trust on a device and, hence,creates the device identity and device-specific security credentials, binding these security elements to the IC responsible for securing the device.   

Security credentials like keys, certificates, chain of trust, firmware and data that are provisioned into a device IC are very important secrets for an OEM. Should a bad actor gain access to these security credentials during the manufacturing process, the security deployed into devices can be compromised. Thus, in order to protect the security credentials that need to be provisioned into devices during manufacturing, it is fundamental that the deployment process itself be secure.

Authentication of ICs before provisioning

Data I/O has developed the SentriX® security deployment-as-a-Service platform to deliver on the promise of secure manufacturing. Using SentriX, OEMs now have the ability to secure their supply chain and manufacture secure devices at scalewithout risk of counterfeit productionusing a trusted security deployment service.

To prevent production of counterfeit or inferior devices, SentriX programming processes are designed to authenticate ICs for silicon-vendor proof of origin prior to provisioning additional security credentials into the device. Secure element ICs and MCUs provide a secure cryptography-based authentication process that is based on a silicon-vendor IC identity certificate that is pre-provisioned into the IC during the manufacturing process. During the SentriX authentication process for individual ICs, a silicon vendor ID, a product ID and a serial number are read from the IC and compared against a list of such data provided by the silicon vendor. If the data read from the IC is not found in the list provided by the silicon vendor, the device is marked as counterfeit and eliminated from the manufacturing process.

SentriX is designed with the paramount goal of securing and simplifying the IC provisioning process and helping eliminate the risk of counterfeit devices entering the market. The SentriX security deployment platform helps OEMs overcome key challenges of device security definition, secure manufacturing and the secure provisioning of trust into devices during manufacturing for improved security, lower cost, faster time to market and greater supply chain integrity.

To learn more about SentriX IoT Security as-a-Service, download Data I/O’s e-book Securing the Electronics Supply Chain with SentriX IoT Security asaService”, email sentrix@dataoi.com or visit www.dataio.com/sentrix.