The CISA HBOM Framework falls short

The Cybersecurity and Infrastructure Security Agency (CISA) published its Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management in September 2023, a product of the agency's ICT Supply Chain Risk Management Task Force, to give buyers a structured way to describe the components inside the hardware they procure. While the framework is a positive step, some experts argue that it stops well short of ensuring comprehensive chip security.

According to critics, the HBOM framework primarily focuses on how semiconductor devices are sourced and manufactured, and does not adequately track the chips once they leave the factory and throughout their life cycle in end products. Without that post-manufacturing traceability, an operator cannot readily answer the question that matters when a flaw is disclosed: which of my deployed devices contain the affected part? The Downfall vulnerability, disclosed by Google researcher Daniel Moghimi in August 2023, shows why that question comes up years after a chip ships.

Downfall (tracked as CVE-2022-40982, also called Gather Data Sampling) affects Intel Core and Xeon processors from the 6th-generation Skylake family through the 11th generation. It is a transient-execution side channel in the AVX gather instructions that lets an unprivileged local process, including one running inside a virtual machine or sandbox, read data belonging to other processes, the kernel or neighbouring tenants. The earliest affected chips were manufactured in 2015, which underlines the long service life of hardware components and the potential for vulnerabilities to surface many years after devices have entered the market.

Even if CISA's HBOM framework had been in place when those chips were made, it would not have helped against Downfall, because it does not provide the traceability needed to locate and remediate affected parts after manufacturing. Experts have therefore called for a more thorough HBOM framework with additional life-cycle traceability, so that an organization's chip security posture can be assessed quickly when a new vulnerability appears.

Despite these criticisms, CISA is commended for introducing the HBOM framework, which encourages businesses to document their upstream sourcing and maintain traceability throughout the manufacturing process. That visibility is meant to reduce the chance of counterfeit or malicious parts entering production and to flag high-risk vendors before their components are designed in.

While the HBOM framework is a meaningful step toward addressing security risks within the semiconductor supply chain, experts argue that it falls short by not extending its scope to the entire life cycle of chips. Without end-to-end visibility, a device can carry vulnerable silicon for years after a disclosure without its owner knowing, as Downfall demonstrates.

Experts emphasize the importance of a comprehensive HBOM framework that provides visibility into chip vulnerabilities throughout the device's life cycle. Unlike software vulnerabilities, hardware vulnerabilities cannot always be patched cleanly: the fix may be a microcode or firmware update that the device vendor never ships for older products, it may cost performance (Downfall's microcode mitigation slows workloads that rely heavily on gather instructions), or it may require physically replacing the part.
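To make the traceability argument concrete, the following is an added example (not code from the article, CISA or any vendor) showing the lookup a life-cycle HBOM would let an operator perform when an advisory like Downfall lands. The record schema is hypothetical, the fleet inventory is constructed, the microcode thresholds in `FIXED_MICROCODE` are placeholders rather than real vendor values, and `DOWNFALL_MODELS` is an illustrative subset of the affected CPUID models, not the authoritative list. A device whose record lists only the board but not the silicon on it (`chips=None`, the factory-only HBOM the critics describe) lands in an "untracked" bucket, because the question simply cannot be answered for it.

```python
"""Fleet triage for a hardware advisory against a life-cycle HBOM.

Added example with a hypothetical record schema and a constructed inventory;
it is not CISA's HBOM format, and the microcode thresholds are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

ADVISORY_YEAR = 2023  # Downfall was disclosed in August 2023


@dataclass(frozen=True)
class ChipRecord:
    """Chip identity a life-cycle HBOM entry would need to carry (hypothetical)."""
    vendor: str          # CPUID vendor string, e.g. "GenuineIntel"
    family: int          # CPUID display family
    model: int           # CPUID display model
    manufactured: int    # year the part was made
    microcode_rev: int   # microcode revision currently loaded in the field


@dataclass(frozen=True)
class DeviceRecord:
    """A deployed device.  chips=None models a factory-only HBOM that lists
    the board but never recorded which silicon sits on it."""
    asset_id: str
    site: str
    chips: tuple[ChipRecord, ...] | None


# Illustrative subset of Intel family-6 models listed as affected by Downfall
# (Gather Data Sampling); the vendor advisory is the authoritative list.
DOWNFALL_MODELS = {
    0x4E: "Skylake (mobile)",       0x5E: "Skylake (desktop)",
    0x55: "Skylake-SP / Cascade Lake",
    0x8E: "Kaby/Coffee/Whiskey Lake (mobile)",
    0x9E: "Kaby/Coffee Lake (desktop)",
    0x7E: "Ice Lake (client)",      0x6A: "Ice Lake-SP",   0x6C: "Ice Lake-D",
    0xA5: "Comet Lake (desktop)",   0xA6: "Comet Lake (mobile)",
    0x8C: "Tiger Lake (mobile)",    0x8D: "Tiger Lake (desktop)",
}

# Placeholder "fix shipped in revision >= X" table, constructed for the example.
FIXED_MICROCODE = {0x55: 0x2007006, 0x8C: 0xB0, 0x8E: 0xF4}


def is_downfall_affected(chip: ChipRecord) -> bool:
    """Membership test on vendor/family/model, the keys a CPUID-based list uses."""
    return (chip.vendor == "GenuineIntel" and chip.family == 6
            and chip.model in DOWNFALL_MODELS)


def is_mitigated(chip: ChipRecord) -> bool:
    """True when the loaded microcode is at or above the fixed revision
    (a >= comparison, as the Linux kernel's minimum-microcode checks do).
    A model with no known fixed revision counts as unmitigated."""
    needed = FIXED_MICROCODE.get(chip.model)
    return needed is not None and chip.microcode_rev >= needed


def exposure_years(chip: ChipRecord, advisory_year: int = ADVISORY_YEAR) -> int:
    """Years between manufacture of the part and public disclosure of the flaw."""
    return advisory_year - chip.manufactured


def triage(fleet) -> dict[str, list[str]]:
    """Bucket a fleet for one advisory.  Returns sorted asset ids under
    'affected' (carries listed silicon), 'unmitigated' (affected and running
    microcode below the fixed revision) and 'untracked' (no chip-level data)."""
    out: dict[str, list[str]] = {"affected": [], "unmitigated": [], "untracked": []}
    for dev in fleet:
        if dev.chips is None:
            out["untracked"].append(dev.asset_id)
            continue
        hits = [c for c in dev.chips if is_downfall_affected(c)]
        if hits:
            out["affected"].append(dev.asset_id)
            if not all(is_mitigated(c) for c in hits):
                out["unmitigated"].append(dev.asset_id)
    return {k: sorted(v) for k, v in out.items()}


# Constructed inventory: one old Skylake-SP server still on pre-fix microcode,
# one patched Tiger Lake laptop, two unaffected machines, one untracked device.
FLEET = (
    DeviceRecord("srv-01", "dc-east", (ChipRecord("GenuineIntel", 6, 0x55, 2016, 0x2006E05),)),
    DeviceRecord("lap-07", "hq",      (ChipRecord("GenuineIntel", 6, 0x8C, 2021, 0xB4),)),
    DeviceRecord("srv-12", "dc-west", (ChipRecord("GenuineIntel", 6, 0x8F, 2023, 0x2B000461),)),
    DeviceRecord("edge-03", "plant-2", (ChipRecord("AuthenticAMD", 0x19, 0x01, 2022, 0xA001173),)),
    DeviceRecord("iot-22", "plant-2", None),
)


if __name__ == "__main__":
    for bucket, ids in triage(FLEET).items():
        print(f"{bucket:12s} {ids}")
    oldest = FLEET[0].chips[0]
    print(f"srv-01 silicon predates disclosure by {exposure_years(oldest)} years")
```

The three buckets map onto the article's argument: "affected" and "unmitigated" are only computable because the record carries CPUID identity and the microcode revision observed in the field, neither of which a manufacturing-time HBOM records, and "untracked" is exactly the blind spot the critics describe.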

In conclusion, while the HBOM framework is a positive step toward semiconductor chip security, there are calls for a more comprehensive approach that adds life-cycle traceability to the manufacturing-time view. That level of vigilance is what the long service life of hardware components demands if organizations are to respond to chip-level vulnerabilities that surface years after deployment.
