Microsoft, Intel and Goldman Sachs have joined a Supply Chain Security work group, which operates within a non-profit organization called Trusted Computing Group (TCG). Working together, representatives from the companies will "define how TCG technologies can be implemented to address supply chain security challenges."
Within the technology industry and across the IT channel, much of the supply chain security discussion typically involves software. Indeed, hackers have leveraged remote monitoring and management (RMM) and remote control software to launch multiple cyberattacks across MSP ecosystems and downstream customers. Examples include the REvil Ransomware attack against Kaseya's VSA software in July 2021. That attack spread to roughly 50 MSPs and roughly 1,500 downstream customers.
Still, effective supply chain security also needs to address hardware. In a statement about the challenge, TCG said:
"The hardware supply chain is difficult to secure due to the number of stages, organizations, and individuals involved and current security methods are mostly subjective and require human intervention. As malicious and counterfeit hardware is extremely difficult to identify, most organizations do not have access to the tools, knowledge, or expertise to successfully detect it. With guidance from the Supply Chain Security work group, those in the supply chain will be better equipped to protect against cyber threats."
The Supply Chain Security work group will focus on two key area:
- Provisioning, which involves ensuring devices are genuine and from a trusted source at every step of the supply chain; and
- Recovery, which involves helping companies to recover their systems, devices, and networks quickly in the event of a cyberattack.
Hardware Supply Chain Security: Executive Perspectives
The new work group's co-chairs are:
- Dennis Mattoon, principal software development engineer at Microsoft.
- Michael Mattioli, vice president at Goldman Sachs.
In a prepared statement, Mattoon said:
“For nearly 20 years, TCG has guided the industry in adopting technologies that enable secure computing, with specifications for IoT and embedded systems, PCs and servers, mobile, and storage. The supply chain is the one thing that spans all of these verticals and experts from TCG work groups are now coming together to create industry-wide guidance that seeks to make the supply chain more secure.”
Added Mattioli:
"Securing the hardware supply chain is no easy task, as no single company has end-to-end control of the modern technology supply chain. This is why the new TCG work group is so important, as we are bringing together experts from a wide range of companies to define industry guidance that can be implemented across the ecosystem.”
Trusted Computing Group: Open Standards, Specifications Experience
TCG, based in Beaverton, Oregon, has extensive experience developing open standards and specifications that help to secure mobile and embedded systems, networks, storage, infrastructure, and cloud systems. More than a billion devices include TCG-related technologies, the organization says..
For instance, virtually all enterprise PCs, many servers and embedded systems include the TPM; while networking equipment, drives and other devices and systems deploy other TCG specifications, including self-encrypting drives and network security specifications, the organization said.