Priya PatelCISA’s recently introduced framework for hardware bill of materials is a step toward addressing semiconductor risks, but it doesn’t go far enough. The framework provides a consistent way for vendors and purchasers to communicate about hardware components, but it fails to track chips throughout their entire life cycle once they leave the factory. A more thorough framework is needed to ensure robust security against emerging cyber threats.
The initial chips impacted by the Downfall vulnerability, discovered in August by Google researcher Daniel Moghimi, were manufactured in 2015. Even if CISA’s HBOM framework had been in place at that time, it would have been ineffective because it doesn’t track where and how semiconductors are used.
- CISA’s recently introduced hardware bill of materials (HBOM) framework is a step toward semiconductor chip security, but more is needed
- The framework offers a way for vendors and purchasers to communicate about hardware components and manages supply chain risks
- The HBOM framework needs to track chips beyond manufacturing for effective security against emerging threats
- Existing framework is a good start, but a more thorough HBOM framework is needed with additional life cycle traceability
- Chips can remain vulnerable for years, and a comprehensive HBOM is necessary for proactive monitoring and response
CISA’s HBOM framework is a meaningful action by the government to address security risks in the semiconductor supply chain. It encourages businesses to detail upstream sourcing and calls for traceability throughout the manufacturing process. However, the framework falls short by not including record-keeping beyond manufacturing. The Downfall vulnerability serves as a reminder that there need to be safeguards in place throughout a chip’s entire life cycle to maintain robust security.
One suggestion to improve the framework is to pair it with a software bill of materials (SBOM) to provide comprehensive tracking of the complete life cycle of electronic products. This would give organizations greater visibility into both hardware and software vulnerabilities. Hardware vulnerabilities cannot be patched like software and may require physical intervention, highlighting the need for comprehensive tracking.
In conclusion, CISA’s HBOM framework is a step in the right direction but needs to be more comprehensive to effectively address semiconductor chip security. By tracking chips throughout their entire life cycle, organizations can better respond to emerging threats and maintain robust security.
