THE recently published The Cybersecurity and Infrastructure Security Agency’s (CISA) hardware bill of materials (HBOM) framework is a much-needed step in ensuring the security of semiconductor chips, but it doesn’t go far enough.
The framework gives suppliers and buyers a consistent and repeatable way to communicate about hardware components, which is critical for supply chain management and risk assessment. However, an HBOM must go beyond the production of semiconductor devices. It must track chips once they leave the factory, throughout their lifecycle in final products, in order to provide the robust security we need against emerging cyber threats.
We were reminded why this level of vigilance is important in August, when Google researcher Daniel Moghimi discovered the Downfall vulnerability. The downfall, which affects a large family of advanced microprocessors, can be exploited to give attackers access to private data. But the first chips affected by the vulnerability were produced in 2015. It has been eight years since the first devices that included these semiconductors entered the market.
Even if CISA’s HBOM framework had been in place then, it would still be ineffective against Downfall because it doesn’t track where and how semiconductors are used. That’s why we need a more comprehensive HBOM framework, with additional lifecycle traceability, to strengthen a chip’s security posture once a new vulnerability is discovered.
The existing framework is a good start
Despite its initial limitations, CISA is to be commended for introducing an HBOM framework, even if it calls it “voluntary and flexible.” This is a significant action by the government to address security risks within the semiconductor supply chain.
The framework encourages companies to detail their upstream sourcing, including a list of all suppliers and components. It also requires traceability throughout the manufacturing process and outlines a consistent way to name all component attributes.
These are all useful conditions because while a company may know what a chip is supposed to do, it often doesn’t know how it was designed. By making this explicit, CISA recognizes the critical role that supply chain safeguards play in ensuring chip security. This increased visibility is intended to marginalize high-risk suppliers and minimize the introduction of counterfeit or harmful parts during production.
This framework follows another recent government effort to increase supply chain transparency: US President Joe Biden’s May 2021 executive order mandating software bills of material (SBOM) for federal suppliers. An SBOM inventories all software components, versions, and vulnerabilities so that organizations can quickly respond to security issues as they arise. Pairing one with an HBOM would provide comprehensive, integrated, and complementary security monitoring of the entire lifecycle of electronic products, from development to disposal.
But unlike the SBOM Directive, the scope of CISA’s HBOM framework permanently ends when production is completed. There has to be a record of where that chip ends up. By giving up the same level of visibility after the chips leave the factory, multiple security risks remain. We need an HBOM with an end-to-end vision that helps us take action once we identify the collapses of the future.
Chips remain vulnerable for years
As Downfall has shown, vulnerabilities may not emerge until years after devices hit the market because hardware components can have extended lifespans and lack modern security protections. While software can be patched, hardware vulnerabilities, unless they can be fixed with a firmware update, must be addressed through physical manipulation or other fixes that could reduce a device’s performance or disable its functionality altogether.
This is what makes a more comprehensive HBOM important. Organizations need to be able to understand what threats they face from chip vulnerabilities, with complete visibility into manufacturing and the entire chip lifecycle. Only maximum transparency can provide the intelligence needed for proactive monitoring and rapid response when defects inevitably emerge. Anything less is an unacceptable risk.