Secure Sourcing of COTS Products

Systems are built by integrating components upwards from the lowest level of the supply chain to the finished, often highly complex, product. That upward integration process represents a potential security weakness. In that, without direct scrutiny or control from the OEM it is possible to surreptitiously insert malicious code, or counterfeit parts at the bottom of a multilevel, or offshored, build. And inevitably any malicious object inserted down the integration ladder will then be integrated into the end product, the most recent example being the SolarWinds hack of 2021. The possibility of such a thing occurring is so obvious that you would think that there have been practical efforts to address it. However, even though we’ve expended a lot of time and effort to ensure robust, efficient, and defect-free code production, we have done very little to ensure against compromises that might occur during the integration process. So, the aim of this talk is to outline the challenge of supply chain risk, as well as present a couple of potential solutions from the automobile industry. Speaker(s): Daniel Shoemaker, Virtual: https://events.vtools.ieee.org/m/364736