Technical White Paper

SUPPLY CHAIN SECURITY SOLUTIONS FROM INTEL AND LENOVO: ENSURING DEVICE SECURITY FROM THE FACTORY FLOOR THROUGH END OF LIFE

By TOM DODSON
Supply Chain Security Architect, Intel Corporation

With the expansion of data centers, cloud computing, and the Internet of Things, ensuring trust in the supply chain has become more important than ever. A supply chain, based on trusted hardware and standards developed by the Trusted Computing Group, can enhance security for everything from sourcing components to distribution of the final product. This paper describes the incentives for organizations to prioritize supply chain trust and introduces the Intel® Trusted Device Setup and Intel® Transparent Supply Chain services, which Intel has developed in partnership with Lenovo. It also explains the use of a hardware root of trust to establish a trusted supply chain.

SUPPLY CHAIN SECURITY IS A CONCERN ACROSS THE PUBLIC AND PRIVATE SECTORS.

Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain.
— National Institute of Standards and Technology

INCENTIVES FOR SUPPLY CHAIN TRUST

The use of technology to compromise supply chains is not a new phenomenon; one article in Supply Chain 24/7 [1] provides a history of supply chain cyberattacks dating back to the Cold War. Before end users even turn on their new equipment, malicious actors have numerous opportunities to disrupt and compromise the supply chain tasked with delivering new devices into end users’ hands.
Such attacks should concern every company regardless of its size or market focus. The U.S. government is well aware of the significance of the problem: A paper from the National Institute of Standards and Technology (NIST) states that “Federal agencies are concerned about the risks associated with information and communications technology products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain.” [2]

In 2015, the U.S. Department of Defense published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement. This interim rule gave government contractors a deadline to implement the requirements of Special Publication 800-171 [3], which NIST published to counteract cybersecurity threats. Section 252.246-7007 of this document, Contractor Counterfeit Electronic Part Detection and Avoidance System, specifically addresses “design, operation, and maintenance of systems to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts.” [4]

The Rise of Remote Work

Companies seeking to secure end-user devices are confronting a new factor in an already fraught equation: the sharp increase in the number of employees working remotely. According to Gallup, the percentage of employed Americans who said they had worked remotely doubled in the spring of 2020 alone—climbing from 31 percent in March to 62 percent in April. [5] What began as a temporary solution may well become permanent: According to Gartner, nearly three in four CFOs plan to shift some employees to remote work permanently. [6] But