Hardware bill of materials are essential in electronics products: EE Times

Cindy F. Cape


When you have a severe allergy, you can’t eat just any food. You need to know what’s in it first. If no one can tell you the ingredients, you probably shouldn’t be eating it.

Andreas Kuehlmann (Source: Cycuity)

And yet individuals and businesses all over the world do essentially the same thing with electronic products. They’re consuming electronics that are part of cars, medical devices, critical infrastructure, and more. Few consumers, however, can tell you the details of the ingredients in any of the products they use, let alone whether they pose a security risk.

Marc Andreessen was one of the first to recognize that “software is eating the world,” yet we often forget that all software runs on hardware. Hardware complexity is growing at a similar rate as software code size. Semiconductor manufacturers now develop a growing number of chips customized to specific applications and increasingly with hardware security support built in, creating more opportunities for security risk.

Ultimately, a product is only as secure as its weakest component, and organizations can’t afford to integrate technology without knowing the details of its ingredients beyond their basic function. While those ingredients might be harmless, they could also leave an open door for an attacker. We need to ask the same questions of any electronic product that we do of our food. What’s in it and how safe is it?

What hardware can learn from software

For food, we’ve been trained as consumers to read the ingredients label or to ask what’s in a meal. It’s certainly not a perfect world, but the transparency of ingredient labels steers consumers toward the right products for them. Accountability drives better quality.

Similarly, in manufacturing, a “bill of material” (BOM) is a well-understood concept that provides the list and quantities of raw materials, components, and parts needed to build a product. Complementing this list with security details has gained traction on the software side as a “software bill of material” (SBOM).

Sometimes 90–95% of a software application is built from open-source components that the user is never aware of. An SBOM not only tells you what components are in a software application, but also whether they’re the latest version, and if any of them harbor a known security vulnerability that potentially leaves the entire application susceptible to cyberattacks.

SBOMs gained further traction after last year’s presidential executive order. It aims to untangle the software supply chain, requiring all software vendors to supply an SBOM to the federal government so government agencies know exactly what’s in the software they use. In the event of a new security issue, such as a vulnerability exploited remotely, these agencies can react faster thanks to the SBOM.

Unlike in software, hardware security issues have gained increased attention only recently, after the discovery of the Spectre and Meltdown vulnerabilities in 2017. Before then, it was broadly assumed that a chip couldn’t be hacked without physical access. Now we know that security design flaws in hardware can sometimes be exploited remotely.

For example, a remotely executed unprivileged software application can exploit hardware-specific information leakages to extract secrets or hijack control of the system. Moreover, such attacks can be automated and potentially target all products that include the vulnerable hardware, making attacks vastly more scalable and impactful. To make matters worse, it’s impossible or very difficult to fix hardware vulnerabilities once the chips are deployed.

Remotely exploitable hardware vulnerabilities have only recently come into focus and haven’t received the same attention as software vulnerabilities. We’re still very much in the education phase, as more companies realize the risks.

That education needs to break through to action. A hardware bill of materials (HBOM) that provides the details of the security of hardware components, including their security validation, would complement an SBOM to reveal the security posture of any electronic product. Combining an SBOM and HBOM can offer a holistic view of the product, allow an organization to track the ingredients over its lifecycle, and support faster action when vulnerabilities are discovered in either hardware or software.

Security information we need in a hardware bill of materials

The foundation for an HBOM would be adopting the equivalent to the SBOM to document and track hardware security vulnerabilities, such as the recently discovered Augury vulnerability in the Apple M1 chip. Understanding which silicon versions are vulnerable and knowing what products use the affected chip provides better guidance on how to assess business risk and understand which products require security updates.
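As an added illustration (not code from the article or from Cycuity), here is a constructed model of the two preceding points: a combined HBOM and SBOM inventory cross-referenced against advisories, so that a new silicon erratum or software vulnerability maps to exactly the products that need updates. The record layout, product names, component names and advisory ids are all assumed placeholders, not any published standard or real advisory.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    kind: str     # "hardware" (HBOM entry) or "software" (SBOM entry)
    name: str     # part or package name
    version: str  # silicon stepping or software version

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    kind: str
    component: str
    affected_versions: frozenset  # steppings/versions known to be affected

# Constructed inventory (HBOM and SBOM entries kept side by side per product):
# two gateways share one SoC family at different steppings.
PRODUCTS = {
    "gateway-a": [Component("hardware", "ExampleSoC", "B0"),
                  Component("software", "tlslib", "1.2.0")],
    "gateway-b": [Component("hardware", "ExampleSoC", "B1"),
                  Component("software", "tlslib", "1.3.1")],
    "sensor-c":  [Component("hardware", "OtherMCU", "A2"),
                  Component("software", "tlslib", "1.2.0")],
}

# Constructed advisories with placeholder ids (not real CVEs or silicon errata).
ADVISORIES = [
    Advisory("HW-EXAMPLE-0001", "hardware", "ExampleSoC", frozenset({"B0"})),
    Advisory("SW-EXAMPLE-0002", "software", "tlslib", frozenset({"1.2.0"})),
]

def affected_products(products, advisory):
    """Return {product: [matching versions]} for one advisory.
    A match needs the same kind, the same component name and an affected
    version, so gateway-b (stepping B1) is not flagged for the B0 erratum."""
    hits = {}
    for product, bom in products.items():
        matches = [c.version for c in bom
                   if c.kind == advisory.kind and c.name == advisory.component
                   and c.version in advisory.affected_versions]
        if matches:
            hits[product] = matches
    return hits

def exposure_report(products, advisories):
    """Map every product to the advisory ids it is exposed to, across both BOMs."""
    report = {name: [] for name in products}
    for adv in advisories:
        for product in affected_products(products, adv):
            report[product].append(adv.advisory_id)
    return report
```

Without the stepping recorded in the HBOM, the hardware advisory could only be matched on part name, and gateway-b would be flagged for an update it does not need.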

Yet, we should go further on the HBOM content and include artifacts that demonstrate how security was considered during planning, development, and verification of hardware components. The more information that’s disclosed, the more valuable the HBOM becomes for judging a product’s security and driving action when vulnerabilities are found. Examples include:

Certainly, HBOMs would not be a silver bullet. But they can establish the kind of transparency that allows educated decisions during product design, support, and maintenance, as well as respond to any security incident. In conjunction with adopting emerging product security standards, HBOMs can help us achieve a new level of visibility, assurance, and security.

—Andreas Kuehlmann is CEO of Cycuity
