Chapter 10. Manufacturing and Device Security

According to the World Economic Forum, the manufacturing sector has become one of the most targeted sectors for cyberattacks.1 Usually, we attribute software supply chain security risk to something within the software development lifecycle, but the risk may exist in a compromised chip, component, or product through connectable IT, IoT, Industrial IoT (IIoT), or operational technology (OT) installed in your infrastructure. But even if you don’t have a manufacturing program in your organization, risks can be introduced by your suppliers’ manufacturing processes. This chapter will help you understand the overall risks in supply chain security for the products your organization purchases or produces.

When you consider all the physical and digital components, along with the processes used to build a device, there are hundreds, and potentially thousands, of opportunities for compromise. Each physical device, such as a laptop, usually has firmware, embedded software, and hardware components (e.g., motherboard, laptop screen). A printed circuit board assembly (PCBA), such as the one pictured in Figure 10-1, may have a dozen integrated circuit (IC) components, or chips, that support operation of the device, and many of them contain embedded code libraries at the time of purchase.2

The logic on these ICs can include cybersecurity flaws or intentional compromises from upstream suppliers, and they can result in breaches that are very difficult ...
