Supply Chain Security

When we think about cyber threats, we often imagine a lone attacker sitting in a dark room, furiously typing as green text spreads across the screen in order to gain access to sensitive information or assume control of some system to which they would otherwise not have access.  While this sort of threat does exist, we now see a much greater threat in the form of coordinated adversaries attempting to compromise the supply chains of our industries and governments.  These adversaries exploit supply chain vulnerabilities, stealing intellectual property, exploiting software vulnerabilities, surveilling and disrupting critical infrastructure, and engaging in other malicious activity.  To address these vulnerabilities, we need to recognize that within each phase of product lifecycles, from design, manufacture, and transport, to provisioning, utilization, and decommission, there are serious risks.

To effectively protect our infrastructure and devices throughout product lifecycles, we must also consider the components of these products and computing systems.  In the hardware supply chain, we see a specific and growing set of threats which are much more difficult for any one organization to protect against.  Taken together, supply chain threats now affect a broad range of industries and organizations, from critical infrastructure, military and defense, and financial services, to consumer electronics, education, and healthcare.  Mitigating or eliminating these threats is the goal of Supply Chain Security.

Adversaries infiltrate trusted suppliers and vendors to target equipment, systems, and information used every day by industry, governments, and private citizens.  To protect against these threats, it is vital that every actor in the chain has security at the top of their agenda.  However, this is no easy task as no single entity has end-to-end control of the modern technology supply chain.  This means it is imperative that all organizations (public and private, large and small) come together to ensure security and integrity.  This highlights the need for industry standards and ecosystem participation to define, implement, and uphold security guidance.

TCG has been developing Information and Communications Technology (ICT) security standards that enable construction of trusted infrastructure.  The Supply Chain Security Workgroup is developing solutions that bring together these TCG technologies to address supply chain security as well as exploring new ways to mitigate the risks presented by an increasingly global, complex, and disaggregated supply chain.


Dennis Mattoon
Microsoft Research
Dennis Mattoon is an Architect for Microsoft Research. As one of the founding members of the Security and Privacy Research and Engineering team in MSR, he and his team have spent the last 10+ years focused on advances in trusted computing and system security. His most recent work has been on the Device Identifier Composition Engine Specifications (DICE), Robust and Resilient IoT (RIoT), and the Cyber-Resilient Platform Initiative. ( In addition to chairing the Attestation, Supply Chain Security, and DICE workgroups, Dennis has previously represented Microsoft on TCG efforts including DRTM, development of the TPM 2.0 reference implementation, and TSS.  Dennis was also responsible for Microsoft partner enablement/adoption of TPM 2.0 as well as the TSS.MSR  and Trusted Applications projects from Microsoft Research.
Michael Mattioli
Vice President
The Goldman Sachs Group, Inc.
Michael leads Prime Services Engineering Consulting within the Global Markets Division at Goldman Sachs. He focuses on engineering strategy and risk management, including hardware/software architecture and information security/privacy, with senior leaders of the firm’s global asset management clients. He is also responsible for the overall strategy and execution of hardware innovation within the broader technology industry. He previously led the Hardware Engineering team at Goldman Sachs where he was responsible for the design and engineering of the firm’s digital experiences and technologies.
Jun Takei
Intel Corporation