Supply Chain Security

When we think about cyber threats, we often imagine a lone attacker sitting in a dark room, furiously typing as green text spreads across the screen in order to gain access to sensitive information or assume control of some system to which they would otherwise not have access.  While this sort of threat does exist, we now see a much greater threat in the form of coordinated adversaries attempting to compromise the supply chains of our industries and governments.  These adversaries exploit supply chain vulnerabilities, stealing intellectual property, exploiting software vulnerabilities, surveilling and disrupting critical infrastructure, and engaging in other malicious activity.  To address these vulnerabilities, we need to recognize that within each phase of product lifecycles, from design, manufacture, and transport, to provisioning, utilization, and decommission, there are serious risks.

To effectively protect our infrastructure and devices throughout product lifecycles, we must also consider the components of these products and computing systems.  In the hardware supply chain, we see a specific and growing set of threats which are much more difficult for any one organization to protect against.  Taken together, supply chain threats now affect a broad range of industries and organizations, from critical infrastructure, military and defense, and financial services, to consumer electronics, education, and healthcare.  Mitigating or eliminating these threats is the goal of Supply Chain Security.

Adversaries infiltrate trusted suppliers and vendors to target equipment, systems, and information used every day by industry, governments, and private citizens.  To protect against these threats, it is vital that every actor in the chain has security at the top of their agenda.  However, this is no easy task as no single entity has end-to-end control of the modern technology supply chain.  This means it is imperative that all organizations (public and private, large and small) come together to ensure security and integrity.  This highlights the need for industry standards and ecosystem participation to define, implement, and uphold security guidance.

TCG has been developing Information and Communications Technology (ICT) security standards that enable construction of trusted infrastructure.  The Supply Chain Security Workgroup is developing solutions that bring together these TCG technologies to address supply chain security as well as exploring new ways to mitigate the risks presented by an increasingly global, complex, and disaggregated supply chain.

Chairs

Dennis Mattoon
Principal Software Development Engineer
Microsoft Research
Dennis Mattoon is a Principal Software Development Engineer for Microsoft Research. As one of the founding members of the Security and Privacy Research and Engineering team in MSR, he and his team have spent the last 10 years focused on advances in trusted computing and system security. His most recent work has been on the Device Identifier Composition Engine Specification and Architectures (TCG DiceArch), Robust and Resilient IoT (RIoT), and the Cyber-Resilient Platform Initiative. (https://aka.ms/CyRes). Dennis has previously represented Microsoft on TCG efforts including the D-RTM specification, development of the TPM 2.0 reference implementation, and was responsible for Microsoft partner enablement/adoption of TPM 2.0.  Dennis also maintains the TPM Software Stack from Microsoft Research (https://github.com/Microsoft/TSS.MSR) and worked with the TSS work group in TCG during its development.
Michael Mattioli
Principal Engineer, Hardware Engineering
The Goldman Sachs Group, Inc.
Michael leads the Hardware Engineering team within Goldman Sachs. He is responsible for the design and engineering of the firm’s digital experiences and technologies. He is also responsible for the overall strategy and execution of hardware innovation both within the firm and within the broader technology industry.
Jun Takei
Intel Corporation