I have observed over the past few years that the lines have blurred between electronics that are counterfeit, fraudulent, tampered with, poorly made and many other descriptions of threats to product integrity. Industry, academic research and US Government activities addressing intellectual property enforcement (2011 IPEC Annual Report), cyber supply chain risk management (111th Congress H.R. 6523 § 806) and counterfeit electronic parts avoidance and detection (112th Congress H.R. 1540 § 818) often reveal similarities among threats and synergy among countermeasures. Similar challenges exist to developing and implementing standards, policies, legislation, and regulations intended to address these threats.
As subject matter experts continue to engage in these activities, it will be increasingly important to clearly identify the specific threats addressed and the sources of these threats. It will be equally important to clearly identify focus of the solutions to counter these threats and application constraints in applying these solutions. Over the past several months I have seen various approaches to this and I offer observations drawing from the best of each:
Purpose and scope of activities: Clearly identify the threat(s) the activity is intended to address. High level categories would include ‘counterfeit’ and ‘used’ [see 112th Congress H.R. 1540 § 818 (b)(1)], and ‘tampered’ or ‘tainted’ [see 111th Congress H.R. 6523 § 806 (e)(4)].
Prevailing forces: Identify the prevailing forces behind specific threats to help define parameters and limitations of solutions to counter them. Examples would include criminal activity associated with counterfeiting operations, the circulation of counterfeit goods on the open market, and the points within the supply chain where counterfeit goods are introduced. Others examples would include, targeted and malicious attacks or subversion, the skilled resources applied to them, and types of products that are vulnerable to such attacks.
Effects: The effects of specific threats should be identified to help support risk assessment activity and to evaluate the effectiveness of solutions intended to counter them. Examples would include failure modes and performance degradation associated with subcategories of counterfeit parts. Examples associated with tampering or tainting would include attempts to conduct surveillance, deny access to, disrupt, or degrade the reliability or trustworthiness of a function or system.
Application Focus for Solutions: The intended use of specific solutions to countering these threats should be defined. Examples of solution sets would include the following:
- ‘Vulnerability Assessment and Risk Management’: Methods to determine the extent to which devices and equipment are prone to specific threats and methods to determine the impact of vulnerabilities for specific applications.
- ‘Avoidance’: Proactive methods to counter specific threats, such as procurement practices directing purchases to authorized or ‘trusted’ suppliers; obsolescence management to eliminate the use of parts that are only available through risker suppliers; design approaches that may be applied as countermeasures at the chip and assembly level; tag and trace methods to identify and track authentic goods throughout the supply chain.
- ‘Detection’: Methods used to detect specific threats and reveal vulnerabilities for specific applications.
Maturity of Solutions: The maturity of specific solutions should be identified. DoD’s “Technology Readiness Assessment (TRA) Guidance” is an effective tool to apply. Considerations should include the following.
- Implementation using established and proven methods, techniques and equipment.
- Availability of suitably skilled and trained personnel to implement the solution.
- The existence of standards describing the solution and its implementation for countering a specific threat.
- The effectiveness of a solution or combination of solutions in countering a specific threat vs the consequences of an escape