#Counterfeit Mitigation Component Program
resionllc · 7 months ago
Counterfeit Mitigation Component Program - Resion
Protect Your Assets with Resion's Counterfeit Mitigation Component Program! We are well aware of industry problems and offer the best solutions to tackle them. We specialize in providing exceptional supply chain solutions for industries such as aerospace, military, defense, and medical. Call us now at 516-742-6300 to learn more about what we can do for you!
aeriinc · 5 months ago
How Intel Dealers Support the Supply Chain of Intel Products
Intel Corporation is a proud member of the chip and semiconductor industry, having been in operation since 1968 and continually innovating in the field. This is why you can find so many Intel chips in everything from the PCs kids love to use for online gaming to aerospace components and electronic healthcare products.
As the largest semiconductor chip manufacturer by revenue, Intel works with numerous Intel dealers USA services to maintain a robust and reliable supply chain. At AERI, we act as an independent Intel distributor, often filling in the gaps in the supply chain by locating and supplying hard-to-find and obsolete electronic components.
Intel Corporation is well aware that a key pillar of its success rests on the supply chain management it currently utilizes. Maintaining the flow of goods to all national and international clients takes a lot of work and logistical management. Intel focuses on a resilient supply chain that mitigates risks, improves product quality, and ensures better performance for both the company and its down-channel clients.
Intel dealers USA services like ours at AERI work by ensuring customers receive crucial parts in a timely manner to lower any downtime or financial losses. However, we go a step further by utilizing a multi-layered authentication process. Our experienced electrical engineers follow an IDEA-STD-1010-certified process to test any and all parts moving through our international network of suppliers. This ensures customers only receive authentic and verified parts while preventing poor-quality or counterfeit items from entering the market.
AERI is a proud member of ERAI and GIDEP with numerous certifications like the AS9120, IDEA-QMS-9090, and AS6081, the last of which deals explicitly with counterfeit parts program protections. This adherence to ethical sourcing practices (something we apply to all our international suppliers) is crucial to delivering only genuine Intel products. 
Our strict vendor approval process, continuous supplier management, and the ability of our Search Experts to locate hard-to-find parts are why we are an essential part of the Intel dealers USA supply chain. We also can provide storage for Last Time Buy orders and Just in Time needs for clients, offering cost-saving programs for our clients. 
All our parts are backed by a one-year guarantee and a Liability + Errors & Omissions insurance policy for your peace of mind. There are simply too many parts, products, and projects being powered by Intel chips to allow for any errors in your supply chain. We want you to shop with confidence, knowing that the next delivery you receive will be authentic parts to keep your operations moving smoothly. 
Intel dealers USA providers like us at AERI are crucial to the overall capabilities of Intel moving forward. We partner with companies and brands of this level, helping match buyers to obsolete parts that would otherwise go unnoticed and not provide any income. The more Intel continues to grow and innovate with product lines, the greater the need for companies like us to help customers of all sizes and scopes find obsolete parts needed for operations. Give us a call today and let our Search Experts be your leading resource for finding authentic and verified Intel products and parts. We look forward to being your long-term partner as a trustworthy Intel dealers USA service.
precisionmeasuringtools · 9 months ago
Streamlining Operations: The Crucial Role of Industrial Parts and Laboratory Equipment Suppliers!
In the intricate manufacturing ecosystem, where efficiency, precision, and reliability are paramount, the role of industrial parts suppliers and laboratory equipment providers cannot be overstated. These entities are the backbone of manufacturing operations, ensuring seamless procurement of essential components and cutting-edge equipment vital for production processes across diverse industries. From automotive to pharmaceuticals and aerospace to electronics, the demand for reliable sourcing partners has never been greater.
Industrial parts supply companies play a pivotal role in manufacturing by offering a comprehensive range of components, from nuts and bolts to complex machinery parts. These suppliers serve as lifelines for manufacturing units, providing critical components swiftly and efficiently to ensure uninterrupted production cycles. With an emphasis on quality assurance and timely delivery, manufacturers can uphold their client commitments while maintaining optimal operational efficiency.
Similarly, laboratory equipment suppliers cater to the specialized needs of industries reliant on research, development, and quality control. Whether it's precise instrumentation for pharmaceutical laboratories or cutting-edge testing equipment for automotive manufacturers, these suppliers furnish the tools necessary for innovation and quality assurance. Their offerings encompass a broad spectrum, including analytical instruments, calibration devices, and safety apparatus, empowering manufacturing facilities to adhere to stringent quality standards and regulatory requirements.
Laboratory equipment suppliers: sourcing from certified manufacturers, ensuring compliance with industry standards and specifications
One of the primary advantages of partnering with reputable industrial parts and laboratory equipment suppliers is the assurance of product quality and authenticity. Laboratory equipment suppliers source components and equipment from certified manufacturers, ensuring compliance with industry standards and specifications. By prioritizing quality assurance protocols and rigorous testing procedures, they instill confidence in manufacturers regarding the reliability and performance of the supplied products, mitigating the risks associated with substandard or counterfeit materials.
Furthermore, industrial parts supply companies and laboratory equipment providers offer their clients invaluable expertise and technical support. With a deep understanding of manufacturing processes and industry requirements, they assist manufacturers in identifying the most suitable components and equipment for their specific applications. Whether it involves recommending alternative materials for cost optimization or suggesting innovative solutions to enhance operational efficiency, these suppliers serve as trusted advisors, fostering collaborative partnerships with manufacturers.
In the realm of manufacturing sourcing, efficiency is paramount. Industrial parts supply companies leverage advanced inventory management systems and supply chain optimization techniques to streamline procurement processes. Strategic alliances with manufacturers and distributors ensure access to a diverse range of products while minimizing lead times and procurement costs. By adopting Just-In-Time (JIT) principles and implementing vendor-managed inventory programs, they enable manufacturers to optimize working capital and reduce inventory holding costs, thereby enhancing overall profitability.
In the realm of manufacturing sourcing, efficiency is paramount, and it depends on advanced inventory management systems.
Similarly, laboratory equipment suppliers employ sophisticated logistics frameworks and distribution networks to facilitate prompt delivery of critical equipment and consumables. Whether it's a laboratory microscope or a batch of reagents, timely access to essential supplies is essential for maintaining uninterrupted research and production activities. These suppliers prioritize logistical efficiency and reliability, offering flexible shipping options and expedited delivery services to meet the dynamic needs of their clients.
Moreover, in an era characterized by rapid technological advancements and evolving industry trends, industrial parts supply companies and manufacturing supply companies play a vital role in facilitating innovation and adaptability. By staying abreast of emerging technologies and market developments, manufacturers can access the latest advancements in materials, components, and equipment. Whether it involves integrating sensors into manufacturing processes or adopting advanced analytical instrumentation for quality control, these suppliers empower manufacturers to remain competitive in a dynamic marketplace.
In conclusion, industrial parts supply companies and laboratory equipment suppliers are indispensable partners in manufacturing sourcing. By offering a comprehensive suite of products, ensuring stringent quality standards, providing expert guidance, and optimizing procurement processes, they contribute significantly to manufacturing enterprises' operational excellence and competitiveness across diverse industries. As manufacturing landscapes continue to evolve, the role of these suppliers will remain pivotal, serving as catalysts for innovation, efficiency, and growth.
For more information about Manufacturing Supply Company, click Pacific IC Source for the best electronic components.
entrepreneurshipsecrets · 1 year ago
Safety First: The Ultimate Guide to Modern Manufacturing Plant Safety
Safety in the workplace is paramount, and you cannot afford to ignore this aspect in your modern manufacturing plant. It is one of the best ways to prevent illnesses, injuries, and even deaths among your team. From a business perspective, maintaining top safety standards ensures your workers are safe, committed, and productive. This translates to reduced operational costs and seamless operations. You also want to create a safe working environment that ensures your manufacturing business is in compliance with local and national safety laws. Let's delve deeper into how you can create and uphold that safe working environment in a manufacturing setup:
Conduct Thorough Risk Assessment
Before you proceed to implement any safety measures, you will first need to identify potential risks and hazards within your manufacturing plant. In this regard, you should conduct a comprehensive examination of the entire production process, from raw materials to finished products. This will help you identify potential hazards such as machinery, chemicals, electrical systems, ergonomic issues, and environmental concerns in your plant. Once you have identified the potential risks, systematically evaluate and mitigate them to safeguard your employees, assets, and reputation. Thorough risk assessments not only prevent accidents and downtime but also enhance workplace productivity and profitability by fostering a culture of safety and continuous improvement within your manufacturing facility. Additionally, risk assessment helps you to comply with legal requirements and industry standards.
Train and Educate Your Employees
Employees can be the weakest link to their own safety and that of the plant. Therefore, you ought to ensure that all your employees are well-informed and properly trained in safety procedures. The training programs should be designed to address specific hazards present in your manufacturing plant. Ensure your employees are educated on the proper use of safety equipment, handling hazardous materials, and emergency response protocols. Invest in regular training sessions and drills to keep safety knowledge fresh in the minds of your workforce. Additionally, foster a culture of safety where your employees feel comfortable reporting potential hazards and incidents.
Source Quality Products
Sourcing quality products is paramount for the safety of your manufacturing plant. It is even better to source quality products from reputable vendors. This is because their products adhere to strict industry standards and undergo rigorous testing, reducing the risk of failures and potential hazards. A case example is electrical machines and devices like circuit breakers. A substandard circuit breaker might not disconnect the circuit in case of a fault. This means excessive current will flow through your plant's power cables, causing an electrical fire and damage to other components. This is why you should source all types of circuit breakers from a reputable vendor to avoid counterfeit electrical components that pose significant safety risks to your team. Generally speaking, reputable vendors adhere to strict quality control standards. They source and supply Ultimately, investing in quality components not only safeguards your personnel and assets but also contributes to the overall efficiency and longevity of your manufacturing business.
Provide Personal Protective Gear
Personal protective gear plays a critical role in worker safety, and you cannot afford to ignore it. PPE shields your workers against injuries, infections, and exposure to harmful substances. Generally, it protects your workforce from workplace hazards and reduces the risk of accidents. As a modern manufacturing plant, you should invest in state-of-the-art safety equipment and personal protective gear like helmets, gloves, safety glasses, ear protection, and respiratory masks, among other items. Moreover, you can leverage advanced technologies such as wearable sensors and smart helmets that have emerged in recent years to monitor workers' vital signs and detect potential health risks. These innovations provide real-time data that can help prevent accidents and ensure prompt medical attention when needed.
Safeguard your Plant Machines
Machinery is the backbone of manufacturing, and it is becoming more sophisticated: CNC machines, robots, 3D printers, conveyor systems, and laser cutting machines, among others. These machines are large and can easily pose significant safety risks like entanglement, crushing, or contact with moving parts. Therefore, you should prioritize machine-safeguarding measures to protect your workers from these accidents. Some of the best safety measures to safeguard your plant machines include machine guarding, emergency stop buttons, interlock systems, and automatic shutoff mechanisms. Also, invest in regular maintenance and inspection of your machinery to help identify and rectify potential machinery issues promptly.
Emergency Preparedness and Response
Even after you implement robust preventive measures in your manufacturing plant, accidents can still occur. Therefore, you ought to be well-prepared to respond to emergencies effectively. This includes having comprehensive emergency response plans in place. Your response plan should cover a wide range of potential incidents, from minor accidents to major disasters. Ensure all your employees are familiar with these emergency procedures, evacuation routes, and the location of emergency equipment. Again, you should conduct adequate training and drills to ensure that your employees know how to react in high-stress situations. These plans should be continuously revised to accommodate changes as your plant evolves.
Wrapping up
In a nutshell, safety should always come first in your manufacturing plant. Investing in safety not only protects your employees from harm but also benefits your company by reducing accidents, minimizing downtime, and enhancing the overall efficiency of your processes. It is always best to take a proactive approach to create a safe and productive manufacturing environment for your team. Photo by Ümit Yıldırım on Unsplash
The Sale of Electronic Components
Electronic components are electronic devices that affect the electrons in an electrical circuit. These devices can be purchased and sold in several ways. They can be purchased in the physical marketplace, through social media platforms, and through online stores. Check their site for more details on the sale of electronic components (prodej elektronických součástek).
The global general electronic components market is estimated to grow from USD XX billion in 2015 to more than USD XX billion in 2030. This growth is expected to be driven by the rapid miniaturization of electronic devices and the increasing demand for semiconductor components. The market is segmented by type and application. The Asia Pacific region is projected to account for 40% of the global general electronic components market. North America is expected to account for 34% of the global market. Europe is expected to account for the remaining 37%.
A large number of manufacturers and distributors are involved in the sale of electronic components. Manufacturers sell their products to equipment manufacturers directly, while distributors sell to other electronic equipment companies through industrial distributors. Most of these companies maintain a Counterfeit and Substandard Part Mitigation program to prevent the occurrence of counterfeit or low quality devices.
One of the largest distributors of electromechanical components in Europe is TME. Another key distributor is Digi, which offers exclusive access to tools, market intelligence, and standards. Both of these providers help customers find the best prices for their components.
Electronic component businesses are a growing trend and can be lucrative. However, it is important to understand the industry and how to go about it before embarking on such a venture.
If you are interested in starting your own business, an electronic component company is a good option. There are several advantages to this, including a reliable supply of products, a diversified customer base, and the ability to grow. But, there are some disadvantages, too. For instance, the electronic component industry is a highly competitive one and requires a high level of knowledge to succeed. You might not be able to make as much money as you would like. Therefore, you should ensure that you are able to build a business plan that can attract buyers.
It is also essential to learn about the laws and regulations governing the purchase and sale of electronic devices. This is especially true for the automotive industry. Since most manufacturers are required to use only certified components, you should know the steps to avoid counterfeit devices. Besides, you can set up an account with a distributor of electronic devices so that you can place wholesale orders.
While you may be tempted to start an electronic component business, you should keep in mind that it might not be as profitable as you might hope. However, if you are patient enough to do your homework, you can still find a way to make it a successful venture. In addition, you can increase your profitability by optimizing your operations strategies.
Lastly, you should consider joining the Electronic Component Industry Association (ECI). ECI is a trade association that supports and helps the industry. Its members include manufacturers, distributors, and independent field sales representatives. By joining the association, you can access a variety of resources and opportunities to expand your business.
greentreeelectronics · 2 years ago
How to tackle the Issue of Obsolete Electronic Components?
An electronic component becomes obsolete when it is no longer required in the market. Obsolete electronic components can be an issue for a manufacturer who relies on a particular component. However, many industries, such as aerospace and military, still need such components for manufacturing. It becomes important to find an independent, reliable, and unbiased obsolete components supplier who has experience in this industry and access to end-of-life, obsolete, or hard-to-find components.
One of the risks with an obsolete electronic components distributor is that the quality may not be good enough, or you may accidentally be given counterfeits. Green Tree complies with the evolving standards for counterfeit mitigation and its processes. They are an obsolete components distributor whose quality assurance department and in-house lab have made them recognized as one of the industry leaders for their counterfeit mitigation program. An experienced supplier of obsolete electronic components will ensure product quality by fully checking and testing components. Green Tree Electronics is one such distributor of obsolete electronic components, having all these qualities and providing you with fully inspected and tested electronic components.
Obsolete electrical components at Green Tree Electronics are authenticated with full traceability through the documents customers require. The obsolescence of electronic components is not necessarily bad news if alternatives are accessible. When an electronic component becomes obsolete, Green Tree Electronics performs an electronic components testing service to ensure the function and continuation of the product.
GreenTree Electronics is also a distributor of integrated circuits with expertise in microprocessors and DSPs for embedded systems, networking, imaging, and video. GreenTree Electronics is known as an obsolete electronics supplier that provides unique solutions to tier-1 OEMs and CMs. They have a service license agreement with White Horse Laboratories. With over 20 years of experience in the industry, they are a distributor of flash memory. Finally, GreenTree Electronics is a leading independent representative of component manufacturers and a distributor of ICs.
viswatech · 3 years ago
RADIO FREQUENCY IDENTIFICATION (RFID)
Description
Radio Frequency Identification (RFID) refers to a wireless system comprised of two components: tags and readers. The reader is a device that has one or more antennas that emit radio waves and receive signals back from the RFID tag. Tags, which use radio waves to communicate their identity and other information to nearby readers, can be passive or active. Passive RFID tags are powered by the reader and do not have a battery. Active RFID tags are powered by batteries.
RFID tags can store a range of information from one serial number to several pages of data. Readers can be mobile so that they can be carried by hand, or they can be mounted on a post or overhead. Reader systems can also be built into the architecture of a cabinet, room, or building.
Uses
RFID systems use radio waves at several different frequencies to transfer data. In health care and hospital settings, RFID technologies include the following applications:
Inventory control
Equipment tracking
Out-of-bed detection and fall detection
Personnel tracking
Ensuring that patients receive the correct medications and medical devices
Preventing the distribution of counterfeit drugs and medical devices
Monitoring patients
Providing data for electronic medical records systems
The FDA is not aware of any adverse events associated with RFID. However, there is concern about the potential hazard of electromagnetic interference (EMI) to electronic medical devices from radio frequency transmitters like RFID. EMI is a degradation of the performance of equipment or systems (such as medical devices) caused by an electromagnetic disturbance.
Information for Health Care Professionals
Because this technology continues to evolve and is more widely used, it is important to keep in mind its potential for interference with pacemakers, implantable cardioverter defibrillators (ICDs), and other electronic medical devices.
Physicians should stay informed about the use of RFID systems. If a patient experiences a problem with a device, ask questions that will help determine if RFID might have been a factor, such as when and where the episode occurred, what the patient was doing at the time, and whether or not the problem resolved once the patient moved away from that environment. If you suspect that RFID was a factor, device interrogation might be helpful in correlating the episode to the exposure. Report any suspected medical device malfunctions to MedWatch, FDA’s voluntary adverse event reporting system.
FDA Actions
The FDA has taken steps to study RFID and its potential effects on medical devices including:
Working with manufacturers of potentially susceptible medical devices to test their products for any adverse effects from RFID and encouraging them to consider RFID interference when developing new devices.
Working with the RFID industry to better understand where RFID can be found, what power levels and frequencies are being used in different locations, and how to best mitigate potential EMI with pacemakers and ICDs.
Participating in and reviewing the development of RFID standards to better understand RFID’s potential to affect medical devices and to mitigate potential EMI.
Working with the Association for Automatic Identification and Mobility (AIM) to develop a way to test medical devices for their vulnerability to EMI from RFID systems.
Collaborating with other government agencies, such as the Federal Communications Commission (FCC), the National Institute for Occupational Safety and Health (NIOSH) and the Occupational Safety and Health Administration (OSHA) to better identify places where RFID readers are in use.
Reporting Problems to FDA
Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with RFID. If you suspect a problem, we encourage you to file a voluntary report through MedWatch: The FDA Safety Information and Adverse Event Reporting Program.
Health care personnel employed by facilities that are subject to Reporting Adverse Events (Medical Devices) requirements should follow the reporting procedures established by their facilities.
Manufacturers, distributors, importers, and device user facilities (which include many health care facilities) must notify the FDA immediately by Reporting Adverse Events (Medical Devices).
resionllc · 8 months ago
Counterfeit Mitigation Component Program
Protect your critical assets with Resion's Counterfeit Mitigation Component Program! We not only understand your problems, but we also foresaw them. As the leading independent stocking distributor of electronic parts, we have unmatched knowledge of the market. Call us now at 516-742-6300 to learn more about what we can do for you!
itunesbooks · 6 years ago
O-TTPS for ICT Product Integrity and Supply Chain Security - Sally Long
O-TTPS for ICT Product Integrity and Supply Chain Security: A Management Guide
Author: Sally Long
Genre: Reference
Price: $28.99
Publish Date: January 24, 2017
Publisher: Van Haren Publishing
Seller: Gardners Books Ltd
This Management Guide provides guidance on why a technology provider should use the Open Trusted Technology Provider Standard (O-TTPS); Mitigating the Risk of Tainted and Counterfeit Products (approved by ISO/IEC as ISO/IEC 20243:2015) and why they should consider certification to publicly register their conformance to the standard. The O-TTPS is the first standard with a certification program that specifies measurable conformance criteria for both product integrity and supply chain security practices. The standard defines a set of best practices that ICT providers should follow throughout the full life cycle of their products from design through disposal, including their supply chains, in order to mitigate the risk of tainted and counterfeit components. The introduction of tainted products into the supply chain poses significant risk to organizations because altered products can introduce the possibility of untracked malicious behavior. A compromised electronic component or piece of malware-enabled software that lies dormant and undetected within an organization could cause tremendous damage if activated remotely. Counterfeit products can also cause significant damage to customers and providers, resulting in rogue functionality, failed or inferior products, or revenue and brand equity loss. As a result, customers now need assurances they are buying from trusted technology providers who follow best practices with their own in-house secure development and engineering practices and also in securing their out-sourced components and their supply chains. This guide offers an approach to providing those assurances to customers.
It includes the requirements from the standard and an overview of the certification process, with pointers to the relevant supporting documents, offering a practical introduction to executives, managers, and those involved directly in implementing the best practices defined in the standard. As the certification program is open to all constituents involved in a product's life cycle, this guide should be of interest to:
• ICT provider companies (e.g. OEMs, hardware and software component suppliers, value-add distributors, and resellers)
• Business managers, procurement managers, product managers and other individuals who want to better understand product integrity and supply chain security risks and how to protect against those risks
• Government and commercial customers concerned about reducing the risk of damage to their business enterprises and critical infrastructures, which all depend heavily on secure ICT for their day-to-day operations.
http://dlvr.it/R0pRkW
nedsvallesny · 6 years ago
Supply Chain Security 101: An Expert’s View
Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.
Tony Sager, senior vice president and chief evangelist at the Center for Internet Security.
The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.
Below are some excerpts from our conversation. I learned quite a bit, and I hope you will, too.
Brian Krebs (BK): Do you think Uncle Sam spends enough time focusing on the supply chain security problem? It seems like a pretty big threat, but also one that is really hard to counter.
Tony Sager (TS): The federal government has been worrying about this kind of problem for decades. In the 70s and 80s, the government was more dominant in the technology industry and didn’t have this massive internationalization of the technology supply chain.
But even then there were people who saw where this was all going, and there were some pretty big government programs to look into it.
BK: Right, the Trusted Foundry program I guess is a good example.
TS: Exactly. That was an attempt to help support a U.S.-based technology industry so that we had an indigenous place to work with, and where we have only cleared people and total control over the processes and parts.
BK: Why do you think more companies aren’t insisting on producing stuff through code and hardware foundries here in the U.S.?
TS: Like a lot of things in security, the economics always win. And eventually the cost differential for offshoring parts and labor overwhelmed attempts at managing that challenge.
BK: But certainly there are some areas of computer hardware and network design where you absolutely must have far greater integrity assurance?
TS: Right, and this is how they approach things at Sandia National Laboratories [one of three national nuclear security research and development laboratories]. One of the things they’ve looked at is this whole business of whether someone might sneak something into the design of a nuclear weapon.
The basic design principle has been to assume that one person in the process may have been subverted somehow, and the whole design philosophy is built around making sure that no one person gets to sign off on what goes into a particular process, and that there is never unobserved control over any one aspect of the system. So, there are a lot of technical and procedural controls there.
But the bottom line is that doing this is really much harder [for non-nuclear electronic components] because of all the offshoring now of electronic parts, as well as the software that runs on top of that hardware.
BK: So is the government basically only interested in supply chain security so long as it affects stuff they want to buy and use?
TS: The government still has regular meetings on supply chain risk management, but there are no easy answers to this problem. The technical ability to detect something wrong has been outpaced by the ability to do something about it.
BK: Wait…what?
TS: Suppose a nation state dominates a piece of technology and in theory could plant something inside of it. The attacker in this case has a risk model, too. Yes, he could put something in the circuitry or design, but his risk of exposure also goes up.
Could I as an attacker control components that go into certain designs or products? Sure, but it’s often not very clear what the target is for that product, or how you will guarantee it gets used by your target. And there are still a limited set of bad guys who can pull that stuff off. In the past, it’s been much more lucrative for the attacker to attack the supply chain on the distribution side, to go after targeted machines in targeted markets to lessen the exposure of this activity.
BK: So targeting your attack becomes problematic if you’re not really limiting the scope of targets that get hit with compromised hardware.
TS: Yes, you can put something into everything, but all of a sudden you have this massive big data collection problem on the back end where you as the attacker have created a different kind of analysis problem. Of course, some nations have more capability than others to sift through huge amounts of data they’re collecting.
BK: Can you talk about some of the things the government has typically done to figure out whether a given technology supplier might be trying to slip in a few compromised devices among an order of many?
TS: There’s this concept of the “blind buy,” where if you think the threat vector is someone gets into my supply chain and subverts the security of individual machines or groups of machines, the government figures out a way to purchase specific systems so that no one can target them. In other words, the seller doesn’t know it’s the government who’s buying it. This is a pretty standard technique to get past this, but it’s an ongoing cat and mouse game to be sure.
BK: I know you said before this interview that you weren’t prepared to comment on the specific claims in the recent Bloomberg article, but it does seem that supply chain attacks targeting cloud providers could be very attractive for an attacker. Can you talk about how the big cloud providers could mitigate the threat of incorporating factory-compromised hardware into their operations?
TS: It’s certainly a natural place to attack, but it’s also a complicated place to attack — particularly the very nature of the cloud, which is many tenants on one machine. If you’re attacking a target with on-premise technology, that’s pretty simple. But the purpose of the cloud is to abstract machines and make more efficient use of the same resources, so that there could be many users on a given machine. So how do you target that in a supply chain attack?
BK: Is there anything about the way these cloud-based companies operate….maybe just sheer scale…that makes them perhaps uniquely more resilient to supply chain attacks vis-a-vis companies in other industries?
TS: That’s a great question. The counter positive trend is that in order to get the kind of speed and scale that the Googles and Amazons and Microsofts of the world want and need, these companies are far less inclined now to just take off-the-shelf hardware and they’re actually now more inclined to build their own.
BK: Can you give some examples?
TS: There’s a fair amount of discussion among these cloud providers about commonalities — what parts of design could they cooperate on so there’s a marketplace for all of them to draw upon. And so we’re starting to see a real shift from off-the-shelf components to things that the service provider is either designing or pretty closely involved in the design, and so they can also build in security controls for that hardware. Now, if you’re counting on people to exactly implement designs, you have a different problem. But these are really complex technologies, so it’s non-trivial to insert backdoors. It gets harder and harder to hide those kinds of things.
BK: That’s interesting, given how much each of us have tied up in various cloud platforms. Are there other examples of how the cloud providers can make it harder for attackers who might seek to subvert their services through supply chain shenanigans?
TS: One factor is they’re rolling this technology out fairly regularly, and on top of that the shelf life of technology for these cloud providers is now a very small number of years. They all want faster, more efficient, powerful hardware, and a dynamic environment is much harder to attack. This actually turns out to be a very expensive problem for the attacker because it might have taken them a year to get that foothold, but in a lot of cases the short shelf life of this technology [with the cloud providers] is really raising the costs for the attackers.
When I looked at what Amazon and Google and Microsoft are pushing for it’s really a lot of horsepower going into the architecture and designs that support that service model, including the building in of more and more security right up front. Yes, they’re still making lots of use of non-U.S. made parts, but they’re really aware of that when they do. That doesn’t mean these kinds of supply chain attacks are impossible to pull off, but by the same token they don’t get easier with time.
BK: It seems to me that the majority of the government’s efforts to help secure the tech supply chain come in the form of looking for counterfeit products that might somehow wind up in tanks and ships and planes and cause problems there — as opposed to using that microscope to look at commercial technology. Do you think that’s accurate?
TS: I think that’s a fair characterization. It’s a logistical issue. This problem of counterfeits is a related problem. Transparency is one general design philosophy. Another is accountability and traceability back to a source. There’s this buzzphrase that if you can’t build in security then build in accountability. Basically the notion there was you often can’t build in the best or perfect security, but if you can build in accountability and traceability, that’s a pretty powerful deterrent as well as a necessary aid.
BK: For example….?
TS: Well, there’s this emphasis on high quality and unchangeable logging. If you can build strong accountability that if something goes wrong I can trace it back to who caused that, I can trace it back far enough to make the problem more technically difficult for the attacker. Once I know I can trace back the construction of a computer board to a certain place, you’ve built a different kind of security challenge for the attacker. So the notion there is while you may not be able to prevent every attack, this causes the attacker different kinds of difficulties, which is good news for the defense.
BK: So is supply chain security more of a physical security or cybersecurity problem?
TS: We like to think of this as we’re fighting in cyber all the time, but often that’s not true. If you can force attackers to subvert your supply chain, then you first off take away the mid-level criminal elements and you force the attackers to do things that are outside the cyber domain, such as set up front companies, bribe humans, etc. And in those domains — particularly the human dimension — we have other mechanisms that are detectors of activity there.
BK: What role does network monitoring play here? I’m hearing a lot right now from tech experts who say organizations should be able to detect supply chain compromises because at some point they should be able to see truckloads of data leaving their networks if they’re doing network monitoring right. What do you think about the role of effective network monitoring in fighting potential supply chain attacks?
TS: I’m not so optimistic about that. It’s too easy to hide. Monitoring is about finding anomalies, either in the volume or type of traffic you’d expect to see. It’s a hard problem category. For the US government, with perimeter monitoring there’s always a trade off in the ability to monitor traffic and the natural movement of the entire Internet towards encryption by default. So a lot of things we don’t get to touch because of tunneling and encryption, and the Department of Defense in particular has really struggled with this.
Now obviously what you can do is man-in-the-middle traffic with proxies and inspect everything there, and the perimeter of the network is ideally where you’d like to do that, but the speed and volume of the traffic is often just too great.
BK: Isn’t the government already doing this with the “trusted internet connections” or Einstein program, where they consolidate all this traffic at the gateways and try to inspect what’s going in and out?
TS: Yes, so they’re creating a highest volume, highest speed problem. To monitor that and to not interrupt traffic you have to have bleeding edge technology to do that, and then handle a ton of it which is already encrypted. If you’re going to try to proxy that, break it out, do the inspection and then re-encrypt the data, a lot of times that’s hard to keep up with technically and speed-wise.
BK: Does that mean it’s a waste of time to do this monitoring at the perimeter?
TS: No. The initial foothold by the attacker could have easily been via a legitimate tunnel and someone took over an account inside the enterprise. The real meaning of a particular stream of packets coming through the perimeter you may not know until that thing gets through and executes. So you can’t solve every problem at the perimeter. Some things only become obvious and make sense to catch when they open up at the desktop.
BK: Do you see any parallels between the challenges of securing the supply chain and the challenges of getting companies to secure Internet of Things (IoT) devices so that they don’t continue to become a national security threat for just about any critical infrastructure, such as with DDoS attacks like we’ve seen over the past few years?
TS: Absolutely, and again the economics of security are so compelling. With IoT we have the cheapest possible parts, devices with a relatively short life span and it’s interesting to hear people talking about regulation around IoT. But a lot of the discussion I’ve heard recently does not revolve around top-down solutions but more like how do we learn from places like the Food and Drug Administration about certification of medical devices. In other words, are there known characteristics that we would like to see these devices put through before they become in some generic sense safe.
BK: How much of addressing the IoT and supply chain problems is about being able to look at the code that powers the hardware and finding the vulnerabilities there? Where does accountability come in?
TS: I used to look at other peoples’ software for a living and find zero-day bugs. What I realized was that our ability to find things as human beings with limited technology was never going to solve the problem. The deterrent effect that people believed someone was inspecting their software usually got more positive results than the actual looking. If they were going to make a mistake – deliberately or otherwise — they would have to work hard at it and if there was some method of transparency, us finding the one or two and making a big deal of it when we did was often enough of a deterrent.
BK: Sounds like an approach that would work well to help us feel better about the security and code inside of these election machines that have become the subject of so much intense scrutiny of late.
TS: We’re definitely going through this now in thinking about the election devices. We’re kind of going through this classic argument where hackers are carrying the noble flag of truth and vendors are hunkering down on liability. So some of the vendors seem willing to do something different, but at the same time they’re kind of trapped now by the good intentions of the open vulnerability community.
The question is, how do we bring some level of transparency to the process, but probably short of vendors exposing their trade secrets and the code to the world? What is it that they can demonstrate in terms of cost effectiveness of development practices to scrub out some of the problems before they get out there. This is important, because elections need one outcome: Public confidence in the outcome. And of course, one way to do that is through greater transparency.
BK: What, if anything, are the takeaways for the average user here? With the proliferation of IoT devices in consumer homes, is there any hope that we’ll see more tools that help people gain more control over how these systems are behaving on the local network?
TS: Most of [the supply chain problem] is outside the individual’s ability to do anything about, and beyond the ability of small businesses to grapple with this. It’s in fact outside of the autonomy of the average company to figure it out. We do need more national focus on the problem.
It’s now almost impossible for consumers to buy electronics that aren’t Internet-connected. The chipsets are so cheap and the ability for every device to have its own Wi-Fi chip built in means that [manufacturers] are adding them whether it makes sense to or not. I think we’ll see more security coming into the marketplace to manage devices. So for example you might define rules that say appliances can talk to the manufacturer only.
We’re going to see more easy-to-use tools available to consumers to help manage all these devices. We’re starting to see the fight for dominance in this space already at the home gateway and network management level. As these devices get more numerous and complicated, there will be more consumer oriented ways to manage them. Some of the broadband providers already offer services that will tell you what devices are operating in your home and let users control when those various devices are allowed to talk to the Internet.
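As an added illustration of the “build in accountability” point Sager makes above about high quality, unchangeable logging and being able to trace the construction of a board back to a source: the short Python example below is written for this page and is not code from the interview, from CIS or from Krebs. It keeps a hash-chained provenance log in which every custody step (fab, assembly, test, shipment) commits to the record before it, so rewriting an earlier step breaks the chain. The part identifier, step names and party names are constructed sample data, not real suppliers. It also shows the caveat a practitioner would want: a hash chain by itself does not notice that the tail of the log was quietly cut off, so the latest hash has to be anchored somewhere the custodian cannot rewrite.

```python
"""Tamper-evident provenance log for hardware components (added example)."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # stands in for "no previous entry"


def _digest(seq: int, part_id: str, step: str, actor: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps([seq, part_id, step, actor, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int         # position in the log
    part_id: str     # board or lot identifier (constructed, hypothetical format)
    step: str        # fab / assembly / test / ship
    actor: str       # party that performed the step
    prev_hash: str   # entry_hash of the previous record (GENESIS for the first)
    entry_hash: str  # SHA-256 over the five fields above


class ProvenanceLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def head(self) -> str:
        """Hash of the newest entry; publish or witness this outside the log."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def append(self, part_id: str, step: str, actor: str) -> Entry:
        seq, prev = len(self.entries), self.head()
        entry = Entry(seq, part_id, step, actor, prev, _digest(seq, part_id, step, actor, prev))
        self.entries.append(entry)
        return entry

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry.
        Passing the externally anchored head hash also detects truncation of the tail,
        which the chain alone cannot see; that case reports len(entries)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return i
            if _digest(e.seq, e.part_id, e.step, e.actor, e.prev_hash) != e.entry_hash:
                return i
            prev = e.entry_hash
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

    def trace(self, part_id: str) -> List[str]:
        """Every recorded custody step for one part, oldest first."""
        return [f"{e.step}@{e.actor}" for e in self.entries if e.part_id == part_id]


def build_sample_log() -> ProvenanceLog:
    """Constructed sample data: one board passing through four hypothetical parties."""
    log = ProvenanceLog()
    log.append("BRD-0001", "fab", "FabCo")
    log.append("BRD-0001", "assembly", "AssemblyCo")
    log.append("BRD-0001", "test", "TestLab")
    log.append("BRD-0001", "ship", "Distributor")
    return log


def tamper_demo() -> Optional[int]:
    """Rewrite the assembly record to hide a subcontractor; verify() flags index 1."""
    log = build_sample_log()
    log.entries[1] = replace(log.entries[1], actor="UnknownSubcontractor")
    return log.verify()


def truncation_demo() -> Tuple[Optional[int], Optional[int]]:
    """Dropping the last record leaves a chain that still verifies on its own;
    only the anchored head hash catches the missing shipment step."""
    log = build_sample_log()
    anchored_head = log.head()  # e.g. written to a log the custodian cannot alter
    log.entries.pop()
    return log.verify(), log.verify(expected_head=anchored_head)


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("tampered at index:", tamper_demo())
    print("truncated (chain only, anchored):", truncation_demo())
```

The design choice worth noting is the split between `verify()` and the anchored head: the chain makes in-place edits and deletions of earlier steps detectable by anyone holding the log, while the published head is what stops the log’s own keeper from rewriting history by dropping the most recent records. In a real program the head would be signed or written to a log the manufacturer does not control, and each actor would sign its own entry; both are left out here to keep the mechanism visible.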
Since Bloomberg’s story broke, the U.S. Department of Homeland Security and the National Cyber Security Centre, a unit of Britain’s eavesdropping agency, GCHQ, both came out with statements saying they had no reason to doubt vehement denials by Amazon and Apple that they were affected by any incidents involving Supermicro’s supply chain security. Apple also penned a strongly-worded letter to lawmakers denying claims in the story.
Meanwhile, Bloomberg reporters published a follow-up story citing new, on-the-record evidence to back up claims made in their original story.
from Technology News https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/