When we think about cyber threats, we often imagine a lone attacker sitting in a dark room, furiously typing as green text spreads across the screen in order to gain access to sensitive information or assume control of some system to which they would otherwise not have access. While this sort of threat does exist, we now see a much greater threat in the form of coordinated adversaries attempting to compromise the supply chains of our industries and governments. These adversaries exploit supply chain vulnerabilities to steal intellectual property, exploit software vulnerabilities, surveil and disrupt critical infrastructure, and engage in other malicious activity. To address these vulnerabilities, we need to recognize that within each phase of product lifecycles, from design, manufacture, and transport, to provisioning, utilization, and decommissioning, there are serious risks.
To effectively protect our infrastructure and devices throughout product lifecycles, we must also consider the components of these products and computing systems. In the hardware supply chain, we see a specific and growing set of threats that are much more difficult for any one organization to protect against. Taken together, supply chain threats now affect a broad range of industries and organizations, from critical infrastructure, military and defense, and financial services, to consumer electronics, education, and healthcare. Mitigating or eliminating these threats is the goal of Supply Chain Security.
Adversaries infiltrate trusted suppliers and vendors to target equipment, systems, and information used every day by industry, governments, and private citizens. To protect against these threats, it is vital that every actor in the chain has security at the top of their agenda. However, this is no easy task as no single entity has end-to-end control of the modern technology supply chain. This means it is imperative that all organizations (public and private, large and small) come together to ensure security and integrity. This highlights the need for industry standards and ecosystem participation to define, implement, and uphold security guidance.
TCG has been developing Information and Communications Technology (ICT) security standards that enable construction of trusted infrastructure. The Supply Chain Security Workgroup is developing solutions that bring together these TCG technologies to address supply chain security, and is exploring new ways to mitigate the risks presented by an increasingly global, complex, and disaggregated supply chain.