CISA HBOM Framework Doesn't Go Far Enough

The recently published hardware bill of materials (HBOM) framework from the Cybersecurity and Infrastructure Security Agency (CISA) is a much-needed step toward ensuring semiconductor chip security — but it doesn't go far enough.

The framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, which is critical for supply chain management and risk assessment. However, an HBOM must go beyond the manufacturing of semiconductor devices. It must track chips once they leave the factory, throughout their entire life cycle in the end products, in order to provide the robust security we need against emerging cyber threats.

We were reminded why this level of vigilance is important in August, when Google researcher Daniel Moghimi uncovered the Downfall vulnerability. Downfall, which affects a broad family of advanced microprocessors, can be exploited to allow attackers access to private data. But the initial chips impacted by the vulnerability were manufactured in 2015. It has been eight years since the first devices to include those semiconductors entered the market.

Even if CISA's HBOM framework had been in place back then, it would still be ineffective against Downfall because it doesn't track where and how those semiconductors are in use. That's why we need a more thorough HBOM framework, one with additional life cycle traceability, to shore up a chip's security posture once a new vulnerability is uncovered.

Existing Framework a Good Start

Despite its early shortcomings, CISA must be commended for introducing an HBOM framework, even if it calls it "voluntary and flexible." It's a meaningful action by the government to address security risks within the semiconductor supply chain.

The framework encourages businesses to detail their upstream sourcing, including a list of all suppliers and components. It also calls for traceability throughout the manufacturing process, and it outlines a consistent way to name all component attributes.

These are all worthwhile conditions because while a company may know what a chip is supposed to do, it often doesn't know how it has been designed. By spelling it out, CISA acknowledges the pivotal role that safeguarding the supply chain plays in ensuring chip security. This increased visibility is intended to marginalize high-risk vendors and minimize counterfeit or malicious parts from being introduced during production.

This framework follows another recent government effort to increase supply chain transparency — US President Joe Biden's May 2021 executive order that mandates software bills of materials (SBOMs) for federal vendors. An SBOM inventories all software components, versions, and vulnerabilities so organizations can quickly respond to security concerns as they arise. Pairing one with an HBOM would provide comprehensive, integrated, and complementary security tracking of the entire life cycle of electronic products from development to disposal.

But unlike the SBOM directive, the scope of CISA's HBOM framework conclusively ends when manufacturing is complete. There must be a record of where that chip ends up. By forgoing that same level of visibility after chips leave the factory, multiple security risks persist. We need an HBOM with an end-to-end view to help us act once we identify the Downfalls of the future.

Chips Remain Vulnerable for Years

As Downfall demonstrated, vulnerabilities may not surface until years after devices have gone to market because hardware components can have prolonged life spans and lack modern security protections. Whereas software can be patched, hardware vulnerabilities — unless they can be remediated by a firmware update — must be addressed through physical manipulation or other fixes that may reduce a device's performance or disable functionality altogether.

This is what makes a more comprehensive HBOM important. Organizations must be able to grasp which threats they face due to chip vulnerabilities, with complete visibility into the manufacturing and entire life cycle of the chip. Only the utmost transparency can provide the necessary intelligence for proactive monitoring and rapid response once flaws inevitably surface. Anything less is an unacceptable risk.