

NIST Interagency Report NIST IR 8532 ipd

# Workshop on Enhancing Security of Devices and Components Across the Supply Chain

Initial Public Draft

Sanjay (Jay) Rekhi D. Richard Kuhn Kim Schaffer Murugiah Souppaya A.J. Stein Noah Waller Nelson Hastings Michael Ogata William C. Barker

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8532.ipd



# NIST Interagency Report NIST IR 8532 ipd

# Workshop on Enhancing Security of Devices and Components Across the Supply Chain

**Initial Public Draft** 

Nelson Hastings Michael Ogata Applied Cybersecurity Division Information Technology Laboratory

> William C. Barker Dakota Consulting

Sanjay (Jay) Rekhi D. Richard Kuhn Kim Schaffer Murugiah Souppaya A.J. Stein Noah Waller Computer Security Division Information Technology Laboratory

> This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8532.ipd

> > August 2024



U.S. Department of Commerce *Gina M. Raimondo, Secretary* 

National Institute of Standards and Technology Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology Certain equipment, instruments, software, or materials, commercial or non-commercial, are identified in this paper in order to specify the experimental procedure adequately. Such identification does not imply recommendation or endorsement of any product or service by NIST, nor does it imply that the materials or equipment identified are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at <a href="https://csrc.nist.gov/publications">https://csrc.nist.gov/publications</a>.

#### **NIST Technical Series Policies**

Copyright, Use, and Licensing Statements NIST Technical Series Publication Identifier Syntax

#### **Publication History**

Approved by the NIST Editorial Review Board on YYYY-MM-DD [Will be added to final publication.]

#### How to Cite this NIST Technical Series Publication

Rekhi S, Kuhn DR, Schaffer K, Souppaya M, Stein AJ, Waller N, Hastings N, Ogata M, Barker WC (2024) Workshop on Enhancing Security of Devices and Components Across the Supply Chain. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency Report (IR) NIST IR 8532 ipd. https://doi.org/10.6028/NIST.IR.8532.ipd

#### Author ORCID iDs

William C. Barker: 0000-0002-4113-8861 Nelson Hastings: 0000-0003-2444-6413 D. Richard Kuhn: 0000-0003-0050-1596 Michael Ogata: 0000-0002-8457-2430 Sanjay (Jay) Rekhi: 0009-0008-8711-4030 Kim Schaffer: 0000-0003-3073-2395 Murugiah Souppaya: 0000-0002-8055-8527 A.J. Stein: 0000-0003-1092-2642 Noah Waller: 0000-0002-6979-9725

#### Public Comment Period

August 14, 2024 - September 16, 2024

#### Submit Comments

hwsec@nist.gov

National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930

#### Additional Information

Additional information about this publication is available at <u>https://csrc.nist.gov/pubs/ir/8532/ipd</u>, including related content, potential updates, and document history.

All comments are subject to release under the Freedom of Information Act (FOIA).

#### 1 Abstract

- 2 NIST hosted an in-person, all-day workshop on February 27, 2024, to discuss existing and
- 3 emerging cybersecurity threats and mitigation techniques for semiconductors throughout their
- 4 life cycle. The workshop obtained valuable feedback from industry, academia, and government
- 5 to inform NIST's development of cybersecurity and supply chain standards, guidance, and
- 6 recommended practices. The discussion focused on semiconductor development and
- 7 highlighted cybersecurity measurements and metrics that utilize reference data sets to
- 8 facilitate the testing, attestation, certification, verification, and validation of semiconductor
- 9 components. It also emphasized the use of automated cybersecurity tools and techniques to
- 10 secure manufacturing environments throughout the development life cycle. This report
- 11 summarizes the content that was presented and discussed at the workshop.

#### 12 Keywords

13 cybersecurity; hardware security; measurement; semiconductors; supply chain; vulnerabilities.

#### 14 Reports on Computer Systems Technology

- 15 The Information Technology Laboratory (ITL) at the National Institute of Standards and
- 16 Technology (NIST) promotes the U.S. economy and public welfare by providing technical
- 17 leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test
- 18 methods, reference data, proof of concept implementations, and technical analyses to advance
- 19 the development and productive use of information technology. ITL's responsibilities include
- 20 the development of management, administrative, technical, and physical standards and
- 21 guidelines for the cost-effective security and privacy of other than national security-related
- 22 information in federal information systems.

### 23 Table of Contents

| 24 | 1. Introduction1                      |
|----|---------------------------------------|
| 25 | 2. Workshop Sessions                  |
| 26 | 2.1. Hardware Development Life Cycle3 |
| 27 | 2.1.1. Speaker Viewpoints             |
| 28 | 2.1.2. Key Highlights4                |
| 29 | 2.2. Metrology                        |
| 30 | 2.2.1. Speaker Viewpoints5            |
| 31 | 2.2.2. Key Highlights6                |
| 32 | 2.3. Hardware/Silicon Testing         |
| 33 | 2.3.1. Speaker Viewpoints             |
| 34 | 2.3.2. Key Highlights8                |
| 35 | 2.4. Vulnerability Management9        |
| 36 | 2.4.1. Speaker Viewpoints9            |
| 37 | 2.4.2. Key Highlights11               |
| 38 | 2.5. Standards11                      |
| 39 | 2.5.1. Speaker Viewpoints11           |
| 40 | 2.5.2. Key Highlights13               |
| 41 | 2.6. Closing Remarks14                |
| 42 | 3. Summary and Road Ahead15           |
| 43 | Appendix A. Workshop Agenda16         |

# 44 List of Figures

| 45 | Fig. 1. Components for securing microelectronics1 |
|----|---------------------------------------------------|
| 46 | Fig. 2. Distribution of workshop participants2    |
| 17 |                                                   |

47

#### 48 **1. Introduction**

- 49 Semiconductor-based hardware is the foundation of modern-day electronics from
- 50 smartphones, computers, and telecommunications to transportation and critical infrastructure.
- 51 The semiconductor hardware supply chain is a complex network of companies that collectively
- 52 provide intellectual property, designs, and raw materials and manufacture, test, package, and
- 53 distribute products. Coordination among components of a supply chain is required at different
- 54 stages, including inception, deployment to end users, maintenance during use, and disposal or
- 55 end-of-life. Securing semiconductor-based hardware and their supply chains helps protect
- 56 sensitive information, maintain the integrity of systems, and ensure overall stability across the
- 57 infrastructure and connected world.
- 58 Securing semiconductors involves the security of the component being built as well as the
- 59 design, development, manufacturing, and distribution environments. Figure 1 illustrates the
- 60 components of achieving robust semiconductor security.



# 61

62

Fig. 1. Components for securing microelectronics

- 63 These activities range from physical protection mechanisms (e.g., tamper-resistant packaging)
- to strong encryption protocols to safeguard data. Secure boot processes ensure that only
- 65 verified firmware runs, and maintaining supply chain integrity through verification and audits
- 66 prevents counterfeit components. Life cycle management includes secure provisioning,
- 67 updates, and end-of-life processes that are complemented by rigorous security testing and
- 68 compliance with regulatory standards. Educating users on secure practices and continuously
- 69 improving security measures further fortifies defenses against evolving threats and ensures that
- 70 semiconductor devices operate securely throughout their life cycle.
- 71 The National Strategy on Microelectronics Research has emphasized the prioritization of
- 72 hardware integrity and security. In response, NIST convened its inaugural workshop,
- 73 "Enhancing Security of Devices and Components Across the Supply Chain"<sup>1</sup> on February 27,
- 74 2024, at the National Cybersecurity Center of Excellence (NCCoE) facility. At this workshop,

<sup>&</sup>lt;sup>1</sup> See <u>https://csrc.nist.gov/Events/2024/enhancing-security-of-devices-and-components</u>.

- 75 government, academia, and industry experts gathered to collaborate on research efforts, drive
- 76 innovation, and establish standards, guidance, and practical implementations in a rapidly
- 77 evolving landscape. The workshop was primarily an in-person event with a few remote speakers
- and participants. In total, there were 98 participants, with 79 participants almost evenly
- 79 distributed from government and industry. The remaining 19 attendees were from academia
- 80 and standards development organizations (SDOs). Figure 2 shows the distribution of
- 81 participants.



82 83

Fig. 2. Distribution of workshop participants

#### 84 **2. Workshop Sessions**

#### 85 2.1. Hardware Development Life Cycle

86 Semiconductor and integrated circuit (IC) development is complex, non-linear, and varies from

- one manufacturer to another. The specialization of technologies required to design modern-day
   hardware has democratized the life cycle across national boundaries. This panel discussion
- 89 focused on open security concerns that face the hardware development life cycle.
- by focused on open security concerns that face the naruware development in

#### 90 2.1.1. Speaker Viewpoints

- 91 The panel opened with Jonathan Ring, Deputy Assistant National Cyber Director for Technology
- 92 Security from the <u>Office of the National Cyber Director (ONCD</u>). Jonathan reflected that ONCD's
- 93 <u>National Cybersecurity Strategy</u> recognizes the importance of improving the cybersecurity of
- 94 the Nation's critical infrastructure, which includes restoring the production of critical goods to
- 95 the United States (US) as well as improving cybersecurity in the semiconductor/IC supply chain.
- Jonathan highlighted past achievements of the Biden-Harris Administration that overlap with
   cybersecurity in the hardware development life cycle, including:
- The notion of shifting the balance of security to those best suited to bear it, as
   represented in the Cybersecurity & Infrastructure Security Agency's (CISA) Secure by
   Design initiative
- The <u>NIST CHIPS R&D Metrology Program</u>, which outlines gaps in the semiconductor
   ecosystem
- Ongoing work through the Subcommittee for Microelectronics Leadership
- The focus on eliminating entire classes of vulnerabilities in software in their report, <u>Back</u>
   to the Building Blocks: A Path Toward Secure and Measurable Software
- 106 Furthermore, Jonathan stressed the importance and continued need for public-private
- 107 partnerships, like the Semiconductor Research Corporation and the Semiconductor Industry
- 108 Association. He also stressed the need for continued conversations concerning advanced
- 109 metrology for supply chain trust and assurance, guidelines for security analytics and
- 110 automation, vulnerability management across all product life cycles, and the use of machine
- 111 learning in chip design and manufacturing.
- 112 The second speaker for the panel was Adam Golodner, advisor to the Semiconductor Industry
- 113 Association. Adam spoke about the importance of leveraging and adapting NIST resources, like
- the Cybersecurity Framework (CSF). Adam highlighted four key reasons why a framework for
- 115 hardware security and supply chain that is similar to the CSF would be useful to the
- 116 semiconductor industry:
- Frameworks like the CSF enable thoughtful, flexible, and configurable approaches to
   security and allow enterprises to adopt the processes and maturity level that best move
   security forward for them.

- A hardware security and supply chain framework can benefit from the recognition and adoption that the CSF has already earned.
- The CSF and NIST have global reach and acceptance. Similarly, establishing an
   internationally recognized set of best practices will enhance security and innovation in a
   global hardware and supply chain environment.
- 125 4. NIST has the pedigree for getting security "right."
- Furthermore, Adam reflected that while security is core to many company brands, quantifyingits return on investment is a C-suite and Board of Directors issue.
- 128 The last panel member was Matthew Areno, Senior Principal Engineer for Intel Corporation.
- 129 Matthew admitted that there is no industry standard to describe the phases of the supply chain
- 130 for ICs. However, his expertise and history with the industry have enabled him to develop his
- 131 own conceptual model that is divided into seven stages: concept, development, integration,
- 132 manufacturing, test, provisioning, and deployment. During his time at Intel, Matthew has
- 133 worked to develop a threat model for Intel's supply chain. Intel discovered that each of their
- 134 teams approached the exercise of threat modeling in different ways, which made it difficult and
- time-consuming for them to exchange information. As a result, Intel has been developing and
- 136 deploying a unified Threat Modeling Tool that utilizes vulnerability resources like <u>MITRE</u>
- 137 <u>Common Weakness Enumeration (CWE)</u> to automatically make design-based suggestions on
- potential vulnerabilities and mitigations. The tool also forms a closed loop that incorporates
- 139 knowledge learned from Intel's own design processes.
- 140 Matthew also described Intel's Transparent Supply Chain Initiative, whose goal is to provide
- 141 customers with provenance and integrity data for various components during the supply chain
- 142 process. He highlighted Project Amber Intel's Trust Authority for validating execution
- 143 environments.

#### 144 2.1.2. Key Highlights

- The following key points were identified during the speakers' presentations and the Q&Aportion:
- There is a definite need for continued public/private partnerships.
- There is a need for more standards around how the supply chain process is structured.
- There is a need for more standardized methods for threat modeling.
- Quantifying the return on investment for security in the supply chain is still difficult,
   making it challenging for those who observe deficiencies to justify addressing them to
   higher-level management. Possible avenues of advancement include:
- 153 Developing more standardized security metrics
- 154 Ocontinuing to leverage and develop CSF-style resources to better communicate
   155 risk
- 156 Framing security as a service that can be used as a revenue stream

There is a tension between hardware security and software security due to the vastly
 different cost in remediating vulnerabilities at the hardware level.

#### 159 2.2. Metrology

- 160 This panel focused on open issues and concerns related to security metrology and metrics (e.g.,
- 161 metrics for design-for-trust techniques, metrology for the holistic assessment of power side-
- 162 channel leakage across the development life cycle, metrology for analog signal security) for
- 163 semiconductors and ICs throughout the hardware development life cycle.

#### 164 **2.2.1. Speaker Viewpoints**

- 165 This session began with Lok Yan from DARPA's Microsystems Technology Office (MTO), whose
- 166 portfolio includes the Automatic Implementation of Secure Silicon (AISS) program. Lok provided
- 167 a high-level overview of why the semiconductor community needs to recognize security
- 168 metrics. Meaningful metrics require assets, use cases, and threats to be clearly identified within
- 169 the context of a threat model. The value of assets, associated potential threats, and the
- 170 consequence of an asset's compromise must be quantifiable to support the design decision-
- 171 making process.
- 172 Understanding and identifying a minimum acceptable security baseline within the context of a
- 173 particular use case would help bring various security metrics together. Due to the continuously
- evolving threat space, Lok emphasized that establishing an initial set of metrics and an
- associated minimum security baseline is not a one-time process. Rather, they must be
- 176 continuously measured, monitored, and updated as assets, threats, vulnerabilities, and use
- 177 cases evolve over time. Finally, security metrics could support decisions related to the threat
- 178 and vulnerability space versus the time to test or implement countermeasures. More time must
- be allocated to implement and test countermeasures that address the most important threats
- 180 and vulnerabilities for a particular use case.
- 181 Jason Oberg, Cycuity CTO and co-founder, described how metrics can be used in the hardware
- 182 security space based on his organization's experience. Since different metrics are relevant to
- 183 different people within an organization (e.g., metrics that work for a designer or tester may not
- 184 translate to executives), there need to be different tiers of metrics based on the audience or
- user. For example, the CWE structure could be used to define security requirements that lead
- 186 to associated security metrics. Jason noted that CWEs for hardware are relatively new, starting
- around 2020, compared to CWEs' long track record for software, which started around 2006.
- 188 Since CWEs point out common root cause weaknesses that lead to vulnerabilities, they foster a
- 189 more proactive approach by allowing security issues to be discovered and mitigated earlier in
- 190 the hardware development life cycle, thus lowering the financial impact. Having good metrics
- 191 that can be used to inform design and business decisions would be helpful to the
- 192 semiconductor community.
- 193 Finally, Mark Tehranipoor from the University of Florida emphasized the importance of thinking
- about security and associated metrics in the early stages of the hardware development life
- 195 cycle. Specifically, this involves conducting a security and risk assessment and developing a

- 196 security architecture during the specification and planning phases. The dynamic nature of the IC
- 197 development process may impact the metrics that need to be developed, and a security metric
- 198 that is suitable for the register-transfer level (RTL) may not be appropriate or work at the gate
- 199 or physical level. He noted that time-to-market constraints still run on an approximately six- to
- 200 nine-month cycle, but complexity has increased, leading to the need for automation in security,
- reliability, and testing. This increased complexity also increases the number of assets to protect
- and the number of potential vulnerabilities to mitigate. Regardless of what security techniques
   and associated security metrics are used early in the development life cycle (i.e., pre-silicon),
- verification is still needed during the physical layout and post-silicon stages. Finally, he
- identified the need for the continued development of security solutions at the material,
- 206 physical, and device levels of semiconductors.

#### 207 2.2.2. Key Highlights

- The following key points were identified during the speakers' presentations and the Q&Aportion:
- For security metrics to be meaningful, they need to be provided in the context of threat
   models, use cases, and vulnerable assets.
- Security metrics will need to be tailored based on where they are in the development
   life cycle (e.g., functional versus physical design stages) and to whom they are
   communicated (e.g., design engineer versus executive).
- Security must be on par with other design constraints (e.g., area, power, performance, and reliability), so having a community agreed-upon minimum security baseline might be a good first step.
- There is benefit in enhancing design tools to support security techniques and practices
   via automation.
- There is an opportunity to investigate the potential application of software-based
   security techniques and practices within the hardware domain.

#### 222 2.3. Hardware/Silicon Testing

Speakers from Synopsys, PQShield, and the University of Maryland shared their expertise andvision of where the industry and technology are headed.

## 225 2.3.1. Speaker Viewpoints

- 226 Mike Borza from Synopsys presented "Security Verification of SoC Hardware," an overview of
- the current status, new developments, and likely future progress in ensuring security for
- 228 system-on-chip (SoC) designs. Security has begun to drive the design requirements of SoCs,
- 229 which has resulted in tool vendors adding features for strong verification. Interoperability
- 230 needs are also driving work on standards, such as IEEE P3164, Security Annotation for Electronic
- 231 Design Interchange. Additionally, security requirements now feed into every aspect of the

- architectural specification of a new chip and subsequent RTL design and analysis. Designs must
- include features such as secure boot, secure memory and interfaces, and hardware
- countermeasures to meet the goals of avoiding vulnerabilities. Static and dynamic verification
- approaches involve concentrating on formal methods early in the design process, which is then
- 236 followed by simulation and testing that meet stringent coverage criteria. Mike also described
- tool support for all aspects of a security-focused verification platform, including the regular
- 238 functional verification of security functions, checking on-chip data propagation to secure data
- at rest or in motion, and investigating possible tampering or intrusion.
- 240 It is anticipated that tool support will be improved to guarantee high levels of coverage with an
- improved ability to reason about the physical realizations of designs rather than only abstract
- 242 descriptions. These improvements will be enhanced by developing standards to describe and
- communicate security information on designs and may eventually benefit from artificial
  intelligence/machine learning systems that incorporate knowledge of threats and potential
- 245 weaknesses.
- 246 Niels Samwel of PQShield described his company's work on "Automation for Side-Channel and
- 247 Security Testing of Hardware IP." Cybersecurity testing services provided by PQShield include
- side-channel testing and quality assurance of hardware designs. Side-channel tests can be
- conducted according to Federal Information Processing Standard (FIPS) 140-3 guidelines for
- cryptographic hardware and using Common Criteria recommendations. Using FIPS 140-3, it is
- 251 possible to provide remote operation with a sufficient quantity of tests to allow for statistically
- valid pass-fail results. Common Criteria side-channel testing capabilities are included to
- estimate the number of traces required for key recovery. These test methods also make it
- possible to target specific vulnerabilities and attack types, including template attacks, key
- recovery attacks, and both correlation power analysis and differential power analysis.
- Product quality testing services are offered for multiple phases of hardware and software
   product development. For digital circuit design, linting and automated field-programmable gate
   array (FPGA) functional testing and design implementation evaluations are provided with
   verification phase capabilities that include constrained random verification, coverage measures,
   and bounded model checking. Software assurance capabilities include static analysis and the
- automated testing of implementations. Verification phase processes include unit, integration,
- and system-level tests that also measure test coverage.
- PQShield has integrated these testing services to develop a three-level scale for security that istied to the levels defined in FIPS 140-3 and the Common Criteria:
- The Cloud Level of the PQShield scale targets safety against fuzzing and remote attacks
   and corresponds to FIPS 140-3 Level 1 or CC EAL1 and AVA\_VAN.1.
- The Edge Level of PQShield evaluates safety against "push button" physical attacks and
   corresponds to FIPS 140-3 software Level 2 and hardware Level 3 or CC EAL2 to 3 and
   AVA\_VAN.2.
- The Government Level is the highest level of the PQShield scale for safety against expert
   labs and corresponds to FIPS 140-3 software Level 2 and hardware Level 4 or CC EAL4+
   to 7 and AVA\_VAN.5.

- 273 The security-level scale and associated tests are intended to allow organizations to select
- 274 cybersecurity evaluations according to their risk management needs.
- 275 Ankur Srivastava of the University of Maryland (UMD) College Park presented research on
- 276 "Verification and Validation for Hardware Security Constructs," which focuses on design
- 277 obfuscation and trojan detection and mitigation measures. The need for design obfuscation
- arises from current practices in which a fabless IC designer outsources production of the chip to
- an offshore foundry. The potential risk of outsourced intellectual property piracy or
- 280 counterfeiting affects both defense and industry customers, as well as the company that
- created the design. Logic locking obfuscation techniques have been developed to mitigate
- these risks, but sound measures of resistance to attack are also needed. The most researched
- scenario for evaluating obfuscation resistance is the case in which an attacker has a working
- chip that enables them to infer a design from input-output pairs or sophisticated imaging.
- There is less research for cases in which attackers do not have information on the design or
- have only a library of similar designs. Researchers have developed an extensive set of
- techniques to identify potential weaknesses to zero-knowledge or partial prior knowledge ofdesigns.
- 289 Hardware trojans are another source of concern in hardware security. The potential exists for a
- 290 malicious function to be included in a chip and triggered later by an attacker who knows the key
- 291 that can be included in inputs. UMD researchers are investigating vulnerability and detectability
- analysis for trojan mitigation schemes. This work includes statistical analysis to determine
- 293 trojan triggers and a large study evaluating the trade-offs between the likelihood of detection
- and the rarity/complexity of the trojan trigger using measures such as trigger length or the size
- of a finite state machine space that must be traversed to initiate the malicious function. This is
- accomplished by stress testing a spectrum of trojan types that are implemented for evaluation
- 297 purposes. The area, power, and performance overheads of trojans must be evaluated because
- of the limits on detecting trojans by testing. Ankur emphasized the value of a strategic, layered
- approach to vulnerability analysis and the need for sound mathematical models (e.g., those
   separating trojans from bugs) to consider an attacker's different levels of access, knowledge,
- 301 and control. UMD is also developing sound metrics for hardware security constructs and
- 302 security strategies for heterogeneous integration.

# 303 2.3.2. Key Highlights

- The session speakers identified several needs and near-term expectations. A common theme
   was the need for an integrated approach to hardware security that includes advanced
   capabilities for all aspects of the problem. In particular, the industry should be focusing on:
- Better tool support to ensure more complete design coverage. Tool advances should
- also include formal approaches to reason about the physical realizations of designs
   beyond the current formal methods that focus on abstract representations and
- 310 hardware description languages (HDLs).

- More standardized interoperability of tools and input/output. Currently, semiconductor
   companies tend to have their own collections of specialized tools, which makes it
   difficult to share information with others in the industry.
- Improved data collection and understanding of vulnerabilities. This will allow for better
   risk management that aligns organizational risk tolerance with appropriate levels of
   analysis and testing. FIPS 140-3 and the Common Criteria are useful for analyzing test
   and assurance approaches for deterring particular attack classes and vulnerabilities.
- Better design obfuscation techniques, as well as vulnerability and detectability analysis
   of malicious insertions in fabricated designs. Among the most significant risks in today's
   offshoring environment are the loss of intellectual property and the potential for
   adversaries to compromise chips with hardware trojans. Given the limitations of
   detecting such vulnerabilities through testing alone, hardware analyses that include
   power and performance overheads are essential for identifying trojans and other chip
   malware.

#### 325 2.4. Vulnerability Management

- 326 Hardware vulnerability management shares similar challenges with well-established software
- 327 vulnerability management practices and also faces its own unique challenges. The panel
- discussion presented three perspectives around this theme: Qualcomm's present-day
- 329 experience performing vulnerability management at scale, a Battelle researcher's futurist view
- of defending and attacking hardware with generative AI techniques, and NIST's view on the
- 331 past and present of bug classification as it applies to hardware.

#### 332 2.4.1. Speaker Viewpoints

- 333 Dan O'Loughlin described how the security work of the architecture, engineering, and
- evaluation teams for Qualcomm's SoC portfolio drives their vulnerability management program.
- As he noted, Qualcomm suggested doing this at scale, thinking holistically about security and
- 336 vulnerability management. Vulnerability management is an integral part of Qualcomm's overall
- 337 security assurance process, for which they suggested maximizing the best outcome for planned
- investment. Dan recommended the categorization of the root causes for vulnerabilities
- throughout the life cycle (e.g., pre- and post-silicon) and how to feed back into ongoing
- investments and operations. The most common cause is process compliance failures, while the
- 341 second most common is specification traceability gaps. Therefore, their automation has
- 342 focused on addressing these causes.
- 343 Qualcomm suggested focusing on countermeasures for missing threat assessments, which is an
- 344 important root cause. Dan's team has made additional efforts in generating and maintaining
- automated threat models with the help of machine-readable data formats, such as SysML. This
- focus on the threat model, test plan, and supporting automation allows them to scale
- 347 important security checks throughout the life cycle with available staff. It is important to match
- 348 threat assessment and automated testing with vulnerability detection and analysis early in the

- 349 life cycle. Qualcomm recommended investing heavily in this detection with fault injection, side-
- 350 channel, and other techniques for pre-silicon testing. As Dan explained, this shift-left strategy is
- 351 especially important for their products to detect and prevent vulnerabilities as early as possible
- before final certification and release to market. With all of this internal security evaluation and
- validation, Dan and his team have measured vulnerabilities and countermeasures over multiple
- 354 generations of SoCs to confirm that the severity of findings is trending down over time.
- However, publicly disclosing more detailed data is a different matter. Dan has been closely
- 356 following regulatory changes for responsible disclosure in the software industry, but hardware
- 357 vulnerability disclosure is fundamentally different. In his view, regulators and manufacturers
- 358 have very different incentives, so partnership and further discussion will be required.
- 359 Next, Jeremy Bellay talked about Battelle's research regarding the impact of context on proper
- 360 vulnerability management. Vulnerability categorization, like CWE, provides valuable
- 361 foundational context. However, higher-level, human-friendly context is still resource-intensive
- to produce and error-prone. One such example is the reachability analysis how accessible a
- target system with a given vulnerability is to an attacker. Another example is attack chain
- 364 design, where each vulnerability disclosure provides attackers more opportunities to combine
- 365 multiple vulnerabilities to fully exploit a system.
- 366 In the past, it has been difficult to organize data for higher-level contextual information using
- 367 datasets and standards from NIST, MITRE, and others. However, Jeremy's team has recently
- 368 utilized generative AI tooling to obtain this higher-level context without the additional
- 369 resources needed for conventional methods. For him, the emergence of AI tools has moved the
- industry from the "age of context" to, as he terms it, the "age of interface." With this
- perspective and tools at hand, Bellay presented his success with advanced generative AI to
- augment the development of attack chains with vulnerability information. This approach shows
- 373 promise, yet it is not devoid of risks. Jeremy presented examples of using generative AI systems
- with prompts defining strict policies that tools violated, despite being given the needed
- 375 context. Nonetheless, he is confident that they will improve in this age of interface and enable
- 376 new capabilities for attacker and defender alike.
- 377 Finally, Peter Mell presented his research on the software, hardware, and trends for
- 378 vulnerability management in the past, present, and future. Historically, claims of unbreakable
- 379 secure software were met with skepticism, while hardware was perceived to be the immutable
- root of trust. This perception persisted, even though hardware is designed and programmable
- 381 with software. As Peter put it, in some sense, "hardware is software."
- 382 To effectively compare and contrast hardware and software, more data is needed for hardware
- 383 vulnerability research. Peter compared the public infrastructure for software (e.g., CVE, NVD,
- 384 CVSS, EPSS, KEV, CWE) to the current hardware vulnerability landscape. For the categorization
- of vulnerability types (CWE), less than half have been observed with confirmed hardware bugs,
- 386 with little overlap in categories between hardware and software bugs. Additionally, Peter
- 387 pointed out that he found little public evidence of hardware bugs, as opposed to thousands a
- 388 year for software. He concedes that there are still some differences between hardware,
- 389 software, and their vulnerabilities. Nonetheless, the paucity of data demonstrates room for
- improvement and a challenge to the hardware industry as it matures vulnerability management

- 391 practices. This research did not uncover any obstacle to utilizing public software vulnerability
- 392 infrastructure for hardware vulnerability management, and he welcomes work in this area.
- 393 At the end of the panel, attendees asked questions about the tools and processes that aid in
- traceability and security. Dan described a variety of tools for security and traceability
- 395 management in existing projects and greenfield projects. He repeated his praise for model-
- based systems engineering and tools. Jeremy agreed that those tools were helpful. There were
- also questions regarding the presenters' views and techniques for resourcing the experts and
- 398 funding needed for outcome-focused vulnerability management. Dan explained that Qualcomm
- 399 prefers actuarial methods. Peter and Jeremy emphasized the importance of methods for
- 400 higher-level context and how to encourage more research in that area to support outcome-
- 401 focused vulnerability management.

### 402 2.4.2. Key Highlights

- The following are some key takeaways for future work based on the presentations, feedback,and questions from the audience:
- Hardware vulnerability management could leverage public software vulnerability
   infrastructure, but more dialogue is needed to understand how to use it to meet
   hardware vendors' needs.
- 408 Automation-friendly traceability techniques are necessary to scale the prevention and
   409 detection of vulnerabilities.
- Model-based systems engineering tools, techniques, and standards are in use, but it still
   needs to be determined how to measurably expand their use and incentivize industry.
- 412 More comprehensive vulnerability data is needed to improve the taxonomies of
   413 hardware bugs that are understood and to predict those that are not.

#### 414 **2.5. Standards**

This session explored various aspects of hardware security standards related to semiconductormanufacturing.

#### 417 **2.5.1. Speaker Viewpoints**

- 418 Jeremy Muldavin represented the SAE G-32 committee and was the first presenter. He began
- 419 by pointing out that while there are incentives for CHIPS fabricators to build in the US, there is
- 420 currently very little market preference for an assured supply. If not corrected, the market will
- 421 revert to focusing on buying cheaply, which will lead to a loss of investment. By creating
- 422 standards that integrate assurance through traceability and provenance into systems
- 423 engineering, the market can understand, measure, and adapt to the demand for a long-term
- 424 assured supply. Jeremy stated that when the US promoted "Buy US, Build US," European
- 425 customers were interested in a US supply chain, but when there appeared to be no teeth
- 426 behind it, interest was lost.

- 427 With the amount of R&D invested in the National Semiconductor Technology Center (NSTC) and
- similar efforts, value must be added through assurance, or else cheaper products will take over
- the market again. Without knowing how to build programs that are directly tied to
- 430 semiconductor manufacturing and show measurable assurance, research investments are being
- 431 wasted. Agreed-upon measurable assurance requires believable standards that illuminate
- 432 supply chains, identify market risks, create a basis for monetizing supply and security, and
- measure the impacts of assured supply. They also need to identify methods for immutable
   physical traceability, validate roots of trust, and identify ways to develop consumer-level
- 434 physical traceability, validate roots of trust, and identify ways to develop consumer-level
- traceability tools. The assurance is needed early, when the chips are inexpensive. The payoff isat the product and services end, where the applications have a far greater revenue stream.
- 437 Semiconductor manufacturing harvests a significant amount of data. Jeremy stated that Global
- 438 Foundries accumulated about 12 terabytes of data per day. There must be an analytic
- 439 environment to take advantage of that data through an "observe, orient, decide, and act"
- 440 (OODA) loop to develop assurance and awareness capabilities (e.g., supply chain and digital
- twins capabilities) and support the stress testing of manufacturing supply disruptions in a way
- similar to the 2008 financial crisis bank stress testing. This would enable the transition from a
- trust framework of people watching people make assessments to using digital twins to model
- sensors and data to monitor the supply chain in a manner that creates value by establishing
- 445 provenance and traceability.
- 446 Andrew Seward introduced the Semiconductor Manufacturing Cybersecurity Consortium
- 447 (SMCC) efforts that Semiconductor Equipment and Materials International (SEMI) is
- 448 implementing. SEMI is an international organization that has focused on the semiconductor
- industry since 1970 and provides global advocacy and technical leadership. It currently meets
- 450 the cybersecurity needs of the industry, from material and equipment suppliers to end users. In
- 451 November 2023, the SMCC and NIST met to identify key areas and seek volunteers for both
- internal leadership and action. Those attending the meeting made a good representation of all
- 453 semiconductor-related industries. Starting with about 40 in-person and almost 70 online
- 454 attendees, the volunteers from that group have grown to about 50+ since January 2024 and
- 455 have support from several CSOs from major organizations.
- 456 Jennifer Lynn continued the SEMI presentation and stated that the SMCC is gaining momentum.
- 457 The two days of whiteboard sessions at the November 2023 meeting established seven working
- 458 groups: 1) factory cybersecurity implementation, 2) compliance readiness, 3) supply chain
- 459 cybersecurity, 4) regulation and other specs, 5) threat sharing, 6) cybersecurity pre-standards
- 460 engineering, and 7) outreach. Jennifer is leading working group 4, which will co-author the
- industry profile to map SEMI requirements to CSF 2.0. Anyone who wishes to aid in these
- 462 efforts is encouraged to email <u>cybersecurity@semi.org</u> to talk to the working group leads and
- discuss how you might help. This work will establish the requirements for moving forward as
- 464 well as how the existing structure can be protected for the rest of its lifetime.
- 465 The SAE G-32 is working on integrating cybersecurity assurance into a CPS systems engineering
- 466 and product-focused process. The SEMI SMCC will transition the design and manufacturing
- 467 floor to one that incorporates auditable cybersecurity.

- 468 A comment from the audience suggested that the SEMI standards for traceability at the wafer
- level and IPC's standards on traceability for manufacturing are a good basis for forming a liaison
- 470 activity between SEMI, IPC, and SAE. NIST and other SDOs (e.g., IEEE) and entities (e.g., IT-ISAC)
- 471 could benefit from coordinating and participating in such efforts.
- 472 Another comment asked whether NIST would consider leading the effort to assess the
- approximately 300 related standards that already exist, potentially by employing graph
- analytics and other AI searching, learning, and parsing tools. It was agreed that a unified view of
- 475 cybersecurity standards would help many entities better understand what is available for use
- and what is needed, especially with the participation of the semiconductor-related corporations
- 477 that are working with the CHIPS program.
- 478 This opened related discussions on the use of cybersecurity standards, such as how one decides
- which standards to apply based on a product or organization. A comment was also made about
- 480 approaching the C-suite for a semiconductor business, which appears to be more interested in
- 481 a semiconductor-focused cybersecurity standard than a generic cybersecurity standard.
- 482 Another comment noted that creating a new standard for cybersecurity should leverage work
- that has been done in other areas, such as automotive or health care, and confirm applicability
- rather than "reinventing the wheel." In addition, requirements in standards need to be
- 485 measurable. This can be difficult, as requirements are often created separately from the
- 486 compliance aspect, and finding the right balance can be challenging.
- 487 A related comment focused on harmonizing the measurements in standards into a common or
- related set of metrics. In the future, it will be desirable to tailor requirements by referencing
- applicable parts of standards. The customer will need to assess their demand and available
- supply in order to verify the level of assurance required for products and services to meet their
- 491 needs.

## 492 2.5.2. Key Highlights

- 493 While IT standards have continued to mature, awareness of the need for hardware standards
- 494 and the importance of supply chain assurance, manufacturing policies, and resilience has only
- 495 begun to grow. Cost cannot be the only consideration for semiconductor manufacturing;
- 496 security and assurance value propositions and end user demand must be considered as well.
- 497 In the wider scope of current international supply chains, the integration of security and
- 498 assurance measures is primarily relegated to larger manufacturers. Additional measures need
- to be uniformly integrated for both semiconductor manufacturers and their suppliers, from
- 500 sophisticated equipment to raw materials. SEMI International has initiated an effort to gather
- all manufacturers and security and assurance experts to develop a set of standards that can be
- 502 integrated into all businesses across the supply chain, with verification being a major
- 503 component. This effort will reference existing IT and other non-semiconductor industry
- 504 standards and work with other SDOs when such standards do not exist.

#### 505 **2.6. Closing Remarks**

506 Serge Leef, the Secure Microelectronics Design, Implementation, and Fabrication Enablement

Lead at Microsoft Azure, provided closing remarks. In "Challenges and Opportunities in
 Commercializing Security Research," he addressed market barriers for hardware security

509 products and provided an overview of the market segments:

- Huge/large organizations for whom hardware security is a critical need and that have
   large teams of experts who develop appropriate solutions to address their needs across
   multiple high-value, large-scale products
- 513 2. Mid-size semiconductor and system companies that understand the need but lack the 514 expertise and do not see the economic value of doing things differently
- 5153. Defense contractors who have pockets of expertise that craft appropriate solutions to516meet requirements to which they are contractually obligated
- 517 4. System integrators who are always rushed to get products to market and lack expertise 518 to build in security and address it after deployment through patching and other means
- 519 Serge further stated that security automation will help 1) address the expertise gap of the mid-520 size and defense contractors and also 2) reduce overall cost and effort across all segments.
- 521 Following that, Serge provided an attack surface reference model for SoC/application-specific
- 522 integrated circuits (ASICs) that examined the overall threat space for software, hardware, and
- 523 software-hardware interfaces. He noted that security is difficult due to the lack of appropriate
- 524 standards and a connected ecosystem, which leads to a lack of urgency and essentials. He
- 525 contrasted this business problem to selling medicine: "Security is like selling vitamins much
- 526 harder than selling something like heart medication. It's largely dependent on fear (liability)
- 527 versus greed (area, speed, power). Not a good space to be in." He offered a solution to infuse
- 528 appropriate standards and regulations to tilt the equation and provided a technically
- 529 implementable solution by means of his vision. He further elaborated by examining the digital
- 530 broadcasting market ecosystem and drawing parallels to the semiconductor market space.
- 531 Serge concluded by stating, "A supply chain trusted ecosystem alliance is essential for security."

#### 532 **3. Summary and Road Ahead**

- 533 The workshop convened a diverse array of knowledgeable individuals in the field who each 534 brought unique expertise and insights. Through collaborative discussions and presentations, 535 these experts offered valuable perspectives and in-depth analyses on the subject matter. Their 536 contributions not only enriched the dialogue but also provided a comprehensive understanding 537 of the topic from various angles.
- Representatives from semiconductor companies discussed the proactive measures being taken to bolster security and instill trust within the industry. Deliberations centered on current insights, existing challenges, and the advancements sought by stakeholders.
- Academic scholars discussed emerging threats and their ongoing research endeavors
   within academic institutions. Their discourse shed light on the evolving landscape of
   potential vulnerabilities and efforts to address them.
- 5453. SDOs described their efforts dedicated to formulate robust standards that elevate546security, traceability, and reliability across various sectors.
- 547
   4. The government underscored its commitment to foster a conducive environment that
   548 effectively mitigates risks and to enact policies that recalibrate the risk equilibrium.
- 549 In consultation with relevant experts and SMEs, NIST has identified the following next steps:
- Security for Semiconductors
- 551 O Strengthen semiconductor manufacturing through the development and
   adoption of a *NIST CSF 2.0 Community Profile for Semiconductor Manufacturing* with the community (e.g., SEMI, SIA, government, academia).
- In collaboration with the community, investigate and leverage existing standards and best practices to develop a *Secure Life Cycle Framework for Semiconductors* across the supply chain, including a strategy, roadmap, appropriate
   recommendations that focus on semiconductor supply chain traceability and provenance, and the adaptation of current software vulnerability and patch management practices for semiconductors.
- Metrology Research and formulate practical *cybersecurity measurements and metrics for semiconductors* to continuously inform the verification and testing of
   countermeasures throughout the life cycle.
- 563 NIST is also investigating engagement mechanisms that leverage existing NIST and industry 564 standards, guidelines, resources, and expertise to cultivate trust in semiconductors, such as 565 public working sessions and a consortium to advance these initiatives in collaboration with 566 industry and SDOs.

# 567 Appendix A. Workshop Agenda

| Introduction and                | Overview                                                                                                                                                                        |  |  |  |
|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|
| 9:00 – 9:25 ET                  | Sanjay Rekhi – NIST<br><u>Kevin Stine – NIST</u>                                                                                                                                |  |  |  |
| Hardware Development Life Cycle |                                                                                                                                                                                 |  |  |  |
| 9:30 – 10:30 ET                 | Jonathan Ring – Office of the National Cyber Director<br>Adam Golodner – Advisor to the Semiconductor Industry Association<br><u>Matt Areno – Intel</u><br>Michael Ogata – NIST |  |  |  |
| 10:30 – 10:45 ET                | Break                                                                                                                                                                           |  |  |  |
| Metrology                       |                                                                                                                                                                                 |  |  |  |
| 10:45 – 11:45 ET                | <u>Lok Yan – DARPA</u><br><u>Mark Tehranipoor – University of Florida</u><br>Jason Oberg – Cycuity, Inc.<br>Nelson Hastings – NIST                                              |  |  |  |
| 11:45 – 12:45 ET                | Lunch                                                                                                                                                                           |  |  |  |
| Hardware/Silicon                | Testing                                                                                                                                                                         |  |  |  |
| 12:45 – 13:45 ET                | <u>Mike Borza – Synopsys</u><br><u>Niels Samwel – PQShield</u><br><u>Ankur Srivastava – University of Maryland</u><br>Rick Kuhn – NIST                                          |  |  |  |
| Vulnerability Man               | agement                                                                                                                                                                         |  |  |  |
| 13:45 – 14:45 ET                | Dan O'Loughlin – Qualcomm<br>Jeremy Bellay – Battelle<br><u>Peter Mell – NIST</u><br>A.J. Stein – NIST                                                                          |  |  |  |
| 14:45 – 15:00 ET                | Break                                                                                                                                                                           |  |  |  |
| Standards                       |                                                                                                                                                                                 |  |  |  |
| 15:00 – 16:00                   | <u>Jeremy Muldavin – Aerocyonics (SAE-G32)</u><br><u>Andy Seward – TEL (SEMI)</u><br>Jennifer Lynn – IBM (SEMI)<br>Kim Schaffer – NIST                                          |  |  |  |
| Next Steps                      |                                                                                                                                                                                 |  |  |  |
| 16:00 – 16:45 ET                | Serge Leef – Microsoft<br>Sanjay Rekhi – NIST                                                                                                                                   |  |  |  |