Commerce Department sets out zero-trust security approach to microelectronics supply chain

The Department of Commerce is adopting zero trust policies for validating microelectronics to ensure their safety, according to a roadmap released Thursday.

Advanced imaging technologies and forensics for detecting counterfeit and malicious circuits, as well as component markings and tags for authentication, are part of the department’s developing hardware security strategy.

Zero-trust security traditionally refers to the government’s preferred framework for securing networks — where no person, system or service outside or inside is trusted — but DOC’s National Institute for Standards and Technology is applying the philosophy to microelectronics in everything from computers to airplanes. The effort to secure the hardware supply chain comes as the Department of Homeland Security explores ways to automate software supply chain security.

The Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Act passed in August tasked NIST with metrology research and development (R&D) supporting domestic breakthroughs in next-generation microelectronics, which are integrated devices and systems made up of semiconductor materials. NIST found in its report that enhancing the security of microelectronics across the increasingly complicated global supply chain was one of seven challenges it needs to address to that end.

“Recent chip shortages have exacerbated counterfeiting, IP theft, the reverse engineering of designs, and the production of low-quality and defective chips,” reads the report. “Without the means of verifying the provenance of the semiconductor, malicious circuits could be added anywhere along the supply chain, allowing bad actors to bypass defense mechanisms, disrupt devices and steal user information.”

Integrated chiplets may be embedded with malware, which is why NIST’s roadmap proposes implementing a combination of security analytics standards and guidelines with a broad vulnerability strategy for testing and verifying microelectronics throughout the development lifecycle. The strategy would include tracking of materials and components and detecting and mitigating trigger mechanisms using machine learning and artificial intelligence.

Department of Defense suppliers must already use the Rapid Assured Microelectronics Prototypes (RAMP) platform for microelectronics design, manufacturing and supply chain management. Companies like Microsoft, BAE Systems, Intel and Northrop Grumman are developing capabilities to support RAMP.

Modern chips contain more than 100 billion complex nanodevices, less than 50 atoms across, that must work nearly identically for functionality, and they’re only getting smaller and more complex. Therefore precise metrology is needed throughout the development life cycle, but currently the domestic semiconductor industry relies on “workarounds and insufficient tools,” per NIST’s report.

The CHIPS Act appropriated funds for NIST to accelerate metrology R&D, and the agency’s call to action highlights six other challenges:

• developing metrology for materials purity and properties;
• manufacturing future microelectronics ;
• advancing packaging to integrate separately manufactured components;
• improving tools for modeling and simulating semiconductor materials, designs and components;
• improving the manufacturing process; and
• standardizing new materials, processes and equipment.

NIST identified its seven challenges by holding Semiconductor Metrology Workshops with more that 800 participants from industry, academia and government; putting out a request for information; and receiving direct industry feedback.

“The measurement challenges impacting the U.S. semiconductor industry are at a critical stage and must be addressed if we are to ensure U.S. leadership in this important sector,” said Laurie Locascio, NIST director, in a statement. “We’ve received extensive feedback from stakeholders across industry, academia and government that will help us provide urgently needed measurement services, standards, manufacturing methods and test beds and build even stronger partnerships with this industry.”