The semiconductor industry's recommended counterfeit-avoidance strategy may have the unintended consequence of increasing, rather than reducing, the risk of counterfeit chips entering the supply chain, a new report has found.
The paper - titled Why a counterfeit risk avoidance strategy fails - says that despite implementing a counterfeit risk avoidance strategy, the electronics industry continues to discover counterfeit chips in the supply chain.
Counterfeits end up in the supply chain largely through procurement outside the semiconductor ecosystem, via independent distributors and brokers on the open market, where chips are cheaper than those from authorised sources and authenticity and traceability controls are limited.
As such, the currently recommended counterfeit-avoidance strategy is to purchase chips from authorised sources, which removes the need for costly and challenging authenticity tests, the authors write in the paper, which is due to be published in the journal Computers & Security.
"Unfortunately, despite the implementation of this strategy, counterfeit chips continue to enter the semiconductor ecosystem," the report says. "In fact, preventing counterfeit chips from entering the supply chain has become a significant challenge because counterfeiters continuously increase their technological capabilities and are ever-more determined to defeat countermeasures."
While the general view was that counterfeits come from outside the ecosystem, the report noted that counterfeiting is also occurring within the authorised supply chain as a result of a "malicious insider" with access to the system.
In this scenario, the report said, the insider diverts authentic chips to fill unauthorised outside orders and replaces them with counterfeit chips.
"Most analyses of semiconductor supply chain risk assume a priori that problems in the supply chain lie outside of the supply chain itself, rather than within the supply chain," the report said.
"At the outset of this research, we were also inclined to accept this assumption, so we were surprised to discover that a malicious insider is required for counterfeit chips to enter the semiconductor ecosystem. Since the threat environment is evolving, so too must the enterprise risk management programs of stakeholders in the semiconductor ecosystem."
The report recommends countermeasures to protect companies from malicious insiders based on a layered, risk-defence framework.
"The first layer of defence is for stakeholders to expand the boundary of their enterprise to include all entities with insider knowledge of the stakeholders' information or systems," say the authors from George Washington University in the US. This would allow the implementation of strategies, such as executing non-disclosure agreements and providing insider threat training, as well as increased detection measures.
The second and third layers of defence recommended by the report are internal traceability of chips from receipt to use and physical control of access to chips, respectively. These layers would improve the physical security of the system and have the dual effect of deterring malicious insiders and providing early warning.
The report recommends a simple documenting system for traceability and a two-person policy for accessing chips, as well as a variety of other security measures such as biometrics or RFID.
Finally, a fourth layer of defence would include internal audits to reconcile orders, which can provide early warning of suspicious behaviour. While an auditing process will not necessarily prevent counterfeit chips from entering the supply chain, it would help uncover illicit behaviour sooner.
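As an added illustration of the traceability, two-person and audit layers described above (example code, not from the report or its authors), the following reconciliation check runs over constructed receipt and issue records: it flags lots issued that were never booked in, movements signed off by fewer than two people, and lots whose shelf count does not equal receipts minus issues. The record layout and field names are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the report): chip lots as booked at receipt.
RECEIPTS = [
    {"lot": "LOT-A1", "part": "MCU-100", "qty": 500, "by": ["alice", "bob"]},
    {"lot": "LOT-B2", "part": "FPGA-7", "qty": 200, "by": ["carol", "dave"]},
    {"lot": "LOT-C3", "part": "MCU-100", "qty": 300, "by": ["erin"]},  # one signature only
]

# Constructed sample data: chips drawn from stock against production orders.
ISSUES = [
    {"lot": "LOT-A1", "order": "PO-1", "qty": 450, "by": ["alice", "bob"]},
    {"lot": "LOT-B2", "order": "PO-2", "qty": 150, "by": ["carol", "dave"]},
    {"lot": "LOT-Z9", "order": "PO-3", "qty": 50, "by": ["frank", "gina"]},  # never received
]

# Constructed physical count from a stock check of the controlled store.
STOCK_ON_HAND = {"LOT-A1": 50, "LOT-B2": 30, "LOT-C3": 280}


def reconcile(receipts, issues, stock_on_hand):
    """Return audit findings as (kind, lot, detail) tuples.

    count_mismatch detail is receipts - issues - shelf count, so a positive
    value means chips are missing from the controlled store.
    """
    findings = []
    received = defaultdict(int)
    for r in receipts:
        received[r["lot"]] += r["qty"]
        if len(set(r["by"])) < 2:  # two-person rule on receipt
            findings.append(("two_person_violation", r["lot"], "receipt"))
    issued = defaultdict(int)
    for i in issues:
        if i["lot"] not in received:  # issue with no matching receipt
            findings.append(("unknown_lot", i["lot"], i["order"]))
        issued[i["lot"]] += i["qty"]
        if len(set(i["by"])) < 2:  # two-person rule on issue
            findings.append(("two_person_violation", i["lot"], i["order"]))
    for lot, qty_in in received.items():
        diff = qty_in - issued.get(lot, 0) - stock_on_hand.get(lot, 0)
        if diff != 0:
            findings.append(("count_mismatch", lot, diff))
    return findings


if __name__ == "__main__":
    for kind, lot, detail in reconcile(RECEIPTS, ISSUES, STOCK_ON_HAND):
        print(f"{kind:22} {lot:8} {detail}")
```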