A New Way to Hack Military Supply Chains

SMITH BRAIN TRUST — Research firm Gartner projects 25 billion sensor devices will be connected to the Internet of Things by 2020. This includes components in U.S. military supply chains, where counterfeiters can embed sensors to compromise national security and cause extensive economic damage. Rich Fitzgerald, a graduate of the University of Maryland's Robert H. Smith School of Business and vice president for business operations for Avnet Embedded, recently wrote a guest column at Military Embedded Systems calling for the Department of Defense and its suppliers to brace for an Internet of Things revolution.

Fitzgerald gives an example of a skeptical vendor at a trade show alerting federal investigators to track and eventually prosecute a trio of Chinese nationals attempting to embed counterfeit chips in Navy submarines. “Had this individual not followed his gut and reported the peculiar activity, there is no telling how deep this counterfeit ring could have penetrated into the naval supply chain, or how many lives may have been lost as a result of the installation of those malfunctioning chips into critical defense systems,” he writes.

The risk is magnified at the Department of Defense because its supply chains are massively distributed global networks subject to constant threat and disruption by state and non-state actors. To account for such risk, “buyers must constantly be on alert, especially when sourcing from online parts brokers or from suppliers in regions that do not have the same rigid intellectual-property protections and enforcement that we take for granted in the U.S.,” Fitzgerald writes.

Smith School Supply Chain Management Center co-director and research professor Sandor Boyson says buyers in military supply chains could pursue surveillance and quality assurance activities that include: Use of unique digital signatures of hardware and software to ensure product authenticity; use of real-time location  technology such as GPS  to achieve in-transit visibility;  deployment of anti-tampering technology such as digital locks on shipment containers that can issue network alerts if compromised; and the training of receiving personnel in distribution centers to recognize and quarantine suspect products or parts.

“Ultimately, constant vigilance and continuous monitoring throughout the product life cycle are necessary,” Boyson says. “The Internet of Things will open up many more points of access and vulnerability and further drive the necessity for heightened organizational surveillance of product quality and authenticity.”

Boyson, with his Supply Chain Management Center colleagues, is leading a recently launched risk assessment project focused on commercial IT supply chains, in collaboration with the National Cybersecurity Center of Excellence, a federally funded research and development center supported by the National Institute of Standards and Technology.

Fitzgerald emphasizes the urgency of such measures. “Any organization that is honestly committed to maintaining the integrity of the electronics supply chain will take the time to scrutinize an unknown source, insist on documentation of a part’s lineage, and always test parts before installing them in a design,” he writes.