repairing electronics

Spotlight Podcast: Intel’s Matt Areno – Supply Chain is the New Security Battlefield

In this Spotlight Podcast, sponsored by The Trusted Computing Group, we speak with Matthew Areno, a Principal Engineer in the Intel Product Assurance and Security (IPAS) group about the fast-changing landscape of cyber threats including attacks on hardware and software supply chains. [Read the full transcript]


It’s funny that one of the most controversial stories about supply chain security, Bloomberg Businessweek’s scoop on “spy chips” on motherboards by the firm Super Micro that infiltrated “more than 30 companies” is remembered less for what it said than the staunch denials it provoked.

Matthew Areno is a Principal Engineer in the Intel Product Assurance and Security (IPAS) group at Intel.

Whether or not that story was accurate, however, security experts have long agreed that the threat it describes is real – and growing. The deep reliance of the high tech industry on software and hardware supply chains that originate in nations like China has created the conditions for compromised technology to infiltrate U.S. homes, businesses and governments at all level.

Unfortunately, the information security industry has been slow to respond. Companies spend billions of dollars on information security tools and technology every year. But much of that spending is for fighting “the last war:” viruses, spam, application- and denial of service attacks and so on.

Cyber: Fighting the Last War

Our guest this week is here to tell you that those aren’t even close to being the only kinds of threats organizations need to worry about. Matthew Areno spent years conducting both offensive and defensive research at some of the most sophisticated and targeted firms in the world: Sandia National Labs in New Mexico and defense contractor Raytheon among them.

Episode 161: 3 Years after Mirai, IoT DDoS Problem may get Worse

Areno, who now works at Intel, where he is a Principal Engineer in the Intel Product Assurance and Security (IPAS) group, says his work at companies that were in the crosshairs of nation-state actors opened his eyes to “what was possible” in cyber offense. It also taught him how organizations – even sophisticated ones – often fail to discern the full spectrum of possible attacks on their security, with dire consequences. 

A Range of Supply Chain Threats

Supply chain attacks could run the gamut from degrading the performance of a sensor to exfiltrating sensitive data to denial of service attacks. “And these attacks can happen at any point in the lifecycle of these products,” Areno told me. That includes attacks on the design network that manufacturers use, attacks on shared or open source software components and – as with SuperMicro- the introduction of malicious components during manufacturing, which is an issue that Areno said is still probably more hype than reality – even if component piracy and counterfeiting is not.

“When we’re sendings our designs over the seas, how much confidence and how much trust do we have that what we sent to them is what we got back,” Areno wonders.

Spotlight Podcast: Two Decades On, Trusted Computing Group tackles IoT Insecurity

In this podcast, Matt and I talk about where the new front lines in cyber security fall and how companies need to re-think their approach to security in order to address the changing threat.

We also talk about Matt’s work with the Trusted Computing Group where he helps develop technologies that make it easier to protect against threats like attacks on device firmware and hardware supply chains by building a hardware based root of trust that can be a foundation for the security of entire products and product ecosystems. 


(*) Disclosure: This podcast and blog post were sponsored by Trusted Computing Group. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations. 

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.  


Spotlight Podcast Transcript

[START OF RECORDING]

PAUL ROBERTS, SECURITY LEDGER: This Spotlight edition of The Security Ledger Podcast is sponsored by Trusted Computing Group. Through open standards and specifications, Trusted Computing Group enables secure computing. Through its member-driven work groups, TCG enables the benefits of trust in computing devices from mobile to embedded systems as well as networks, storage, infrastructure, and Cloud security. More than a billion devices include TCG technologies. You can check them out at trustedcomputinggroup.org.

INTRO: [MUSIC] Hello, and welcome to a Spotlight edition of The Security Ledger Podcast. I’m Paul Roberts, Editor in Chief at The Security Ledger. In this edition of the podcast…

MATT ARENO, INTEL: When we’re sending our designs across the sea, whether we’re sending them to a third party or even to our own facilities, how much confidence and how much trust do we have that what we sent to them was actually what we got back?

PAUL: Companies spend billions of dollars on information security tools and technology every year, but what if the money that we’re spending fights the last war while new and unseen or unimagined enemies and threats are afoot and even at our gates? Those are the kinds of questions our guest this week gets paid to answer. Matthew Areno is a principal engineer at Intel Corporation in the Intel Product Assurance and Security Group. Organizations, even sophisticated ones, often fail to discern the full spectrum of possible threats and attacks on their security, says Areno, and the consequences of that can be dire.

In this conversation, we talk about Matt’s work with the Trusted Computing Group where he helps develop technologies that make it easier to protect connected devices against threats like firmware hacks and hardware supply chain compromises by building a hardware-based root of trust that can serve as the foundation for the security of entire products and product ecosystems. To start off, I asked Matt to talk a little bit about his origin myth and how he came to work for Intel, including the formative work he did on offensive and defensive cyber at places like Sandia National Laboratories and Raytheon.

MATT: My name is Matthew Areno. I am with Intel’s Product Assurance and Security Group. I am a principal engineer in that group and working specifically in our security assurance area.

PAUL: Matt, welcome to Security Ledger Podcast.

MATT: Thank you for having me, Paul.

PAUL: As I do often with guests ñ and I think this is your first time on the podcast, so tell us just a little bit of your origin myth as it were, and how you found your way to working within Intel and working as part of the Trusted Computing Group.

MATT: I started my career, actually, at Sandia National Labs. I completed a undergrad Master’s degree at Utah State. Go Big Blue. Started working for Sandia right out of college. While I was there, I worked predominantly on what we would call red team assessments. We were offensive-oriented. We were trying to break systems, critical systems that might be used or considered for use in high-security government situations. We want to know how attackers might try to break them or misuse them and things like that, and try to prepare them for any adverse conditions that might come to play. I spent several years doing that at Sandia, got exposed to incredible capabilities.

When you’re looking at elements and nation states are capable of doing, it was just fascinating and very eye-opening. While I was there, I also was able to finish a PhD at the University of New Mexico. Go Lobos. Shortly after finishing my PhD, I actually took a position with Raytheon Cyber Solutions. While I was there, I continued doing offensive-oriented work but as is often the case, those of us who spend a lot of time doing offensive work will eventually get pulled into ñ by some of our defensive folks saying hey, can you help us shore up some of these defenses and figure out and understand from the offensive standpoint how you’re breaking these things?

Well, how can we defend against those attacks? Really kind of transitioned there, again, building defenses for high-security government systems, trying to obfuscate and protect against some of these really, really advanced threats that we have out there. But again, spent several years with Raytheon, had a great time there, but eventually I found my way over to Intel. I started at Intel last year. Throughout the course, actually, of working with Sandia, with Raytheon, and here at Intel, I’ve always been engaged with the Trusted Computing Group.

PAUL: It’s a big question and probably not a simple one to answer, but if you were to sort of sum up what you learned starting out on the offensive side and then making that transition to defensive, especially doing it at a place like Sandia where you are exposed to, [00:05:00] as you said, the real cutting-edge nation state adversaries ñ Sandia is obviously up there on the list of targets for those types of groups ñ what did you distill from that experience and what did you take with you when you were asked to come on over and help out on the defensive side?

MATT: Well, it was certainly an eye-opening experience. Working at Sandia as well as Raytheon, I think there’s a lot of things that we take for granted and assumptions that we make about what may or may not be possible. Working for a group like that where we know that these highly sophisticated nation state adversaries, we know that they have incredible capabilities, but you never really understand the complexity of what they can throw against you until you’re trying to defend against it. That was really an exceptional experience to be able to work with them and really understand that.

I’ve found as I’ve come to Intel and even to a bit at Raytheon, being able to bring that perspective is ñ has been critical for them to help them to understand the breadth and the capability of what can be done, the things that we once thought were science fiction, that this could never really take place, that someone couldn’t actually do this attack or do something this sophisticated. Well, yeah, I think we do have to worry about this. Having that background, having that understanding, having the exposure and really knowing what the state-of-the-art fully is, I think that’s probably one of the biggest challenges that many companies face, is not really fully grasping what is the state-of-the-art.

PAUL: Yeah, I mean, I think on the one hand, there’s a sea of low-skill attacks and threats out there; phishing attacks and sequel injection and just ñ and there’s tons of that. My understanding is often, those are tools used by advanced adversaries as well, but then there’s this whole other level of the stuff that you haven’t even thought of. I think back to Stuxnet as pulling the covers back on that type of activity where people said wow, this is a whole level of sophistication beyond what we’ve seen in the commercial sector, right? Lo and behold, there was a good reason for that because it wasn’t the cyber-criminal group doing it. But what are ñ just to tease our audience here, what are some of the types of threats and attacks that might be low-probability but are out there and real and companies need to be focusing on?

MATT: Well, it’s a good question. I think that there’s a lot to consider when it comes to those type of threats in terms of yeah, what’s possible, what’s likely, what would they really see out there? As a tease for what some of those threats specifically could be, there’s been a lot of research into hardware Trojans, the ability for an adversary to be able to inject logic and custom code or circuitry into a component and then ship it out as a normal, functional unit. There’s been actually quite a bit of research on that. We’re still kinda ñ is this real? Are there some real-world examples of that? Counterfeiting is certainly a very hot button one. We’ve seen examples of this. This one is one that ñ that it isn’t. Is this out there? We know it’s out there.

We’ve seen it out there, where parts are usually the less sophisticated parts where they are able to completely reverse-engineer the part, figure out how it works, and then they may ñ someone might make a malicious version of that and then stamp it as a legitimate one and ship it out in the industry. We’ve seen that, where people have gotten those parts. But even the ability now to be able to remove the top off of these parts and go in and make alterations, we know now as new chips come out, you can even hire people to get these reports. There are companies out there who will take the top off ñ the lid off, as they would say, off of these components. They’ll take pictures and x-rays and things like that, and people can start reverse-engineering this stuff at a very, very low cost.

That ability to go in and modify it to perform voltage glitching, to perform probing, to perform clock and laser glitching and things like that on these products. Then you get into the whole supply chain concerns. This is certainly a hot button topic in politics today as well as many other places, and that’s the supply chain and how much can we really trust it when we’re sending our designs [00:10:00] across the sea, whether we’re sending them to a third party or even to our own facilities across the sea. How much confidence and how much trust do we have that what we sent to them was actually what we got back? Those are some of the key questions and key threats that we’re trying to look at today and understand and try to mitigate.

PAUL: Often, I think the risk scenarios that organizations sketch out are mostly around malicious access to their network; persistent access, data exfiltration, things like that. As you look at the various risk scenarios for companies and organizations who might be making connected devices or consuming those, is that it? Is it really about access and access to data and control over the endpoint or are there other threats out there as well maybe just degrading the performance of something or creating inconsistent data even if you’re ñ inconsistent performance? Are those the types of threat factors that organizations need to think about as well?

MATT: Absolutely. Fortunately or unfortunately, it really just spreads the entire gambit for these devices. What an attacker’s end goal is really can vary depending upon what it is that they’re trying to attack. As you mentioned, it may be something as simple as ‘I just need to degrade the performance of this element so that I can get something by it so that I can ñ I just need to disable a motion sensor. I just need to be able to disable a scanner so it doesn’t pick up something, or peak its processing so it’s like ñ so it misses out on something all the way from there to exfilling the data, capturing the data, and then sending it out a side channel’physi whether that’s sensitive data, cryptographic data, whatever it may be, all the way to denial-of-service. These type of attacks can really come into play at anywhere in the life cycle of these products.

At Intel, we have a couple of initiatives that we’re working on with this. One of them is our Compute Lifecycle Assurance which is looking over the entire lifespan of the product from the point that it’s developed to it’s being built, it’s being deployed, and then eventually being retired. When you zoom in on those, one of our other areas that we’re working on is what we’re calling our transparent supply chain. We’re zooming into that development phase. When you look at that, there’s so many different places where attackers can come in; as you mentioned, attacking the design network, attacking third party plugins and malicious plugins for these tools that we use to develop this technology. What validation is going into those modules? What’s going into those plugins to make sure that it’s not malicious in any way?

Ensuring the protection of those design networks to make sure that that information isn’t being exfilled and sent out to a third party unintentionally or even maliciously and then going, again, through the assembly, through the tests, the verification, putting these products together, validating with the design and everything is secure and exactly what you expect it to be all the way through and that it hasn’t been compromised with. All of that is things that companies have to worry about. Now, it is a question of trying to figure out well, which one is the biggest threat? Where do I get the biggest bang for my buck in terms of trying to mitigate these threats? Because it’s a lot. It’s a lot to mitigate on these companies. Being able to make those assessments, being able to figure out where their biggest threats are, how much money they can allocate to it, and what they can do to fix them, that’s the key questions we have to ask ourselves.

PAUL: You’re listening to a Spotlight edition of The Security Ledger Podcast sponsored by the Trusted Computing Group. When you’re talking about verifying the integrity of these devices, integrated circuit chips or system-on-chips or any of the components that companies like Intel make and a wide range of other suppliers as well, what’s involved in that? I think most people, at least on this podcast, are familiar with the types of checking and security assessments you might do on application code, looking for vulnerabilities and buffer overruns and that type of code analysis. Is it the same thing just on embedded device code or are there different methods and techniques that you need to use to verify that, for example, there isn’t a hardware Trojan or that this integrated circuit chip does exactly what it was designed to do and nothing more?

MATT: Yeah, I think the problem, for the most part ñ philosophically, [00:15:00] anyway ñ the problems are the same. The approach for how to address them is really where the difference is. For code, it’s one thing when you have the source code and you can easily scan through it, you can compare with your binary, you can compile with different compilers, see the different binaries, check the output, and look for things that might be malicious in there. With a chip, you don’t have that same capability. We don’t have the same ability to actually go back and x-ray all of the different layers and figure out ñ reverse all the circuitry and everything and make sure that everything is exactly what we expect it to be.

This has been a research problem for decades now. It was actually one of the first utilizations and purposes of PUFs, Physically Uncloneable Functions, was utilizing them as the metric for being able to determine if something had changed within these chips. Even outside of the chips, when you look at the boards, an entire motherboard, for instance as an example, that becomes rather laborious and monotonous to be able to check those. That’s where things like the Supermicro article that came out a year or two ago, that’s what that really piqued in people, was oh my gosh, now we’ve thought about this for years that wait, somebody could put a chip into these boards but we’ve never seen it.

PAUL: This is the Bloomberg article that famously had a picture of a tiny little grain-of-rice-sized component. Of course, as it turned out, that wasn’t the component they were talking about in the story or the board they were talking about. It was just stock art or something. But yeah, it scared the bejesus out of people. What is the moral of that story given that so much of the attention actually ended up being not on what the article was saying but whether the story that the article relayed was actually factual?

MATT: Yeah, I think that the primary takeaway from that article was really that it was a bit of a wake-up call for the entire industry. For the longest time, looking at ñ trying to figure out how to inspect a motherboard, for instance; if you just take the problem of a motherboard and you put all these pieces together, I mean, that whole process is automated. You have pick-and-place machine that go in and they solder the components down and you put in complex designs and it figures out the right parts and puts everything down. But you typically don’t have someone there that’s visually looking at the board for these extraneous parts. This was also where the counterfeit parts came in.

PAUL: Nor would humans be very good at that job anyway, right?

MATT: No, and if you can just imagine for yourself someone sitting at a desk and visually inspecting thousands of these boards…

PAUL: I think of the guys they have at the door at Costco as you’re going out, right, who take your receipt and then look at your cart and try and figure out the diff between your receipt and your cart. It’s like…

MATT: Exactly. Take that list ñ at Costco, you might have a list of twenty, thirty, forty items on there. Now…

PAUL: Small Costco run. You might have that many.

MATT: Yeah, very true. Now you’re expanding that to hundreds of items and it’s not like all of these items just have a nice little Vizio TV label on them that makes it easy to identify.

PAUL: Yeah. Right, exactly.

MATT: So, that type of thing is ñ it’s really ñ it’s impossible for a human being to be able to visually do that. You’ve got to develop the tools to be able to capture that, use image processing to look for those type of things, and I think up until this article came out, there was really no need ñ there was perceived to be no need for this. It was still a head-in-the-sky, sure, something like this could conceivably happen, but we’re putting in place this mitigation and that mitigation that were good mitigations. They were the right thing to do, but the question was whether they were sufficient or not. I think that that’s what this article really helped to highlight for people.

It shone a light on the fear that maybe what we’re doing up to this point isn’t sufficient enough. I think that probably was true. It’s unfortunate, but it is something now that we have to look at. It’s something that we have to explore and consider. Really, a huge issue with that is all these parts come from so many different places that in order to address this problem, in order to really come up with a comprehensive solution that’s gonna work for all of industries ñ gonna take everyone coming together which is something I loved about TCG. That was an organization where we can come from all these different groups, you know.

I sit down with folks from Arm and AMD and we collaborate on things and it’s great, [00:20:00] and we’re not competitors when we’re sitting in these organizations. We’re coworkers with the unified goal of trying to fix a problem. That’s really what it’s gonna take to fix this and I think that articles like that, that’s what they’re doing, is that they’re highlighting our insecurities and our assumptions that we’ve been making from a hardware standpoint and showing us that we can’t make those assumptions anymore and it’s time to step it up.

PAUL: Yeah, and I mean, you’ve been in the industry for a long time so I’m sure you’ve noticed this too, but it is often the cutting edge independent researchers and then maybe the media as well kind of trumpeting what they do; who are the canaries in the coalmine for so many of these things. I can remember seeing Defcon and black hat sessions on point of sale vulnerabilities years before we started hearing about major POS attacks and hacks, right? Unfortunately, the retail industry was not listening very closely to those presentations although as they would have said, holy cow, we’ve got a huge risk here that we need to address. It is often the vanguard of researchers and then the reporters who cover what they do, I think, who start getting attention to these problems even if the risk ñ the perception of risk is not that high.

MATT: It’s a great observation, Paul. I think we really depend upon, in many ways, the media to help with this and to bring and call attention to this. I’ve always looked at security as a ñ well, I guess my view ñ I call it the M&Ms, the morals versus the monies aspect of security ’cause security researchers, most of us are in this position because we feel a moral obligation to provide the greatest security, the greatest enhancements, the greatest protections that we can to the end customer, to our business, to our products. But at the same time, you’ve got to be able to balance that with the monetary aspect of it. You’ve got to be able to understand the return on investment of the security that you’re providing. You can’t spend ten million dollars to provide a security enhancement to a problem that nobody’s seeing out there that hasn’t been exposed, that hasn’t been brought to light, that hasn’t been exploited by anyone.

Yeah, it might be the greatest security technology and capability in the world, but if no one’s exploiting the issue that it’s trying to protect, then you can’t justify the expense. I think that’s where folks like the media, folks like these independent security researchers, academia, this is the real benefit that they provide to us, is that they really help us to understand what is the current state-of-the-art? What really is the greatest and most current threats that we need to be looking at and addressing? Working with them before these things start to happen really helps us to get those security patches out early, it helps us get the security technologies out, and really help us to beef up the security so that when these things do become much more mainstream, we already have a solution out there that’s gonna help fix it.

PAUL: Talk to us about some of the projects you’re working on within Intel and within Trusted Computing Group. Obviously, the challenge that Trusted Computing Group has to address has changed a lot from when it was first set up in the late 90s. The computing environment’s changed, the challenges and needs have changed, so what are some of the things you’re working on?

MATT: My current efforts right now with Intel is really helping to put together threat models for our products, for our supply chain, for the Compute Lifecycle Assurance, taking the experience that I had working with some of the most sophisticated and advanced security organizations in the world and taking that experience and really applying that to our products and helping us to go back and to assess that, to really understand what the threats are and how we can address something, what we really need to be addressing right now. With the TCG, with their help and with this Compute Lifecycle Assurance and transparent supply chain that we’re doing here at Intel, really what we’re trying to do is provide assurances of the platform, assurances of what our end customers are buying, to make sure that they understand and they know exactly what they’re getting.

The analogy that I use a lot with security; someone asked me once, how do you create security? I said well, security is like trying to pack a bag for someone when you don’t know where they’re going, what they’re doing, or how long they’re gonna be there. If you can imagine being in that position and trying to ñ you’re trying to think of every possible situation, every possible contingency, every possible use that this person might have and you’re trying to cram all of that into one bag and get that to this person. [00:25:00] As a consumer, if you were going on this trip, if you ñ if you’re going with your wife on a wonderful honeymoon trip and you couldn’t see your bag, you didn’t know what was in it, and you wouldn’t even have the bag until you got to your destination, I’m willing to bet you’d be a little on-edge, a little anxious.

That’s the way these products are for people right now. This is what we really have to fix. We’ve got to be able to provide some assurances to folks that, you know, I am getting you your bag and it’s gonna have everything you need, I promise. It’s gonna have your bathing suit, it’s gonna have a tuxedo, it’s gonna have your undergarments, it’s gonna have all the stuff that you need on it, and I promise you it’s gonna get there and it will have exactly what I tell you is gonna be in there. The key problems there is really two things; one, does it have everything that I need in it, and the second is well, can I customize it? The customization would be a great discussion I’d love to chat with you more about some day.

But for right now, we’re just trying to fix the, does it have everything I promised you would be there? That’s where the TCG and these efforts that we’re doing here at Intel are trying to come in and play. We’re trying to provide those guarantees that yes, this is the part that you wanted. This is the firmware. This is the video card and the CPU and we promise ñ and we can verify to you cryptographically ñ that this is what we set it up with in our assembly place, and this is what it was when it got ñ finally got to you, and you can be sure that you have exactly what you want.

PAUL: The computing environment has changed so much. It strikes me that when Trusted Computing Group first emerged in the late 90s, it was very much a monoculture of Microsoft Windows and Intel processors. That was problematic in some ways but in other ways from a security standpoint, it meant that if Microsoft did initiatives like the Secure Computing Initiative and Trustworthy Computing, it could really be the tide that lifted all boats because they had 90% of the operating system market or 98% or whatever it was. But these days with the Internet of Things, it is a much more diverse computing environment both on the hardware side and on the software side.

I know there have been a lot of stories about vulnerable webcams and security cameras, CCTV devices, where often you have the same software provider putting their firmware into cameras for many different hardware makers. Those are just really white labeled; it’s coming out of one factory but it’s got different bezels on it from Philips and whoever else. It’s just like, oh my god, it’s like, it is truly the sausage factory when you get into actually the consumer IoT. I would imagine that makes your job much more difficult from a security perspective.

MATT: It does indeed.

PAUL: It sort of a boil-the-ocean problem; how do you impact or move the needle on security when it is that diverse a population and also where the pressure on cost and building materials is so intense?

MATT: Absolutely. I was just gonna mention that if that were the only problem by itself, maybe we could come up with something pretty quick for that. But once you add in the complexity of their cost challenges, of in-house development, of things like that that they have, the space constraints, the cost constraints that these folks are facing, it just makes it that much more difficult to create secure platforms for them. It is something that keeps me up at night both as a security researcher as well as just a consumer of these products. These are organizations that in many cases, they’re competing at cents on the dollar for contracts. Every cent that they put into creation of their product becomes a challenge for them and of course, security is never free.

That’s probably one of the biggest hindrances to widespread adoption of good security is because it’s really seen as one of those things that I pay for, but I don’t see any benefit; immediate benefit, visual benefit, financial benefit from. It’s hard to really reconcile that, and so, these companies look at security as just an added cost in a very cost-competitive market. Trying to work with these vendors to educate them on security, on best practices, trying to work with the organizations that are providing these securities to them is the key aspect on that. That’s one of the things that I actually helped with in the TCG. We recently [00:30:00] released a document on secure update procedures for IoT-based devices, trying to help them understand, because that’s one of the biggest issues right now for IoT devices, is that many of them don’t have that update capability once they’re out in the field.

Vulnerabilities are discovered, new things come out. You mentioned cameras; thermostats, door sensors, washer, dryer, refrigerator, all these things. Yeah, on their ñ by themselves, I may not be worried about my dishwasher video-recording me, but we’ve already seen examples out there where a compromised dishwasher or refrigerator or something like that could be turned into a bot to start doing ñ performing denial-of-service attacks on your local network or on other networks across the world. It just becomes this huge place for these ñ where these attackers can gain all these resources to start launching these attacks.

PAUL: I think for our conversation, there are two main parties; there are the, of course, OEMs and …their network of supply chain partners who are building these devices, and then of course there are the companies and individuals and governments who are acquiring those and deploying them. When it comes to security, where is the proper point at which to enforce security and enforce control? It strikes me that companies these days still have a really hard time just getting on top of patching, getting on top of trivial types of vulnerabilities. If you’re asking them to start thinking about and doing something about supply chain, that might be a bridge too far. How do we provide a control point around these very sophisticated and complex supply chain and component hardware-based issues?

MATT: There’s really no other way to say it but security is foundational. Once you’ve lost security, it’s really, really difficult to ever get it back. You’ve got to be able to build a strong foundation of security. Even from my perspective, while we’re looking at these hardware and supply chain attacks and we’re going oh my gosh, where ñ is any of this even possible? Are we actually seeing any of this out there? I think really opening our eyes and just saying yeah, some of these things are possible and we really need to be doing better about it because we ñ these hardware designs and this initial development, this is what is in most cases serving as your root of trust for the entire platform.

If that is compromised and everything else from that point on is compromised, we’ve got to be able to provide that foundation and security that everything else can be built upon. I do think we have to take the supply chain and hardware vulnerabilities seriously, more seriously even than we have before today. We’ve got to be able to acknowledge that things that we don’t want to believe can happen. We’ve got to acknowledge that this is something that we’re gonna have to work together as an entire industry on. We’ve got to find a way to be able to at least start by saying this platform is exactly what we anticipate it is, what we expected it will be, and we can validate that every time we boot up on this system. Once we establish that foundation of security on these platforms, I think everything else can eventually fall in line.

Clearly we have a lot of work to do and clearly, we have not done sufficient work. As you mentioned a couple of times, cross-site scripting, buffer overflows, all those things that have been around for decades now, we still haven’t completely fixed those. We’ve got to be able to do that, but all of that starts with a strong foundation, so I really do think coming together whether it’s in an organization like TCG or one of the many other organizations around the world doing incredible security work, working with them, coming together as an industry and figuring out how to solve these problems at the hardware level really has to take a critical role right now so that we can ensure the success of everything that we do from that point forward.

PAUL: Matt Areno of Intel Corporation, thank you so much for coming on and speaking to us on Security Ledger Podcast.

MATT: Thank you for having me, Paul.

PAUL: Matthew Areno is a principal engineer at Intel Corporation in Intel’s Product Assurance and Security Group. You’ve been listening to a Spotlight edition of The Security Ledger Podcast sponsored by the Trusted Computing Group. Through open standards and specifications, Trusted Computing Group enables secure computing. Through its member-driven work groups, [00:35:00] TCG enables the benefits of trust in computing devices from mobile to embedded systems as well as networks, storage, infrastructure, and Cloud security. More than a billion devices include TCG technologies. You can check them out at trustedcomputinggroup.org.

[MUSIC ENDS]

[END OF RECORDING]

Transcript by: www.leahtranscribes.com