"Why a Hardware Bill of Materials Is a Critical Component for Securing Electronic Products"

The ability of an organization to protect its most sensitive data comes down to ensuring that all of its bases are covered, which is difficult to do when the foundation is weak. Traditionally, the cybersecurity industry has focused on identifying and patching software vulnerabilities, but it is easy to forget that software runs on semiconductor chips, and if the hardware in a product or system is compromised, there could be harmful consequences. Because hardware security is often overlooked, transparency throughout the entire chip development cycle is more important than ever. Implementing a Hardware Bill of Materials (HBOM) not only contributes to peace of mind but also allows for improved security and maintenance of electronic products. Chips can be found in phones, computers, automobiles, medical devices, and other devices. The US is also investing more in chip manufacturing, as evidenced by the recently passed CHIPS Act, which includes $52 billion in funding to strengthen the nation's computer chip industry. Hardware, unlike software, cannot be patched, and the further along chip development is, the more difficult it is to fix any flaws. When a vulnerability is discovered, it is often too late to fix it, leaving organizations scrambling to determine the root cause of the problem. The "Augury" flaw impacting Apple's M1 chips demonstrates that taking a reactive approach to hardware security results in exposure to significant risk. Although an Experian-level Personally Identifiable Information (PII) security breach at the hardware level has not been seen yet, it is not a risk worth taking. Organizations need to get proactive by tracking and documenting hardware security vulnerabilities with HBOMs, which contain a detailed list of the hardware components' security, including security validation.
HBOMs should include documentation of the security intention at the product planning stage based on security feature and verification requirements, the threat model that was considered during the design process, embedded security design components, and other factors. This article continues to discuss the vulnerability of semiconductor chips, the growing push for a Software Bill of Materials (SBOM), and what an HBOM should feature.

CPO Magazine reports "Why a Hardware Bill of Materials Is a Critical Component for Securing Electronic Products"

Submitted by Anonymous on