The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) put a spotlight on supply chain risk management Monday with the release of its Hardware Bill of Materials (HBOM) Framework, intended to help buyers of electronics equipment identify and mitigate risks in their supply chains.

CISA’s Information and Communications Technology Supply Chain Risk Management (ICT SCRM) Task Force developed the document. The group is managed by CISA with participation from the information technology and communications sectors, both classified as critical infrastructure by the agency.

The impetus behind HBOMs is to provide a list of the names and origins of all physical materials that went into a hardware product. A single modern hardware product may contain components from dozens of separate manufacturers, and an HBOM could provide a major help for purchasers who need to verify that the parts in the items they buy come from trustworthy sources. If something goes wrong with a piece of hardware, the HBOM could more quickly help track down the source of the problem.

Consistency Across HBOMs

But while the potential value of HBOMs is clear, an inconsistent approach may make it difficult for vendors and buyers to get on the same page. CISA’s HBOM framework is meant to provide a common platform to “help organizations illuminate supply chains and support the efficient evaluation and mitigation of” hardware supply chain risks “on a voluntary and flexible basis.”

The body of the framework is organized into three key components. Appendix A sorts HBOMs into potential use cases for risks that they may face. For example, the compliance use case deals with adherence to internal and industry regulations, the security case evaluates exposure to known security vulnerabilities, and the availability case assesses potential impacts from world events and supply chain constraints.

In Appendix B, CISA provides a format that vendors and buyers can use to ensure consistency across products. The appendix also describes a method for addressing components and subcomponents acquired from third parties and tracking their potential vulnerabilities.

Appendix C lists component attributes that may be appropriate to include in an HBOM, with the goal of creating “consistency across HBOMs by defining a data field associated with each attribute.”

Appendix D suggests potential enhancements that the ICT SCRM Task Force may later add to the document.

Grid security officials have been raising the alarm about hardware supply chains for some time as the operation of the North American power grid becomes increasingly reliant on remote connectivity and electronic devices largely manufactured in China.

In 2020, then-President Donald Trump declared a national emergency regarding foreign threats to the grid and banned federal agencies, citizens and companies from certain transactions involving grid equipment developed or manufactured by entities connected with “foreign adversaries” including China, Russia, Iran and North Korea. President Biden suspended Trump’s order upon taking office but largely reinstated it after a review. (See Biden Reinstates Trump Supply Chain Order.)

CISA Identifies New China Threat

Just days after releasing the HBOM framework, CISA, along with the FBI, National Security Agency, and their counterparts in Japan, issued a joint warning that cyber actors linked to China have demonstrated the capability to modify router firmware and install custom malware in targeted computer systems. The cyber group, dubbed BlackTech by law enforcement, has targeted “a wide range of public organizations and private industries across the U.S. and East Asia,” in sectors including technology, industry, electronics and telecommunication.

BlackTech — also called Palmerworm, Circuit Panda and Temp.Overboard — has been active since 2010, the agencies said in a more detailed advisory. Like Volt Typhoon, another China-linked hacking group that CISA warned about earlier this year, BlackTech uses so-called “living off the land” techniques to hide within a target system by appearing to be legitimately installed software. (See NERC Issues Cybersecurity Data Request.)

The group targets international subsidiaries of Japanese and U.S. companies, first gaining access to the branches and then pivoting to attack the central offices and steal confidential information.

“With our U.S. and international partners, CISA continues to call urgent attention to China’s sophisticated and aggressive global cyber operations to gain persistent access and, in the case of BlackTech actors, steal intellectual property and sensitive data,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity. “We encourage all organizations to review the advisory, take action to mitigate risk, report any evidence of anomalous activity and continue to visit [CISA’s China page] for ongoing updates about the heightened risk posed by PRC cyber actors.”