Microsoft and Intel lead TCG supply chain security group

  • November 1, 2021
  • Steve Rogerson

Microsoft, Intel and Goldman Sachs are to lead a Trusted Computing Group (TCG) work group to tackle supply chain security problems.

Oregon-based TCG has set up the group that will define how its technologies can be implemented to address supply chain security. Led by representatives from Microsoft, Intel and Goldman Sachs, the group will create guidance that defines, implements and upholds security standards for the entire supply chain.

With the number of cyber attacks attempting to compromise the supply chains of industries and governments rising, the Supply Chain Security work group aims to bring together industry experts from across the technology ecosystem.

The hardware supply chain is difficult to secure because of the number of stages, organisations and individuals involved, and current security methods are mostly subjective and require human intervention. Malicious and counterfeit hardware is extremely difficult to identify, and most organisations do not have access to the tools, knowledge or expertise to detect it successfully. With guidance from the work group, those in the supply chain should be better equipped to protect against cyber threats.

“For nearly 20 years, TCG has guided the industry in adopting technologies that enable secure computing, with specifications for IoT and embedded systems, PCs and servers, mobile and storage,” said Dennis Mattoon, principal software development engineer at Microsoft and co-chair of the group. “The supply chain is the one thing that spans all of these verticals and experts from TCG work groups are now coming together to create industry-wide guidance that seeks to make the supply chain more secure.”

The work group will focus on two key areas: provisioning, which means ensuring devices are genuine and from a trusted source at every step of the supply chain, and recovery, which means helping companies recover their systems, devices and networks quickly in the event of a cyber attack. While these can be costly to organisations in the short term, they are much more cost-effective than the alternative of a single cyber attack bringing down the entire supply chain.

TCG’s offerings, such as its cyber resilient technologies, can reduce the recovery time and costs following an attack, but they must be properly implemented at every level of the supply chain. Industry experts must come together to address the issue and provide for the whole industry, rather than creating smaller options that only address specific areas.

“Securing the hardware supply chain is no easy task, as no single company has end-to-end control of the modern technology supply chain,” said Michael Mattioli, vice president at Goldman Sachs and co-chair of the work group. “This is why the new TCG work group is so important, as we are bringing together experts from a wide range of companies to define industry guidance that can be implemented across the ecosystem.”

TCG is a not-for-profit organisation formed to develop, define and promote open, vendor-neutral, global industry specifications and standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms.