Thwarting Threats in the Supply Chain

In 2011, PNNL led the Supply Chain Integration For Integrity (SCI-FI) project, which created tools to address supply chain needs for utilities, vendors, and chipset manufacturers. The project focused on hardware reverse engineering, and its partners included the Department of Energy’s (DOE’s) Lawrence Livermore National Laboratory (LLNL) and Oak Ridge National Laboratory, along with industry partners Digital Management, Inc., and Pacific Gas and Electric. Together, they developed open-source tools and technologies that touched on policy, architecture, software, firmware, and hardware.

SCI-FI was pivotal in laying the foundation for Smith’s work at PNNL and building the Laboratory’s supply chain risk management capabilities.

“I was working with David Manz as a junior cyber researcher, and he took the crazy idea I had and worked with me to turn it into a major DOE project,” said Smith. “It was my first taste of seeing a problem, finding my own solution to it, building a team, and then making that solution a reality. I’ve been addicted to it ever since!”

SCI-FI soon led to Cyber Testing for Resilient Industrial Control Systems (CyTRICS), which taps the expertise at six DOE national laboratories. Through testing and analysis, the goal is to confirm the security of the software and firmware of components used across the energy sector.

Fortunately, heightened awareness and scrutiny of supply chain risk management have increased collaboration among stakeholders. Smith uses the electric grid as an example: more than 40,000 different operators and companies are involved across the country. To be successful, any solution would involve partnership with all of them.

Launching Inaugural Supply Chain Conference

The industry-wide collaborations have led to PNNL hosting the first Cyber Supply Chain Risk Management (CySCRM) Conference, October 29–30, 2024, in Richland, Washington.

CySCRM ’24 will bring together thought leaders to discuss tools, methods, and case studies related to the critical electronics in supply chains with one central goal—enabling trust in digital critical systems.

Whether the systems are critical infrastructure, military, or medical, participants will leverage the same toolsets, device integrity evaluations, and system security testing to understand and build trust.

For CySCRM ’24, PNNL is teaming with LLNL and the University of Texas at El Paso on the planning with the goal of LLNL hosting the next annual conference in 2025. NetRise is also a sponsor of this year’s conference. Smith believes these interactions represent how much progress has been made in CySCRM during the past decade.

“Up until now, we haven’t had the data to be able to use more advanced tools, like artificial intelligence and machine learning, to be able to evaluate large, national-scale bottlenecks which could lead to significant negative effects on our critical infrastructure,” said Smith. “With the capabilities we are building today, we can go from finding problems in devices and systems to finding systems-level problems. Then we can leverage those advanced tools to fix them.”

Linh Truong is senior communicator at PNNL. The article was originally posted to the website of PNNL.