Prerequisites
An adversary would need access to FPGA programming/configuration-related systems in a chip maker’s development environment, where FPGAs can be initially configured prior to delivery to a customer, or access to such systems in a customer facility, where end-user FPGA configuration/reconfiguration can be performed.
Skills Required
An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced.
Mitigations
Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.
Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for FPGA programming and program uploads to FPGA chips.
Require that provenance of COTS microelectronic components be known whenever procured.
Conduct detailed vendor assessment before acquiring COTS hardware.
References
REF-660
Supply Chain Attack Patterns: Framework and Catalog
Melinda Reed, John F. Miller, Paul Popick.
https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html
REF-439
Supply Chain Attack Framework and Attack Patterns
John F. Miller.
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
REF-662
Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC)
Jeremy Muldavin.
Submission
Name | Organization | Date | Publication Date
CAPEC Content Team | The MITRE Corporation | 2021-06-24 +00:00 |
Modifications
Name | Organization | Date | Comment
CAPEC Content Team | The MITRE Corporation | 2022-02-22 +00:00 | Updated References
CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | Updated Taxonomy_Mappings