3 Part Series: How the Semiconductor Shortage Poses Cybersecurity Risks to our Critical Infrastructure (Part 2)

Part 2: The Complexity of the Microelectronics Supply Chain

The current semiconductor shortage demonstrates the need for more resiliency and agility in our global supply chains. To more concretely understand the complexity, take the example of microelectronics used throughout critical infrastructure industries:

Today, infrastructure operators commonly manage thousands of pieces of equipment such as Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems (DCS), and process control systems (PCS). The connected equipment, such as programmable logic controllers (PLC), that make up these systems are generally composed of chip sets, graphic processing units (GPU), central processing units (CPU), memory, and other components, all made by independent producers and assembled into end products. Since the nature of hardware and software development is iterative, with succeeding versions relying heavily on prior designs and code, the vulnerabilities can compound across evolving versions. Manufacturers and producers don’t start with a white sheet of paper, they build upon past platforms and apps, creating genealogical patterns that ripple through subsequent versions of hardware, firmware, and software.

Exacerbating this complexity, components are mostly fabricated and assembled by a chain of manufacturers and subcontractors outside of the US. When you take a moment to recognize the sheer number of suppliers involved, combined with offshore manufacturing of the semiconductor supply chain, the inherent security risks are quite unnerving.