October 8, 2024
Feature

Thwarting Threats in the Supply Chain

Safeguarding our critical infrastructures


Exploding pagers, a bridge in Baltimore collapsed by a cargo ship, and hacks on a water system in rural Texas: all spotlight vulnerabilities in our complex, global supply chain.

Researchers at Pacific Northwest National Laboratory (PNNL), like Jess Smith, are familiar with the challenges and consequences. Smith is an expert in supply chain risk management (SCRM) for cyber systems who has dedicated her career to looking at potential weaknesses in the nation’s infrastructures to ‘fix them before the bad guys find them.’

At PNNL, these efforts focus on taking a wider look at the system through the supply chain’s lifecycle and subcomponents to determine the big-picture risks. Researchers are developing secure cyber processes through maturity models, which identify bottlenecks and areas of improvement and enable ongoing improvement; electronic component and device verification and validation; and system resiliency analyses.

For Smith, success means assessing supply chains for cyber systems and identifying solutions that can be implemented at a national scale.

Building a fixable computer

Shortly after graduating from a technical charter high school, Smith found herself working in various computer repair shops as she moved around the country with her husband, who was in the military. She quickly realized that computers weren’t built to be easily repaired. Her frustration convinced her to go back to school to design computers that could be more easily fixed.

While she was studying computer engineering at the University of Idaho, a professor recommended that she take a cybersecurity class. She realized that solving cybersecurity challenges, whether in class or in the real world, wasn’t about finding only the right and wrong approaches but was more centered on the many different possible approaches.

“I loved it!” said Smith. “I realized I wanted to shift my focus to building things that are secure and underpin our lives, like keeping the lights on in our communities or providing people with clean water.”

Collaboration and consensus

Smith and PNNL were partnering with other national laboratories, academia, and industry 10 years before the White House issued executive orders to elevate support of supply chain and cybersecurity measures in 2021, requiring interagency compliance with SCRM.

In 2011, PNNL led the Supply Chain Integration For Integrity (SCI-FI) project that created tools to address supply chain needs for utilities, vendors, and chipset manufacturers. The project focused on hardware reverse engineering, and partners included the Department of Energy’s (DOE’s) Lawrence Livermore National Laboratory (LLNL) and Oak Ridge National Laboratory, along with industry partners Digital Management, Inc., and Pacific Gas and Electric. Together, they developed open-source tools and technologies that touched on policy, architecture, software, firmware, and hardware.

SCI-FI was pivotal in laying the foundation for Smith’s work at PNNL and building the Laboratory’s supply chain risk management capabilities.

“I was working with David Manz as a junior cyber researcher, and he took the crazy idea I had and worked with me to turn it into a major DOE project,” said Smith. “It was my first taste of seeing a problem, finding my own solution to it, building a team, and then making that solution a reality. I’ve been addicted to it ever since!”

SCI-FI soon led to Cyber Testing for Resilient Industrial Control Systems (CyTRICS), which taps the expertise at six DOE national laboratories. Through testing and analysis, the goal is to confirm the security of the software and firmware of components used across the energy sector.

Fortunately, the heightened awareness and scrutiny of supply chain risk management have increased collaboration among stakeholders. Smith uses the electric grid as an example, with more than 40,000 different operators and companies involved across the country. To be successful, any solution would involve partnership with all of them.

Smith was an invited speaker at the Forefront23 workshop for the National Nuclear Security Administration. (Photo: National Nuclear Security Administration)

Launching inaugural supply chain conference

The industry-wide collaborations have led to PNNL hosting the first Cyber Supply Chain Risk Management (CySCRM) Conference, October 29–30, 2024, in Richland, Washington.


CySCRM ’24 will bring together thought leaders to discuss tools, methods, and case studies related to the critical electronics in supply chains with one central goal—enabling trust in digital critical systems.

Whether the systems are critical infrastructure, military, or medical, participants will leverage the same toolsets, device integrity evaluations, and system security testing to understand and build trust.

For CySCRM ’24, PNNL is teaming with LLNL and the University of Texas at El Paso on the planning with the goal of LLNL hosting the next annual conference in 2025. NetRise is also a sponsor of this year's conference. Smith believes these interactions represent how much progress has been made in CySCRM during the past decade.

“Up until now, we haven’t had the data to be able to use more advanced tools, like artificial intelligence and machine learning, to be able to evaluate large, national-scale bottlenecks which could lead to significant negative effects on our critical infrastructure,” said Smith. “With the capabilities we are building today, we can go from finding problems in devices and systems to finding systems-level problems. Then we can leverage those advanced tools to fix them.”

###

About PNNL

Pacific Northwest National Laboratory draws on its distinguishing strengths in chemistry, Earth sciences, biology and data science to advance scientific knowledge and address challenges in sustainable energy and national security. Founded in 1965, PNNL is operated by Battelle for the Department of Energy’s Office of Science, which is the single largest supporter of basic research in the physical sciences in the United States. DOE’s Office of Science is working to address some of the most pressing challenges of our time. For more information, visit https://www.energy.gov/science/. For more information on PNNL, visit PNNL's News Center.
