| Situation | Options to pursue |
|---|---|
| MEDIUM risk | Purchase from commercial suppliers with sound reputations and avoid black market suppliers. |
| Confidentiality is desired as to the specifics of what is being built, where, and for what purpose. | Use operations security methods to avoid association of components with projects, to reduce systematic intentional attacks. |
| Regulations require it or a "higher level of trust" is desired. | Purchase only from vendors vetted by official bodies or certified for the purposes. |
| ALWAYS | Use detailed inspection processes to verify and validate components. |
| ALWAYS | Perform well-defined acceptance testing processes to verify proper operation. |
| ALWAYS | Specify manufactured components and verify thoroughly against specifications. |
| When "purity" or "security" concerns apply to the entire lifecycle | Implement physical controls over the lifecycle of all components. |
| When sensitivity of mechanisms, intellectual property rights, or thefts are at issue | Implement personnel controls over the lifecycle of all individuals involved in the production. |
| HIGH risk | Use an end-to-end step-wise specification and inspection process to verify all aspects of the process, AND/OR use a fully captive end-to-end process entirely within "owned" facilities, people, materials, equipment, etc. |
Ignore supply chain issues.
In many low-consequence environments, lowest cost of acquisition is the dominant factor in decision-making. This is all the more so where operations are not expected to last very long, or where acquisition budgets are limited and the longevity of the effort is not known in advance. For rapid prototyping and research environments this is also often a reasonable strategy: equipment is typically not used to its capacity, and acquisition times are often very short in order to meet deadlines for projects that will have no long-term application.
Purchase from commercial suppliers with sound reputations and avoid black market suppliers.
This is always a good idea when making "open" purchases of commodity goods, and reasonable controls of this sort should be implemented in most cases.
Use operations security methods to avoid association of components with projects to reduce systematic intentional attacks.
This includes methods such as purchasing parts in bulk from different suppliers and mixing batches to avoid systematic exploitation, purchasing under pseudonyms associated with less "interesting" or less targeted businesses, purchasing from other locations or offices, and similar methods. It is usually applied where confidentiality is desired as to the specifics of what is being built, where, and for what purpose.
Purchase only from vendors vetted by official bodies or certified for the purposes.
Examples of certification processes include Trusted Computing Group (TCG) and Common Criteria (CC) certifications, purchasing only from nationally restricted companies (e.g., US-only manufacturers), purchasing only from makers that employ cleared personnel, and so forth. Care should be taken in reviewing the specifics of "approved" products: a Common Criteria evaluation, for example, is performed against a particular protection profile or security target, at a particular assurance level and in a particular evaluated configuration, and that profile may not suit the need at hand. Similarly, national (e.g., US) manufacturers may use many extra-national (e.g., non-US) components, and the major operating systems available today (e.g., Linux, Windows, OS X) are all internationally developed.
Use detailed inspection processes to verify and validate components.
This approach uses a wide range of inspection processes, depending on what is to be assured. For example, part inspection processes (e.g., x-rays or ultrasound) may be used to assure that parts have the same internal structures as expected from a "golden unit"; packaging may be inspected to assure that seals are present and that acceleration during delivery was not excessive; composites may be taken apart to verify that components are as they should be and that none have been added, removed, or replaced; and weights, sizes, and other physical characteristics may be tested against specifications or against previous units.
Perform well-defined acceptance testing processes to verify proper operation.
Acceptance testing should be part of any ICS effort involving non-trivial consequences. For example, component testing processes may be used to assure that parts operate within tolerances over specified ranges; complete tests for logical components of moderate complexity may be undertaken; test modes may be exercised to verify that known fault types are not present; component tests may be done prior to assembly in test rigs or similar test facilities; composites may be tested across a range of operating conditions; samples may be extracted for destructive testing; failure modes may be verified against test conditions to verify that failsafe modes operate properly; performance tests of various sorts may be undertaken; and known samples with different known conditions may be used to verify that all identified conditions are detected and properly responded to. The list goes on, and is usually formally managed by a process that produces test sequences that can be largely automated and repeated. Such tests are often demonstrated prior to shipment and then verified on arrival, before ICS components are tested in the production environment.
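The inspection and acceptance-testing passages above describe a repeatable sequence: compare each delivered unit against the purchaser's specification (nominal values with tolerances) and against a golden unit, exercise known fault conditions to confirm the fail-safe response, and use known samples to confirm that the test process itself still detects what it is supposed to detect. The following is an added example written for this page, not code from the original text or from any vendor; the part number, measurement names, tolerances, firmware bytes and fault responses are all constructed for illustration.

```python
"""Added example: a repeatable acceptance-test pass over a delivered lot.

Each unit is checked against a specification with tolerances, against the
golden unit's firmware digest, and against the fail-safe state required under
injected fault conditions.  Before any lot result is reported, the rig proves
it still accepts a known-good sample and rejects a known-bad one.
All names and values below are constructed, not from a real product.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tolerance:
    nominal: float
    plus_minus: float

    def contains(self, value: float) -> bool:
        return abs(value - self.nominal) <= self.plus_minus


@dataclass
class Spec:
    part_number: str
    measurements: dict        # characteristic -> Tolerance
    firmware_sha256: str      # digest taken from the golden unit's image
    fault_responses: dict     # injected condition -> required fail-safe state


@dataclass
class Unit:
    serial: str
    measurements: dict        # characteristic -> measured value
    firmware: bytes           # image read back from the device
    fault_responses: dict     # injected condition -> observed state


def inspect(spec: Spec, unit: Unit) -> list:
    """Return the findings for one unit; an empty list means the unit is accepted."""
    findings = []
    # Physical/electrical characteristics: every specified one must be present and in tolerance.
    for name, tol in spec.measurements.items():
        if name not in unit.measurements:
            findings.append(f"{name}: not measured")
        elif not tol.contains(unit.measurements[name]):
            findings.append(f"{name}: {unit.measurements[name]} outside "
                            f"{tol.nominal} +/- {tol.plus_minus}")
    # Logical component: the image must match the golden unit bit for bit.
    if hashlib.sha256(unit.firmware).hexdigest() != spec.firmware_sha256:
        findings.append("firmware: digest differs from golden unit")
    # Fail-safe behaviour: each known fault must produce the required response.
    for condition, required in spec.fault_responses.items():
        observed = unit.fault_responses.get(condition, "<no response recorded>")
        if observed != required:
            findings.append(f"fault {condition}: observed {observed}, required {required}")
    return findings


def rig_is_trustworthy(spec: Spec, known_good: Unit, known_bad: Unit) -> bool:
    """The sequence must accept a known-good sample and reject a known-bad one;
    otherwise it is the test process, not the lot, that needs attention."""
    return inspect(spec, known_good) == [] and inspect(spec, known_bad) != []


def accept_lot(spec: Spec, lot: list, known_good: Unit, known_bad: Unit) -> dict:
    """Run the full sequence over a lot; withhold all results if the rig fails its self-check."""
    if not rig_is_trustworthy(spec, known_good, known_bad):
        raise RuntimeError("acceptance rig failed self-check; lot results withheld")
    return {unit.serial: inspect(spec, unit) for unit in lot}


# ---- constructed sample data (hypothetical pressure transmitter "PT-100") ----
GOLDEN_FIRMWARE = b"PT-100 firmware image v2.3 (constructed)"
SPEC = Spec(
    part_number="PT-100",
    measurements={
        "mass_g": Tolerance(412.0, 2.0),
        "length_mm": Tolerance(118.0, 0.5),
        "loop_current_at_zero_mA": Tolerance(4.00, 0.02),
    },
    firmware_sha256=hashlib.sha256(GOLDEN_FIRMWARE).hexdigest(),
    fault_responses={"sensor_open_circuit": "output_high_alarm",
                     "supply_undervoltage": "output_low_alarm"},
)
GOOD_RESPONSES = dict(SPEC.fault_responses)


def make_unit(serial, mass=412.0, length=118.0, current=4.00,
              firmware=GOLDEN_FIRMWARE, responses=None) -> Unit:
    return Unit(serial,
                {"mass_g": mass, "length_mm": length, "loop_current_at_zero_mA": current},
                firmware,
                responses if responses is not None else GOOD_RESPONSES)


GOLDEN_UNIT = make_unit("GOLDEN-0001")
SEEDED_BAD = make_unit("SEEDED-BAD", mass=430.0)   # deliberately out of tolerance
LOT = [
    make_unit("SN-1001"),
    make_unit("SN-1002", mass=415.5),                          # 3.5 g heavy: something added?
    make_unit("SN-1003", firmware=GOLDEN_FIRMWARE + b"\x00"),  # image differs from golden unit
    make_unit("SN-1004", responses={"sensor_open_circuit": "output_high_alarm",
                                    "supply_undervoltage": "output_unchanged"}),  # no fail-safe
]

if __name__ == "__main__":
    for serial, findings in accept_lot(SPEC, LOT, GOLDEN_UNIT, SEEDED_BAD).items():
        print(serial, "ACCEPTED" if not findings else "REJECTED: " + "; ".join(findings))
```

The self-check in `accept_lot` is the part most often skipped in practice: a rig whose seeded known-bad sample passes is reporting nothing about the lot, so the example refuses to emit results rather than emitting a clean report from a broken process.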
Specify manufactured components and verify thoroughly against specifications.
In many cases, components are specified at a level of detail that supports verification of functionality as well as security properties. Even where protection requirements are specified, they often do not get tested to the level of specificity of the design. In some cases the specifications are done at the circuit or even layout level, so that the manufacturing process is quite tightly specified and the delivered product can be verified against it with high precision.
Use an end-to-end step-wise specification and inspection process to verify all aspects of the process.
In this process, in addition to specification and end product verification, each step in the manufacturing process is inspected (and perhaps even supervised) by the purchaser to assure that the process itself is as desired each step of the way. This requires a very close relationship between the parties and is usually used only for very high-valued contracts.
Implement physical controls over the lifecycle of all components.
In some cases, physical controls over components are required throughout the processes undertaken, for example in the manufacture of sensitive military systems, fireworks, explosives, space vehicles, integrated circuits, and so forth. The reasons for these controls differ, ranging from "security" concerns to purity requirements for the reliability of precise manufacturing processes.
Implement personnel controls over the lifecycle of all individuals involved in the production.
Personnel controls are usually associated with sensitivity of mechanisms, intellectual property rights, or theft. For example, cleared personnel may be required for classified processes; in industries like cosmetics and pharmaceuticals, formulas and processing methods are very tightly controlled to protect against intellectual property theft; and in the integrated circuit business, where the circuits are worth more per ounce than gold, controls are used to limit "shrinkage" from employees walking out with devices.
Use a fully captive end-to-end process entirely within "owned" facilities, people, materials, equipment, etc.
This method is used when extremely high surety is desired and the threat level or the consequences of mistakes are extreme, for example in the production of weapons of mass destruction, intelligence mechanisms, space systems, and similar arenas. Today it is extremely rare because of the enormous range of expertise involved in complex ICS environments and the economies of scale associated with production; in most cases, pockets of expertise are in different places and work for different organizations.