
Secure supply chain plays key role in protecting servers


With sophisticated cybercriminals targeting server firmware, protection across the entire manufacturing process is now essential. Find out how HPE ProLiant Gen10 servers provide end-to-end supply chain security at every touch point.

Threat actors continue to get smarter and more organized, with covert groups sharing intelligence on how to breach corporate and government networks. As cyberattacks increase in sophistication, the effects of IT security failures have become far more consequential:

  • The average cost to businesses from cybercrime is escalating out of control. By 2021, cybercrime will cost the global economy $6 trillion, which is more than the gross domestic product of France, Italy, and Spain combined. This represents the largest transfer of wealth in the history of mankind and is larger than the entire global illegal drug trade business.(1)
  • 720 million attack attempts occur every 24 hours. (2)
  • In 2019, a company will be infected with a ransomware virus every 14 seconds. (3)


Financial losses occur for various reasons: data destruction, reduced productivity, theft of personal and financial data, stolen intellectual property and remediation costs. There’s also the cost of reputational damage, which is difficult to measure but undoubtedly significant.

Some cybercriminals are now using a relatively new attack vector, the server firmware. Adversaries that manage to inject even a couple of lines of malicious code into firmware—in the server supply chain, at run time, or via physical access—can steal data, create denial-of-service conditions, or compromise the integrity of the entire system.

A technology stack devised specifically to protect firmware

HPE specifically devised the technology stack in HPE ProLiant Gen10 servers from the silicon layer upward to help businesses solve the problem of firmware attacks. Our approach to enterprise IT security provides industry standard-based safeguards for all your critical workloads, such as ERP and CRM databases, business analytics, and large-scale consolidation and virtualization.

The controls we integrate into the ProLiant Gen10 servers are based on the guidelines prescribed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. By utilizing technology that adheres to the NIST guidelines, our servers help you carry out the framework's five functions for IT network security incidents: identify, protect, detect, respond, and recover.

To the heart of the matter: protection across the supply chain at every touch point

Materials suppliers. Logistics and transportation services. Manufacturing, from production to assembly. Warehouse and distribution centers. Outsource service support. Supply chain vulnerabilities at any of these touch points can result in the introduction of counterfeit parts or malicious software into the manufacturing, warehousing, transit and pre-deployment phases. This can in turn result in nation-state actors gaining access to servers and conducting espionage and denial-of-service campaigns.

To eliminate this risk, our suppliers are required to comply with several standards based on our policies and industry-wide best practices. These include ISO standards and the Defense Federal Acquisition Regulation Supplement (DFARS). Our suppliers must also ensure their shipping and logistics processes are compliant with Customs-Trade Partnership Against Terrorism (C-TPAT) or comparable programs.

We assure supplier compliance through risk-based security audits, program monitoring and reporting, inspection and testing of electronic parts, component traceability and material control processes. We also quarantine and purge tainted components.

Building security into every aspect of our products

To eliminate compromises throughout the entire supply chain lifecycle, we have also implemented additional measures that prevent tampering and maintain product integrity:

  • Firmware protection standards—HPE adheres to standards such as the NIST BIOS Protection Guidelines for Servers and the ISO specification for supply chain security management systems. Following these standards mitigates the risks of firmware tainting, corruption, counterfeiting and substitution.
  • Provenance, sourcing, origin, and traceability—For programmable logic components, we provide complete product and part traceability—including country of origin, supplier name and conformance certification. We require our suppliers to do the same.
  • Control over custom silicon and HPE iLO firmware—We build and have complete control over the custom HPE silicon and HPE iLO controller firmware at the heart of our Silicon Root of Trust. This greatly reduces opportunities for tampering.
  • Security labeling, packaging and anti-counterfeiting—High-risk parts prone to counterfeiting in the marketplace are protected by high-tech security features. We also have world-class anti-counterfeiting investigations and intelligence capabilities at work protecting HPE and our customers.

On the backend of our supply chain, we use secure and protected clean rooms to digitally sign every piece of firmware that goes into our systems. We also build our hardware chassis completely and then put a lid on it and seal it. An internal switch then records if the chassis is ever opened, which prevents undetected tampering that some governments and nation-state actors have indulged in over the last few years. On high-risk components such as drives and memory, we use labels that are impossible to duplicate, making it easy to distinguish counterfeit products.
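The value of signing every firmware image in a controlled environment, and of anchoring verification in a root of trust the platform controls, is that the boot path can refuse any image whose signature does not check out against the trusted public key, including an image in which only a couple of bytes have been altered. The following Go program is an added illustration of that check; it is not HPE code and does not reproduce the image format, key management, or signature scheme used by HPE iLO or the Silicon Root of Trust. It assumes a constructed image layout (magic, length, payload, Ed25519 signature) and stands in a freshly generated key pair for the clean-room signing key, with its public half playing the role of the key baked into immutable silicon.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not a real vendor format):
// magic (4 bytes) | payload length (4 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
const imageMagic = "FWIM"

// SigningAuthority models the clean-room signing step: the private key never
// leaves this struct, and only the public key is handed to the verifier.
type SigningAuthority struct {
	priv ed25519.PrivateKey
}

// NewSigningAuthority generates a signing key pair (hypothetical stand-in for
// a vendor's signing key) and returns the public half to embed in the root of trust.
func NewSigningAuthority() (SigningAuthority, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SigningAuthority{}, nil, err
	}
	return SigningAuthority{priv: priv}, pub, nil
}

// SignImage wraps a firmware payload in the header and signs header+payload,
// so a change to either the length field or the payload invalidates the signature.
func (a SigningAuthority) SignImage(payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	sig := ed25519.Sign(a.priv, buf.Bytes())
	buf.Write(sig)
	return buf.Bytes()
}

// VerifyImage is the root-of-trust side: it validates structure first, then the
// signature, and returns the payload only when the image is authentic.
func VerifyImage(rootKey ed25519.PublicKey, image []byte) ([]byte, error) {
	hdr := len(imageMagic) + 4
	if len(image) < hdr+ed25519.SignatureSize {
		return nil, errors.New("image too short to contain header and signature")
	}
	if string(image[:len(imageMagic)]) != imageMagic {
		return nil, errors.New("bad image magic")
	}
	n := int(binary.BigEndian.Uint32(image[len(imageMagic):hdr]))
	if n != len(image)-hdr-ed25519.SignatureSize {
		return nil, errors.New("length field does not match image size")
	}
	signed := image[:hdr+n]
	sig := image[hdr+n:]
	if !ed25519.Verify(rootKey, signed, sig) {
		return nil, errors.New("signature check failed: image was not signed by the trusted key")
	}
	return image[hdr : hdr+n], nil
}

func main() {
	auth, rootPub, err := NewSigningAuthority()
	if err != nil {
		panic(err)
	}
	// Constructed payload standing in for a firmware image.
	payload := []byte("constructed firmware payload: init(); bringup(); serve();")
	image := auth.SignImage(payload)

	if _, err := VerifyImage(rootPub, image); err != nil {
		fmt.Println("genuine image rejected:", err)
	} else {
		fmt.Println("genuine image: accepted")
	}

	// Flip a single payload byte, modelling a small injected change.
	tampered := append([]byte(nil), image...)
	tampered[len(imageMagic)+4] ^= 0x01
	_, err = VerifyImage(rootPub, tampered)
	fmt.Println("tampered image:", err)

	// An image signed by a different key, even if well-formed, is also refused.
	otherAuth, _, _ := NewSigningAuthority()
	_, err = VerifyImage(rootPub, otherAuth.SignImage(payload))
	fmt.Println("image signed by untrusted key:", err)
}
```

The structural checks run before the signature check so that a malformed length field cannot cause an out-of-range slice, and the signature covers the header as well as the payload; in a real platform the public key in `VerifyImage` would live in storage the firmware itself cannot rewrite, which is the property the silicon root of trust provides.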

When it comes to supply chain security, look beyond just your organization

The reality is, organizations often fail to consider the supply chain when analyzing risks. Third-party developers and vendors are key actors in the supply chain of IT systems, hardware, and software entering our organizations.

That’s why we have to consider not only how secure my organization is, but how secure the people connected to my organization are. One way that HPE is addressing this concern is to ensure standard information security requirements are included in our supply chain contracts. As the supply chain and manufacturing industry coalesce around standard security expectations, we can reduce the likelihood of any of our brands being impacted by security incidents such as malware being introduced in our products and components.

Risks have to be analyzed, and requirements developed, to address risk at each of these touch points. For example, malware or counterfeit parts could be introduced at any of these touch points. Our expectation is that our supply chain partners flow these security requirements down to their supply chain partners as well. Each supply chain partner has to address the same touch points for their organization.

Comprehensive views into IT security and cybercrime costs

It is also critical to understand the impact of cybercrime costs and how to strike a balance between deploying technologies that allow you to drive innovation while keeping your digital assets secure. Check out the Ponemon Institute white paper, 2016 Cost of Cyber Crime Study & the Risk of Business Innovation, to find out more.

As you build, deploy, and manage servers to run your critical application workloads, HPE is committed to making sure our technology provides standards-based safeguards. To learn about the firmware security offered by HPE ProLiant Gen10 servers and how we ensure data protection, we invite you to read our white paper, A comprehensive view of IT infrastructure security.



About the Author


Bob leads the partner software organization for the server division. His team is also responsible for productizing the new HPE security technologies and delivering a comprehensive approach to security across all solutions.