Servers & Systems: The Right Compute

HPE extends supply chain security with HPE Trusted Supply Chain initiative

HPE becomes the first major server manufacturer to address new product security issues and regulatory requirements. Get the complete details here—and learn what HPE is doing to secure product lifecycles through the supply chain and onward.

HPE-Trusted Supply Chain-blog.jpg

Many organization often believe that the security health of their IT begins once they receive, turn on, and operate their IT equipment. What they do not realize is the security journey of their IT products begins prior to their possession—in transit when it’s being shipped to them, or even on the factory floor where it’s being built.

There have been growing concerns that products delivered to a customer’s data center from supply bases that are not properly vetted can contain rogue tiny chips, malware, or compromised code.  

Without having assurance of where their new IT products came from, or who had access to them, customers are now focusing on critical processes—including the manufacturing, distribution, and delivery aspects of a product’s lifecycle— for assurance that products delivered to their data centers are free from unauthorized activity

Securing product lifecycles through the supply chain and onward

Putting security at the heart of our products is our priority at HPE. To expand on that commitment, we have extended secure capabilities from within the server, at the silicon level, to the physical hardening of it. This protects the server from tampering and any unauthorized activity from the time it is manufactured, during distribution and shipping, and throughout its lifecycle after it's made it to a customer’s hands.

As a first step in a broader supply chain security initiative, we are proud to announce that HPE is the only major server manufacturer to ship the world’s most secure, industry-standard servers that are securely sourced from the U.S. We are further expanding and securing our supply chain with the launch of the HPE Trusted Supply Chain.

While our current supply chain processes and procedures surpass all regulatory standards for cybersecurity, such as with the National Defense Authorization Act, HPE is elevating the ability to deliver products to our customers securely—and well beyond what our competitors currently offer. For example, with the new HPE Trusted Supply Chain ProLiant DL380T that is produced through the HPE Trusted Supply Chain and has begun shipping today, we are targeting the public sector, healthcare, and financial services markets that prefer secure products, sourced from the U.S.

We plan to fully expand this offering to other HPE products and countries early next year. We have already received expressed interest in this type of offering from European customers and plan to offer a “made in Europe” product for them as well.

Increasing supply chain resiliency

If sourcing concerns were not overwhelming enough, the COVID-19 pandemic presented even more challenges which further increased scrutiny on product sourcing and supply chain processes. The impact of COVID-19 unleashed a new dimension to supply chain issues: resiliency. What if the world has become too reliant on sourcing of products from a single country? What if geo-political issues, like tariff wars or even retaliation, suppress the world’s ability to source from a single location? Having a diverse and maybe even a more localized supply chain might create more resiliency and dependability in sourcing strategies. 

A recent podcast featuring John Grosso, Vice President of Global Supply Chain Engineering at HPE, discussing these issues and how HPE, among others, is addressing them: Securing the Infrastructure Supply Chain

The new HPE Trusted Supply Chain initiative responds to these real-world challenges as it offer customers, particularly those in the U.S. public sector and government agencies, additional supply chains and options to purchase certified, made-in-USA servers. We are additionally responding to customers’ increasing concerns about supply chain security by assigning vetted U.S. HPE employees, making it improbable for any unauthorized or rogue firmware or components to be inserted in our compute products. Already having the most secure supply chain in the world, HPE is taking supply chain security to the next level, with new HPE Trusted Supply Chain products.

T is for Trusted

HPE is the only major server manufacturer to offer a supply base to produce a mainstream, high-volume product—more than 250,000 products per year—with an option for country-of-origin USA manufacturing. 

And we are taking it further than that by hardening our products, produced through the HPE Trusted Supply Chain, with a series of HPE-exclusive security features. 

These security features are an extension to our built-in and award-winning security feature, the HPE-exclusive silicon root of trust technology, which protects over 4 million lines of firmware from malware or ransomware and provides protection to more 2 million compute products around the world. 

Each of the security capabilities further lock down the server and ensures the product is secure, not only during the supply chain process, but also during run-time operations. The new HPE ProLiant DL380T will ship with these five security features activated at the U.S. factory:

  1. Placing severs in high security mode—Our servers always ship to customers in production mode, but the ProLiant DL380T will be placed into high security mode at the HPE factory in the US. This feature, invoked through iLO commands, actually reduces the attack surface for cyberattackers, making it more difficult to insert compromised code or malware into the server firmware. This mode locks down the host and requires specific authentication through encryption before any user can log into the server. Naturally, this makes it much more difficult for cyberattackers to gain access to our ProLiant DL380T.
  2. Enabling the UEFI Secure Boot feature—For customers who ask HPE to load their operating system at the factory, another option is to enable the UEFI Secure Boot, which connects the HPE Silicon Root of Trust to the OS.  An industry-recognized feature, affixing the UEFI firmware to the boot loader insures the genuine and authenticated OS is initialized.  If the customer chooses to load the OS on their own, this feature may be engaged once the ProLiant DL380T is delivered to the end-user location.  Any anti-virus software actually runs in the OS, but cannot detect hackers or an intrusion until the OS is fully running. Some astute bad actors try to compromise the OS before its anti-virus tools have a chance to start. The HPE UEFI Secure Boot insures that doesn’t happen. 
  3. HPE Server Configuration Lock—This actually takes cryptographic measurements, or images, of all the ProLiant DL380T firmware, hardware components, and options. This feature, which is unique to and only offered by HPE, will create a log inside the server. If any firmware, hardware, or options are altered, registers an immediate alert at boot-up.  Enabling this feature at the HPE factory essentially prevents any and all tampering or compromise to the server composition, no matter how slight. This feature uses a password, created by HPE, to lock down the server configuration at the factory. That password is then transmitted securely to the customer, who will unlock the server once it arrives. For customers who need to create some additional configuration to the server, perhaps through a reseller or partner, that password can unlock and then relock the server before it ships to the final destination. Thus, HPE is providing the ultimate security along with flexibility for customers simultaneously.   
  4. The HPE Chassis Intrusion Detection device—This mechanism protects the ProLiant DL380T from physical intrusion. Complementing and reinforcing the protection from the Server Configuration Lock, the Chassis Intrusion Detection Device registers an alert if the top of the server chassis is removed. Like an electronic deadbolt on your door, it logs an audit alert in the iLO firmware, even if the server does not have power. If any cyberattacker or unauthorized personnel ever open the server chassis, our customers will know someone has potentially been tampering with the server.
  5. Specialized delivery services—These will actually provide a dedicated truck and driver, if requested, to deliver the DL380T safely right from the HPE factory to the end-user location. At an additional service, delivery options available to customers are the express service and the premiere service. Through these options, customers may also request that HPE deliver, set up, and operationalize our HPE products in their data center. Once again, HPE is offering the highest levels of security, without sacrificing the flexibility customers need in their diverse and sometimes remote IT locations. 

Focusing on public/federal, financial services, and healthcare markets

The new ProLiant DL380T will be most appropriate for the highly security conscientious customers. Many of those users are in the public or federal sector and currently must comply with numerous regulations like the Defense Federal Acquisition Regulation Supplement (DFARS), and the Federal Acquisition Regulation Supplement (FARS), along with National Defense Authorization Act (NDAA). The financial services industry is also under numerous requirements for safeguarding the privacy of personal and monetary information they keep. Finally, the healthcare industry has some of the most onerous certification requirements, like HIPAA, requiring absolute patient information protection. 

Our U.S.-made products deliver on the need for not only building security in from the ground up but also on our guarantee to manufacture and deliver products securely through our supply chain to the end user location. Cybersecurity concerns generally transcend all market segments. No one wants to be the next big retail outlet or manufacturing company to have a breach, like we’ve seen all too often in the past. But, we believe our new HPE Trusted Supply Chain initiative will be particularly for agencies or customers who are on the leading edge of cybersecurity protective requirements in federal, financial, and healthcare markets.  

Compliance with the National Defense Authorization Act specifically

The new NDAA further reinforces the need to scrutinize sourcing, particularly of Chinese made components. The NDAA FY19 Section 889 (Act) created a two-pronged prohibition on the procurement of equipment or services or contracting with any vendor that uses the equipment or any services that rely upon the equipment of certain Chinese companies, including but not limited to Huawei, ZTE, Hytera, Hikvision, and their affiliates. None of HPE’s products contain components from these prohibited companies, but by assembling HPE’s Trusted Supply Chain DL380T in the U.S., we can provide further scrutiny locally, with US vetted US employees, to insure none of the prohibited components are installed in this product.

The NDAA does not specifically require that every single component inside a server be non-China made, but it does prohibit use of several Chinese suppliers, like ZTE and Huawei. The HPE ProLiant DL380T is in full compliance with the NDAA.  By producing this server in the U.S,. we can provide the scrutiny locally, with U.S. vetted employees, to insure none of the prohibited components are installed in this compute product. 

Additional benefit from the Cyber Catalyst designation

The HPE-exclusive silicon root of trust has been recognized for its ability to reduce risk by insurers in the Cyber CatalystSM program created by Marsh, a global leader in insurance broking and risk management. Cyber Catalyst is Marsh’s new cybersecurity evaluation program that enables customers that adopt designated technologies to be considered for enhanced terms and conditions on cyber insurance policies from participating insurers. The ProLiant DL380T has the HPE-exclusive silicon root of trust which carries this coveted designation.

The Cyber Catalyst program brings together eight of the world’s leading cyber insurers to evaluate cybersecurity products and services and identify those solutions they believe can be effective at improving cybersecurity posture and reducing cyber risk. This designation, issued by Marsh Insurance broker, may entitle our customers to enhanced terms and conditions for purchase of cyber security insurance.  In an age when most large enterprise firms pay millions of dollars every year for cyber insurance, having enhanced terms and conditions can be extremely beneficial. HPE is the only server manufacturer to have the Cyber Catalyst Designation, a further testament to our differentiated and advanced security capabilities to protect, detect, and recover products from vulnerabilities. 

Providing the ProLiant DL380T as-a-service

HPE is well on our way to providing all of our products as a service. The DL380T can also be provided to our customers as a service. This has a tremendous benefit for our customers, who have expressed concern about big public cloud providers, because of security issues. With HPE as a service model, customers know we’re managing their IT equipment securely and they know it came from a secure location. While no one really knows what kind of products big public cloud providers are currently using, or where they came from, customers can be certain that the DL380T, managed as a service by HPE, is made in the U.S., by U.S. vetted personnel, with all the additional hardened security features activated at the factory.  

As always, HPE is extending our leadership

HPE is once again, out in front when it comes to protecting our customers. Watching the prevailing trends of supply chain issues, we’ve taken security of production and supply chain to a new level. If you think the previous U.S.-China trade war caused disruption to our supply chains, that was minimal compared to the global impact of the current pandemic.

There is also always the concern about keeping products secure, importing from off-hore locations. HPE is taking a leadership position in addressing all these issues, by creating an option for U.S.-made products, with additional high security features installed right at the factory. Of course, all of the current HPE products undergo the strictest of standards for cybersecurity protection throughout our supply chain process. However, as cyberattacks escalate in today’s uncertain environment, HPE is once again extending our lead and creating the first ever, country of origin US, high-volume compute products as an option for our valued customers. 

Protecting and keeping our customers safe from cyberattackers has always been our upmost concern at HPE.

Featured articles:

Bob Moore
Hewlett Packard Enterprise

About the Author


Bob leads the partner software organization for the server division. His team is also responsible for productizing the new HPE security technologies and delivering a comprehensive approach to security across all solutions.