How to Keep Device Trust Close to the Vest

U.S. federal agencies will soon be required to include platform certificates at procurement. Here’s why enterprises should take note.

Here’s a painful reality of cybersecurity: When you harden one attack surface, adversaries just move on to softer targets. As a result, we’ve seen a growing number of attempts exploiting vulnerabilities at the device level, which were once considered rare due to the technical skills needed to execute these kinds of attacks. According to a 2023 survey of global ITDMs conducted by Futurum Group, 69% of organizations report a hardware or firmware level attack. That’s up 1.5X since the 2020 study!

Breaches can happen at dozens of points along the device lifecycle, and as we saw in recent years, supply chain is a growing attack vector. The Executive Order in 2021 was an important step toward strengthening the resilience of U.S. supply chains—but there’s still much work to be done. As attackers’ methods become more sophisticated, product tampering becomes increasingly difficult to spot. How can organizations reduce the risk of tampering at the supply chain level?

With platform certificates. Let me explain.

Recently, the U.S. Department of Defense (DoD) issued a “blueprint” for the secure procurement of hardware, including laptops, desktops and servers. The guide effectively creates a new industry standard for procuring and receiving hardware that can be applied to verify authenticity. Included are the criteria for deploying an acceptance test, as well as qualifying example solutions in line with the National Institute of Standards and Technology (NIST), the Federal organization that offers guidance on standards and measurements to advance technology.

Dell Technologies was actually one of eight technology vendors that participated in developing the example with Secured Component Verification (SCV). Built to the platform attribute certificate standards developed by the Trusted Computing Group (TCG), SCV aligns with the DoD’s recent guidance. It provides a digital certificate that not only contains a list of all internal components, but also ties hardware to a specific manufacturer, model and serial number. With SCV in place, customers have assurance through the platform certificate that components are delivered to them as ordered and per spec. The DoD views Dell’s platform certificate as a critical artifact used as part of an acceptance test that should be performed when the device arrives at an organization’s receiving department.

Dell has offered SCV for some time, for both devices and servers. Two things make Dell’s platform certificate unique among others available in the market. First, Dell offers two versions of SCV for devices to account for customers’ unique IT environments. SCV on Cloud offers secure certificate storage and retrieval within Dell’s secure cloud environment. It automates the process by making the component verification easily viewable via tools such as TechDirect (Dell’s online portal), Windows Event Log and endpoint managers such as Microsoft Intune. For customers who must use air-gapped environments (i.e., those that are isolated from unsecured systems and networks), SCV on Device is also available.*

The second reason SCV is differentiated in the market: Dell manages the entire solution in-house, from collection of component information and certificate creation to storage and retrieval. That’s because root of trust (the first code that runs in a PC when it’s turned on) is foundational to Dell Endpoint Security. By taking on this end-to-end ownership and not ceding our processes or customers’ data to outside parties, we maintain tighter control on our supply chain and mitigate potential risk introduced by outside parties.

We know the DoD’s guidance will be on the minds of global organizations and federal governments as the next buying cycle approaches. To learn more about best practices in procurement, take a look at NIST’s Supply Chain Assurance Guide and view our Secured Component Verification datasheet. As always, reach out to our security specialists with any questions.

*Availability varies by region.

Tom Bentz

About the Author: Tom Bentz

Tom Bentz is an Endpoint Security Product Marketing Manager at Dell Technologies. He supports built-in hardware and firmware solutions at Dell, including products such as SafeBIOS, SafeSupply Chain and SafeID. Tom brings a long history in product management and product marketing to Dell, having held similar roles at Hewlett-Packard, Eastman Kodak, Logitech and Dassault Systemes.