James Smalley, 42, of Penn Yan pleaded guilty in U.S. District Court on Wednesday to allegations that he falsified inspection reports and testing certifications while working as an engineer at PMI Industries, LLC in Rochester.

Prosecutors say Smalley worked in quality assurance and doctored at least 38 source inspection reports for space vehicle parts procured by SpaceX, affecting seven NASA space flight missions, two United States Air Force space flight missions, and one National Oceanic and Atmospheric Administration space flight mission.

Between March 2017 when Smalley started and February 2018 when NASA was notified about the falsified documents, prosecutors said an internal audit found Smalley had photocopied an inspector’s signature and cut and pasted it onto reports over a computer. The parts were for Falcon 9 and Falcon Heavy flight critical parts.

Some of those parts were going to be used for an upcoming mission called Transiting Exoplanet Survey Satellite (TESS), which launched from a SpaceX Falcon 9 rocket on April 18, 2018.

There were 76 individual piece parts that were rejected during source inspection or were never inspected, then subsequently shipped to SpaceX.

Due to the fraud, SpaceX ended its relationship with PMI, which subsequently closed.

Smalley is expected to be sentenced on May 13. He is facing up to 15 years in prison and a $500,000 fine.

Friday, January 31, 2020
On January 7, 2020, the National Aeronautics and Space Administration (“NASA”) published a proposed rule seeking to amend the NASA Federal Regulation Supplement regarding counterfeit electronic parts. The proposed rule would add new language to the NASA regulations, requiring that contractors procure electronic parts directly from manufacturers and select suppliers in an effort to lessen the use of counterfeit electronics on NASA programs.

Specifically, the proposed rule would require “covered contractors and subcontractors at all tiers” to purchase electronic parts currently in production, and that are from:

the original manufacturers of the parts,

the manufacturers’ authorized dealers, or

suppliers “who obtain such parts exclusively from the original manufacturers of the parts or their authorized dealers.”

For parts not currently in production, or if a contractor opts not to purchase electronic parts as described above, contractors must purchase the parts from either a NASA-identified or contractor-approved supplier. However, if the latter option is chosen, the contractor will “assume responsibility and be required to inspect, test, and validate the authentication of the parts.” Further, selection of a “contractor-approved” supplier will be subject to review and audit by the contracting officer. Notably, these changes will apply to “all procurements involving electronic parts, end items, components, parts, or assemblies containing electronic parts or services,” if such are to be supplied as part of the service.

The proposed rule seeks to implement Section 823(c)(2)(B) of the 2017 NASA Transition Authorization Act, Pub. L. 115-10, which cited a 2012 Congressional Committee on Armed Services investigation that discovered more than 1,800 instances of counterfeit parts being used in the Department of Defense’s supply chain, totaling over 1,000,000 counterfeit parts. According to the Act, “the presence of counterfeit electronic parts in the NASA supply chain poses a danger to the United States government astronauts, crew, and other personnel and a risk to the agency overall.” NASA was thus tasked with revising the NASA regulations “to improve the detection and avoidance of counterfeit electronic parts in the supply chain.” The proposed rule further recognizes at least one known instance of a suspected counterfeit part in the last 17 years.

NASA’s proposed rule echoes many requirements contractors currently face when selling to the Department of Defense under DFARS 252.246-7007 (Contractor Counterfeit Electronic Part Detection and Avoidance System) and 252.246-7008 (Sources of Electronic Parts). However, unlike the DFARS counterpart, the NASA proposed rule would not require a contractor to implement an electronic part detection and avoidance system. At least not yet. Ironically, the DFARS rules started out in 2014 as requiring only a counterfeit electronic part detection and avoidance system, but evolved in 2016 to require the broader DOD supply chain restrictions now in place. The NASA requirements may evolve over time, as well.

Contractors also may recall the FAR Council issued a final rule in November 2019 requiring contractors to report suspected counterfeit electronic parts to the Government-Industry Data Exchange Program (GIDEP). However, NASA’s proposed rule decidedly differs from its FAR counterpart. See also FAR 52.246-26 (Reporting Nonconforming Items).

Here are some of the key differences:

Contractors doing business with NASA are well-advised to continue closely monitoring these additional proposed counterfeit parts requirements, and ensuring that products purchased through the supply chain continue to match these evolving obligations. Comments on the proposed rule are due March 9, 2020.

*Nikole Snyder is a law clerk in Sheppard Mullin’s Washington, D.C. office.

Is your new flash memory device really new? Can you determine if it’s a recycled chip? University of Alabama engineers can.

Their simple method is based on the relatively high voltages — about 20 volts — needed to program and erase flash. The more a cell is programmed and erased, the more defects will accumulate in the oxide. This leads to an increase in the amount of current that leaks through the transistor when it’s supposed to be off, and it also slows down the rate at which charge moves through the device. The result is a slowdown in the memory’s erase time as an indicator of a chip’s age.

The erase-time technique, which could allow an app on a smartphone to examine its own storage for recycled parts, was demonstrated to identify recycled flash with as little as three percent usage with 100 percent confidence.

https://www.qualitymag.com/articles/94672-risk-mitigation-for-counterfeit-electronic-parts?

IEC Electronics Analysis and Testing Laboratory once again received ISO/IEC 17025:2005 accreditation.
The scope of the ISO/IEC 17025:2005 accreditation includes several SAE AS6171 test methods for suspect/counterfeit electrical, electronic and electromechanical (EEE) parts. According to the company, IEC is the first and only electronic manufacturing services (EMS) provider with an on-site testing laboratory to receive this accreditation with the addition of SAE AS6171 test methods. The ISO/IEC 17025:2005 accreditation is the internationally accepted specification of general requirements for the competence of testing and calibration laboratories. The SAE AS6171 test methods were developed specifically for laboratories for the detection and avoidance of suspect/counterfeit parts. The company also asserts that, currently, SAE AS6171 is the only standard that provides uniform requirements, practices, and test methods, making it more stringent than other counterfeit avoidance protocols.

What is SAE AS6171?
This SAE Aerospace Standard standardizes inspection and test procedures, workmanship criteria, and minimum training and certification requirements to detect suspect/counterfeit electrical, electronic, and electromechanical (EEE) parts. The requirements of this document apply once a decision is made to use parts with unknown chain of custody that do not have pedigree back to the original component manufacturer, or have been acquired from a broker or independent distributor, or when there are other known risk elements that result in the user to have concerns about potential counterfeit parts. The tests specified by this standard may also detect occurrences of malicious tampering, although the current version of this standard is not designed specifically for this purpose. This standard ensures consistency across the supply chain for test techniques and requirements based on assessed risk associated with the application, component, supplier, and other relevant risk factors. The requirements of this document supplement the requirements of a higher level quality standard (e.g., AS9100, AS9003, AS9120, ISO 9001) and other quality management system documents. They are not intended to stand alone, supersede, or cancel requirements found in other quality management system documents, or requirements imposed by contracting authorities.

This standard should be utilized when parts are not available from sources with known traceability to the original component manufacturer (OCM), original equipment manufacturer (OEM) for electromechanical parts, or authorized manufacturer. The requirements of this document specify testing based on acceptable levels of risk for a program or customer, to identify anomalies or performance issues that may indicate suspect counterfeit and counterfeit activity. No amount of testing can confirm an item as authentic; this would require that there be a known, unbroken chain of custody to the OCM/OEM or authorized manufacturer. This standard does not apply to parts obtained directly from a trustworthy authorized supplier with traceability to the OCM/OEM or authorized manufacturer.
Why SAE AS6171?
Counterfeit electronic components have caused many challenges in the electronics industry, especially when dealing with parts supply chain obsolescence management. One method of addressing the problem has been the creation of industry standards to try and deal with it. Mark Northrup, vice president of technology for IEC Electronics Corp., emphasizes, “There are so many counterfeit avoidance documents now that it is getting hard to keep track of all of them.”

SAE, through their G19 committee, has recently released the new SAE AS6171, the bookshelf of counterfeit avoidance standards. A general overview of all of SAE G19 committee standards, and related documents, always helps those unfamiliar to make sense of it all. It all begins with an end customer, the government or private entity, placing requirements on their subcontractor to have a counterfeit risk mitigation testing plan in place. The SAE G19 committee has completed their group of counterfeit avoidance standards that take this requirement from the original contractor through the company purchasing the electronics components from the open market. OEMs that are concerned with, or are required to mitigate the risk of suspect counterfeit electronics components, can adopt and become certified to SAE AS5553, which will guide them on methods to avoid and detect suspect counterfeit electronics components. A sister standard, SAE AS6081 (QTSL), was created for independent distributors to comply with an SAE AS5553 compliant manufacturer’s requirements, thus creating complementary standards. The SAE AS6171, which is now published, provides the detailed risk evaluation instructions, as well as more detailed instructions on how to test suspect counterfeit electronic components. The ISO/IEC 17025 standard is used for accrediting test facilities, such as those performing the tests prescribed in SAE AS6171. An accreditation confirms that the test laboratory and their staff have the proper equipment and training to be able to perform specific tests. SAE AS6081 (Revision A, which the SAE G19 committee is working on finalizing) points to the now released SAE AS6171 for the required product verification tests, referred to as ‘slash sheets’, as opposed to the current procedures within SAE AS6081, which points to an embedded lot sampling plan. For example, an independent distributor will now partner with a testing laboratory that is 17025 accredited to perform the various tests required by AS6081-A.

Lori LeRoy, principal at Global IC Trading Group Inc., which is a QTSL approved company and is compliant to the existing AS6081 requirements, shared her thoughts on the pending new release of AS6081:

“Until the final release, I can only speculate on the requirements of the published document. However, the section of AS6081-A that addresses verification of product will either require testing per AS6171, or provide the organization more flexibility for which standard they use to conduct the required inspection/testing steps. If AS6171 is required, ISO 17025 accreditation will also be required. This will force independent distributors that have already made the investment in equipment and training to either obtain ISO 17025 accreditation for EACH required test, or to partner with a test facility with 17025 accreditation, such as IEC, to perform the required tests on their behalf. Currently Global IC Trading is ISO 9001, AS9120, ANSI /ESD S20.20, CCAP Certified and a DLA QTSL. I concur with Mark Northrup that all the various standards, certifications and accreditations can be confusing. It is also very costly and time consuming, and as a small business one challenge we face is balancing the costs associated with certifications and accreditations along with the requirements of customers and government contractors. We need to ensure there is a return on investment and a correlation with increased revenue.”

The October 2016 ‘Source of Electronic Parts’ DFAR 252.246.7008 states:

“Contractor-approved supplier” means a supplier that does not have a contractual agreement with the original component manufacturer for a transaction, but has been identified as trustworthy by a contractor or subcontractor.

The term ‘trusted supplier’ was introduced in 2012 NDAA, Section 818 on April 10, 2012 and the industry was optimistic that a clear definition and requirement flow down would be established to become a ‘trusted supplier’. Six years later there is still no clear definition of trusted supplier or ‘trustworthy,’ and no clear pathway to become a trusted supplier. Today there are so many more standards, certifications and accreditations to consider, making it more challenging to understand what is actually necessary. The goal for all of us is to reduce the risk of counterfeit product entering the supply chain. Certifications, accreditations and a solid education in counterfeit prevention will reduce this risk, but will not eliminate it. Another suspect counterfeit electronic component standard that has been added to the mix is the SAE AS6496, which was created for authorized distribution, and primarily utilized for the return of product from their customers. The SAE’s G19 committee has been working very hard to create all of these needed documents.
ISO/IEC 17025
ISO/IEC 17025:2005 specifies the general requirements for the competence to carry out tests and/or calibrations, including sampling. It covers testing and calibration performed using standard methods, non-standard methods, and laboratory-developed methods. It is applicable to all organizations performing tests and/or calibrations. These include, for example, first-, second- and third-party laboratories, and laboratories where testing and/or calibration forms part of inspection and product certification. ISO/IEC 17025:2005 is applicable to all laboratories regardless of the number of personnel or the extent of the scope of testing and/or calibration activities. When a laboratory does not undertake one or more of the activities covered by ISO/IEC 17025:2005, such as sampling and the design/development of new methods, the requirements of those clauses do not apply. ISO/IEC 17025:2005 is for use by laboratories in developing their management system for quality, administrative and technical operations. Laboratory customers, regulatory authorities and accreditation bodies may also use it in confirming or recognizing the competence of laboratories. ISO/IEC 17025:2005 is not intended to be used as the basis for certification of laboratories. Compliance with regulatory and safety requirements on the operation of laboratories is not covered by ISO/IEC 17025:2005. Looking forward, there is a joint effort between SAE sub-committee G-19 Counterfeit Electronic Parts Committee and the accreditation bodies (ANAB, A2LA) to develop a standard, AS6810 “Requirements for Accreditation of Test Laboratories Performing Detection of Suspect/Counterfeit EEE Parts in Accordance with AS6171 General Requirements and the Associated Test Methods.” Within this standard there is clear definition as to the expectations of the end users and laboratories that seek accreditation to conduct the AS6171 tests. The standard will emphasize the technical competence of the laboratory personnel as well any reporting requirements. This standard will be used in conjunction with ISO 17025 when laboratories seek accreditation with the AS6171 test methods within their scope of accreditation. It is anticipated that this standard will be in active in 2019.

Customer Solutions
IEC Electronics is an EMS provider that employs a team of experts who help to minimize the supply chain risk for its customers by developing custom risk mitigation test plans, performing in-house testing, and seamlessly integrating the testing into its manufacturing environment. IEC Electronics Analysis and Testing Laboratory (IATL) on-site laboratories use these advanced methodologies as requested by customers to perform sophisticated manufacturing process development and state of the art testing for components, printed circuit board assemblies, cables, and system assemblies. IEC electronics is the only EMS that has an on-site ISO 17025 AS6171 Accredited and is a DLA QTSL approved testing lab that offers the full spectrum of DPA testing per military standards. Whether it is conducting failure analysis, material evaluations, or exhaustive tests like destructive or nondestructive physical analysis IEC can provide customers a suspect counterfeit test mitigation methodology solution.

ANAB
Upon determining its scope of accreditation as its next critical step, IEC Electronics contacted ANAB’s Roger Muse for the ISO/IEC 17025 path to the SAE AS6171 accreditation.The ANSI-ASQ National Accreditation Board is one of the largest accreditation bodies in the United States. ANAB is a nonprofit, non-government accreditation body which plays an important role in ensuring the safety and quality of goods and services and in protecting the environment. ANAB accredits certification bodies, calibration and testing labs, forensic science service providers, inspection bodies, reference material producers, and proficiency test providers. ANAB conducts audits to make sure clients follow international standards and are competent to do their work. The work that it does helps facilitate international trade and eliminates the expense of redundant audits and tests.

The G19 Committee designated ANAB as one of the accreditation bodies required for registered testing laboratories (RTL) for the SAE AS6171 accreditation. ANAB has a 97% customer retention rate and is highly regarded in the accreditation community. After undergoing an accreditation assessment, IEC Electronics Analysis and Testing Laboratory recognized ANAB assessor Steve Dale for his skills and knowledge as well ashis ability to engage in a courteous and meaningful manner.

How Best to Mitigate Suspect Counterfeit Electronics
One of the challenges facing the electronics industry has been how best to mitigate suspect counterfeit electronic components from entering supply chain product reliability. “Routinely, IEC Electronics Analysis and Testing Laboratory is asked by customers about suspect counterfeit electronics components risk mitigation testing methodologies,” said Northrup. The common testing methods discussed are IDEA, CCAP, QTSL (SAE AS 6081), SAE AS6171, and DLA per military standards (e.g., 202, 750, 883, and 1580). The company also mentioned many customers are confused about interpreting accreditation, certification, and suitability terminologies associated with each of these testing methods. “Each time the customer asks, we discuss testing per each one these methods requested, differences between each, and we avoid answering which one is the best. The recent evolution of the SAE AS6171 from the G19 Committee Members is another path for customers to select. Now when a customer contacts us we always convey that no amount of testing yields ‘zero risk.’”

DFARS 252.246.7008 Guidance Document
The recent DoD issued DFARS 252.246.7008 communicates new guidance on how parts can be procured regarding liability and safe harbor for government contractors and their supply chain. The three categories defined are:

Category 1: Original Equipment Manufacturer which is the preferred supplier

Category 2: Contractor Approved Supplier (CAS)

Category 3: Appropriate Inspection Test & Authentication (IT&A)

But DFAR 252.246.7008 falls short by not specifying which of the testing methods via IDEA, CCAP, QTSL (SAE AS 6081), SAE AS6171, or DLA per military standards (e.g., 202, 750, 883, and 1580) is preferred.

ANAB

(414) 501-5455

IEC Electronics Analysis and Testing Laboratory (IATL)

Albuquerque, NM

www.iec-electronics.com

3D printing has received an upgrade – it can now 3D print secure digital information such as QR codes, which could be used in anti-counterfeiting.

Introduced by Boston-based additive manufacturing firm Rize Inc, the development is the first example of Digitally Augmented Parts; essentially the printing of physical parts with digital information.

3D printing (also known as additive manufacturing), which produces a 3D object by depositing successive layers of a material on top of each other as directed by a computer-generated model, has become one of the fastest growing industries, extending into the toy, automotive, aerospace and medical device sectors, among others.

However, there are concerns that 3D printing could be a threat to brands and businesses through counterfeiting.

Rize’s technology directly addresses this concern by enabling a link between the physical 3D printed product and digital information, thereby integrating Industry 4.0 technologies such as blockchain, augmented reality and virtual reality.

According to the company, the “immutable connection…bridges the gap between the virtual and real world”.

Julie Reece, VP of manufacturing at Rize, explained the technique as embedding ‘Digital Rights Management’ into the functional 3D printed parts “for compliance, authenticity and traceability”.

“A significant challenge in the additive manufacturing industry are parts that are non-compliant due to design changes, piracy, counterfeit and obsolescence, that adversely impact the user and customer experience and result in rework, recalls and loss of brand value,” Reece told 3DPrint.com.

The technology expands on the company’s hybrid 3D printer that it introduced about two years ago. This combines two types of printing to form a multi-material technology that is called Augmented Polymer Deposition (APD), which has been used to make industrial-strength parts such as system components and medical testing equipment.

The enhancement now means 3D printed products can be embedded with secure digital information, such as in the form of a QR code. The QR code can then be scanned and read by a smartphone app, which relays the digital information, such as product, manufacturing and supply chain details, to the user.

Rize said the development is important for 3D parts and components used in more complex, multi-part products because it secures the supply chain and ensures authenticity.

“Additive is a part of a bigger strategy for many companies, which is a digital strategy or an Industry 4.0 strategy but really that digital strategy is not fully realised because when you print the part, the digital link breaks,” Andy Kalambi, president and chief executive of Rize, told TCT Magazine. “The moment the part gets printed on the machine it’s a physical part and there is no digital element left in it. The break of the digital link is a big issue for this industry overall to realise the promise of what is called Industry 4.0.”

On Rize’s website, Kalambi said: “This is the first step towards embedding intelligent capabilities within the part and connecting them through a digital thread into the digital twin of the part. Rize is leading the integration of additive manufacturing into the digital ecosystem, which will redefine the user and customer and experience, and ultimately scale the technology to an entirely new segment of commercial and industrial users.”

The development is a significant breakthrough for industry, which has previously voiced concerns that 3D printing will herald the production of counterfeit copies, emphasising the need for anti-counterfeiting measures.

Last May, scientists from the mechanical and aerospace engineering department at New York University noted there was a need to have anti-counterfeiting features within the computer-aided design model. They suggested a unique combination of processing and printing parameters built into the product’s digital design, which if stolen, would produce a defective product.

Other anti-counterfeiting features suggested for 3D printing include novel material compositions that cannot be easily replicated, or quantum dots, which are nanoparticles embedded in the 3D-printed object that can emit different wavelengths of light and provide a unique manufacturing signature.

Researchers have taken a major step in terms of preventing counterfeiting. This is through generating unique atomic-scale identifiers based on the irregularities found in 2-D materials such as graphene.

Counterfeiters of electronic goods are going to have a harder job thanks to a new method for marking electronics on the atomic scale. A new advance in quantum physics can amplify such irregularities. This means it is possible to ‘fingerprint’ each electronic system, giving a unique optical tag identifier to electronic devices.
The extent of counterfeiting electronic goods and devices is huge, running into billions of dollars worldwide. Not only does this lead to a loss of revenue for businesses many consumers unwittingly purchase substandard or dangerous (in terms of health and safety) devices. As Internet of Things expands the risks from one device can no longer be self-contained; one faulty device connected to others can do greater damage.
Imagine, for example, what would happen if the technology designed to control autonomous cars was fake? If the item controlled the brake pads then the consequences could be catastrophic.
Scientists from Lancaster University have developed the solution and it is based on atomic-scale identifiers that relate to the types of irregularities found in two-dimensional materials, such as the ‘wonder material’ graphene. Graphene is an ultra- thin material (just one atom thick) and is highly conducive at conducting electricity. The material is strong, very flexible and has been used from coating power plants, to making flexible computing screens to filtering out contaminants from water.
Working at the atomic scale the researchers found the means to amplify such irregularities, making it possible to ‘fingerprint’ surfaces. This gives each electronic device its own unique identifier. The identifier can be read using a simple smartphone app that will quickly indicate whether the scanned device is the genuine article or a fake.
The scanning works by the app looking for an optical tag. The scanned information is then cross-checked with a database (which could be set up by the smartphone manufacturer). The new technology is expected to be rolled out during early 2018.
The new security method has been described in the journal 2D Materials. The research paper is titled “Increasing the light extraction and longevity of TMDC monolayers using liquid formed micro-lenses.”

The problems of components becoming obsolete are set to get more severe, warned industry experts at a major conference last week in Bristol.

The International Institute of Obsolescence Management (IIOM) saw over 100 engineers in the city looking at the challenges for systems in transport, power and industrial applications when replacement chips are no longer available. This is becoming more of a problem as recent semiconductor company mergers will see a large number of components and package styles becoming obsolete.

One example from the conference is that Boeing 747 jumbo jets still use floppy disks to transfer data from the flight desk, and airlines have to keep re-using the disks as they cannot buy more.

The shortage of parts also leads to more counterfeit parts as engineers repairing systems look to many different sources to find a replacement part.

“2015 saw a massive increase in the mergers and acquisitions in the semiconductor industry and that continued in 2016,” said Peter Marston, a consultant to Rochester Electronics, speaking at the conference. Rochester is the largest supplier of ‘end of life’ devices, buying up the last runs of chips when they are discontinued and storing them. It has a bank of 12 billion die from 70 chip makers that it then puts in a package to suit the customer.

“We think that in the next two to three years the rate of PDNs (product discontinuation notices) will be three to four times today’s number – that will go up very dramatically over the next couple of years,” he said.

He points to the recent merger of Qualcomm and NXP/Frescale Semiconductor where some iconic parts will stop being made. “With Freescale probably some of the older processors will disappear such as PowerPC and 68xxx. That’s the direction we believe the merger is going. We don’t see where they fit in in the newer growth markets,” he added.

Packages also become obsolete. “One package that has pretty well gone is the 40pin DIL (dual in line). We can’t get a subcontractor to package these so we have had to install our own packaging line,” said Marston. That also applies to PQFP plastic quad flat packs. “The higher pin count 240 packages will be first, followed by others,” he said.

The mergers also drive counterfeiting as skilled staff are laid off and specialist equipment is sold off, says Marston at Rochester. That will be more of a problem over the next few years, he predicts.

Obsolescence management

The conference also looked at the way obsolescence is managed. The transport division of Alsthom, for example, is proposing a new scheme across its divisions, management software and different European languages.

“The problem we have in rail is we talk about component lifetime of three to five years but we want the operational life to be 20, 30 or even 50 years,” said Stuart Broadbent, Obsolescence Director at Alsthom Transport (pictured above). “Equipment gets a lifetime of 10 to 15 years because it can’t always be maintained and repaired.”

Part of the problem is that French and German have different words for obsolete equipment that don’t necessarily mean the same in English. “So we need a common vocabulary with a full definition and to apply that consistently,” he said.

The idea is to give a numeric value to the different levels of the components and systems, from chips to electronic and mechanical sub-systems to signalling systems and entire trains or trams.

The Pentagon has known for years that a significant number of the replacement parts it buys for its missile guidance and satellite systems contain substandard counterfeit microchips. But finding these fakes—as they make their way through a complex global supply chain of fabrication facilities, assembly plants and parts distributors—can be like searching for a needle in a haystack (made entirely of other needles). The military estimates that up to 15 percent of all spare and replacement parts for its weapons, vehicles and other equipment are counterfeit, making them vulnerable to dangerous malfunctions.

Counterfeit microchips—integrated circuits in particular—have turned up in replacement parts for U.S. Missile Defense Agency mission computers (pdf), ship-based aviation antenna equipment and in helicopter night-vision systems. Between November 2007 and May 2010 alone, U.S. Customs officials seized 5.6 million counterfeit microchips destined for military contractors and the commercial aviation industry, and the problem has only grown since then.

Given that integrated circuits serve as the brains for so much of the military’s technology—and the failure of even a single one can cause serious problems—the U.S. Department of Defense’s research arm has launched a counterattack against counterfeiters. Its Defense Advanced Research Projects Agency (DARPA) is now leading an effort to create microscopic identification tags called “dielets” that legitimate chipmakers can implant in their circuits as they are assembled. The dielets—which DARPA also calls “chiplets”—will enable the companies that install those microchips in circuit boards and other components to check whether the integrated circuits have been altered or substituted with fakes.

Reports of catastrophic failures caused by such parts are hard to come by, but officials are obviously concerned. In December 2015 federal agents arrested three Chinese nationals for, among other things, selling 45 counterfeit Intel microchips to an undercover agent with the understanding the chips would be headed to the U.S. Navy for a project involving submarines. One of the men arrested—Jiang Guanghou Yan—had also asked the undercover agent to get him 22 military-grade Xilinx Corp. microchips—worth $37,00 apiece—for illegal export to China. “Military grade” means the electrical components are designed specifically to withstand prolonged exposure to extreme temperatures and radiation. When the agent advised Yan they would have to be stolen from a U.S. Navy base, Yan offered to cover up the crime by providing fakes to replace the stolen chips.

“If [those counterfeit chips had been] installed in a missile’s guidance system, such missile would either not function at all or would likely not proceed to its intended target, and would likely strike a completely unintended destination,” Keith Avery, a senior engineer at the U.S. Air Force Research Laboratory, testified in an affidavit used to determine the sentences of the convicted counterfeiters in June 2016.

The dielets that DARPA is developing as part of its Supply Chain Hardware for Electronics Defense (SHIELD) program are essentially microscopic tags embedded in each integrated circuit. An integrated circuit is made up of large numbers of transistors and other tiny electrical components arranged to perform a specific task—signal switching or amplification, for example—and packaged together into a chip that plugs into a larger circuit board used to control a particular electronic device. Under DARPA’s plan the integrated circuit’s manufacturer would affix a dielet inside the case that encloses the integrated circuit. Each chiplet will itself have up to 100,000 transistors and include a two-way radio, data encryption engine and way to detect tampering—all while consuming under 50 microwatts (50 millionths of a watt) and costing less than one penny each.

Identifying information on each dielet would be read using a penlike probe plugged into a smartphone. Rather than containing its own power source a dielet would be inductively powered by the probe, which would communicate via radio frequency signals when placed within a half millimeter of the chiplet. The probe would relay encrypted information to an app on the smartphone, which would then connect via the internet with a database to confirm the dielet’s serial number. It would also read the dielet’s GPS location to make sure the chip is where it is supposed to be as well as check other unique characteristics. If the probe gets no response or if there are inconsistencies between the chip’s data and that stored in the integrated circuit inventory database—along with any device in which it might be installed—the circuit would be put aside for further inspection.

To prevent counterfeiters from easily discovering these implants, they will be about 10 microns thick and no larger than 100 microns per side—roughly the size of the head on the statue inside the Lincoln Memorial depicted on the “tails” side of a penny, according to DARPA. The dielets’ tiny size helps them meet several DARPA requirements—for example, they should be too fragile to remove from their integrated circuits (to be reverse-engineered and themselves counterfeited) without being damaged.

Integrated circuits are especially difficult to protect from counterfeiting because they might come from an overseas manufacturer and be resold by several subcontractors before a large military supplier like Lockheed Martin or Boeing embeds them in technology that it sells to the U.S. government. The global growth of the supply chain that lets electronics manufacturers tap less-expensive suppliers in China, Japan, Singapore, South Korea and Taiwan has proved very difficult to police. Electronic waste from the U.S. is another key contributor to counterfeit integrated circuits, as trashed circuit boards from computers discarded in some countries are often taken apart, refurbished, relabeled, repackaged and resold as new to electronics manufacturers.

“The net of the thing is that we don’t have as much control over the authenticity and integrity of the systems we use,” says Kerry Bernstein, program manager of DARPA’s Microsystems Technology Office and head of the four-year, $50-million SHIELD program overseeing dielet development. “The counterfeit problem appears at first glance to be intractable.”

Former Pres. Barack Obama stepped up efforts to crack down on counterfeiting in late 2011 when he signed the National Defense Authorization Act, which required the secretary of defense to come up with a plan to cut down on the military’s use of counterfeit parts. The Defense Department has since been testing and using special inks laden with plant DNA to uniquely mark and later identify electronic components in its supply chain.

DARPA launched SHIELD as a more sophisticated approach that could provide immediate identification of knockoff electrical components. The agency is managing the development effort but much of the work is being done by Northrop Grumman Mission Systems, SRI International and a number of subcontractors. The dielets’ microscopic size keeps their cost down, as millions of them can be made from a single silicon wafer. Northrop and SRI have already demonstrated prototype dielets to DARPA that meet most SHIELD criteria, Bernstein says. The Pentagon plans to test the mettle of these chiplet ID tags by inserting them into a test supply chain by 2019—the next salvo in the military’s battle against counterfeiters and knockoffs that potentially place their personnel and the public in harm’s way.

The defense industry’s concerns regarding microelectronics is expanding beyond counterfeit components and into the realm of cybersecurity, according to a report issued this month by the Defense Science Board Task Force. Thanks in part to the defense department’s reliance on commercial electronics components, the task force found defense equipment can be susceptible to cyber attacks at almost any point during its considerable lifespan.

At the heart of the problem is the rapid pace of component obsolescence and practices in the electronics supply chain. The lifespan of some commercial components can be measured in months; defense equipment is designed to last decades. Even if a component is free of cyber-vulnerabilities when it’s manufactured, parts set aside as replacements often sit on a warehouse shelf for years. These same devices may change hands several times during their tenure in the supply chain. Software, malware or malicious programming could be introduced into components at any time during their lifespan and then subsequently sold to the Department of Defense (DoD) or a contractor as a replacement part.

In the typically long DoD acquisition process, approximately 70 percent of electronics in a weapons system are obsolete or no longer in production prior to system [being deployed into the field], the report noted.

Electronics industry associations, including the ECIA, have made recommendations to the government and standards bodies regarding the handling and tracking of electronics components. Many of these procedures, targeted at eliminating counterfeit components from the supply chain, have been adopted. For example, the ability to trace a component back to its original manufacturer is one method that proves its authenticity. Within the past few years the ECIA has also addressed the threat of malware, noting that authentic parts are susceptible to malicious programs. “Traceability does not verify that a part is genuine; properly packaged, stored and handled; free of malware; or unused,” according to Robin Gray, the ECIA’s COO and general counsel.

cyber-attack-data-breach.jpg.2“Cyber supply chain vulnerabilities can be inserted or discovered throughout the lifecycle of a system,” according to the task force report. “Of particular concern are the weapons the nation depends upon today; almost all were developed, acquired, and fielded without formal [cyber] protection plans.”

The task force was charged, in part, with recommending methods for mitigating cyber attacks. The electronics supply chain’s focus, to date, has been avoiding the introduction of counterfeit components into defense equipment. The report notes, however, that authentic parts are not impervious to cyber-vulnerabilities:

Prominent recent examples include Volkswagen’s insertion of a “defeat device” to thwart emissions testing and insertion of embedded code into Juniper routers. Recently, FTDI, a semiconductor device company, used a Windows driver update to completely disable computers using functional clones of some component chips, demonstrating the full cycle of component insertion, subsequent activation, and effect.

Complex microelectronics will inevitably contain latent vulnerabilities. Diligent test protocols, while an essential best practice, cannot guarantee that systems will be free of such vulnerabilities.

The task force also noted the complexity of the electronics supply chain makes a defense department security practice, called Program Protection Plans (PPP), difficult. PPPs are intended to take a comprehensive approach in considering all aspects of system security, including cybersecurity, and address initial steps to safeguard unclassified program information:

The supply chain for microelectronics parts is complex and involves multiple industry sectors. Each sector sells to each of the others. Furthermore, parts may be returned to manufacturers or distributors and subsequently reenter the supply chain making both pedigree and provenance difficult to track using current procedures. This complex of industry segments feeds three supply chains: the DoD acquisition supply chain, the DoD sustainment supply chain, and the global commercial supply chain. Each supply chain is subject to attack and each offers differing costs and benefits to an attacker.

Review of the program protection processes across the Department shows that security and information system managers address security primarily after the system design has been completed. Current PPPs, however, do not carry over robustly to the sustainment phase.

By the time a defense system is fielded, microelectronic components in that system are likely to be obsolete and may be unavailable from the original equipment manufacturer (OEM) or its sub-tier suppliers. This may force DoD to purchase from distributors where pedigree is less secure and provenance is more difficult to track.

The DoD’s mechanisms for tracking inventory obsolescence and vulnerabilities in microelectronic parts are inadequate, the report added:

Microelectronics components are likely to become obsolete repeatedly during the weapons system lifecycle. Efforts to track component obsolescence lack oversight at a Department-wide level. Reporting of counterfeit and “suspect-counterfeit” microelectronics is mandatory for some, but not all prime contracts and subcontracts. Such reporting requirements are inconsistent and no DoD system at present collects event information on cyber-physical attacks of electronic components as its primary function.

To address these concerns, the task force recommended that “a shared vulnerability database and a parts application database of installed hardware could promulgate corrective actions across weapons systems. DoD will have a continuing need for access to trustworthy, state-of-the-art, application specific integrated circuits (ASICs). That need is likely to grow for systems that support intelligent or autonomous capabilities.”

The task force also recommended that the Under Secretary of Defense for Acquisition, Technology and Logistics (USD AT&L) strengthen lifecycle protection policies, enterprise implementation support, and R&D programs for defense equipment. Such efforts “will ensure that systems are designed, fielded, and sustained in a way that reduces the likelihood and consequence of cyber supply chain attacks.”

In addition, the task force recommends that USD (AT&L) direct development of sustainment Program Protection Plans for critical fielded weapons systems. Military service chiefs should designate fielded weapons systems for development of initial sustainment PPPs to demonstrate their effectiveness, it said.

In a memorandum to the report, the task forced noted that the cost of a DoD-owned trusted foundry “is not a feasible expense.” Among the businesses participating in or providing information to the task force were Intel, Qualcomm, Xilinx, IBM, Cisco, Raytheon, Google and Applied DNA Sciences.

Register to watch and ask questions regarding DFARS 252.246.7008:

Should Your Organization Be Concerned About DFARS 252.246.7008 and the Supply Chain Impact Regarding Obsolete and Counterfeit Components?