In this week’s Security Ledger Podcast, sponsored by Trusted Computing Group, we’re talking about securing the hardware supply chain. We’re joined by Michael Mattioli, a Vice President at Goldman Sachs who heads up that organization’s hardware supply chain security program.


When we think about cyber threats to the hardware supply chain, we often think about defense contractors making missiles and fighter jets. But these days, hardware supply chain security affects a wide range of companies – not just technology giants like Intel or cloud computing providers like Amazon and Google, but banks and financial services companies, healthcare companies, consumer electronics firms and more. 

Despite media attention to the problem, the awareness of hardware supply chain risks is still low within companies. Tools and talent to address it are hard to find and expensive. What’s a company to do? In this episode of the Podcast we welcome Michael Mattioli into the Security Ledger studio. Michael leads the Hardware Engineering team within Goldman Sachs, where he is responsible for the design and engineering of the firm’s digital experiences and technologies. He is also responsible for the overall strategy and execution of hardware innovation both within the firm and within the broader technology industry.

“Grandma deserves to know that her iPhone is genuine in the way that a corporation deserves to know if their $30,000 server is genuine.”

Michael Mattioli, Goldman Sachs

Michael is the co-author of a paper “Consumer Exposure to Counterfeit Hardware” where he notes that many of the methods used to ensure hardware supply chain integrity are manual and fallible – including visual inspection of installed parts or open source research on sellers. He’s trying to sound the alarm about the threat that hardware supply chain insecurity poses to our entire economy. Michael’s part of a new working group at Trusted Computing Group and the GSA that is working to develop standards based technology and tools to enforce hardware integrity at scale. 

In this interview, Michael and I talk about the growing risk of hardware supply chain risk and the need for coordination throughout the industry to address hardware security threats. 

To start off, I asked Michael to describe the work he does at Goldman Sachs and why a financial services company employs a hardware security expert. Goldman Sachs joined the TCG in February as it looks for partners in securing FinTech, where activities like mobile transactions are growing by leaps and bounds.  


(*) Disclosure: This podcast and blog post were sponsored by Trusted Computing Group. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted. 

Keyboard to the internet

In this Spotlight Podcast, sponsored by The Trusted Computing Group, we speak with Matthew Areno, a Principal Engineer in the Intel Product Assurance and Security (IPAS) group about the fast-changing landscape of cyber threats including attacks on hardware and software supply chains.


It’s funny that one of the most controversial stories about supply chain security, Bloomberg Businessweek’s scoop on “spy chips” on motherboards by the firm Super Micro that infiltrated “more than 30 companies” is remembered less for what it said than the staunch denials it provoked.

Matthew Areno is a Principal Engineer in the Intel Product Assurance and Security (IPAS) group at Intel.

Whether or not that story was accurate, however, security experts have long agreed that the threat it describes is real – and growing. The deep reliance of the high tech industry on software and hardware supply chains that originate in nations like China has created the conditions for compromised technology to infiltrate U.S. homes, businesses and governments at all level.

Unfortunately, the information security industry has been slow to respond. Companies spend billions of dollars on information security tools and technology every year. But much of that spending is for fighting “the last war:” viruses, spam, application- and denial of service attacks and so on.

Cyber: Fighting the Last War

Our guest this week is here to tell you that those aren’t even close to being the only kinds of threats organizations need to worry about. Matthew Areno spent years conducting both offensive and defensive research at some of the most sophisticated and targeted firms in the world: Sandia National Labs in New Mexico and defense contractor Raytheon among them.

Episode 161: 3 Years after Mirai, IoT DDoS Problem may get Worse

Areno, who now works at Intel, where he is a Principal Engineer in the Intel Product Assurance and Security (IPAS) group, says his work at companies that were in the crosshairs of nation-state actors opened his eyes to “what was possible” in cyber offense. It also taught him how organizations – even sophisticated ones – often fail to discern the full spectrum of possible attacks on their security, with dire consequences. 

A Range of Supply Chain Threats

Supply chain attacks could run the gamut from degrading the performance of a sensor to exfiltrating sensitive data to denial of service attacks. “And these attacks can happen at any point in the lifecycle of these products,” Areno told me. That includes attacks on the design network that manufacturers use, attacks on shared or open source software components and – as with SuperMicro- the introduction of malicious components during manufacturing, which is an issue that Areno said is still probably more hype than reality – even if component piracy and counterfeiting is not.

“When we’re sendings our designs over the seas, how much confidence and how much trust do we have that what we sent to them is what we got back,” Areno wonders.

Spotlight Podcast: Two Decades On, Trusted Computing Group tackles IoT Insecurity

In this podcast, Matt and I talk about where the new front lines in cyber security fall and how companies need to re-think their approach to security in order to address the changing threat.

We also talk about Matt’s work with the Trusted Computing Group where he helps develop technologies that make it easier to protect against threats like attacks on device firmware and hardware supply chains by building a hardware based root of trust that can be a foundation for the security of entire products and product ecosystems. 


(*) Disclosure: This podcast and blog post were sponsored by Trusted Computing Group. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations. 

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.