Supply Chain

Contribute

This category includes threats related to the device and component supply chain. To the extent that they are included, software supply chain related threats are noted within the Vulnerable Applications category.

Threat List

• SPC-0: Malicious Code in Open Source Software
• SPC-1: Hardware or Firmware Component Interception
• SPC-2: Malicious Critical Hardware Replacement
• SPC-3: Malicious Software Inserted into Software Processes or Tools
• SPC-4: Malicious Logic Introduction
• SPC-5: Malware Embedded in Critical Component
• SPC-6: Improperly Vetted or Untested Malicious Microelectronics
• SPC-7: Hardware Component Substitution During Transfer
• SPC-8: Firmware Component Substitution During Transfer
• SPC-9: Malicious Code in Custom Software
• SPC-10: Malicious Software in 3rd Party Bundling Process
• SPC-11: Vulnerable BIOS Installation
• SPC-12: Corrupted Automated Installer
• SPC-13: Hardware Design and Manufacture Compromise
• SPC-14: Countefeit Hardware Component
• SPC-15: Unsecured or Malicious 3rd Party Components
• SPC-16: Obsolete Hardware Replacement
• SPC-17: Malicious Hardware or Firmware Inserted During Integration
• SPC-18: Subassembly Malware
• SPC-19: Component Substitution during Packaging or Distribution
• SPC-20: Component Substitution During Software Upgrade
• SPC-21: Low-level Backdoor