



## NIST Cybersecurity White Paper

### NIST CSWP 46

# Analyzing Collusion Threats in the Semiconductor Supply Chain

Sanjay (Jay) Rekhi  
Kostas Ambergiadis  
*Computer Security  
Information Technology Laboratory*

Abir Ahsan Akib  
Ankur Srivastava  
*Electrical and Computer Engineering  
University of Maryland, College Park*

This publication is available free of charge from:  
<https://doi.org/10.6028/NIST.CSWP.46>

June 30, 2025

Certain equipment, instruments, software, or materials, commercial or non-commercial, are identified in this paper in order to specify the experimental procedure adequately. Such identification does not imply recommendation or endorsement of any product or service by NIST, nor does it imply that the materials or equipment identified are necessarily the best available for the purpose.

**NIST Technical Series Policies**

[Copyright, Use, and Licensing Statements](#)

[NIST Technical Series Publication Identifier Syntax](#)

**Publication History**

Approved by the NIST Editorial Review Board on 2025-01-30

**How to Cite this NIST Technical Series Publication:**

Rekhi S, Ambergiadis K, Akib AA, Srivastava A (2025) Analyzing Collusion Threats in the Semiconductor Supply Chain. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Cybersecurity White Paper (CSWP) NIST CSWP 46. <https://doi.org/10.6028/NIST.CSWP.46>

**Author ORCID iDs**

Sanjay (Jay) Rekhi: 0009-0008-8711-4030

Kostas Ambergiadis: 0009-0000-7771-5002

Abir Ahsan Akib: 0000-0002-1455-6662

Ankur Srivastava: 0000-0002-5445-904X

**Contact Information**

[hwsec@nist.gov](mailto:hwsec@nist.gov)

National Institute of Standards and Technology

Attn: Computer Security Division, Information Technology Laboratory

100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930

**Additional Information**

Additional information about this publication is available at <https://csrc.nist.gov/publications/cswp>, including related content, potential updates, and document history.

**All comments are subject to release under the Freedom of Information Act (FOIA).**

## **Abstract**

This work proposes a framework for analyzing threats related to the semiconductor supply chain. The framework introduces a metric that quantifies the severity of different threats subjected to a collusion of adversaries from different stages of the supply chain. Two different case studies are provided to describe the real-life application of the framework. The metrics and analysis aim to guide security efforts and optimize the trade-offs of hardware security and costs.

## **Keywords**

collusion; security metrics; supply chain life cycle; supply chain security.

## Table of Contents

|                                                                                               |           |
|-----------------------------------------------------------------------------------------------|-----------|
| <b>1. Introduction.....</b>                                                                   | <b>1</b>  |
| <b>2. Stages of Semiconductor Supply Chain Stages .....</b>                                   | <b>3</b>  |
| <b>3. Framework for Supply Chain Threat Analysis.....</b>                                     | <b>5</b>  |
| 3.1. Identify the Intent of the Adversary .....                                               | 5         |
| 3.2. Identify Hardware Threats .....                                                          | 5         |
| 3.3. Analyze Stages of Hardware Development Life Cycle for Exploitability of the Threat ..... | 5         |
| 3.4. Analyze the Effect of Collusion Among Adversaries in Different Stages .....              | 5         |
| 3.5. Identify Security-Critical Stages for the Respective Threat.....                         | 7         |
| <b>4. Case Study .....</b>                                                                    | <b>8</b>  |
| 4.1. Hardware Infiltration .....                                                              | 8         |
| 4.2. IP Theft .....                                                                           | 9         |
| <b>5. Conclusion and Future Work.....</b>                                                     | <b>12</b> |
| <b>References.....</b>                                                                        | <b>13</b> |

## List of Figures

|                                                                                                                   |           |
|-------------------------------------------------------------------------------------------------------------------|-----------|
| <b>Fig. 1. Security challenges in the semiconductor supply chain.....</b>                                         | <b>2</b>  |
| <b>Fig. 2. Methodology for supply chain threat analysis.....</b>                                                  | <b>5</b>  |
| <b>Fig. 3. Threat severity levels for colluding adversaries in the context of hardware Trojan insertion .....</b> | <b>6</b>  |
| <b>Fig. 4. Threat severity levels for colluding adversaries in context of logic obfuscation .....</b>             | <b>10</b> |

## 1. Introduction

There are numerous security challenges in the semiconductor supply chain. As most chip design companies have become fabless, they rely on offshore foundries for fabrication. This is especially true for the most advanced technology nodes, and the semiconductor supply shock in 2021 has manifested these supply chain security issues. In addition to availability uncertainty, there are many more nuanced security risks in the current semiconductor supply chain, such as IP theft, counterfeiting, Trojan insertion, and reverse engineering.

In order to counteract these security risks, many types of solutions have been proposed, ranging from design to test phases of the supply chain. Numerous government-funded research programs have been established to develop countermeasures, such as the Defense Advanced Research Projects Agency (DARPA) Automated Implementation of Secure Silicon (AISS) program [1], the DARPA Structured Array Hardware for Automatically Realized Applications (SAHARA) program [2], the Naval Surface Warfare Center (NSWC) Crane State-of-the-Art Heterogeneous Integration Prototype (SHIP) program [3], the Air Force Research Laboratory (AFRL) Locked Electronics for Assured Design (LEAD) program [4], and the AFRL Aether Spy program [5], just to name a few, as addressing these security issues is crucial to national security. Dealing with such serious challenges necessitates directing security countermeasure initiatives in stages where the severity of the threat can be best diminished.

Supply chain threat analysis is an essential component of security research. The goals of such analysis are to 1) identify the different threats and related vulnerabilities associated with integrated circuits, 2) analyze how severe the threats become at different stages of the supply chain, and 3) quantify the severity of threats due to collusion among adversaries. The first thing to acknowledge before beginning any such analysis is that, while there are many threats and related vulnerabilities, not all of them can be exploited at every stage in the semiconductor supply chain. Threats vary in severity depending on the stage of supply chain.

For example, the risk of side-channel analysis is more common in chip use scenarios, whereas the risk of a hardware Trojan is more common in the early stages of design and manufacturing, as shown in Fig. 1.



Fig. 1. Security challenges in the semiconductor supply chain

This implies that threat analysis must consider both the type of threat and the various phases of the supply chain in which the threat is most effective. Moreover, one or more adversaries from different stages of supply chain can collaborate to compromise a hardware, which increases the severity of threats. Such insider threats are called collusion threats [6].

This document focuses on potential collusion risks in the hardware supply chain and is organized as follows:

- Section 2 outlines the different phases of a semiconductor supply chain.
- Section 3 describes a framework for analyzing supply chain threats.
- Section 4 presents two real-life examples of hardware security threats to provide a comprehensive explanation of the proposed framework.
- Section 5 concludes the discussion and provides directions for future work.

## 2. Stages of Semiconductor Supply Chain Stages

The first step in analyzing security concerns in the semiconductor supply chain is to outline the various stages of the supply chain and identify potential threats associated with each. There is no standard set of stages. However, for our analysis we will use seven stages as defined by Areno [7]. The user stage has been merged with the deployment stage since they have similar attack surfaces. An end-of-life stage has also been added to the seven stages originally defined by Areno [7]. A brief explanation of the stages is described below

1. **Concept:** Concept stage is the birthplace of an Integrated Circuit (IC). At this stage, the goals and purpose of an integrated circuit (IC) are formulated, and the scope and target of a hardware component are discussed. Customers, the design, planning, finance teams, and other key stakeholders are involved at this stage.
2. **Design:** Design stage gives a form to the ideas generated in the concept stage. This is the stage where prototypes of the concept are created with the help of different Computer Aided Design (CAD) tools and analysis of whether the goals identified during the concept stage are met. This stage also includes the use of third-party software and hardware prototyping.
3. **Integration:** Integration is the stage where different design components from designers and third parties are integrated together. This phase is crucial since many design elements already have tested solutions, so not everything needs to be created from the ground up. It is more feasible to purchase these solutions from third parties and integrate them into the design.
4. **Manufacturing:** After the IC's design is finished, the manufacturing phase begins. This stage includes several processes, including fabrication and packaging. Due to the high cost of building and maintaining manufacturing facilities, many design houses are fabless and outsource their designs to manufacturers located elsewhere.
5. **Testing:** Testing is the stage at which manufactured Integrated Circuits (ICs) are tested to ensure that they perform properly. Following the completion of fabrication, each IC undergoes testing. An IC's functionalities are tested here to make sure they adhere to design specifications.
6. **Provisioning:** Provisioning is the stage where standard and sensitive data are loaded into the manufactured IC. Standard data are generic and mostly available open source, but the sensitive data are anything whose disclosure would compromise IP or security. For example, keys of crypto modules or logic locking keys are sensitive data.
7. **Deployment and Use:** This stage includes delivering the IC to customers and using the IC. Many hardware vulnerabilities are exploited at this stage.
8. **End of Life:** End-of-life for an IC is the stage where the manufacturer no longer sells or manufactures IC [8]. This is often because of technological advancements when new ICs exhibiting better performance have been launched. When a chip reaches its end-of-life, the deployed chips are gradually replaced and discarded. These discarded chips are

often reused or recycled into new hardware compromising their quality and performance.

### 3. Framework for Supply Chain Threat Analysis

This work proposes a framework for analyzing different threats and how collusion among adversaries can affect the severity of threats. This analysis is divided into five distinct stages that discuss adversaries' intent, access, and resources, and how their collusion affects the severity of different threats. The framework is shown in Fig. 2. The framework incorporates threats across all stages of supply chain including insider threats.



Fig. 2. Methodology for supply chain threat analysis

#### 3.1. Identify the Intent of the Adversary

Supply chain security analysis begins with identifying the adversary's objectives. For example, an adversary may wish to disrupt a hardware's functionality or steal a designer's intellectual property (IP). This analysis describes the potential attacker, the resources that must be protected, and the semiconductor supply chain stage at which mitigation is best applied.

#### 3.2. Identify Hardware Threats

The second step is identifying the threats associated with the adversary's intent. For example, if the intent is IP theft, then the IP to be protected must be identified. In this context, an attack on logic obfuscation can be characterized as a threat. Similarly, if the adversary intends to infiltrate hardware, then hardware Trojan insertion may need to be examined.

#### 3.3. Analyze Stages of Hardware Development Life Cycle for Exploitability of the Threat

At this point, one or more significant hardware threats have been identified. The following stage involves determining which stage of the semiconductor supply chain the threat can be exploited. Questions such as how much threat an adversary in the manufacturing stage poses to logic obfuscation, or whether an adversary in the provisioning stage offers threats to hardware Trojan insertion, are raised. In light of a threat, this step determines the semiconductor supply chain's security-critical phases. In addition, this step determines if a threat is unexploitable at a specific point in the supply chain.

#### 3.4. Analyze the Effect of Collusion Among Adversaries in Different Stages

Since every stage of the semiconductor supply chain is distinct, adversaries have varying degrees of access to and knowledge of the system at different stages of the semiconductor

supply chain. The effectiveness of an attack depends largely on the adversary's knowledge of the system and their level of access. Different adversaries possess varying degrees of both. For example, a manufacturer may have detailed design knowledge, while an end user typically has limited access and little insight into a system's internal functions. As a result, their capabilities differ significantly.

Thus, collusion between adversaries from different stages of the life cycle can make threats considerably more severe, which is why this stage is crucial in the context of security analysis.

At this point in the analysis, we apply a linear scale to determine the severity of threats when adversaries from different stages of the supply chain collude. This scale ranges from 0 to 10 and represents the relative threat level of a group of colluding adversaries. Fig. 3 is an example of the scale developed in the context of the threat of hardware trojan insertion. The scale begins at 10, representing the highest threat severity level. This scenario assumes that all relevant adversaries are collaborating. From this point, we progressively remove one adversary at a time from the collusion and assess the resulting threat severity for each possible combination of remaining adversaries. As adversaries are removed, the threat severity decreases, depending on the number of adversaries and their specific roles. For instance, as shown in Fig. 3, if the manufacturer is removed from the collusion, the threat severity level drops to 8. However, if the designer is removed, the threat severity level decreases to 6. This suggests that a malicious designer poses a higher risk of hardware Trojan insertion compared to a malicious manufacturer.



**Fig. 3. Threat severity levels for colluding adversaries in the context of hardware Trojan insertion**

This scale is relative, meaning it provides a context on the severity of the threat posed by different adversaries in a collusion but does not quantify the exact difference in severity. For example, Fig. 3 illustrates that a collusion between an integrator and a designer presents a more severe threat than one involving a manufacturer and a designer, but the scale does not specify how much more severe the threat is. This relative approach is intentional, as different stakeholders may prioritize different metrics for evaluating threat severity. One analyst might prioritize attack completion time, while another may focus on the likelihood of attack success. This flexibility allows analysts to develop their own customized, non-linear scales based on the metrics they deem most important. These scales can provide a more detailed understanding,