Introduction
On 25 Jun 2024 the Ministry of Defence (MoD), through its Department of Defence Production (DDP), issued a directive warning against the use of Chinese parts in military drones, even naming two companies that were involved. There are reports of similar queries having been raised in 2016 with respect to the use of Chinese parts in Defence-related equipment. Then the Lebanon pager and walkie-talkie blasts occurred on 16th & 17th Sep 2024, killing a few but maiming thousands and rendering the entire command and control of the Hezbollah Organisation out of action. Imagine a similar scenario in a sub-conventional / conventional conflict, which might lead to far-reaching strategic effects. These attacks are Supply Chain Attacks, linked to the Bill of Material or BOM, and this link needs to be studied to avoid alarming situations in the future.
Supply Chain Attacks
A Supply Chain Attack may be defined as “an intentional malicious action (e.g., insertion, substitution or modification) taken to create and ultimately exploit a vulnerability in hardware, software, firmware at any point within the supply chain, with the primary goal of disrupting a task using cyber resources.” Supply Chain Attacks can have significant military / non-military implications, with risks to National Security. Some of these are:
- Compromised Security.
- Operational Disruption.
- Intelligence Gathering by Adversary.
- Financial Costs.
- Trust Erosion on Own Equipment & Systems.
Understanding the Bill of Material (BOM)
A BOM is a document with an all-inclusive list of the components, assemblies, and sub-assemblies required to assemble a product. It is a blueprint for the production process and includes detailed information about each item, such as part numbers, descriptions, quantities, specifications and information on the merchants from whom the items have been procured. Amongst all the documents that a procurement project produces, it is the most important one for security reasons. The assembly of the BOM is the final product, i.e. the Defence Equipment that will go into the field for Operations. Different BOMs make up a military system in the current high-end technology spectrum. These are:
- Hardware BOM. Catalogues physical components and embedded devices, and relates to supply chain risk, asset lifecycle and firmware integrity.
- Software BOM. Tracks software components, dependencies, and vulnerabilities for cybersecurity, compliance, patching and supply chain integrity. The SBOM is now also associated with the following:
  - Quantum BOM.
  - Cryptographic BOM.
  - Artificial Intelligence (AI) BOM.
Supply Chain Attacks and the BOM
We have so far understood what Supply Chain Attacks are and what the BOM (all types) is. We now need to understand how Supply Chain Attacks are closely linked to the BOM. The BOM lists all the components, materials, software etc. required to build a product and, more importantly, from where these are sourced. Attackers use this information to identify points of vulnerability and to target specific suppliers of hardware and / or software for a particular HBOM or SBOM that is critical to the final product. They exploit the complexity of the HBOM or SBOM and introduce malicious elements which are not likely to be detected, compromising the equipment / system to make it malfunction or even destroy itself.
Supply Chain Attack Examples. Let us look at a few known and suspected Supply Chain Attacks in the world. There are many more, but these give a fair idea of what can be made to happen by a compromised BOM (HBOM and / or SBOM):
- Stuxnet (2010). A malware attack via USB targeting Siemens Programmable Logic Controllers, which destroyed centrifuges used by Iran for its Nuclear Programme.
- Colonial Pipeline Ransomware (2021). An attack that compromised the fuel pipeline operator via a third-party vendor’s outdated VPN, shutting down the US East Coast’s largest fuel supply line.
- Predatory Sparrow Gas Station Disruptions (2021 and 2023). Carried out by infecting the software and fuel controllers, incapacitating about 70% of Iran’s gas stations twice.
- Predatory Sparrow Steel Factory Attacks (2022). Production in three Iranian steel factories was stopped by a malware attack; molten steel was spilled, causing fires.
- Hezbollah Pager and Walkie-Talkie Explosions (2024). The supply chain for communication devices was compromised, and both the pagers and the walkie-talkies were actually procured from an Israeli company masquerading as a Hungarian shell company. We see HBOM involvement, as the devices were filled with explosives which on exploding killed and injured most of Hezbollah’s command structure.
Vulnerability that Threatens Critical Assets
From these incidents, we can see that Supply Chain Attacks are a new method of compromising / destroying / rendering inoperable entire systems. In a future conflict, at a time of the adversary’s choosing, this will result in dreadful tactical setbacks, leading to strategic consequences that compromise National Security.
Vendor’s Plight. The plight of the vendor who has agreed to participate in a Defence Procurement Project is that he not only has to provide Military Grade Equipment, he also has to ensure that his prices are competitive enough to win the contract. In addition, globalisation has ensured that sourcing for the BOM (HBOM & SBOM) remains a challenge, forcing a vendor to navigate a complex landscape of merchants, balancing cost, availability, and technological requirements.
The Vulnerability. The SBOM and HBOM contain information of Supply Chains to the Final Product. These documents are entirely with the Vendor, and therein lies the vulnerability, enhanced with private players having come into the Indian Defence & Aerospace Sector. This information can be exploited for a Supply Chain Attack.
Mitigating the Threats Posed by BOM for Supply Chain Attacks
To summarise so far, Supply Chain Attacks exploit vulnerabilities in the supply chain to introduce malware / malicious components into military equipment. The Vendor’s Bill of Materials (HBOM / SBOM) is a crucial document in this context, as it lists all the software and components used in a Defence Product and from where they are sourced (Supply Chains). Adversaries may use the HBOM / SBOM to identify vulnerabilities in these “Supply Chains”, to target specific components or to introduce malware where it is less likely to be detected.
Supply Chain Integrity and Traceability. By maintaining Supply Chain Integrity and traceability of hardware components and software, a supply chain attack may be stopped through identification of compromised software / hardware components. Proactive engagement will be needed to ensure:
- Operational Edge
- Sustained Strategic & National Security
Indian Computer Emergency Response Team (CERT-In). CERT-In, Ministry of Electronics and Information Technology, Government of India, came out with guidelines, Version 2.0, on 09 Jul 2025. These are extensive in nature, covering all aspects of the BOM (HBOM & SBOM) with Recommendations and Best Practices. However, how these are to be implemented needs to be thought about by all who are in the procurement chains, and even during exploitation of Equipment by the Armed Forces / Other Government Agencies.
Structured Approach for Execution
Criticality Assessment. This needs to be carried out for all in-service equipment and those in the pipeline.
- Identify Critical Assets.
- Carry out Impact Analysis of Supply Chain Attack, and ensure Redundancy.
- Prioritise Critical Assets for Enhanced Scrutiny against HBOM / SBOM attacks.
Comprehensive Audit of BOM (HBOM / SBOM) for Critical Defence Assets. This may seem a humongous task, but with National Security at stake, this exercise will need to be carried out at the earliest. It must also be ensured that similar assets only get into service after passing a similar Deep Examination.
Constitute a Regulatory Body. In the long run, there may be a need to constitute a regulatory body with the task to audit the integrity, traceability, and security of all components used in critical defence equipment from procurement till the end of the equipment’s lifecycle.
Policy Recommendations
- The BOM of Critical Defence Equipment should be treated as a document classified as ‘secret’, ‘top secret’ and ‘confidential’ as per “Manual of Departmental Security Instructions, 1994”, and thereafter handled as per the laid down procedures.
- Those involved with the BOM in the Vendor’s organisation should be identified and brought under the Official Secrets Act 1923.
Conclusion
Supply Chain Attacks represent an asymmetric risk to National Security, and the information in the HBOM / SBOM is a vulnerability. This can be exploited to create an unfavourable Tactical Situation, leading to Strategic Consequences. As Private Partnership in the Defence Sector increases, there is a need to secure the supply chains and maintain their integrity. Identifying Critical Assets and proactively enforcing BOM integrity are essential steps for National Security. While the CERT-In document provides a foundational framework for regulatory oversight, there is a need to invoke the Official Secrets Act 1923 and treat the BOM as a confidential document. This calls for proactive actions, driven in mission mode, to prevent Supply Chain Attacks.