Can you really buy a made-in-USA rack mount server?
by Michael Bowling, on Jan 3, 2018 11:08:36 AM
When you bought your last rack mount server you probably saw a sticker that said, “Made In China” or “Made in Taiwan.”
Whether you are working on a military, government, or industrial/commercial application that utilizes sensitive information, the risks involved in utilizing a foreign-made computer in your deployment is of great concern.
Most government and military applications rely heavily on hardened computers for most of their sensitive data analysis with few, if any, assurances that the computer has not been hacked or otherwise compromised whether through installation of undocumented backdoors in hardware, firmware or software.
It may be easy to assume that there is no such thing as a hardened, rugged computer that is designed, manufactured, configured/assembled, and supported here in the USA.
In this blog, we are going to discuss viable options when looking for as much US content as possible in your computer.
Types of computer manufacturers
100% NOT made in USA
- Most computer manufacturers effectively do 100% of the above overseas. Maybe the corporate headquarters or sometimes final fulfillment (shipping and possibly minor final configuration) is based in the US. This does very little to account for security concerns at earlier, more fundamental (and thus riskier) phase of the computer design, manufacturing, assembly or support phases.
Just final assembly in USA
- There are numerous small “computer suppliers” that claim, “made in US.” However, simple investigation will reveal that they are simply doing the final assembly of the components in the USA. The sensitive and critical design and manufacturing phases are still vulnerable. They are putting a foreign designed and manufactured processor board into a foreign designed and manufactured chassis…but a US citizen is simply installing the RAM, hard drive, etc. before the computer is shipped to the customer. One advantage to this type of computer supplier is that there typically is some first level tech support available (maybe a hard drive or a fan fails). Unfortunately, if a technical issue is with a low-level or board-level component, the consumer or end user is left with little recourse. What company is going to provide direct access to the engineers who conceived, designed, laid out and validated a board design?
Just chassis design in USA
- Some companies will even go so far as to design a nice MIL-810 and/or MIL-461 chassis--these are basically US government standards that qualify requirements for shock/vibration resistance, and RF emissions. These type companies are still installing a foreign-designed and manufactured processor board into the system. Regardless of the metal around the chassis being US content, the processor board is still just as vulnerable. The technical support tends to be better than average, but once the issues gets more complicated you will quickly realize that you are dependent on a large, foreign processor board designer who may not be responsive to your needs. After all, you’re not their customer.
- A few large computer manufacturers make a lot of press about doing their design in the US. This does have the benefit of driving quality domestic jobs here in the USA. Additionally, their application-level support tends to be the most responsive; good luck asking for a root cause to a hardware issue, though. Still, the manufacturing and assembly process, where most of the labor force is employed, is being done overseas. Unfortunately, many of the countries where these processor boards are being manufactured are notorious for security concerns with government involvement, lax government regulation, and poor labor standards.
100% Made in USA!
- So what does it look like to get as much US content as possible? There are only a handful of US-owned, historic, proven-track-record, ISO 9001, and ITAR-certified companies that consistently execute every phase (design, manufacture, assembly, support) here in the US. It is critical that you ensure that all phases have as much US content as possible. Design (electrical, mechanical, BIOS), manufacturing, assembly, and support…every phase is critical when ensuring the safety and security of your computer in your mission-critical application.
Some things you must manage
It is worth noting that some components of the computer are not made in the US and may be single-sourced.
For example, the CPU is probably made outside of the US and you simply are not going to find another option.
The hard drive or DVD-ROM may only be sourced overseas as well. Note that these type of components, assuming they are purchased through approved and appropriately sourced and documented channels, are not likely to come from the supplier with a vulnerability.
Typically, the manufacturer and/or supplier knows that your application is sensitive and the CPU or hard drive supplier should not be privy to the end application.
Make sure that your computer supplier is ITAR-approved and ISO 9001 certified so that they have proper security measures in place to protect against these type of potential security concerns.
Also, most software (OS, BIOS, etc.) has much of the actual coding done overseas. Some computer manufacturers handle all customization here in the US to ensure anything beyond the standard off-the-shelf code is done domestically which should mitigate potential issues.
It is also important to consider what is likely to get hacked or infiltrated. Most people think software or application ‘bugs’ are the easiest target. However, hardware like USB ports and the BMC (IPMI system management) are just as critical—even the U.S. Navy agrees. There have been many stories about USB drives being used to steal sensitive information or install a bug or virus into a computer. Also, system management software (like IPMI) is particularly dangerous since all communication is out-of-band, outside of any software protection a system may have, and can exert control over the whole machine, down to the BIOS level. Make sure that your computer supplier physically removes all accessible USB ports (or at a minimum disables them in the BIOS and then sets a strong password on the BIOS) and securely disables the IPMI at the firmware level.
Ensure that your computer supplier has proper revision-level protections in place. Most customers that are sensitive to these types of security issues will check with their computer supplier once…but few follow up year after year to ensure that nothing has changed. Most military applications need as much product lifecycle as possible and you want to ensure that there are no form, fit, or function changes that have slipped into the computer that you had once audited and approved. Ideally, a US-based computer manufacturer will proactively inform you if changes are necessary to prolong product lifecycle.
At the end of the day your security is only as strong as the weakest link. Rest assured that there are quality, domestic computer design, manufacturing, assembly, and support companies that are engineering, quality, and security focused.
Who to turn to
Trenton Systems has been designing, building, integrating and supporting our board and system-level products in the Atlanta, Georgia area for more than 30 years.
Our workforce is 100% US citizens and we are an ITAR and ISO 9001:2008 certified organization.
Our products power mission-critical Industrial, Military and data center applications in some of the harshest environments on Earth and in Space.
Some of the largest military, aerospace, industrial, infrastructure and mainframe contractors and manufacturers turn to us for both COTS and ground-up, custom-designed board level, mechanical and software solutions to their Made in USA ruggedized computing requirements.
Contact one of our Engineers today to discuss how we help our customers meet their unique computing challenges no matter where they are located.