The firmware was in the chips before VendorToWhiteListedVendor signed the delivery note. Four controls could have caught it. Any one of them breaks the chain.
Control 1 — Software Bill of Materials (SBOM)
In a supply chain context, an SBOM is simply an ingredients list for firmware. Every component, every library, every binary that makes up the firmware image — listed, versioned, and given a cryptographic hash that changes the moment anyone modifies the file.
What it would have done here: ReplacedRawPartSupplier would have been required to produce that list when they delivered the chips. VendorToWhiteListedVendor would have compared the hash on the delivered firmware against the hash on the SBOM. They would not have matched. The batch would have been rejected before a single board was assembled.
Without it, nobody had a reference document to check against. When the biomedical engineer found the anomalous hash eleven weeks later, there was nothing in the system to compare it to. The attack had no early detection point because no one had recorded what the firmware was supposed to look like.
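The goods-in comparison described above, as an added example in Python that is not part of the original article and is not any vendor's tooling: the build side records a SHA-256 per component in a CycloneDX-style SBOM, and the receiving side recomputes each hash on the delivered firmware and reports every mismatch, missing component and unlisted component. Component names, versions and bytes are constructed placeholders, and the SBOM shape follows CycloneDX only as far as this check needs.

```python
from __future__ import annotations

import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(components: dict[str, tuple[str, bytes]]) -> dict:
    """Build-side: one SBOM entry per component with its name, version and the
    SHA-256 of the exact bytes that were signed off. Shape follows CycloneDX
    loosely; only the fields the goods-in check needs are present."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {
                "name": name,
                "version": version,
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}],
            }
            for name, (version, blob) in sorted(components.items())
        ],
    }


def verify_delivery(sbom: dict, delivered: dict[str, bytes]) -> list[str]:
    """Goods-in side: every listed component must be present with a matching
    hash, and nothing unlisted may be present. Returns findings; an empty list
    means the delivered firmware matches the SBOM it arrived with."""
    findings: list[str] = []
    expected = {c["name"]: c for c in sbom["components"]}
    for name, comp in expected.items():
        if name not in delivered:
            findings.append(f"MISSING {name} {comp['version']}")
            continue
        want = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        got = sha256_hex(delivered[name])
        if got != want:
            findings.append(
                f"HASH MISMATCH {name} {comp['version']}: "
                f"sbom {want[:12]}... delivered {got[:12]}..."
            )
    for name in delivered:
        if name not in expected:
            findings.append(f"UNLISTED {name}")
    return findings


# Constructed sample data: stand-in bytes for three firmware components as
# built (GOLDEN), the same set as it should arrive, and a copy with one
# component altered by a single appended byte.
GOLDEN = {
    "bootloader": ("1.0.3", b"BOOT\x00" + bytes(range(64))),
    "pump-app": ("4.2.1", b"APP\x00" + b"dose_table_v4" * 8),
    "ble-stack": ("2.7.0", b"BLE\x00" + b"\xaa\x55" * 32),
}
SBOM = build_sbom(GOLDEN)

DELIVERED_OK = {name: blob for name, (_, blob) in GOLDEN.items()}
DELIVERED_TAMPERED = dict(DELIVERED_OK)
DELIVERED_TAMPERED["pump-app"] = DELIVERED_OK["pump-app"] + b"\x90"

if __name__ == "__main__":
    print(json.dumps(SBOM, indent=2))
    print("clean delivery:", verify_delivery(SBOM, DELIVERED_OK) or "matches SBOM")
    for finding in verify_delivery(SBOM, DELIVERED_TAMPERED):
        print("tampered delivery:", finding)
```

The check is deliberately two-sided: a component that arrives with no SBOM entry is as much a finding as a hash that does not match, because a quietly added binary is exactly what an ingredients list exists to expose.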
Control 2 — Physically Unclonable Function (PUF)
In a supply chain context, a PUF gives a chip a hardware identity it cannot fake. During manufacturing, the chip generates a unique fingerprint from the microscopic physical variations in its own silicon — variations that occur naturally, cannot be replicated, and cannot be read out and copied. That fingerprint becomes a verifiable credential tied to that specific chip.
What it would have done here: Every chip from ReplacedRawPartSupplier would have carried a credential issued by ReplacedRawPartSupplier's manufacturing process. VendorToWhiteListedVendor's goods-in check would have verified that credential against WhiteListedVendorCo's approved supplier list. ReplacedRawPartSupplier was never approved. Their credentials would not have matched. The chips would not have entered the assembly line.
Without it, a chip from an unknown source looks identical to a chip from a trusted one. There is no hardware-level way to tell them apart.
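An added example, not from the original article and not any silicon vendor's enrolment flow, of the credential check described above in Python. The PUF itself is a software stand-in: a per-chip random value models the silicon variation, and an HMAC over challenges models the challenge-response behaviour; both are assumptions made so the example runs offline. The credential binding uses an HMAC under the issuer's key where a real deployment would use a public-key signature. The scenario uses the article's supplier names with constructed keys and chip ids.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os


class SimulatedPUF:
    """Software stand-in for a silicon PUF (assumption, not real hardware).
    The per-chip random value models the manufacturing variation a real PUF
    derives its responses from; on a real die that value is never stored and
    cannot be read out, which is the property the control relies on."""

    def __init__(self) -> None:
        self._variation = os.urandom(32)

    def respond(self, challenge: bytes) -> bytes:
        # Challenge-response: same chip + same challenge -> same response;
        # a different die gives an unrelated response to the same challenge.
        return hmac.new(self._variation, challenge, hashlib.sha256).digest()[:16]


def _tag(body: dict, key: bytes) -> str:
    # HMAC over the canonical credential body stands in for the issuer's
    # signature; a real deployment would use a public-key signature so the
    # verifier holds no secret.
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def enrol(chip: SimulatedPUF, chip_id: str, issuer: str, issuer_key: bytes, pairs: int = 4) -> dict:
    """Manufacturer-side enrolment: record challenge-response pairs for this
    die and bind them to the chip id under the issuer's key."""
    crps = []
    for _ in range(pairs):
        challenge = os.urandom(16)
        crps.append({"c": challenge.hex(), "r": chip.respond(challenge).hex()})
    body = {"chip_id": chip_id, "issuer": issuer, "crps": crps}
    return {**body, "tag": _tag(body, issuer_key)}


def goods_in_check(credential: dict, chip: SimulatedPUF, approved: dict[str, bytes], pair_index: int = 0) -> str:
    """Receiving-side check: the credential must come from an approved issuer,
    verify under that issuer's key, and the physical chip on the bench must
    reproduce one of the enrolled responses. Each pair should be used once;
    the caller selects which one via pair_index."""
    issuer = credential.get("issuer")
    if issuer not in approved:
        return f"REJECT: issuer {issuer!r} not on approved supplier list"
    body = {k: v for k, v in credential.items() if k != "tag"}
    if not hmac.compare_digest(_tag(body, approved[issuer]), credential["tag"]):
        return "REJECT: credential does not verify under issuer key"
    crp = credential["crps"][pair_index]
    if chip.respond(bytes.fromhex(crp["c"])) != bytes.fromhex(crp["r"]):
        return "REJECT: chip response does not match enrolled fingerprint"
    return "ACCEPT"


# Constructed scenario: one approved supplier with a registered key, one
# substitute supplier that was never onboarded, and a third die that presents
# a copied credential it did not earn.
APPROVED = {"OriginalRawPartSupplier": os.urandom(32)}
SUBSTITUTE_KEY = os.urandom(32)

good_chip = SimulatedPUF()
good_cred = enrol(good_chip, "chip-0001", "OriginalRawPartSupplier", APPROVED["OriginalRawPartSupplier"])

sub_chip = SimulatedPUF()
sub_cred = enrol(sub_chip, "chip-9001", "ReplacedRawPartSupplier", SUBSTITUTE_KEY)

clone_chip = SimulatedPUF()

if __name__ == "__main__":
    print("approved chip, own credential:   ", goods_in_check(good_cred, good_chip, APPROVED))
    print("substitute chip, own credential: ", goods_in_check(sub_cred, sub_chip, APPROVED))
    print("other die, copied credential:    ", goods_in_check(good_cred, clone_chip, APPROVED))
```

The three rejection paths map onto the three things the control has to catch: a supplier nobody approved, a credential relabelled to look approved, and a genuine credential presented by a die that did not earn it.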
Control 3 — Supply Chain Risk Management (SCRM)
In a supply chain context, SCRM is the programme that makes the tiers below Tier 1 visible and governable. It is the set of contractual and operational requirements that ensure a hospital knows who is building its devices, who is supplying the components inside them, and what happens when any of those relationships change.
What it would have done here: WhiteListedVendorCo would have been contractually required to disclose that VendorToWhiteListedVendor existed. VendorToWhiteListedVendor would have been required to disclose OriginalRawPartSupplier as their component source. When OriginalRawPartSupplier became unavailable, VendorToWhiteListedVendor would have been required to notify WhiteListedVendorCo before making any substitution. WhiteListedVendorCo would have been required to notify HopingToGetCareHospital. The hospital would have assessed ReplacedRawPartSupplier before a single chip was ordered.
Without it, the hospital approved one company and received a product built by four. ReplacedRawPartSupplier was onboarded by one email because no contract said that was insufficient.
Control 4 — Secure Root of Trust (SROT)
In a supply chain context, an SROT is the device's ability to verify its own firmware every time it powers on. During manufacturing, the expected firmware hash is locked into a protected area of hardware that cannot be overwritten after production. On every boot, the device measures the firmware it is about to run, compares it against that locked value, and refuses to start if anything does not match.
What it would have done here: The first pump powered on during incoming inspection at HopingToGetCareHospital would have measured the modified firmware, compared it against the hash provisioned at manufacture, found a mismatch, and refused to boot. The entire batch would have been flagged before any pump reached a ward.
Without it, the pump had no way to question its own firmware. It powered on, loaded whatever code was on the chip, and began operating. The tampered firmware and the legitimate firmware were indistinguishable to the device itself.
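The power-on check described above, as an added example in Python that is not part of the original article and not any device's boot ROM: a one-time-programmable slot (an assumption standing in for fuses or similar locked storage) accepts the reference digest once at manufacture and refuses later writes, and the boot path measures the image in flash and halts on any mismatch. The firmware bytes are constructed stand-ins.

```python
from __future__ import annotations

import hashlib
import hmac


class OneTimeProgrammableSlot:
    """Models the protected hardware area (assumption: a fuse-style OTP slot).
    It accepts exactly one write at manufacture and is read-only afterwards;
    a second write fails, as re-blowing fuses would."""

    def __init__(self) -> None:
        self._reference: bytes | None = None

    def provision(self, digest: bytes) -> None:
        if self._reference is not None:
            raise PermissionError("reference hash already locked; slot is one-time programmable")
        self._reference = bytes(digest)

    def read(self) -> bytes | None:
        return self._reference


def measure(firmware: bytes) -> bytes:
    """The boot ROM's measurement: a digest over the image it is about to run."""
    return hashlib.sha256(firmware).digest()


def boot(slot: OneTimeProgrammableSlot, firmware_in_flash: bytes) -> tuple[bool, str]:
    """Power-on path: measure, compare against the locked reference, and refuse
    to hand over control on any mismatch. Returns (booted, reason)."""
    reference = slot.read()
    if reference is None:
        return False, "HALT: no reference hash provisioned"
    measured = measure(firmware_in_flash)
    if not hmac.compare_digest(measured, reference):
        return False, f"HALT: measured {measured.hex()[:12]} != reference {reference.hex()[:12]}"
    return True, "BOOT: firmware matches locked reference"


# Constructed sample: the firmware as released, and the same image with one
# byte changed, standing in for the modified firmware on the delivered chips.
RELEASED_FIRMWARE = b"PUMPFW\x00" + bytes(range(256)) * 4
MODIFIED_FIRMWARE = bytearray(RELEASED_FIRMWARE)
MODIFIED_FIRMWARE[100] ^= 0x01
MODIFIED_FIRMWARE = bytes(MODIFIED_FIRMWARE)


def provision_at_manufacture(firmware: bytes) -> OneTimeProgrammableSlot:
    """Factory step: lock the digest of the released image into the slot."""
    slot = OneTimeProgrammableSlot()
    slot.provision(measure(firmware))
    return slot


def attempt_reprovision(slot: OneTimeProgrammableSlot, firmware: bytes) -> bool:
    """Returns True only if the slot could be overwritten (it should not be)."""
    try:
        slot.provision(measure(firmware))
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    slot = provision_at_manufacture(RELEASED_FIRMWARE)
    print("released image:", boot(slot, RELEASED_FIRMWARE)[1])
    print("modified image:", boot(slot, MODIFIED_FIRMWARE)[1])
    print("rewrite of reference accepted:", attempt_reprovision(slot, MODIFIED_FIRMWARE))
```

Two properties carry the control: the reference cannot be changed after production, and a missing reference is treated as a halt rather than an open door, so a device that skipped provisioning does not silently run whatever is in flash.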
The Real Failure
All four controls were available. None were required — not in HopingToGetCareHospital's procurement policy, not in WhiteListedVendorCo's supplier contracts, not in VendorToWhiteListedVendor's goods-in process.
The technical controls do not implement themselves. Someone has to write the contract clause that demands an SBOM. Someone has to specify PUF attestation in the component requirements. Someone has to make supplier change notification a breach condition. Someone has to include SROT verification in the commissioning checklist.
Administrative controls precede technical ones. In this supply chain, neither existed.
1,200 pumps pulled. Three wards disrupted. Patients on manual monitoring. Because one procurement manager sent one email and placed one order — and nothing in the system said that was not enough.