NCCoE project delivers manufacturing supply chain traceability using blockchain-related technologies

The National Institute of Standards and Technology (NIST) published Thursday a draft project description that introduces the concept of a manufacturing supply chain ‘traceability chain,’ made up of a series of manufacturing traceability records written to industry-specific ecosystem blockchain-related technologies. Led by the National Cybersecurity Center of Excellence (NCCoE), the project is intended to provide supply chain visibility from end-user to original components. 

The public comment period for the NCCoE project description is now open through May 16. 

The project description document describes a Traceability Chain Minimum Viable Product (MVP) reference implementation (RI) as a starting point for further research and refinement. With MVP RI as a follow-on effort from NIST IR 8419, the NCCoE project explores the mechanics of sharing manufacturing supply chain traceability information across industries and critical end operating environments using multiple blockchain-enabled ecosystems. It also outlines that insufficient traceability information for critical components reduces the effectiveness of risk-based evaluations of security, safety, sustainability, and other compliance needs within end operating environments, including reduced ability to detect vectors of adversarial attack.

The initiative will continue building on ongoing NCCoE efforts to demonstrate the role that blockchain-related technologies may play to improve manufacturing supply chain traceability and integrity by exploring several use cases and the issues surrounding implementing supply chain traceability, resulting in a freely available NIST cybersecurity publication. Additionally, a decentralized data approach helps manufacturers and critical infrastructure sectors to secure their supply chains and end operating environments.

The NCCoE project addresses key challenges in the manufacturing supply chain, including improving visibility, integrity, and permanence of manufacturing supply chain product pedigree. “The initial claim of product authenticity by a manufacturer needs to survive the lifetime of the manufacturer through mergers, acquisitions, and dissolution,” the document added. 

It also delivers visibility and integrity of provenance across tiers of manufacturers. The existing process of tracking provenance via bilateral exchange of traceability information between buyer and seller is complicated and non-permanent: information may be lost or further obscured during mergers, acquisitions, and dissolution.

The project also describes and delivers a reference implementation of a potential manufacturing supply chain traceability mechanism that demonstrates manufacturers’ ability to post traceability records to their respective industry ecosystem blockchains. Each traceability record written to the blockchain-related technology links to the prior traceability record(s), going back to the original traceability record(s). It also works on establishing traceability record links and forming an immutable traceability chain. Traceability records can link to multiple prior traceability records in the case of combining components in higher-order assemblies and products.

Additionally, the project showcases associating traceability records with relevant context. In addition to linking to previous traceability records, traceability records point to relevant context and additional data in external repositories as needed, so a record carries only minimal data itself and links to external data where required.

The NCCoE project delivers an MVP RI that demonstrates manufacturers joining their respective blockchain-related technology-enabled ecosystems and demonstrates manufacturers writing and linking traceability records, while also illustrating critical infrastructure operators reading the traceability chain to inform their assessment of whether to employ the manufactured product. It also uses microelectronics, industrial controls, and critical infrastructure as example domains, and positions the MVP RI as a starting point for future research and refinement. 

The project assesses that across complex manufacturing supply chains, multiple ecosystems will arise and must themselves link traceability information across the ecosystems to establish trusted and symmetric traceability data, from commodities to final assemblies used in critical infrastructure, where products include hardware, software, and services. “The resulting traceability chain across industry ecosystems provides a path (links) to follow traceability records across ecosystems. The linking of traceability records can be performed with a small number of data fields.” 

Further, “traceability records can be specialized to meet the needs of various industry sectors as needed,” the NCCoE document disclosed. “The traceability links allow for multiple source components to be combined in an assembly, where the traceability record for the assembly can contain a list of constituent links back to the sourced components. This enables a tree structure of links, with a critical infrastructure acquirer ultimately receiving the root traceability record.”

It added that the root traceability record can then be followed backwards, or upstream in the product supply chain, as necessary through ecosystems and across the chain of product traceability records. 
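The linking and upstream walk described above can be sketched as follows. This is an added example, not code from the NCCoE document or its reference implementation; it assumes a link is the ecosystem name plus a SHA-256 digest of the prior record, uses in-memory dictionaries in place of ecosystem ledgers, and all field, company and product names are constructed.

```python
import hashlib
import json

def record_id(record):
    """Digest of the record's canonical JSON, used as its link value (assumption)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()

def post(ledgers, ecosystem, maker, product, prior=(), external=None):
    """Write a record to one ecosystem ledger and return the link to it."""
    record = {"ecosystem": ecosystem, "maker": maker, "product": product,
              "prior": [list(p) for p in prior],  # links to source components
              "external": external}               # pointer to off-ledger context
    rid = record_id(record)
    ledgers.setdefault(ecosystem, {})[rid] = record
    return (ecosystem, rid)

def trace_upstream(ledgers, link):
    """Follow a root record back to the original records, checking each link.

    Returns (products whose records verified, list of problems found)."""
    ecosystem, rid = link
    record = ledgers.get(ecosystem, {}).get(rid)
    if record is None:
        return [], [f"missing record {ecosystem}:{rid[:8]}"]
    if record_id(record) != rid:
        return [], [f"altered record {ecosystem}:{rid[:8]}"]
    seen, problems = [record["product"]], []
    for prior in record["prior"]:  # an assembly lists one link per constituent
        sub_seen, sub_problems = trace_upstream(ledgers, tuple(prior))
        seen += sub_seen
        problems += sub_problems
    return seen, problems

def build_sample():
    """Constructed data: a PLC built from a packaged MCU and firmware."""
    ledgers = {}
    die = post(ledgers, "microelectronics", "ChipCo", "MCU die")
    pkg = post(ledgers, "microelectronics", "ChipCo", "packaged MCU", [die],
               external="https://example.invalid/test-report")
    fw = post(ledgers, "industrial-controls", "CtrlCo", "PLC firmware")
    root = post(ledgers, "industrial-controls", "CtrlCo", "PLC", [pkg, fw])
    return ledgers, root

if __name__ == "__main__":
    sample_ledgers, sample_root = build_sample()
    print(trace_upstream(sample_ledgers, sample_root))
```

An operator reading the chain would treat any entry in the problems list as a gap in the product's pedigree, since a record that no longer matches its link digest cannot vouch for anything upstream of it.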

The NCCoE project identified that the ecosystems and manufacturing stakeholders used in the MVP scenarios to illustrate the MVP traceability chain mechanism include three distinct blockchain-related technology-enabled ecosystems: the microelectronic manufacturing domain, the industrial control technology manufacturing domain, and the critical infrastructure domain. The three distinct manufacturing stakeholders are the microelectronic manufacturer, the industrial control technology manufacturer, and the critical infrastructure operator.

The MVP project includes many technical aspects of the supply chain, data, and identity technology, the NCCoE document said. “Multiple industry contributors will be required to implement the MVP in blockchain-related technologies. This project also assumes notional agreement around simplified traceability data types, which in a real industry sector adoption would be subject to negotiation and agreement, the same as any shared data standard,” it added.

The MVP implementation may be further refined and specialized by industry, academia, or other organizations, using specific data standards, and illustrating different supply chain domain contexts. The MVP implementation will demonstrate the traceability mechanics in the context of microelectronics and industrial control software used by end operating environments in critical infrastructure sectors.

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the U.K., Germany, the Netherlands, and New Zealand (CERT NZ, NCSC-NZ) published joint guidance urging software manufacturers to take urgent steps necessary to ship products that are secure-by-design and secure-by-default. The move shifts the balance of cybersecurity risk by using principles and approaches for security-by-design and secure-by-default.
