16 October 2020
Ensuring the Security and Integrity of Supply Chains
As end-users we all want and need to be sure about the quality and origin of the goods we consume, whether it’s the food on our plates or essential commercial products such as smartphones or cars. Ensuring the quality and reliability of these goods becomes even more important for a society’s critical infrastructure, when the goods are complex components such as power generators which are produced and integrated by multiple sub-contractors. It is self-evident that a reliable and secure supply chain is a must. In addition, not only must non-compliance with standards be prevented, but also, when such violations occur, they must be detected so that the responsible parties can be held liable.
CyberSec4Europe addresses some of these requirements by developing novel approaches to model supply chains, using innovative technologies such as blockchain for the tracking and tracing of supply chain resources (e.g., parts and materials). Our approach brings several advantages:
- the ability to model and validate a supply chain process efficiently before deploying it in the real-world;
- replacing common paper-based audit trails by means of a digitised equivalent;
- avoiding out-of-band communications and sharing of information with a platform that records and tracks supply chain information;
- the reduction of costs and time needed for handling disputes; and
- replacing a centralised trust model with a distributed trust architecture, where single entities alone will not have the power to manipulate and change any information.
CyberSec4Europe is focusing on two concrete use cases:
- dispute resolution, specifically in the context of retail, and
- compliance and accountability in distributed manufacturing.
The security components and concepts developed – which will be showcased in the demonstrators – contribute to:
- reducing the likelihood of conflicts in distributed supply chain scenarios and, in case they occur, lowering the time and efforts needed to resolve them;
- monitoring and enforcing adherence to a company’s processes and guidelines as well as compliance with legal regulations
Dispute Resolution for Retail
This use case focuses on the management and reconciliation of disputes in the retail supply chain. A dispute may arise when a supplier sends a certain quantity of goods to a purchaser to fulfil an order. Let us consider a scenario where a purchaser has placed an order for a certain product quantity with a supplier. When the shipment arrives at the purchaser’s warehouse, the purchaser notices a discrepancy in the received product quantity. As the shipment contains a lesser quantity than what was ordered, the purchaser raises a dispute. The reason for the discrepancy is that the supplier had to redirect some of the product quantity to another purchaser who had a higher priority. Resolving this dispute is a costly and time-consuming process and is disruptive to both the purchaser and the supplier.
The underlying blockchain platform of the demonstrator supports fast and effective conflict resolution. All the transactions between the supplier and purchaser are recorded on the blockchain. In particular, any discrepancies such as a change in product quantities are recorded on the blockchain and visible to all the transacting parties. In this case, the supplier creates a transaction, recording the reduced quantity of goods that are being delivered to the purchaser. This change, i.e., the reduction of the delivery quantity, is immediately visible to the purchaser. To address the discrepancy, the supplier sends the remaining goods in a following shipment and, again, records this transaction on the blockchain.
Without a blockchain, the Enterprise Resource Planning (ERP) systems of the purchaser and supplier are updated separately creating inconsistencies. If these systems are siloed, a reconciliation is not possible and the transacting parties need to raise disputes to resolve the issues. A blockchain offers a consistent view of the transaction status for all the business stakeholders. This unified view leads to a lower incidence of disputes in case of supply chain discrepancies, and, if disputes do arise, then the resolution time is reduced.
Compliance and Accountability in Distributed Manufacturing
This use case focuses on the compliance and accountability of the supply chains associated with the manufacturing of the main components in power generation stations, such as power transformers. Their design and production might take up to one or two years. Yet, any malfunctioning of such components, which could require their replacement, may impact the availability of the electricity grid in the affected region for months or even years. Therefore, this scenario addresses the challenges that large manufacturers face when producing goods via complex and distributed processes. These include not only the tracking and monitoring of the location, movement, and availability of parts, but also their quality and compliance.
Generally, compliance in manufacturing implies adherence to technical and corporate requirements, as well as legal regulations and industry standards.
In order to prevent or minimise disruptions, we are researching and developing frameworks to detect the inclusion of poor-quality components or counterfeits in end-systems. Additionally, the developed mechanism can be used to determine who is responsible for non-compliant parts or resources.
The frameworks are used to model the manufacturing and compliance workflows and enforce the workflows on the actors involved. The workflow participants execute the workflow and record the resulting actions on a blockchain which provides immutability via cryptographically chained transactions and non-repudiation via transactions signed using public key infrastructure (PKI) identities. Thus, the blockchain helps manufacturers enforce compliance and standards, monitor and trace the resources in real-time, and, in case of an error, manufacturers can detect the root cause of problems with the help of the blockchain.
An essential characteristic of distributed supply chains is that different stakeholders – such as manufacturers, suppliers and sub-contractors – collaborate and contribute to the provisioning of certain goods. In case of disputes, additional actors like independent consultants or expert witnesses will get involved to solve conflicts. The demonstrator developed for this use case will employ the following:
- A web interface allowing the supply chain participants to execute a supply chain business process (or a workflow) modelled and implemented using a Petri net-based approach. The workflow represents the state and conditions that the participant needs to fulfil at a particular moment to proceed to the next step in the workflow. The main benefit of the developed framework is that compliant supply chain processes can be modelled, verified, validated and enforced. The framework includes several components such as Petri net tools, a Petri net-based workflow execution engine, and the corresponding smart contracts deployed on a blockchain.
- An immutable audit log based on distributed ledger technology, showing that any interaction in a supply chain context, like the delivery of goods with the corresponding assurance of the quality of goods (in the form of a bill of delivery), will be logged in a distributed ledger. The benefit of a distributed ledger is that information is accessible by all relevant stakeholders that provides a high level of transparency and fairness to partners. If needed, confidential information can be kept secret (e.g., manufacturing process details and recipes) and made accessible only to trusted authorities in the case of dispute handling procedures.
In the case of conflicts, smart contract-based dispute resolution procedures can be triggered. The smart contracts used for dispute handling check the history of transactions, verify constraints, and store their results on the blockchain. These smart contracts are well-defined and agreed between the various partners interacting in a distributed supply chain, so that the rules of enforcement are transparent to all.
For further information on this demonstrator use case, see here.
Prabhakaran Kasinathan and Martin Wimmer, Siemens AG