Professional Documents
Culture Documents
Guideline For Establishing A Trustworthy Supply Chain Draft May2022
Guideline For Establishing A Trustworthy Supply Chain Draft May2022
Security and resilience - Authenticity, integrity and trust for products and documents – Framework
for Establishing Trustworthy Supply Chains
Contents
Foreword ................................................................................................................................................. 2
Scope ....................................................................................................................................................... 2
1 Introduction .......................................................................................................................................... 2
2 Normative references........................................................................................................................... 3
3 Terms and definitions ........................................................................................................................... 3
4 Abbreviation and acronyms ................................................................................................................. 3
5 Overview............................................................................................................................................... 3
5.1 Generic Supply Chain Scenario ...................................................................................................... 3
5.2 Trustworthiness ............................................................................................................................. 4
5.2.1 Description of “Trustworthiness for Supply Chains of Material Goods “ ............................... 4
5.2.2 Common Attributes of Trustworthiness for Material Goods Supply Chains .......................... 4
6 Guidelines for Structured Approach to achieve Trustworthiness for SC ............................................. 6
6.1 Trust Domains ............................................................................................................................... 6
6.2 Trust Interaction Point .................................................................................................................. 6
6.3 Trust Rooms/Trust Pool/ Trust Context/ Trust Consortia/Trust Session/Trust Project/Trusted
Activity… .............................................................................................................................................. 6
6.4 Root of Trust and Trust Anchor/ Secure Identities ....................................................................... 7
6.5 Trust Service Providers .................................................................................................................. 7
6.5.1 Identity Authenticating Certificate Provider (IACP) ............................................................... 7
6.5.2 Quality Certification Certificate Provider (QCCP) ................................................................... 7
7 Trustworthiness Concept ..................................................................................................................... 7
7.1 Application domains of TDs ........................................................................................................... 8
7.2 Threat and Risk Analysis ................................................................................................................ 8
7.3 Topology of Trustworthiness Concepts (Supporting Interoperability) ......................................... 8
7.3.1 Interoperability ....................................................................................................................... 8
7.3.2 Scalability ................................................................................................................................ 8
7.3.3 Substitution (if one changes over time..robustness) ............................................................. 8
7.3.4 Basis for automation .............................................................................................................. 8
7.3.5 Means to Support Interaction at Trust Interaction Points ..................................................... 8
Trust Transitivity along the supply chain - Chain of Trust ..................................................................... 10
Annex A (informative)………………… ........................................................................................................ 10
Bibliography........................................................................................................................................... 10
Annex A : Example „Industrial Supply Chain / Industry 4.0“ ................................................................. 11
Foreword
Scope
This document provides an approach that support stakeholders in a supply chain to accomplish a
chain of trust regarding properties of identifiable material goods along a supply chain. This document
gives guidance on the identification of trust domains and their corresponding trustworthiness
attributes, and the measures to achieve the targeted trustworthiness attributes.
As a supply chain comprises of several stakeholder and numerous distinct trust domains, this
document specifies a systematic approach for identification of interaction points between trust
domains. It defines criteria for ensuring that each interaction is trustworthy and aids the
establishment of a chain of trust.
This document does not interfere with any known standards. Different technologies can be leveraged
for the implementation of the approaches guided in this document. It can be used to support existing
systems. This document is technology agnostic, and the aspects specified in this document can be
implemented using various technologies such as PKI certificates, Decentralized Identifiers and
Verifiable Credentials.
1 Introduction
The standard introduces a structured way to establish and ensure trustworthiness along the supply
chain. As economies are moving towards more digital and connected supply chains, this standard
intends to support the establishment of trust, along multiple supply chain nodes, in a systematic
manner.
It develops and elaborates an approach that support stakeholders in a supply chain to identify
distinct trust domains and includes guidelines for the identification of the trustworthiness
characteristics, targeted attributes, and the measures to achieve the targeted trustworthiness
attributes.
As a supply chain comprises of several stakeholder and numerous distinct trust domains, the
standard introduces a systematic approach for identification of interaction points between trust
domains and for ensuring that each interaction is trustworthy and aids the establishment of a chain
of trust. This will serve as an enabler for automation of verifying trustworthiness along supply chains
and will support digitalization of value chains.
By nature, security attacks against supply chains are becoming more and more complex, regardless
of industrial verticals or business contexts. That is especially why, it is essential to ensure and protect
chain of trust along any supply chain.
Apart from ensuring the chain of trust, the standard also supports robustness and resilience as it
supports the protected exchange of trustworthiness capabilities in a flexible and scalable manner.
The standard helps in achieving chain of trust when this is required by laws and regulations
2 Normative references
ISO 22300, ISO 22378, ISO 22380, ISO 22381, ISO 22383, ISO 22384, ISO 22385, …
5 Overview
In this context, when several distinct and heterogeneous entities are part of a supply chain, how can
trustworthiness be established? And likewise, what exactly are the properties that define
trustworthiness for each stakeholder in a supply chain.
5.2 Trustworthiness
5.2.1 Description of “Trustworthiness for Supply Chains of Material Goods “
This standard introduces trustworthiness as:
‘Trustworthiness corresponds to the ability of a stakeholder to make its claims verifiable along
multiple nodes in a supply chain.’
Depending on the use case and on the specific product, different attributes would apply to fulfil
stakeholder’s claims. These attributes may include authenticity, integrity, resilience, availability,
confidentiality, privacy, safety, accountability, usability, etc.
NOTE 1: The time interval duration may be expressed in units appropriate to the item concerned,
e.g., calendar time, operating cycles, distance run, etc., and the units should always be clearly stated.
NOTE 2: Given conditions include aspects that affect reliability, such as: mode of operation,
stress levels, environmental conditions, and maintenance.
2. Availability as the property of an item (system/product) of being accessible and usable upon
demand by an authorized entity.
3. Resilience refers to the capability of an item (system/product) to maintain its functions and
structure in the face of internal and external change, and to degrade gracefully when
necessary.
4. Security is a state of being protected against the effects of threats and attacks. In IT
environments, it usually will be achieved by a combination of confidentiality, integrity and
availability.
6. Privacy is defined as a right of supply chain entities to control or influence what information
related to them may be collected and stored and by whom that information may be
disclosed.
7. Safety is defined as an expectation that a system does not, under defined conditions, lead to
a state in which human life, health, property, or the environment is endangered.
10. Integrity is a property whereby data have not been altered in an unauthorized manner
during transmission and storage, without being recognized. For systems, integrity refers to
the state of being not modified or manipulated by unauthorized entities.
11. Authenticity is a property that an entity is what it claims to be, especially in terms of its
originality and provenance.
12. Quality is the degree to which the characteristics of an item (system/product/data) satisfies
the stated and implied needs when used under specified conditions.
13. Usability refers to the extent to which an item (system/service/data) can be used by
intended users to achieve specified goals with simplicity, effectiveness, efficiency, and
satisfaction in a specified context of the use case.
Depending on the business context or the use case, different characteristics would be used to define
trustworthiness. For example, a sensor measuring and communicating temperature is trustworthy if
its measurements are accurate and it is reliably taking the measurements at the configured time
intervals. Therefore, the trustworthiness characteristics would be different in different use cases and
also the targeted characteristics to achieve trustworthiness with differ in different scenarios.
7 Trustworthiness Concept
The trustworthiness concept is an approach to establish trustworthiness along a supply chain in a
structured manner. The approach can be applied to new businesses and can be leveraged to
update the existing business relationships to make them more trustworthy.
Having the overall supply chain picture for the particular business contract/use case, the business
initiator must:
- Identify the trust domains in the supply chain.
- Determines its own trust domain and establish the targeted trustworthiness attributes for its
trust domain for the particular business case.
- Find out the trust domains that it needs to interact with.
- Perform Threat and Risk Assessment to identify the possible threats and risks for its business
case.
- Identify requirements that entities part of its trust domain must fulfil to achieve the
established trustworthiness targeted attributes.
- Determine and realize measures to fulfil the aforementioned requirements.
- Identify TIPs to and from its TD (define the interaction process, such as conditions, location,
method, etc.).
- Approach the other TDs that it wants to interact with for the particular business case.
- Negotiate and determine the trustworthiness targeted attributes for the interaction at the
TIP.
- Identify requirements to achieve the agreed targeted TW attributes.
- Determines and realize measures to fulfil the aforementioned requirements.
- Establish a trustworthy interaction.
-
Trustworthiness Profile
To be filled by the Buyer To be filled by the Supplier
Buyer s Information Supplier s Information
Contact Partner: Contact Partner:
*Contact Partner s Unique Identifier: *Contact Partner s Unique Identifier:
Contact Information: Contact Information:
Legal Entity Name: Legal Entity Name:
*Legal Entity Unique Identifier: *Legal Entity Unique Identifier:
*Unique Identifier Scheme: (e.g., link to LEI code repo, VATIN by DUNS, NTA by TSE, etc.) *Unique Identifier Scheme: (e.g., link to LEI code repo, VATIN by DUNS, NTA by TSE, etc.)
Country: Country:
Additional Information: Additional Information:
PSS Supplier Questionnaire Upload/Attach Conform: Self-Assessed 3rd-Party Assessement Upload/Attach DD.MM.YYYY
Reference Request-for-work Time Stamp Reference TW Expectations Quote/Bid Reference Time Stamp
Digital Signature Digital Certificate (If required) Digital Signature Digital Certificate (If required)
In [reference], the trustworthiness profile is used bilaterally between two communicating TDs in
the supply chain (“supplier” and “buyer”). The supplier uses his QCCs to proof the capabilities of
his own valued add to the delivered component. If the buyer wants to get assurance of
capabilities of the suppliers’ value add the concept for “Chain of Trust” needs to be introduced:
In some business cases, if a proof of TW of various/all value adds along the supply chain is
desired, this white paper introduces the extended trustworthiness profile, shown in Figure 8. The
extended trustworthiness profile provides the buyer and the supplier the option to specify
expectations and prove capabilities of other entities upstream the supply chain. The supplier has
the option to attach capabilities of its suppliers to fulfil the expectations of its potential buyer.
This covers scenarios where a proof of any other communicating TD’s trustworthiness prior in
the supply chain must be provided to the buyer. A TWP, which covers proofs for the supplier’s
suppliers is shown in figure below.
Extended Trustworthiness Profile
It is considered that in certain scenarios, the supplier might not want to disclose its suppliers to
its buyer for business reasons. Therefore, different technological solutions, for e.g., leveraging
verifying credentials, can be used to preserve privacy of other TDs and to only prove certain
quality. (References….)
Annex A (informative)…………………
Bibliography
Annex A : Example „Industrial Supply Chain / Industry 4.0“
Starting with its own trust domain identification, the business initiator must consider the targeted
trustworthiness attributes of each supply chain participating entity. For instance, a bottle
manufacturer must identify itself as a trust domain and other concerned trust domains like raw
material provider, logistics handler, beverage producer(customer). Based on the business case, for
example, producing green bottles for beverages, the bottle manufacturer established its targeted TW
attributes as availability, integrity, and reliability. Once the targeted TW attributes are established,
entities in the TDs perform a TRA and identify the requirements to fulfil the targeted TW attributes.
In order to meet the identified Now the business identifier must identify TIPs with other TDs. So, for
example, it negotiates TIP’s TW targeted attributes with the beverage producer (customer) as
confidentiality, integrity and availability.