
Draft Proposal- German New Work Item Proposal

Security and resilience - Authenticity, integrity and trust for products and documents – Framework
for Establishing Trustworthy Supply Chains

Contents
Foreword
Scope
1 Introduction
2 Normative references
3 Terms and definitions
4 Abbreviation and acronyms
5 Overview
5.1 Generic Supply Chain Scenario
5.2 Trustworthiness
5.2.1 Description of “Trustworthiness for Supply Chains of Material Goods”
5.2.2 Common Attributes of Trustworthiness for Material Goods Supply Chains
6 Guidelines for Structured Approach to achieve Trustworthiness for SC
6.1 Trust Domains
6.2 Trust Interaction Point
6.3 Trust Rooms/Trust Pool/Trust Context/Trust Consortia/Trust Session/Trust Project/Trusted Activity…
6.4 Root of Trust and Trust Anchor/Secure Identities
6.5 Trust Service Providers
6.5.1 Identity Authenticating Certificate Provider (IACP)
6.5.2 Quality Certification Certificate Provider (QCCP)
7 Trustworthiness Concept
7.1 Application domains of TDs
7.2 Threat and Risk Analysis
7.3 Topology of Trustworthiness Concepts (Supporting Interoperability)
7.3.1 Interoperability
7.3.2 Scalability
7.3.3 Substitution (if one changes over time..robustness)
7.3.4 Basis for automation
7.3.5 Means to Support Interaction at Trust Interaction Points
Trust Transitivity along the supply chain - Chain of Trust
Annex A (informative)
Bibliography
Annex A: Example „Industrial Supply Chain / Industry 4.0“

Foreword

Scope
This document provides an approach that supports stakeholders in a supply chain in accomplishing a
chain of trust regarding properties of identifiable material goods along that supply chain. This document
gives guidance on the identification of trust domains and their corresponding trustworthiness
attributes, and on the measures to achieve the targeted trustworthiness attributes.

As a supply chain comprises several stakeholders and numerous distinct trust domains, this
document specifies a systematic approach for the identification of interaction points between trust
domains. It defines criteria for ensuring that each interaction is trustworthy and aids the
establishment of a chain of trust.

This document introduces a standardized data structure to exchange trustworthiness-relevant
information. This can be used to negotiate and exchange trustworthiness properties between
different supply chain nodes. It will support several properties, such as interoperability, robustness,
accountability and transparency, while preserving privacy.

This document does not interfere with any known standards. Different technologies can be leveraged
for the implementation of the approaches described in this document, and it can be used to support existing
systems. This document is technology agnostic: the aspects specified in it can be
implemented using various technologies such as PKI certificates, Decentralized Identifiers and
Verifiable Credentials.

1 Introduction
The standard introduces a structured way to establish and ensure trustworthiness along the supply
chain. As economies are moving towards more digital and connected supply chains, this standard
intends to support the establishment of trust, along multiple supply chain nodes, in a systematic
manner.
It develops and elaborates an approach that supports stakeholders in a supply chain in identifying
distinct trust domains, and includes guidelines for the identification of the trustworthiness
characteristics, the targeted attributes, and the measures to achieve the targeted trustworthiness
attributes.

As a supply chain comprises several stakeholders and numerous distinct trust domains, the
standard introduces a systematic approach for the identification of interaction points between trust
domains and for ensuring that each interaction is trustworthy and aids the establishment of a chain
of trust. This will serve as an enabler for the automated verification of trustworthiness along supply chains
and will support the digitalization of value chains.

Security attacks against supply chains are becoming more and more complex, regardless
of industrial vertical or business context. That is precisely why it is essential to ensure and protect the
chain of trust along any supply chain.

Apart from ensuring the chain of trust, the standard also supports robustness and resilience as it
supports the protected exchange of trustworthiness capabilities in a flexible and scalable manner.

The standard also helps in achieving a chain of trust where this is required by laws and regulations.

2 Normative references
ISO 22300, ISO 22378, ISO 22380, ISO 22381, ISO 22383, ISO 22384, ISO 22385, …

3 Terms and definitions


Consider including the definition of:
- Targeted Trustworthiness attributes
- Trustworthiness for supply chains
Note to entry: The definition of reference architecture for the generic term ‘trustworthiness’
is being developed by ISO/IEC JTC 1 WG 13 [ref].
- claims

4 Abbreviation and acronyms

5 Overview

5.1 Generic Supply Chain Scenario


Supply chains are generally very complex, comprising several entities that may be located
continents apart at different geographical locations and leveraging different management systems.
Different regulations, norms and standards may apply to different supply chain entities based on the
use case, business context, country of origin, etc.
Typical actors in every supply chain are shown in the figure above. They comprise:
• Suppliers of components (software, hardware, or both) and/or services.
• Manufacturers or producers of a final product that can be consumed/utilized directly by the end
customers, and/or integrators that integrate one or more components to form a final product
and sell it to end consumers.
• Regulatory authorities, which ensure that the different supply chain stakeholders and their products
and processes comply with the applicable national or international regulations.
• Certification authorities, which verify and certify that the different supply chain stakeholders and their
products and processes comply with the applicable standards. They issue certificates that
provide proof that the subject of the certificate has the qualities required by the relevant
standard.
• Retailers/distributors and logistics providers, which ensure the flow of goods along the supply chain.
Supply chain actors like suppliers, manufacturers, etc., can take up the role of distributing
their products themselves or outsource this function to a third party.
• End customers, who utilize the products that have gone through the supply chain.

In this context, when several distinct and heterogeneous entities are part of a supply chain, how can
trustworthiness be established? And likewise, what exactly are the properties that define
trustworthiness for each stakeholder in a supply chain?

5.2 Trustworthiness
5.2.1 Description of “Trustworthiness for Supply Chains of Material Goods”
This standard introduces trustworthiness as:
‘Trustworthiness corresponds to the ability of a stakeholder to make its claims verifiable along
multiple nodes in a supply chain.’

Depending on the use case and on the specific product, different attributes would apply to fulfil
stakeholder’s claims. These attributes may include authenticity, integrity, resilience, availability,
confidentiality, privacy, safety, accountability, usability, etc.

5.2.2 Common Attributes of Trustworthiness for Material Goods Supply Chains


The trustworthiness attributes would differ for different use cases and business context, and they
can be understood as (Reference ISO JTC 1 WG 13):
1. Reliability refers to the ability of an item (system/product) to perform as required and pre-
determined, without failure, for a given time interval and under given conditions.

NOTE 1: The time interval duration may be expressed in units appropriate to the item concerned,
e.g., calendar time, operating cycles, distance run, etc., and the units should always be clearly stated.

NOTE 2: Given conditions include aspects that affect reliability, such as: mode of operation,
stress levels, environmental conditions, and maintenance.

2. Availability as the property of an item (system/product) of being accessible and usable upon
demand by an authorized entity.

3. Resilience refers to the capability of an item (system/product) to maintain its functions and
structure in the face of internal and external change, and to degrade gracefully when
necessary.

4. Security is a state of being protected against the effects of threats and attacks. In IT
environments, it usually will be achieved by a combination of confidentiality, integrity and
availability.

5. Confidentiality is a characteristic of information/data that is not made available or disclosed
to unauthorized individuals, entities, or processes.

6. Privacy is defined as a right of supply chain entities to control or influence what information
related to them may be collected and stored and by whom that information may be
disclosed.

7. Safety is defined as an expectation that a system does not, under defined conditions, lead to
a state in which human life, health, property, or the environment is endangered.

8. Accountability refers to the obligation of a system, an individual or an organization to
account for its activities, for completion of a deliverable or task, accept the responsibility for
those activities, deliverables, or tasks, and to disclose the results in a transparent manner.

9. Transparency refers to the property of a system or process to provide openness and
accountability as required by the use case.

10. Integrity is a property whereby data have not been altered in an unauthorized manner
during transmission and storage, or where any such alteration is detected. For systems, integrity refers to
the state of not being modified or manipulated by unauthorized entities.

11. Authenticity is a property that an entity is what it claims to be, especially in terms of its
originality and provenance.

12. Quality is the degree to which the characteristics of an item (system/product/data) satisfy
the stated and implied needs when used under specified conditions.

13. Usability refers to the extent to which an item (system/service/data) can be used by
intended users to achieve specified goals with simplicity, effectiveness, efficiency, and
satisfaction in the specified context of the use case.

14. Accuracy refers to the level of precision of results of observations, computations, or
estimates relative to the true values or the values accepted as being true.

Depending on the business context or the use case, different characteristics would be used to define
trustworthiness. For example, a sensor measuring and communicating temperature is trustworthy if
its measurements are accurate and it reliably takes the measurements at the configured time
intervals. Therefore, the trustworthiness characteristics differ between use cases, and
the characteristics targeted to achieve trustworthiness will also differ between scenarios.

6 Guidelines for Structured Approach to achieve Trustworthiness for SC
This section of the document introduces the basic components that are essential for establishing
trustworthiness in a structured manner:

6.1 Trust Domains


A trust domain (TD) can be defined as a domain with a specified authority that
determines its present and targeted trustworthiness attributes. The specified
authority or the responsible owner of the TD specifies the trustworthiness attributes
for all the entities that are part of this trust domain; these may depend on a certain
business case and on the requirements of the involved stakeholders, such as suppliers,
regulators, etc.
Based on this business context, a hierarchy of main and sub-trust domains or
overlapping TDs can also exist.
A supply chain comprises several TDs that may negotiate and establish contracts
to conduct business with each other. Each TD has a defined responsible entity for
managing and establishing contracts with entities external to its TD.

6.2 Trust Interaction Point


The trust interaction point (TIP) is the interaction interface between distinct trust
domains. At each TIP, the communicating TDs must exchange, negotiate, and verify
their current and expected trustworthiness attributes. In this way, the interaction
between two TDs has its defined trustworthiness attributes, and future
interactions must be established accordingly.

6.3 Trust Rooms/Trust Pool/Trust Context/Trust Consortia/Trust Session/Trust Project/Trusted Activity…
In some cases, two trust domains can have the same present and targeted
trustworthiness attributes. They can then be grouped together into a trust room (TR). The
specified authority or the responsible owner of the TDs in a TR can be the same entity or
an entirely separate entity.

6.4 Root of Trust and Trust Anchor/ Secure Identities


A typical supply chain comprises the flow of material goods and products from
different entities to the final end user/customer. The digital information regarding
this flow of material goods and products is essential to manage them along the supply
chain. Therefore, a strong, persistent binding is required between the digital
information and its corresponding physical-world material good or product. This
persistent binding requires at least a trust anchor on the product. The trust anchor
can be realized in several ways, e.g., unique verifiable artifacts, secure elements,
etc.
The trust anchor is also utilized to derive input for the material good's or product's
identification and authentication.

6.5 Trust Service Providers


6.5.1 Identity Authenticating Certificate Provider (IACP)
A person or legal entity that verifies and authenticates the identity of the entities participating in a
supply chain. It provides a number of trust services involved with the creation, validation and
preservation of e-signatures, e-seals or digital certificates.

6.5.2 Quality Certification Certificate Provider (QCCP)


A person or legal entity that assesses and attests particular qualities of the entities participating in
a supply chain. The assessment is based on pre-determined criteria or applicable standards. The
QCCP issues a verifiable proof of assessment in the form of a printed or digital certificate or seal.

7 Trustworthiness Concept
The trustworthiness concept is an approach to establish trustworthiness along a supply chain in a
structured manner. The approach can be applied to new businesses and can be leveraged to
update existing business relationships to make them more trustworthy.
Having the overall supply chain picture for the particular business contract/use case, the business
initiator must:
- Identify the trust domains in the supply chain.
- Determine its own trust domain and establish the targeted trustworthiness attributes for its
trust domain for the particular business case.
- Find out the trust domains that it needs to interact with.
- Perform a Threat and Risk Assessment (TRA) to identify the possible threats and risks for its business
case.
- Identify requirements that entities in its trust domain must fulfil to achieve the
established targeted trustworthiness attributes.
- Determine and realize measures to fulfil the aforementioned requirements.
- Identify TIPs to and from its TD (define the interaction process, such as conditions, location,
method, etc.).
- Approach the other TDs that it wants to interact with for the particular business case.
- Negotiate and determine the targeted trustworthiness attributes for the interaction at the
TIP.
- Identify requirements to achieve the agreed targeted TW attributes.
- Determine and realize measures to fulfil the aforementioned requirements.
- Establish a trustworthy interaction.

7.1 Application domains of TDs


7.2 Threat and Risk Analysis
7.3 Topology of Trustworthiness Concepts (Supporting Interoperability)
7.3.1 Interoperability
7.3.2 Scalability
7.3.3 Substitution (if one changes over time..robustness)
7.3.4 Basis for automation
7.3.5 Means to Support Interaction at Trust Interaction Points
When a TD wants to establish a link with another TD, it first establishes a TIP. For the
establishment of a TIP, it is essential that both communicating entities can identify each other
and also prove their authenticity to one another. For this purpose, technological solutions such
as X.509 PKI certificates or W3C decentralized identifiers can come into play. Usually, entities
prove their authenticity by proving possession of a private key whose corresponding public key is
vetted and confirmed by a trusted third party, called a certificate authority in PKI.
Once the identity profile of the communicating entities is
established/verified/exchanged/negotiated/confirmed, the trustworthiness targets of the TIP are
determined. Both communicating TDs must decide on measures to achieve those
trustworthiness targets. As stated above, a measure could be to ensure organizational
trustworthiness first, followed by product trustworthiness in some cases. For both TW-related
transactions in figure 4 above, it is essential to identify the subject(s), i.e., the processes and
products that must be taken into consideration to establish the required trust at the TIP. For example, a
device used in critical infrastructures must undergo extensive security testing and certification.
Therefore, the device, and likewise the tests and processes it has gone through, must be
uniquely and reliably identifiable. Additionally, the information corresponding to the subject
(product or process) must have a consistent and robust link to the corresponding physical-world
entity. For example, the digital twin of a device must have a persistent link to the device and must present
accurate and up-to-date information about it. To support this persistent link,
the corresponding entity must have a trust anchor that binds the subject's identity to the
corresponding information. In this way, the subject(s) essential for establishing trust at the TIP can be
identified. Trust anchors can be provided by so-called Secure Elements (Security ICs) or various
types of Physical Unclonable Functions (PUFs), which cannot be copied or forked easily
(reference).
Further, to achieve the trustworthiness targets at the TIPs, the entities must develop certain qualities
that can be proven to the communicating TD. For example, when communicating with an entity in
Europe, an entity from another TD must confirm its compliance with GDPR. Generally, such proofs are
provided by compliance with certain standards or regulations, whereby the compliance is audited,
verified and attested by a trusted third party. In the Industry 4.0 context, such trusted third parties
are termed ‘Quality Certifying Certificate Providers’ (QCCPs). These entities, such as the TIC Council,
audit organizations, their processes, and/or products based on pre-determined criteria
(standards) and issue a detailed report along with a compliance certificate, also called a ‘Quality
Certifying Certificate’ (QCC). QCCs can be exchanged by entities of the communicating TDs to
prove their capabilities to one another.
In order to negotiate and exchange trustworthiness expectations and capabilities, a standardized
structure must be employed to ensure interoperability and scalability. Therefore, the
Trustworthiness Profile, introduced in (reference to last white paper), can be leveraged to
negotiate and exchange the trustworthiness expectations and capabilities at the TIPs.

Trustworthiness Profile

To be filled by the Buyer                       | To be filled by the Supplier
Buyer's Information                             | Supplier's Information
Contact Partner:                                | Contact Partner:
*Contact Partner's Unique Identifier:           | *Contact Partner's Unique Identifier:
Contact Information:                            | Contact Information:
Legal Entity Name:                              | Legal Entity Name:
*Legal Entity Unique Identifier:                | *Legal Entity Unique Identifier:
*Unique Identifier Scheme (e.g., link to LEI    | *Unique Identifier Scheme (e.g., link to LEI
 code repo, VATIN by DUNS, NTA by TSE, etc.)    |  code repo, VATIN by DUNS, NTA by TSE, etc.)
Country:                                        | Country:
Additional Information:                         | Additional Information:

Trustworthiness Expectations (Buyer)            | Trustworthiness Capabilities (Supplier)
Standard / Expected Validity | Additional Information | Conformance (Self / 3rd party)                  | Proof/Evidence | Proof Expiry Date | Additional Information
ISO/IEC 62443-4-2            | Upload/Attach          | Conform: Self-Assessed / 3rd-Party Assessment | Upload/Attach  | DD.MM.YYYY        |
ISO 27001                    | Upload/Attach          | Conform: Self-Assessed / 3rd-Party Assessment | Upload/Attach  | DD.MM.YYYY        |
NIST SP 800                  | Upload/Attach          | Conform: Self-Assessed / 3rd-Party Assessment | Upload/Attach  | DD.MM.YYYY        |
Common Criteria              | Upload/Attach          | Conform: Self-Assessed / 3rd-Party Assessment | Upload/Attach  | DD.MM.YYYY        |
PSS Supplier Questionnaire   | Upload/Attach          | Conform: Self-Assessed / 3rd-Party Assessment | Upload/Attach  | DD.MM.YYYY        |
(further rows with the same columns for additional standards)

Reference Request-for-work | Time Stamp             | Reference TW Expectations | Quote/Bid Reference | Time Stamp
Digital Signature | Digital Certificate (If required) | Digital Signature | Digital Certificate (If required)

Trustworthiness Profile (TWP)

In [reference], the trustworthiness profile is used bilaterally between two communicating TDs in
the supply chain (“supplier” and “buyer”). The supplier uses its QCCs to prove the capabilities of
its own value add to the delivered component. If the buyer wants assurance of the
capabilities behind the suppliers' own value add, the concept of a “Chain of Trust” needs to be introduced:
In some business cases, if a proof of TW of various/all value adds along the supply chain is
desired, this white paper introduces the extended trustworthiness profile, shown in Figure 8. The
extended trustworthiness profile provides the buyer and the supplier the option to specify
expectations and prove capabilities of other entities upstream in the supply chain. The supplier has
the option to attach capabilities of its suppliers to fulfil the expectations of its potential buyer.
This covers scenarios where a proof of the trustworthiness of any other TD earlier in
the supply chain must be provided to the buyer. A TWP which covers proofs for the supplier's
suppliers is shown in the figure below.
Extended Trustworthiness Profile

It is considered that in certain scenarios, the supplier might not want to disclose its suppliers to
its buyer for business reasons. Therefore, different technological solutions, e.g., leveraging
verifiable credentials, can be used to preserve the privacy of other TDs and to prove only certain
qualities. (References….)
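As an added illustration (not part of the draft proposal or its referenced white paper), the following Python model shows how a buyer's expectations column of the Trustworthiness Profile can be matched against a supplier's capabilities column at a TIP, and how the extended profile's attached sub-supplier profiles are checked against expectations marked as applying upstream. The field names, the "self"/"3rd-party" proof levels, and the sample entities and certificates are constructed assumptions, not a normative format from the draft.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple


@dataclass
class Expectation:
    """One row of the buyer's 'Trustworthiness Expectations' column (assumed fields)."""
    standard: str
    third_party_required: bool      # True: a self-assessment is not accepted
    upstream: bool = False          # True: extended TWP, must also hold for sub-suppliers


@dataclass
class Capability:
    """One row of the supplier's 'Trustworthiness Capabilities' column (assumed fields)."""
    standard: str
    proof: str                      # "self" or "3rd-party" (attested by a QCCP)
    expiry: date                    # the profile's 'Proof Expiry Date'
    evidence: str                   # reference to the attached QCC (constructed value)


@dataclass
class Profile:
    """A supplier's TWP; sub_suppliers holds the profiles attached in the extended TWP."""
    legal_entity: str
    capabilities: List[Capability]
    sub_suppliers: List["Profile"] = field(default_factory=list)


def capability_satisfies(exp: Expectation, cap: Capability, today: date) -> bool:
    """A capability counts only if it names the same standard, its proof has not
    expired, and its proof level meets what the buyer asked for."""
    if cap.standard != exp.standard:
        return False
    if cap.expiry < today:          # an expired QCC is not valid evidence
        return False
    if exp.third_party_required and cap.proof != "3rd-party":
        return False
    return True


def evaluate(expectations, profile, today) -> List[Tuple[str, str, bool]]:
    """Check the profile and, for upstream expectations, recurse into the attached
    sub-supplier profiles. Returns (standard, legal entity, satisfied) per check."""
    findings = []
    for exp in expectations:
        ok = any(capability_satisfies(exp, c, today) for c in profile.capabilities)
        findings.append((exp.standard, profile.legal_entity, ok))
        if exp.upstream:
            for sub in profile.sub_suppliers:
                findings.extend(evaluate([exp], sub, today))
    return findings


def gaps(findings):
    """Entities that fail an expectation; the buyer should not proceed on these."""
    return [(std, entity) for std, entity, ok in findings if not ok]


# Constructed sample data (not from the proposal): a bottle manufacturer with two
# attached sub-supplier profiles; one holds only a self-assessment, one an expired QCC.
BUYER_EXPECTATIONS = [
    Expectation("ISO 27001", third_party_required=True, upstream=True),
    Expectation("ISO/IEC 62443-4-2", third_party_required=False),
]

SUPPLIER_PROFILE = Profile(
    "Bottle Maker GmbH",
    [Capability("ISO 27001", "3rd-party", date(2027, 1, 1), "qcc-0001"),
     Capability("ISO/IEC 62443-4-2", "self", date(2026, 6, 30), "self-assessment.pdf")],
    sub_suppliers=[
        Profile("Raw Material AG",
                [Capability("ISO 27001", "self", date(2026, 1, 1), "self-check.pdf")]),
        Profile("Glass Sand Ltd",
                [Capability("ISO 27001", "3rd-party", date(2024, 12, 31), "qcc-0099")]),
    ],
)

TODAY = date(2025, 1, 15)

if __name__ == "__main__":
    for std, entity, ok in evaluate(BUYER_EXPECTATIONS, SUPPLIER_PROFILE, TODAY):
        print(f"{std:20} {entity:20} {'OK' if ok else 'GAP'}")
```

Topology A from the chain-of-trust outline corresponds to evaluating only the direct supplier (no upstream expectations); topology B is the recursion over attached sub-supplier profiles.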

Trust Transitivity along the supply chain - Chain of Trust


• Definition of “transitivity of trust”
• explain Chain of Trust options: 3 different topologies
o A= step-by-step; Profile version 1
o B=proof of sub-suppliers’ capabilities; extended version 1 profile
o C=proof of any node capability within supply chain; “Fully trusted traceability”
• Chain of Trust Requirements:
o The issue of IPR protection (and other requirements)
o Authenticity, Integrity availability of Information
o Governance for Trustworthiness
o Flexibility and applicability to different verticals
o Binding between physical and digital world
o …
• Mechanisms to support the different topologies are: … provide table
o A: profile 1, digital signatures (SCC), certificates on properties (QCC),
anticounterfeiting methods, contracts with supplier, smart contracts, distributed
ledger based solutions
o B: extended profile, contract with supplier, DID, VC, ZKPs, GTA API to support ?
o C: DID, VC, maybe ZKPs, GTA API to support proof ?

Annex A (informative)

Bibliography
Annex A: Example „Industrial Supply Chain / Industry 4.0“
Starting with the identification of its own trust domain, the business initiator must consider the targeted
trustworthiness attributes of each entity participating in the supply chain. For instance, a bottle
manufacturer must identify itself as a trust domain, and likewise the other concerned trust domains such as the raw
material provider, the logistics handler and the beverage producer (customer). Based on the business case, for
example producing green bottles for beverages, the bottle manufacturer establishes its targeted TW
attributes as availability, integrity, and reliability. Once the targeted TW attributes are established,
the entities in the TDs perform a TRA and identify the requirements to fulfil the targeted TW attributes.
In order to meet the identified requirements, the business initiator must now identify TIPs with other TDs. So, for
example, it negotiates the TIP's targeted TW attributes with the beverage producer (customer) as
confidentiality, integrity and availability.
