By Eric Sharret, Government/Defense Lead, DUST Identity

Eric Sharret is the Government and Defense Lead at DUST Identity, a leader in supply chain security. DUST Identity is the only supply-chain solution that ensures that trusted data and verifiable products are used and traced across their full lifecycle. Mr. Sharret has 17 years of project management and business development experience in the areas of Cybersecurity, Machine Learning, PKI, and Wireless Mesh Networking. He received his undergraduate degree from Princeton University in Computer Science Engineering with a Minor in Finance and a certificate in Machine Learning from Stanford.

According to Symantec’s 2019 Internet Security Threat Report, supply chain attacks increased 78 percent between 2017 and 2018. The wide attack surface and the expanding threat to modern supply chains stem, in great part, from the increase in complexity and specialization of those networks. It is no longer uncommon to see a component or a part change hands over a dozen times before it is added to the final product. This provides multiple insertion points for tainted components and parts that can impact the integrity, reliability, and uptime of systems, platforms, and networks.

The problem spans industries, as was demonstrated in 2017 when Trend Micro released findings of a DoS attack on CAN-based automotive networks.  It advised that long-term solutions would require a change in regulation to include hardware protection to prevent the insertion of tainted and unauthorized devices that impact the safety of every car made after 1996.

Just as IT network security was forced to adapt to the modern mobile workforce and growth in IoT devices, causing a shift in perimeter defenses from firewalls to endpoint security and mobile device management, we too must adapt to modern distributed supply chains and the cybersecurity risks they create.  We must understand that the components that make up our products live in the wild and we can no longer rely on closed supply chains.

Recognizing this trend, Supply Chain Risk Managers (SCRM) have invested in traceability systems including distributed ledger technologies like blockchain. These technologies aid in asset visibility and tracking of components as they move through the supply chain. However, there is one important element that is lacking in these investments and whose absence threatens the progress that has been made towards securing our supply chains. That element is secure binding between the physical object and the digital domain.

Physical-digital binding is the key to ensuring the provenance of components and parts.  How can we trust that a physical item is the same as the one that is digitally referenced without physical-digital binding?  How can we trust test reports or any other data that ships with an item if there is no physical-digital binding?  How can we take a dynamic, risk-based approach to supply chain security without physical-digital binding?

There are physical authentication techniques that can mark items and allow them to be tracked throughout their lifecycle.  However, many current physical authentication techniques fall short.  There is a need to approach the object identification challenge holistically.  We believe there are four key requirements for future supply chain security, and without these elements, it will be nearly impossible for organizations to take effective measures to protect their value chains and remove friction around the incorporation of security measures.

  1. Secure Unique Identifiers

For the global shipping industry, the ability to track every item in the world is no longer a dream. Advances in networking, cloud computing, and data storage mean that we can have real-time visibility into where our packages are at all times. For supply chain managers, this type of functionality is just as important. For the original equipment manufacturers, it is important to track all of the downstream components in order to secure their products. For the component manufacturers, it is important to track the upstream end products in order to plan for future production needs.

In order to track all items in the world, we cannot use a batch physical authentication technique, which is primarily focused on brand protection and not cybersecurity. The knowledge that an item was made by a specific manufacturer is not enough; we need to know information about the item itself. Where and when was it produced? Where has it traveled? What do we know about it?

To provide item-specific tracking we need an extremely large serialization space. Creating a large serialization space is one thing, but making it secure is another. If we needed large numbers, we could simply create barcodes with hundreds of digits, but then anyone could copy them. It is not just simple techniques that are at risk either. Any technology that is based on public-private key technology is at risk of exposure to the next wave of quantum computing. Therefore, future physical authentication techniques must provide a large serialization space that is secure, unclonable and quantum resistant.

  2. Scalable to All Components

When we think of scalability, our minds immediately go to cost.  While cost is indeed important, there are more elements that go into scalability than cost, specifically when it comes to physical authentication techniques.  Scalability includes the people who can be involved, the level of training required and the process for marking and authenticating an item.  Scalability also includes the allowable form factors such as the size and types of items that can be marked.

Secure supply chains require a frictionless process that is applicable to all items in our supply chain. It is untenable to use a high-cost, process-intensive solution for one set of items and a low-cost, simple process for another. This will lead to two divergent supply chain tracking systems which, as any software developer who has managed two codebases knows, is a nightmare. Therefore, it must be easy to use the same physical authentication technique on every item in the supply chain.

  3. Globally Distributable

We have touched on specific portions of this third required element, but it is so important that it deserves its own mention.  The primary concern with current physical authentication techniques is that the security is embedded solely in the marking material.  If the marking material is compromised, the entire supply chain is at risk.  For instance, if a currency marking material is stolen, a bad actor could start creating their own dollars.

Therefore, in order to protect the marking material, we create artificial boundaries such as limiting the people who can apply it or the locations where it can be applied. This adds to production costs and delivery time as components must be shipped to specific third parties for marking. Supply chains are full of trusted and untrusted partners. If we cannot distribute the physical authentication technology freely, we will not be able to secure a global supply chain.

  4. Evidence of Tampering

As our asset protection methodologies improve, so do the bad actors’ techniques.  It is not uncommon for a bad actor to remove genuine packaging, replace the contents with non-genuine parts and replace the original packaging.  In this case, a visual inspection system might not pick up the change.  Even an x-ray examination might not be effective if the bad actor is skilled enough.

To prevent this type of attack, we need to make sure that the physical authentication technique cannot be removed and re-applied to a non-genuine component.  Additionally, it must not be possible to attach a new, stolen material that is identical to the original (i.e., batch level security).  Rather, a physical authentication technique must break down upon tampering, thereby severing the link between the physical and digital world.

Cybersecurity researchers and SCRMs are hard at work preventing the next wave of supply chain attacks. They have developed powerful software-based tools that allow cradle-to-grave tracking of an item’s digital representation. However, their success hinges on a secure physical-digital binding that will allow us to trust the data that is attached to a specific item. Physical-digital binding, in turn, requires a physical authentication technique with a large and secure serialization space. It also requires a technology that is scalable, globally distributable and provides clear tamper evidence. A trusted physical-digital binding will add value to all stakeholders in the supply chain.
