“The Huawei factor is significant.” These are the words of Richard Edelman, president and chief executive of Edelman, a global communications firm, which recently found that Huawei dropped several points on the Edelman Trust Barometer as a result of eroding trust around the world. Huawei is only the most public such case, but several companies are facing the same kinds of issues, especially in global telecom, military and high-tech consumer products.
This raises the question: are you doing enough to establish a basis of trust with your partners and customers? Do you have policies and procedures in place to ensure your products aren’t being altered in the field or compromised by upstream vendors? Are you concerned about counterfeits among your components? If a customer asked you today, would you be able to trace and show the lineage of every component and raw material for a particular product?
We’re seeing an increased demand from companies and consumers for deeper understanding of the products they use. Whether it’s for increased security, marketplace differentiation, confirmation of product quality, trusted supplier evaluation and decisions, or chain of custody tracking, the capabilities now exist to answer these questions and demands.
The Trusted Technology Provider Standard
A new ISO standard, ISO 20243 (Open Trusted Technology Provider Standard), creates a framework to address the problem of maliciously tainted and counterfeit products. This standard was updated in 2018 to address a new generation of adverse scenarios which have become real threats through the global interconnectedness of our systems and increased demands for integrity.
The Standard has two main sections, both focused on laying out processes and implementation proof points to address the concerns of customers, integrators, suppliers, and auditing and regulatory organizations. In addition, the standard is coupled with a framework of guidelines and best practices for implementation.
The first section addresses the needs of the design, sourcing, and build parts of the technology development lifecycle. It expects verifiable processes for software/firmware/hardware design and follows through with evidence-based verification of configuration management, product engineering and development, quality and test management, and product sustainment management (for the in-use part of the lifecycle). Additionally, the standard calls for:
- increased security in threat analysis and mitigation;
- enhanced run-time protection methods;
- vulnerability analysis and response;
- product patching and remediation;
- improving security in engineering practices;
- and recognizing the need for ongoing monitoring and impact analysis of the threat landscape.
The second section of the standard addresses the needs of the fulfillment, distribution, sustainment and disposal parts of the supply chain lifecycle. In this case, the expectations and associated evaluation criteria are for:
- risk management;
- physical security;
- access controls;
- addressing employee and supplier security and integrity;
- information systems security;
- creating Trusted Technology components;
- the methods for secure transmission and handling;
- a special section on open source;
- mitigating the possibility of counterfeit elements;
- and, finally, detecting malware.
Taken together, this standard combined with consistent and vigilant cybersecurity practices provides a roadmap for an enhanced, market-valued solution. However, many elements of the standard are ongoing processes and practices which can require substantial organizational investment. Fortunately, managing a verifiable chain of custody across components, materials and products can address the majority of the standard, and emerging technologies allow much of this to be automated.
Chain of Custody Solutions
The Open Trusted Technology Provider Standard lays out a framework, but it does not specify how to implement it. While it may seem that wholesale changes to your current processes will be needed, we believe most organizations can augment their systems rather than replace them in order to meet or exceed these new expectations and requirements.
In order to fulfill the requirements and get the practical benefits of the standard, organizations will have to work more closely together. This means more sharing of relevant data, improving processes between members of the value chain, and increasing the confidence level across the chain of custody for designs, components, final assembly, the logistics chain to the end user, deployment, and finally disposal. It also means eliminating the faxes, emails and phone calls that accompany work across the overall lifecycle, including minimizing the EDI interventions that are still necessary. Tightening these integrations reduces the opportunities for counterfeit and tainted product, as the standard intends, with the by-product that cost and schedule may also be reduced through streamlining of existing processes, while quality may be increased. Reducing the dependence on humans to provide verifiable trust eliminates errors and increases the velocity of work activity and product output. The authors believe that such process streamlining and trust augmentation can be an appropriate place for a strategic and thoughtful implementation of blockchain technology.
ABOUT THE AUTHORS:
Tom Klein is the Managing Director of BusinessBlock, which provides consulting and implementation for emerging technologies to Reinvent Business Relationships. Tom has over 30 years of industry experience in building teams, developing creative solutions, and driving operational excellence. Over his career he has led the adoption of many different technologies across the spectrum of industries. He can be reached at firstname.lastname@example.org.
Scott Harper is the CEO of BoxBit, a developer of integrated supply chain software, specializing in digitized document production and blockchain verification. Scott is an expert in manufacturing and supply chain software, especially the implementation of serialization and lot traceability. He is very interested in the evolving standards and verification of trust in institutional or multilateral settings.
Jim Barkley is the CEO of Ekta, a Chicago-based tech company that provides technology advisory and execution services. Jim is an industry veteran, and has partnered with organizations large and small, helping them clarify their purpose and leverage technology to actualize it. His open-source roots and passion for engineering fuel his interest in R&D and emergent technologies.