Zero Trust Approach to Supply Chain Track-and-Trace
Abstract
As digitization increases, public and private organizations around the globe recognize that zero trust frameworks will be critical to protect sensitive business and consumer data and prevent potentially disastrous breakdowns in extended value chains. MOBI and its members are testing Citopia partsTRAK, the first scalable zero trust framework for supply chain track-and-trace using W3C self-sovereign identity and MOBI Supply Chain standards.
About Zero Trust Approach
Cybercrime is expected to cause $10.5 trillion in damage annually by 2025 (almost 10% of the projected 2025 global GDP) with an annual, accelerating growth rate of 15%. As cyber threats mature, legacy systems are more vulnerable to attack than ever before. Take the Colonial Pipeline hack for example, which led to fuel shortages across the eastern U.S. in 2021. It was later determined that hackers had accessed the Colonial Pipeline network through an exposed password for a VPN account. The troubling takeaway? Entire supply chains can be broken down when a single attack vector is compromised.
Today, it’s clear that traditional cybersecurity methods no longer suffice to protect critical infrastructure. The concept of zero trust security emerged out of this need to fortify digital perimeters and lower the cost of trust. Zero trust gained significant momentum following the introduction of blockchain, and later, the publication of global web identity standards by W3C. In January 2022, the White House published a Zero Trust mandate requiring federal agencies to migrate to a zero trust architecture by the end of FY 2024.
Zero trust is a security model that assumes all network traffic is untrusted until proven otherwise. It is based on the idea that organizations should not automatically trust traffic within their own networks, even if it originates from a seemingly trusted source. Instead, all traffic should be scrutinized and validated before being allowed to pass.
The goal of zero trust is to improve the security of an organization’s network by reducing the attack surface and minimizing the potential for data breaches. For more information about zero trust, visit this website.
Challenges in the EV Battery Supply Chain
The electric vehicle (EV) battery supply chain is growing rapidly as a result of increased demand for EVs around the globe. This increased demand — in addition to the proliferation of disruptions caused by geopolitical tensions and the COVID-19 pandemic — puts pressure on stakeholders to increase security, efficiency, and resiliency in the EV battery supply chain.
As proposed by policy initiatives like the European Commission’s Sustainable Batteries Regulation and CARB’s Zero-Emission Vehicle Requirements, it is critical to have digital records of the battery lifecycle and ensure ESG guidelines are met. The Sustainable Batteries Regulation also aims to mandate the implementation of battery passports, meaning it will be crucial to secure information security in the supply chain in order to be compliant.
In light of this, it is critical to standardize a secure track-and-trace solution that both minimizes disruptions in the EV battery supply chain and enables compliance with future battery passport requirements while also fortifying against any potential cyber threats.
Using SSI to Enable Zero Trust
The ability to track and trace battery components from raw material sourcing to production, use, and end-of-life will greatly enhance visibility in the value chain, enabling stakeholders to build applications for global battery passports, battery state of health (SOH) and state of charge tracking, battery second life, recall management, and many more. MOBI and its members believe that a zero trust approach is key to enabling interoperability and preserving information security in a multiparty track-and-trace ecosystem.
The use of a zero trust framework provides a crucial layer of security by ensuring that connected entities can only participate in transactions if they have a trusted, verifiable identity.
MOBI’s zero trust solution for Supply Chain Track-and-Trace is Citopia partsTRAK, a federated digital infrastructure for Web3 multiparty business automation.
In order for zero trust to scale, it is necessary to establish trusted, decentralized, self-sovereign identities. Recall that zero trust requires every participant to authenticate every other participant for every single business interaction at all times, something which is simply not possible through centralized means at scale.
Leveraging self-sovereign identity (SSI) standards in zero trust implementation will give organizations operating in extended value chains a shared framework for verifying claims and identities, which will be critical to enable seamless multiparty business automation.
Use of SSI and Zero Trust in Citopia
On Citopia, these trusted, decentralized, self-sovereign identities are called Self-Sovereign Digital Twins (SSDTs). A Citopia SSDT is a digital twin whose owner and/or controller has the ability to participate as an autonomous economic agent in trusted Web3 transactions. The SSDT stores a combination of static and real-time data to log an entity’s journey throughout its lifetime.
The Integrated Trust Network (ITN) acts as a federated Decentralized Identifiers (DIDs) registry while Citopia facilitates the onboarding of SSDTs and issuance of VCs. The use of SSDTs, VCs, and DIDs prevents data correlation.
Citopia and the ITN leverage SSI and blockchain to adhere to a zero trust security framework, as entities on Citopia are constantly required to prove themselves to the network by issuing VCs verifying their own identities and claims when participating in transactions.
As a result, multiparty business automation and data sharing on Citopia is significantly simpler, more secure, compliant, and less expensive than ever before.
partsTRAK, Standards-Based Infrastructure
Citopia partsTRAK uses MOBI Standards, along with standards from W3C, ISO, IEEE, SAE, and zero-knowledge proof cryptography to ensure that the SSDTs of ecosystem stakeholders such as EV batteries, manufacturers, suppliers, and consumers are compatible, can communicate, and can transact while preserving data privacy.
Citopia partsTRAK leverages the MOBI Trusted Trip Standard to link a battery’s SSDT with its time-stamped location and pertinent metadata into verifiable trips along the supply chain. These trips, along with any transactions made along the way, are executed as Verifiable Credentials (VCs) on Citopia and stored in the battery SSDT. Trips are important in estimating carbon footprint during the distribution of material and finished batteries. Carbon footprint declaration is one of the key measures in the battery passport, as mentioned in the draft EU regulation.
VCs enable the creation of a verifiable chain of custody of the EV battery and its components from supplier to OEM, OEM to dealer, and dealer to vehicle owner. For EV batteries needing to be serviced or replaced, the pilot tracked the upstream flow of the battery and components from vehicle owner to the supplier.
Zero Trust EV Battery Track-and-Trace
In order to demonstrate the feasibility of our SSI-based zero trust approach to multiparty track-and-trace, MOBI’s Supply Chain (SC) Working Group developed a pilot around downstream and upstream traceability in the EV battery supply chain. The pilot focused on defining capabilities to enable the creation of global battery passports.
The pilot included a workflow to track and trace assets in the supply chain, demonstrating the full lifecycle of VCs from issuance, presentation, verification, and revocation. To achieve this, a Battery Birth Certificate (BBC) was issued by the supplier. The BBC (stored in a battery’s SSDT) contains key information about the battery such as its serial number, energy capacity, chemical composition, and charging & discharging characteristics.
The BBC was then transferred to different stakeholders as the battery physically changed hands along with the pertinent VCs. Once the OEM installed the battery in a vehicle, the BBC was linked with the Vehicle Birth Certificate (stored in a vehicle’s SSDT).
When dealing with faulty batteries that were returned to the supplier, W3C’s RevocationList2020 standard was used to revoke the vehicle or battery credentials if the components of the vehicle or battery were changed.
Next Steps
All of the capabilities demonstrated in the EV battery track-and-trace pilot will be integrated into the ongoing development of Battery SSDT and the battery passport. MOBI’s Battery Passport solution is standards-based, non-proprietary, and resides in the Battery SSDT to facilitate cross-border compliance.
MOBI’s SC Working Group is currently exploring use cases for the second release of Citopia partsTRAK. In light of the initial pilot’s success, the group is now looking to demonstrate security vulnerabilities in the EV battery supply chain, the conclusions of which will be elemental in defining our next steps.
Past and present Supply Chain Working Group contributors include Accenture, AIOI, Anritsu, Arxum, ASJade Tech, Aucnet, Autodata Group, AWS, Blockedge, BMW, CEVT, Dana, DENSO, DLT Labs, DMX, Fifth-9, Ford, Hitachi, Honda, IBM, IOTA, ITOCHU, Marelli, Mazda, Nara Institute, ParkMyFleet, Politecnico Di Torino, Quantstamp, R3, Reply, State Farm, Stellantis, Southeast Toyota Finance, SyncFab, Thirdware, TICO, and Vinturas.
Conclusion
As digitization increases, public and private organizations around the globe recognize that zero trust frameworks will be critical to protect sensitive business and consumer data and prevent potentially disastrous breakdowns in extended value chains. MOBI and its members are testing Citopia partsTRAK, the first scalable zero trust framework for supply chain track-and-trace using W3C self-sovereign identity and MOBI Supply Chain standards. With the first pilot completed, we look forward to fine-tuning our work on the Battery SSDT and battery passport.
Get Involved
Interested in learning more? Fill out this form or contact connect@mobi.dlt to learn how your organization can get involved!
Linkedin: Citopia
Facebook: Citopia
Youtube: Citopia
Twitter: @citopia_eco
