Securely Capitalize on the Global Supply Chain with Digital Bill of Materials

The diversity of the global supply chain that makes it critical to modern society also makes it very difficult to know where all of the components of a device came from. Who designed each part, who made it, who put it into a device, who sold it, and who bought it? Inside the sheet metal or plastic shells of our personal and business equipment is a fractal maze of assemblies and subassemblies reaching down to the nanometer scale and beyond into the virtual world.

The modern supply chain is a tempting target for attackers driven by financial, political or other motives. A solution to this problem must be found to propagate the benefits of modern supply chains – benefits that underlie the living standards and economies of the world. A Digital Bill of Materials (DBoM), a small but significant addition to the processes used in the supply chain already, may be the solution.

A Bill of Materials (BoM) is a list of everything on a pallet or box or unit of transport that moves from one set of hands to another. A Digital Bill of Materials is a list of every component inside any type of product as each moves from one set of hands to another. Creating a Digital BoM for a product is simply the act of signing a shared ledger at each step of production and consumption. With digital certificates establishing identity and a distributed ledger run by a consortium of large industry producers providing scale as well as nonrepudiation and forensic record keeping, each step of each physical and virtual product component can be documented with a high degree of surety.

The infrastructure operated by the DBoM Consortium announced jointly with Dell on October 28, 2019, will allow producers to retain the benefits of modern supply chains while providing consuming organizations the visibility they need into the components of the products they buy. Vendors will be able to maintain appropriate visibility of the “who, what, where, and when” as their products and services are developed, purchased and used. Enterprises will be able to have full visibility into the sources of their technology and purposes they are applied to. With this vital information, vendors and enterprises can better maintain systems, prevent, detect and remediate compromises, demonstrate compliance, and cooperate to build efficient and competitive processes.

Transparency and accountability are the purpose of distributed ledger technologies. The forensic foundation provided by shared visibility into all pertinent events allows vendors and consumers to build the trust necessary to support rapid digital innovation. This shared visibility establishes a virtually inexhaustible resource for valuable analytics, enabling cost and efficiency savings across all business functions.

This DBoM process will be managed under the auspices of a consortium of organizations (the DBoM Consortium) which will begin operating the DBoM shared ledger in 2020. The DBoM Consortium will define the standards and common interfaces that can be used by external sources to record data to the Consortium’s distributed ledger. Consortium members will be able to provide additional services such as Advanced Analytics or technical plugins to add value to the ecosystem.

Some of the types of records that consumers will be able to require in the DBoM of an individual device will be:

• Hardware related components (e.g. SKU#, manufacturing location, development site, etc.)
• Software related components (e.g. release related data, information regarding testing and compliances, etc.)
• Change in ownership and custodies

The information related to each step is recorded on the shared ledger maintained by the Consortium members. Each step is entered through a user interface or using automated structures such as an Enterprise Resource Planning (ERP), JIRA, Logistic Management System (LMS) or any other plugins to external applications and tools. The format of any data written to the shared ledger will be defined by the consortium.

For example, an independent contractor hired to design a chip where DBoM-compliance was a design requirement would create the design then register the design file with the DBoM Consortium distributed ledger, and sign it with their own digital certificate. Then the fabricator of a chip where DBoM compliance was also dictated as a requirement by the consumer would follow suit, fabricating a chip using a chip design already registered on the DBoM Consortium ledger, registering that chip with the Consortium ledger, and signing it. The tester of the chip would do the same. The builder of a motherboard would add the chip, register and sign the individual motherboard. The consumer of the motherboard would install it in an appliance that is sold to an enterprise with a datacenter that similarly had DBoM compliance requirements, then register and sign. For every step in the development, purchase, and use of a file, a piece of hardware, a version of code, or any other artifact, the individual’s or organization’s identity, date and location are recorded to the DBoM Consortium’s distributed ledger.

With the U.S. government banning sales or transfer of certain types of devices, technologies, Intellectual Properties or software components to some countries, the suppliers can reduce their liabilities by leveraging DBoM to autonomously control the use of their technologies and prevent their deployment by prohibited companies or countries.

As DBoMs become more widely adopted, enterprises and vendors will be able to build investigative cases that find common touchpoints, track down miscreants, issue warnings and excise bad actors from their own supply chains. The necessity to maintain the trust needed to continue selling into a supply chain will provide a strong motivation for organizations to adhere to their customers’ requirements.