DISCGRID

Critical infrastructure is an attractive target for malicious actors. Successful attacks to critical infrastructure have severe impact and may result in collateral damages. An emerging attack vector used against critical infrastructure is software supply chain. Recent incidences that took advantage of the complexity of software supply chain resulted in severe damages that affected the lives of millions of people. With DISCGRID, ExcID and Guardtime will provide security and auditability mechanisms for protecting software supply chains. DISCGRID will initially focus on the firmware update process of smart grid operations technology with the ambition to expand to other segments. Using ExcID’s technology DISCGRID will demonstrate a secure, long-lasting, authentication mechanism for firmware providers, and a tamper-proof mechanism that will allow authorized entities to create “claims” about the provided firmware. Similarly, with Guardtime’s MIDA components DISCGRID demonstrates a secure, immutable, append-only log of signed claims that can be used as an accountability mechanism, and efficient methods for verifying and validating the integrity, authenticity, and provenance of the firmware to be installed.

DISCGRID’s goal is to enhance the security of smart-grid firmware supply chain. The main building block of DISCGRID approach is an append-only, immutable, Transparency Registry where information about software artifacts, related to the released firmware, is recorded.  This information can then be used to verify the validity of those artifacts. An important property of the Transparency Service is that it is auditable, hence at any time a third-party auditor can verify that information has not been removed or modified. Additionally, an auditor can notify firmware providers or DSOs for new entries in the registry: these entries may correspond to legitimate activities or to an ongoing attack. DISCGRID implements a transparency service, which includes a registry, enhanced with Guardtime’s KSI blockchain. Furthermore, it develops tools for firmware providers to securely store their artifacts signing keys, and for DSOs to easily validate the security properties of received firmware.