Process digitization has been one of the major tenets of industrial firms for the past two decades. However, process security remains a key problem in large engineering projects. And while most industrial processes have today moved from the paper-trail to some level of digitization, there is still much to be done in terms of true data integrity when it comes to large-scale industrial projects.
Whether it’s the falsification of vehicle emissions data, irregularities in nuclear power plants, or consumers discovering what they thought was beef is in fact horse meat, document forgery and data manipulation scandals continue to surface. Even with strong validation and robust certification processes conducted by independent auditors, manipulating critical data continues to be possible when information is processed in centrally managed project and data management tools. This is all the more relevant when the data being secured pertains to massive energy, transportation and public infrastructure projects where the safety of citizens may be at stake.
Faced with this reality, the global industrial design firm Thales set out to identify technologies which would help embed traceability, integrity and accountability in critical processes. Their goal: to protect large industrial projects from malicious actors within a consortium of partnering organizations.
Thales chose to work with Stratumn to implement Proof of Process Technology (PoP Tech) in a safety document traceability application. Through this experiment, which lasted three months, Thales was able to benefit from PoP Tech’s following features:
- Real-time traceability of data in a collaborative process
- Trusted time-stamping of data in a “common timeline”
- Cryptographic audit trails where companies share internal operations through proofs of data without revealing their confidential information
The Proof of Concept
The experiment led by Thales sought to recreate the conditions of a large multi-actor infrastructure project, such as the construction of a public transport system. These projects, which span the course of several years, often involve several entities including Thales, co-contractors, sub-contractors and the client (usually a public institution such as a city or state).
To coordinate the contractual relationship between these parties, an industrial organization is set up for the duration of the project. It’s this organization that coordinates the exchange of the thousands of documents and millions of emails shared for the duration of the project. However, this configuration is far from perfect. Project management software suffers from vulnerabilities due to its centralization and documents can in theory be forged.
The application developed with Thales allows a user to submit and share documents required for a safety certification. Every document shared on the platform, and every action performed on those documents, is digitally signed and timestamped in a shared common timeline, or blockchain. At any point, participants of the platform have the ability to audit the integrity of the safety document’s lifecycle.
The project was demonstrated at Thales InnovDays 2017 from March 1st to 3rd in Paris to internal collaborators and their clients.
Here is an example of a document lifecycle.
A document is submitted to the platform
An engineer uploads and signs a safety document (safety certification, hazard assessment, etc). He submits the document to the platform to be approved by the next validation officer in line.
At this point, a cryptographic audit trail representing the document’s lifecycle is initiated. It contains the document’s unique identifier as well as the engineer’s digital signature.
The document's approval is put on hold
With the document submitted, the validation officer receives a notification to approve or deny the safety document in her dashboard. Let us imagine that it is missing a critical piece of information. In that case, she can decide to put the document’s validation on hold, adding a note indicating the reason for denial.
The hold status and the validation officer’s note are digitally signed, and this action is added to the document’s cryptographic audit trail.
The document is amended
The engineer is notified that the document needs amendment. He can take appropriate actions by updating the document with the details requested by the validation officer.
The update and the engineer’s digital signature are added to the cryptographic audit trail.
The document is approved
The validation officer receives a new notification. With the document now satisfying all industry and regulatory requirements, she can sign and approve the document.
The approval and the validation officer’s signature are added to the cryptographic audit trail.
At any point in the process, the users of the platform have the ability to audit the safety case’s lifecycle by independently verifying the integrity of the cryptographic audit trail.
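The lifecycle above can be sketched as a hash-linked trail of signed steps that any participant re-verifies independently. This is an added example, not Stratumn's or Thales's code: the field names and keys are constructed, HMAC with per-actor keys stands in for the digital signatures (a real deployment would use asymmetric signatures), and timestamping and blockchain anchoring are left out.

```python
import hashlib, hmac, json

# Constructed keys; HMAC is a stand-in for each actor's digital signature.
KEYS = {"engineer": b"constructed-engineer-key",
        "validation_officer": b"constructed-officer-key"}
GENESIS = "0" * 64

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def body(entry) -> bytes:
    fields = ("action", "actor", "doc_hash", "note", "prev")
    return json.dumps({k: entry[k] for k in fields}, sort_keys=True).encode()

def append(trail, actor, action, document: bytes, note=""):
    # Only the document's hash enters the trail: proof of data, not the data.
    entry = {"action": action, "actor": actor, "doc_hash": sha256(document),
             "note": note, "prev": trail[-1]["link"] if trail else GENESIS}
    entry["sig"] = hmac.new(KEYS[actor], body(entry), hashlib.sha256).hexdigest()
    entry["link"] = sha256(body(entry) + entry["sig"].encode())
    trail.append(entry)

def verify(trail, keys=KEYS) -> int:
    """Return the index of the first invalid step, or -1 if the trail is intact."""
    prev = GENESIS
    for i, e in enumerate(trail):
        key = keys.get(e["actor"])
        if key is None or e["prev"] != prev:
            return i  # unknown signer, or a step was removed or reordered
        sig = hmac.new(key, body(e), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, e["sig"]):
            return i  # step content changed after signing
        if e["link"] != sha256(body(e) + e["sig"].encode()):
            return i
        prev = e["link"]
    return -1

def build_lifecycle():
    v1 = b"hazard assessment v1 (constructed sample)"
    v2 = v1 + b" + requested details"
    trail = []
    append(trail, "engineer", "submit", v1)
    append(trail, "validation_officer", "hold", v1, "missing critical information")
    append(trail, "engineer", "amend", v2)
    append(trail, "validation_officer", "approve", v2)
    return trail, v2

def is_approved_version(trail, document: bytes) -> bool:
    last = trail[-1]
    return (verify(trail) == -1 and last["action"] == "approve"
            and last["doc_hash"] == sha256(document))
```

An auditor holding only the trail and a candidate file can call `is_approved_version` without ever seeing other participants' documents.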
Proof of Process Improves Centralized Document Management Platforms
Proof of Process provides a number of advantages over centrally managed project management platforms. It does not replace centralized document management platforms, but acts as the cryptographic audit trail layer which allows participants, who do not necessarily trust one another, to collaborate with guarantees.
- Cryptographic proof
Each step of the process is secured with a cryptographic proof in order to capture:
- What data was changed in that step?
- When was the change made?
- Who made the change?
- Where (in which context) was the change made?
- Why was the change made?
- Sharing proof of data (not data)
The cryptographic proof is independently verifiable and can be made available to the customer or regulatory and compliance bodies without compromising any sensitive information.
- End-to-end audit trail
The cryptographic proofs of every step add up to form an ever up-to-date audit trail for business processes in sequential and searchable ways, so decisions can be made based on the steps of a process.
- Real-time auditing
The audit trail is available in real time and does not involve parsing logs or any other sort of correlation.
- Proofs decoupled from application code
Proofs are decoupled from the application code, and the application itself integrates with existing solutions via REST APIs.
- Tamper proof
The audit trail captured by this solution is immutable and tamper proof as it utilizes blockchains for the common timeline underlying the business process. Blockchains allow multiple participants to agree on the state of data along a common timeline. This is what gives it its tamper resistant properties.
- Synchronization across domains
All of the stakeholders’ separate, private databases are synchronized with the current state of the process.
Through this proof of concept, Thales was able to demonstrate the benefits of Proof of Process Technology:
- End-to-end traceability, even in multi-party cases (internal and external)
- Chances of document forgery are greatly reduced through cryptographic audit trails
- Real-time and long term objective auditability without reliance on specific vendor tools
- Cost reduction thanks to full disintermediation of the document validation process
This fascinating experiment allowed us to demonstrate the value which Proof of Process can bring to large industrial processes with multiple participants engaged in complex contractual relationships. We’re very excited to be working with Thales and look forward to widening the scope of our collaboration to bring more transparency and accountability into their business.