Supply Chain Security by:  Craig K. Harmon, Chair, ISO TC 122/104 JWG 2008-12-09
Craig K. Harmon • President & CEO Q.E.D. Systems: Chair, ISO TC 122/104 JWG - Supply Chain Applications of RFID (T...
ISO TC 104 (Freight Containers)
Three tags –  different purposes Electronic Seal - ISO 18185 Container ID Tag -  ISO 10891 (nee ISO 10374.2) Supply Chain ...
Freight container standards and associated frequencies  433 MHz (18000-7) 850–950 MHz* 860–960 MHz (18000-6C) 2 450 MHz (2...
Global Freight Container Band Assignment: In May 2003 ISO TC 104 petitioned the ITU for a frequency band that would...
ISO TC 122/104 Joint Working Group (JWG) (Supply chain applications of RFID)
The Layers of Logistic Units  (Radio Frequency Identification  Item Item Item Item Item Item Item Item Item Item Item Item...
ISO TC 122/104 JWG Project Status (2007-07-10): ISO 17363, Supply chain applications of RFID - Freight container...
Border Crossing ...
Border Crossing ...
Standards: The standards of ISO 17363, ISO 17364, ISO 17365, ISO 17366, ISO 17367, ISO 18185, and ISO 10891 are bas...
Standards: ISO 17365 (transport unit) tags used to build 17364 pallet tags; ISO 17364 tags used to...
Concept of Operations: As supply chain pallets are being built, transport unit tags are loaded to pallet tags ide...
???
Thank you!!! Craig K. Harmon, President & CEO Q.E.D. Systems 3963 Highlands Lane, SE Cedar Rapids, IA  52403-2140  USA (V)...
 
DISCUSSION SLIDES
Social issue - Privacy: Privacy & Convenience are much akin to Freedom & Safety, where each are at polar ends of a ...
Social issue – Privacy: What Can We Do? Provide packaging that reflects its content; if there is an embedded RFID t...
Social issue - Security: Security has been explained in ISO/IEC TR 24729-4 (DTR ballot closes 2008-10-19) and stand...
Social issue - Security: Risks include: Confidentiality: “Pres...
Social issue - Security: Risks include: Availability: “Ensurin...
Social issue - Security: Threats include: Skimming data; Eavesdropp...
Social issue - Security: Countermeasures include: Wafer programming (true WORM) ...
A Scenario for Password Distribution Authorities Server (Departure) Digital Signature Server (Arrival) ⑦ Key Transmission ...
Social issue - Security: What Can We Do? Remain aware of which technologies provide which levels of security. ...

SupplyChainSecurity_20081208__ckh2.ppt

  • Good afternoon ladies and gentlemen. My name is Craig Harmon. I am president & CEO of Q.E.D. Systems and I have the privilege to serve as the chair of the ISO TC 122/TC 104 Joint Working Group, Supply Chain Applications of RFID. I will talk today about standards, most RFID but some about optically readable media and ultimately how we might create some synergy in the area of supply chain security. 2008-10-08 (E): craig.harmon@qed.org (V): +1 319/364-0212 Craig K. Harmon Presentation - JPI
  • The most important part of this slide is at the bottom of the page where you can download a copy of this presentation in its native MS PowerPoint. Feel free to download and use the slides for your own internal purposes. Personally, I believe that plagiarism is the highest form of flattery, so please use as you see fit. A word of credit every now and then would be appreciated. I have the privilege of leading some of the efforts where there is an intersection between various forms of automatic data capture, including RFID, and the supply chain. The work of the TC 122/104 JWG (now referred to as TC 122/WG 10) brings RFID to all levels of the supply chain. The RFID Experts Group has addressed or is in the process of addressing most, if not all, of the topics of public policy. JTC 1/SC 31 has written or is writing the technology, data, and conformance standards for RFID, bar codes, and two-dimensional symbols. TC 122’s WG 4 and WG 7 have written the bar code and 2D symbol application standards for the supply chain. And in SC 31/WG 6 we are looking at the standardization of a convergence of portable terminals, computing technology, mobile telephony, and automatic identification technologies. Each of these has had and will have a substantial impact on the supply chain.
  • Today there are approximately 18 million freight containers in service worldwide. These freight containers are loaded and unloaded with freight an average of six times per year. This translates to an estimated 108 million trips per year. These freight containers travel to all corners of the world by ship, by rail, or by truck, with the common transit location of the port.
  • The ISO 18185 tag requires that the tag support both ISO/IEC 18000-7 and ISO/IEC 24730-2 (2450 MHz). It is conservatively estimated that the incremental cost of a tag supporting both air interfaces from a tag supporting only one of the protocols would be $10.00 (USD). Realizing that these tags are single-use, the incremental cost to the marine shipping industry of supporting both air interfaces in a single tag would be over $1 billion per year. One of the rationales behind such a dual frequency tag is that various ports have implemented one of the two technologies. A single frequency tag was not considered viable because of these historical implementations, which were based on the radio regulations of the country hosting the marine port. Fifteen months after publication (2007-04-26) there still exists no manufactured or marketed device compliant with ISO 18185.
  • The challenges of supporting multiple frequencies and multiple devices are those of both cost and regulation. The cost factor is either that of providing complex RF tags or of providing a complex infrastructure of readers, since all three tags (Container Identity, eSeal, and Supply Chain Tag) must be read at the same choke points. The regulatory challenge is because there is no common frequency on a worldwide basis that would permit power levels to support the application requirements of freight containers.   An ideal solution would be one where permanently installed battery-less tags could be read at distances and speeds required by the application requirements, while within the same infrastructure battery-powered tags could meet the longer distance and localization requirements of eSeals and Supply Chain Tags. This same air interface could be used for integrated Container Security Devices (CSDs) that would incorporate sensor input to a wireless infrastructure. In May 2003 ISO TC 104 petitioned the ITU for a frequency band that would provide a frequency hopping spread spectrum (FHSS), passive frequency; and, a narrow band, active frequency.   At that time we suggested ISO/IEC 18000-6 and ISO/IEC 18000-7, respectively.   It is unlikely that the currently in-place air interfaces would be selected for a common frequency band for freight containers, because: - 433 MHz (ISO/IEC 18000-7) is an ISM band in various regions, - 860 – 960 MHz (ISO/IEC 18000-6) is an ISM band in various regions, and - 2450 MHz (ISO/IEC 24730-2) is an ISM band in all regions.   It is recognized that a band in which freight containers are considered a primary user may require modifications of the existing standards.   With respect to evolving technologies, we would urge IMO to support harmonisation of UWB regulation through ITU in anticipation of UWB standardisation efforts within ISO.
  • I would like to speak to two more issues that I hope to be of interest to you: The work of the 122/104 JWG and an ANSI initiative on Border Crossings. When TC 122 began considering RFID we needed to bring together the standards of ISO/IEC JTC 1/SC 31, the optically readable media standards of TC 122, the pallet standards of ISO TC 51, and the freight container standards of ISO TC 104. This gave rise to the creation of the ISO TC 122/104 Joint Working Group (JWG).
  • While the supply chain is the same as for optically readable media, the standards of the JWG apply to RFID. ISO 17363 – Supply chain applications of RFID – Freight containers addresses the contents or manifest of freight container contents. ISO 17364 – Supply chain applications of RFID – Returnable transport items addresses the returnable transport item as both an asset and a trading partner vessel. ISO 17365 – Supply chain applications of RFID – Transport units addresses the shipping label applications of RFID. ISO 17366 – Supply chain applications of RFID – Product packaging addresses the use of RFID at the product packaging level, and ISO 17367 – Supply chain applications of RFID – Product tagging addresses the use of RFID directly attached to the product.
  • ISO 17363 has already been published and 17364 through 17367 have been ready to be published for almost two years. What held up this publication were delays caused by EPCglobal. For RTIs, transport units, product packaging, and product tagging several countries, including Japan and Germany, wanted a high frequency (13.56 MHz) solution and the existing ISO/IEC 18000-3 standards did not meet the user requirements. We introduced ISO/IEC 18000-3m3 into SC 31 and within a month of introduction EPCglobal forced the removal of the text of the standard from ISO and to EPCglobal for development. This took nearly two years. EPCglobal finally completed their document and it is back into SC 31 for a three month Committee Draft ballot ending on December 8th. Once the Committee Draft is approved 17364 through 17367 will be able to be released for FDIS (as is the case for 17364 and 17365) or for publication as is the case for 17366 and 17367. Therefore we do not expect the entire TC 122/104 JWG suite to be published until early 2009.
  • Again thank you for your attendance and attentiveness. We will be happy to answer any questions now or later by email.
  • I would like to thank you for what I hope was an enjoyable presentation. Much of the standards activities and other presentations are contained on our website (www.autoid.org) under “Presentations”. Good luck and God speed!
  • For questions, I ask that you go to the next slide.
  • One cannot have total freedom and complete safety. They are at polar ends of a continuum as are privacy and convenience on a different continuum. Technology can be used for good purposes or bad. Do we want to wait in a queue to pay at the toll road booth or do we want the convenience of open road tolling? Do we want to give up the ease of credit card payment and carry more cash around? Do we want to give up mobile phones and wait for the information to be carried by the postman? We have the opportunity to remove ourselves from social settings that use this technology by going to live on a mountain top in Montana. The issue is that we appreciate the convenience of technology and must guard against its misuse. That does not mean that we throw the technology down the well; we report abuse and misuse. Is consumer intelligence misuse/abuse? Part of the benefit of consumer intelligence is to offer discounts on products based on the known behavior of the consumer. Is that wrong? I believe that the shopper would appreciate a private discount. Will it be obvious that the technology is in use? Probably much more so than "notification" as the store offers me bargains only on the products I am known to buy. We need to be vigilant whenever we implement new technology, remembering the law of unintended consequences. But it is the access to the data where we may wish to focus, not on the technology. For example, have we heard concerns from anti-RFID privacy activists on the lost laptops with private information or the lost storage media from retailers and banks? Technology is an easy target, because it is sufficiently developed to be considered little different than magic. It is the security of Personally Identifiable Information where efforts should be focused, not on the AIDC technology. Mobile telephones are far easier to track than RFID and credit cards truly contain more sensitive information about the person than does an RF tag.
  • There are some that would say that all RF tags should be made inoperative (or “killed”) at point-of-sale. The problem with this scenario is that for many products the benefit of the RF tag is post-sales, for example for product registration, warranty, repair, returns, and recycling. The manufacturers of electronics, automotive parts, and other high end products have no benefit without post sales operation of the tag, and will not attach a tag from which they cannot derive benefit. There are techniques that some packagers may wish to consider with a “frangible tag”. Such tags have a ribbon that runs through the antenna of the tag. If the consumer does not want to keep the tag operational, a simple pulling of the ribbon can cut the size of the antenna making the tag only readable from a centimeter or two (basically contact). A more sensible approach is to simply alert the consumer that an operational RF tag is included. AIM Global has submitted its RFID Emblem to ISO as the standard way in which to provide notification that an RF tag is contained within. This same RFID Emblem has been discussed within the European Commission as the standard way in which to represent an RF tag in Europe.
  • Security has attempted to be addressed in documents such as the RFID Experts Group’s REG ToR 5-C, ISO/IEC TR 24729-4, and ISO/IEC 24791-6 whereby each attempt might address part of the issue: REG ToR 5-C and ISO/IEC TR 24729-4 addressed from 1 through 3 in the figure from the RF tag up to and including the RFID reader. ISO/IEC 24791-6 is attempting to address numbers 3 through 5 from the reader to the enterprise system. And finally we have the host to user (as seen in 5 through 7). Today (October 8th) a new work item proposal will close its balloting and a comprehensive standard taking a holistic approach to security will begin.
  • There are numerous potential “threats” that fall under the category of “security”. The first of these is protecting the “confidentiality” of the information on the tag. This confidentiality could be compromised by a variety of threats, including “skimming of data”, “eavesdropping”, and “data tampering”. If the confidentiality of the tag is compromised in these “gather” threats there is then a possibility that the “mimic” threats (“spoofing”, “cloning”, and the “insertion of malicious code”) might also occur, affecting the “integrity” of the tag data.
  • Likewise, “denial of service” attacks from the “unauthorized killing of the tag” or by “jamming and shielding” can affect the “availability” of the data. A further step towards “confidentiality” can occur if “authentication” techniques are compromised.
  • The threats include:
    "Eavesdropping" or “sniffing” on transmission between tag and reader: Eavesdropping (also called "man-in-the-middle" reader) is unauthorized listening / intercepting, through the use of radio receiving equipment, of an authorized transmission to monitor or record data between the tag and reader for the purpose(s) of: — collecting raw transmissions to determine communications protocols and/or encryption, — collecting the tag's data, or — determining traffic patterns.
    Spoofing: Spoofing is defined as duplicating tag data and transmitting it to a reader. Data acquired from a tag, by whatever means, is transmitted to a reader to mimic a legitimate source. For example, for an electronic seal, a threat that defines spoofing is where the e-seal information is transmitted to the reader from some alternative source that is not the original e-seal.
    Cloning: Cloning is defined as duplicating data of one tag to another tag. Data acquired from a tag, by whatever means, is written to an equivalent tag. For example, in contrast to spoofing, cloning an e-seal would be the duplication of the e-seal and replacement of the original with a duplicate/cloned version that would then communicate with the reader.
    Data tampering: Data tampering is unauthorized erasing of data to render the tag useless or changing of the data. For example, data tampering in the consumer goods market could involve changing the price of an item for sale to the detriment of the owner.
    Malicious code: Insertion of an executable code / virus to corrupt the enterprise systems is hypothetically possible given a tag with sufficient memory and range.
    Denial of access / service: Denial of service (DoS) occurs when multiple tags or specially-designed tags are used to overwhelm a reader's capacity to differentiate tags, rendering the system inoperative. A type of denial of service is a blocker tag that confuses the interrogator so that they are unable to identify the individual tags. (Ref. NIST Special Publication 800-98, “Guidance for Securing Radio Frequency Identification (RFID) Systems”)
    Unauthorized killing of the tag (electronic or mechanical): Killing of a tag is an operational threat in that the physical or electronic destruction of the tag deprives downstream users of the tag of its data.
    Jamming / Shielding: Jamming is the use of an electronic device to disrupt the reader's function. Shielding is the use of mechanical means to prevent reading of a tag.
  • From these threats, certain countermeasures can be put in place to mitigate the threats, including:
    Wafer programming (true WORM): True Write-Once-Read-Many (WORM) tags are programmed at the fabrication facility with a unique code that cannot be changed. Since the data cannot be changed after manufacture, as an example, wafer programming of a WORM device at the IC foundry prevents data from being inadvertently or clandestinely altered later in the supply chain.
    ISO Tag ID verification: — ISO/IEC 15963 defines a unique tag identification (Tag ID) encoded by the I.C. manufacturer. For the purposes of this countermeasure a Tag ID shall be serialized in accordance with ISO/IEC 15963 to uniquely identify the chip and then locked by the I.C. manufacturer. The Tag ID can be used to authenticate that the chip is the original and not a copy. To provide I.C. traceability and tracking, the I.C. manufacturer has a vested interest in ensuring that the Tag ID cannot be altered. The Tag ID uniquely identifies the RFID chip and the Unique Item Identifier (UII) uniquely identifies the item to which the RFID tag is attached. — The combination of Tag ID and UII, with a secure chain of custody within the supply chain, provides an assurance of anti-counterfeiting. The supplier of a tagged item communicates both the UII and the Tag ID of that item being shipped to the recipient. This solution presumes that tag identification serialization is programmed by the manufacturer and locked before distribution. At the time of this publication, the effectiveness of this countermeasure is weakened because of the availability of field programmable Tag IDs and the ability to validate when the Tag ID was manufactured. — When the original EPC UHF Gen2 specification was developed, concerns existed that the Tag ID might potentially supplant the EPC (UII); consequently the Gen2 specification did not require Tag ID serialization. EPC compliance has continued to not require Tag ID serialization through Version 1.1.0. The addition of Tag ID serialization cannot occur too soon.
    License plate: A license plate is the use of a non-significant number that serves only as a pointer to a database. This can provide security by not representing any sensitive information in the open. The security of this method is at a level determined by the security of the enterprise systems as shown in Figure 1.
    Memory lock: Memory lock is the disabling of the write/rewrite function on the tag or a given block of memory, preventing unauthorized users from deleting or changing data or inserting unexpected data.
    Password protection: A password is used to unlock the tag's memory for either read or write operations, or both.
    Authentication: There are three types of authentication: data, reader, and tag authentication. At the time of this document development, reader and tag authentication standards are still in development. — Data authentication: Data authentication is a comparison of known validated data with read tag data. Back end systems that anticipate data content and validate that ‘what is received is what is expected’ is a form of data authentication. — Reader authentication: A process by which a tag ensures a reader is authorized to access tag data. — Tag authentication: A process by which a reader ensures a tag is an authorized tag to send data.
    Cloaking / Data security (obfuscated ID): For the purposes of this document cloaking is the process of altering the transmitted UII code that is different than the UII encoded, thereby obfuscating the identity of the item to which the RF tag is attached. There are several methods by which cloaking could be accomplished; however, at the time of this writing, none are known to be available to public standards.
    Encryption: — RFID security at one level can be handled through data encryption. Encryption is the process of converting a plaintext message into an alternate ciphertext message. The ciphertext message contains all the information of the plaintext message, but is not in a format readable by a human or computer. The inverse process, of extracting the original information, is called decryption and can only be accomplished using auxiliary information, called a key (a relatively small amount of information that is used by an algorithm to customize the transformation of plaintext into ciphertext, or vice versa) (1). — The use of public or private encryption schemes when writing data to the tag is discussed in detail in Annex A. The primary issue and barrier to using encryption is key distribution. A communication channel with all involved in the chain of data custody is required for successful key distribution.
    Limitation of read distance: — The choice of frequency defines the distance at which the tag can be read. Many systems rely on distance as a primary means of security. — The ability to have a tag transmit only when the user activates the tag, e.g. using a momentary switch, electrical, or physical addition to alter the readability of a tag requiring close proximity to read during a prescribed time period. Direct electrical contact offers the most secure form of physical activation.
  • The most challenging issue associated with RFID security is that if passwords or “keys” are implemented there must be a way to exchange these passwords. Probably the best concept presented so far is when we send key information from the departure server to the arrival server. However, in many cases, the number of individuals who would need to have access to this information makes this form of key distribution impractical. However, if a trusted third party server received the key information from the departure server, authorized users of the data could access the third party server for key (in the case of encryption) or password. From this drawing the only difference is that the server in the upper right-hand corner is not the server of a recipient but more
  • At this time there is no widely accepted method of providing security across the entire supply chain for RFID. Likewise some types of RFID are better suited to provide certain forms of security than other types of RF tags. Most security techniques would require broad trading partner acceptance of that technique. It is hoped that the new initiatives in SC 31/WG 4 will provide a common set of techniques that can be widely implemented. A note of caution, however; it may be equally or more damaging to a customer to implement security techniques out of step with the rest of the industry. Consequently, integrators and customers are encouraged to follow legal and technical developments and to proceed with caution.
  • SupplyChainSecurity_20081208__ckh2.ppt
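The Tag ID verification and data authentication countermeasures in the notes above ("what is received is what is expected") can be sketched as a receiving-side check. This is an added example, not code from the presentation or from any standard; the `TagRead` record, the function names and all hex identifiers are constructed for illustration, and it assumes the supplier has already communicated each item's UII and Tag ID.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TagRead:
    tid: str  # Tag ID: chip serial, locked by the IC manufacturer
    uii: str  # Unique Item Identifier: identifies the tagged item


def _norm(hex_id):
    """Canonical form for comparison: no separators, upper-case hex."""
    return hex_id.replace(" ", "").replace("-", "").upper()


def verify_reads(expected, reads):
    """Compare reads with the UII -> Tag ID pairs the supplier communicated.

    Returns finding name -> sorted list of UIIs (Tag IDs for 'duplicate_tid').
    A match is only as strong as the Tag ID lock: a field-programmable
    Tag ID can be copied, so 'ok' means "consistent", not "proven genuine".
    """
    want = {_norm(u): _norm(t) for u, t in expected.items()}
    tids_by_uii = defaultdict(set)
    uiis_by_tid = defaultdict(set)
    for r in reads:  # repeated reads of the same tag collapse into the sets
        tids_by_uii[_norm(r.uii)].add(_norm(r.tid))
        uiis_by_tid[_norm(r.tid)].add(_norm(r.uii))

    findings = {k: [] for k in ("ok", "tid_mismatch", "duplicate_uii",
                                "unexpected", "missing", "duplicate_tid")}
    for uii, tids in tids_by_uii.items():
        if uii not in want:
            findings["unexpected"].append(uii)      # not in the notice
        elif len(tids) > 1:
            findings["duplicate_uii"].append(uii)   # two chips, one item ID
        elif want[uii] in tids:
            findings["ok"].append(uii)
        else:
            findings["tid_mismatch"].append(uii)    # item ID on another chip
    # Expected but never read: tag killed, shielded, or item absent.
    findings["missing"] = [u for u in want if u not in tids_by_uii]
    # One chip serial reporting several item IDs breaks Tag ID uniqueness.
    findings["duplicate_tid"] = [t for t, u in uiis_by_tid.items() if len(u) > 1]
    return {k: sorted(v) for k, v in findings.items()}


def accept_shipment(findings):
    """Accept only when every category other than 'ok' is empty."""
    return all(not v for k, v in findings.items() if k != "ok")


# Constructed sample data: supplier notice (UII -> Tag ID) and dock-door reads.
EXPECTED = {
    "30340001": "E2000001",
    "30340002": "E2000002",
    "30340003": "E2000003",
    "30340004": "E2000004",
}
READS = [
    TagRead("e200 0001", "3034 0001"),  # genuine, read twice
    TagRead("E2000001", "30340001"),
    TagRead("E2FF0099", "30340002"),    # right UII, wrong chip
    TagRead("E2000003", "30340003"),    # original ...
    TagRead("E2FF0077", "30340003"),    # ... and a second chip with its UII
    TagRead("E2FF0055", "30349999"),    # UIIs that were never announced,
    TagRead("E2FF0055", "30348888"),    # both from the same chip serial
]

if __name__ == "__main__":
    result = verify_reads(EXPECTED, READS)
    for name, ids in result.items():
        print(f"{name:14} {ids}")
    print("accept:", accept_shipment(result))
```

The `missing` category covers the availability threats from the notes (killing, jamming, shielding) only in the sense that an announced item was not read; it cannot tell those causes apart.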

    1. 1. Supply Chain Security by: Craig K. Harmon, Chair, ISO TC 122/104 JWG 2008-12-09
    2. 2. Craig K. Harmon • President & CEO Q.E.D. Systems <ul><li>Chair, ISO TC 122/104 JWG - Supply Chain Applications of RFID (TC 122/WG 10) </li></ul><ul><li>Chair, RFID Experts Group (REG) </li></ul><ul><li>Founder, JTC 1/SC 31 </li></ul><ul><li>Chair, ISO TC 122/WG 4 (Shipping Labels) & ISO TC 122/WG 7 (Product Packaging) </li></ul><ul><li>Vice-chair, ASC MH 10 and U.S. TAG to ISO TC 122 (Packaging) </li></ul><ul><li>Chair, JTC 1/SC 31/WG 6 - Mobile Item Identification and Management </li></ul><ul><li>Senior Project Editor ISO/IEC JTC 1/SC 31/WG 4 (RFID) </li></ul><ul><li>Project Editor, ISO 18185-5 (Electronic Container Seal - Physical Layer) </li></ul><ul><li>Joint Automotive Industry Forum (JAIF) JAMA/JAPIA/AIAG/ODETTE) – Returnable Transport Items </li></ul><ul><li>AIAG Bar Code, Applications, 2D, Tire, Returnables, & RFID Committees </li></ul><ul><li>Member, EPCglobal HAG (UHFGen2), FMCG BAG, HLS BAG, SAG, TLS, TDS, AIWG, SBAC </li></ul><ul><li>JTC 1 & TC 104 Liaison Officer to the International Telecommunications Union (ITU-R & ITU-T) </li></ul><ul><li>ISO TC 104 & 122 (Freight Containers / Packaging) Liaison Officer to JTC 1/SC 31 </li></ul><ul><li>Past Chair, U.S. TAG to ISO/IEC JTC 1/SC 31/WG 4 (RFID) </li></ul><ul><li>Past Chair, ASC INCITS T6 (RFID) - ANS INCITS 256:1999, 2001 </li></ul><ul><li>Advisor and Member of USPS Strategic Technology Council </li></ul><ul><li>Chairman & Project Editor, ANS MH10.8.2 (Data Application Identifiers) </li></ul><ul><li>Original Project Editor, NATO STANAG 2233 (RFID for NATO Asset Tracking) </li></ul><ul><li>Vocabulary Rapporteur to ISO/IEC JTC 1/SC 31, ISO/IEC 19762 - Harmonized vocabulary </li></ul><ul><li>CompTIA RFID Subject Matter Expert and RFID Certified Professional (CRCP) - RFID+ </li></ul><ul><li>Recipient of the 2004 Richard Dilling Award </li></ul>This presentation posted at: http://www.autoid.org/presentations/presentations.htm
    3. 3. ISO TC 104 (Freight Containers)
    4. 4. Three tags – different purposes Electronic Seal - ISO 18185 Container ID Tag - ISO 10891 (nee ISO 10374.2) Supply Chain Tag - ISO 17363
    5. 5. Freight container standards and associated frequencies 433 MHz (18000-7) 850–950 MHz* 860–960 MHz (18000-6C) 2 450 MHz (24730-2) 2 400–2 500 MHz* ISO 10374   ISO 10891  ISO 17363  ISO 18185   *Note: Columns without a parenthetical reference standard have no published or in process air interface standard and may be considered proprietary. ISO/IEC 18000-7 and ISO/IEC 24730-2 are called out in ISO 18185
    6. 6. Global Freight Container Band Assignment <ul><li>In May 2003 ISO TC 104 petitioned the ITU for a frequency band that would provide </li></ul><ul><ul><li>a frequency hopping spread spectrum (FHSS), passive frequency; and, </li></ul></ul><ul><ul><li>a narrow band, active frequency. </li></ul></ul><ul><li>At that time TC 104 suggested ISO/IEC 18000-6 and ISO/IEC 18000-7, respectively. </li></ul><ul><li>It is unlikely that the currently in-place air interfaces would be selected for a common frequency band for freight containers, because: </li></ul><ul><ul><li>433 MHz (ISO/IEC 18000-7) is an ISM band in various regions, </li></ul></ul><ul><ul><li>860 – 960 MHz (ISO/IEC 18000-6) is an ISM band in various regions, and </li></ul></ul><ul><ul><li>2450 MHz (ISO/IEC 24730-2) is an ISM band in all regions. </li></ul></ul><ul><li>Ultra Wide Band may be the most viable frequency allocation for marine containers </li></ul>
    7. 7. ISO TC 122/104 Joint Working Group (JWG) (Supply chain applications of RFID)
    8. 8. The Layers of Logistic Units (Radio Frequency Identification Item Item Item Item Item Item Item Item Item Item Item Item Item Item Item Item Pkg Pkg Pkg Pkg Pkg Pkg Pkg Pkg Transport Unit Transport Unit Transport Unit Transport Unit Unit Load “ Pallet” Unit Load “ Pallet” Container (e.g., 40 foot Sea Container) Movement Vehicle (truck, airplane, ship, train) Layer 5 Layer 4 (433 MHz) ISO 17363 (Freight containers) Layer 3 (860-960 MHz) (Other 18000 with TPA) ISO 17364 (Returnable transport items) Layer 2 (860-960 MHz) (Other 18000 with TPA) ISO 17365 (Transport units) Layer 1 (860-960 MHz with TPA) (13.56 MHz with TPA) ISO 17366 (Product packaging) Layer 0 (860-960 MHz with TPA) (13.56 MHz with TPA) ISO 17367 (Product tagging) “ TPA” - Trading Partner Agreement Concept Source: Akira Shibata, DENSO-Wave Corporation
    9. 9. ISO TC 122/104 JWG Project Status (2007-07-10) <ul><li>ISO 17363, Supply chain applications of RFID - Freight containers </li></ul><ul><ul><li>International Standard published </li></ul></ul><ul><li>ISO 17364, Supply chain applications of RFID - Returnable transport items </li></ul><ul><ul><li>DIS approved registered for FDIS ballot </li></ul></ul><ul><li>ISO 17365, Supply chain applications of RFID - Transport units </li></ul><ul><ul><li>DIS approved registered for FDIS ballot </li></ul></ul><ul><li>ISO 17366.2, Supply chain applications of RFID - Product packaging </li></ul><ul><ul><li>International Standard under publication </li></ul></ul><ul><li>ISO 17367.2, Supply chain applications of RFID - Product tagging </li></ul><ul><ul><li>International Standard under publication </li></ul></ul>
    10. 10. Border Crossing                                                             Transportation Worker ID Card (TWIC) with Fingerprint Biometric ISO/IEC 14443 Fingerprint Reader Tractor Tag TC 204 Standard Chassis Tag TC 204 Standard 10891 Tag 18185 Tag/Seal 17363 Tag 17364 Tags 17365 Tags Container Reader/ Communicator On Board Unit (OBU)  Road Side Unit (RSU) On Board Unit (OBU) Part of CALM Network Today Proposed Tomorrow Would be improved with a single device Customs Customs
    11. 11. Border Crossing [diagram labels: Transportation Worker ID Card (TWIC) with Fingerprint Biometric; ISO/IEC 14443; Fingerprint Reader; Tractor Tag (TC 204 Standard); Chassis Tag (TC 204 Standard); 17364 Tags; 17365 Tags; Container Reader/Communicator; On Board Unit (OBU); Road Side Unit (RSU); On Board Unit (OBU), part of CALM Network; Today; Proposed Tomorrow; 10891 Tag; 18185 Tag/Seal; 17363 Tag; Would be improved with a single device; Customs]
    12. 12. Standards
        - The standards of ISO 17363, ISO 17364, ISO 17365, ISO 17366, ISO 17367, ISO 18185, and ISO 10891 are based on the standards of ISO TC 122 and ISO/IEC JTC 1/SC 31
            - Technology standards (e.g. ISO/IEC 18000-6, 18000-3, 18000-7, and 24730-2 for RF)
            - Data standards (e.g. ISO/IEC 15434, 15418, 15459, 15963)
            - Conformance standards (e.g. ISO/IEC 18047-6, 18047-3, 18047-7, and 24769 for RF)
            - Sensor standards are the cooperative work of ISO/IEC JTC 1/SC 31 and IEEE 1451
    13. 13. Standards
        - ISO 17365 (transport unit) tags used to build 17364 pallet tags
        - ISO 17364 tags used to build 17363 container/manifest tags and to communicate with container reader/communicator
        - ISO 10891 (formerly designated as ISO 10374.2) tag identifies container
        - ISO 18185 is eSeal tag
        - Chassis is identified by ISO TC 204 tag (ISO 14816) [note that ISO 10891 claims the chassis as well]
        - Tractor is identified by ISO TC 204 tag (ISO 14816)
        - Driver is identified by ISO/IEC JTC 1/SC 17 Transportation and DHS Worker Identification Card (TWIC)
        - On-board Unit (OBU) communicates to Road-side Unit (RSU) via CALM (Communication Air-interface Long and Medium range) Network (OBU-RSU communications protocol provisional)
        - On-board Unit (OBU) also provides location information and communications via / satellite/GPS
    14. 14. Concept of Operations
        - As supply chain pallets are being built, transport unit tags are loaded to pallet tags identifying contents, who built the shipment, purchase order number, and when the shipment was built.
        - As pallets are loaded into the container, pallet tags are loaded to container supply chain tags identifying contents, who built the shipment, purchase order number, container ID, eSeal ID, and when the container was stuffed.
        - Container is loaded onto chassis.
        - When the tractor connects to the chassis, container information, chassis ID, and tractor ID are loaded to the On-board Unit (OBU) through CANbus-like communications.
        - Driver inserts TWIC into the ID card/fingerprint reader.
        - Immediately prior to the border crossing event, driver records in vitro fingerprint to the OBU, along with a time stamp of the fingerprint read.
        - At the border crossing point the contents of the OBU are transferred to the Road-side Unit (RSU). The RSU might also capture information from the Container ID, eSeal, and Supply Chain/Manifest tag.
        - Process records the matching of the driver to the tractor, chassis, container, contents, eSeal, and time of the event.
        - OBU is also able to drive GPS system.
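The cross-check implied by the border-crossing steps above, as an added example that is not part of the original slides: pallet tags are rolled up into the container manifest, and the RSU compares what the OBU reports against the Container ID, eSeal and manifest tags it reads itself. Field names, the dict layout and all IDs are assumptions constructed for illustration; the ISO tag data formats are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Manifest:
    """Container supply chain tag contents, built up from the pallet tags."""
    container_id: str
    eseal_id: str
    stuffed_at: str
    pallets: tuple  # (pallet_id, builder, purchase_order, transport_unit_ids)

def build_manifest(container_id, eseal_id, stuffed_at, pallet_tags):
    """Roll pallet tags (each already holding its transport unit IDs) into one manifest."""
    pallets = tuple(sorted(
        (p["pallet_id"], p["builder"], p["po"], tuple(sorted(p["units"])))
        for p in pallet_tags))
    return Manifest(container_id, eseal_id, stuffed_at, pallets)

def rsu_crossing_record(obu, tag_reads, crossing_time):
    """Match the OBU's claims against tags the RSU read directly; return the event record."""
    m = obu["manifest"]
    mismatches = []
    if m.container_id != tag_reads["container_id_tag"]:
        mismatches.append("container_id")
    if m.eseal_id != tag_reads["eseal"]:
        mismatches.append("eseal_id")
    if m != tag_reads["manifest_tag"]:
        mismatches.append("manifest")
    return {
        "driver": obu["driver_id"], "tractor": obu["tractor_id"],
        "chassis": obu["chassis_id"], "container": m.container_id,
        "eseal": m.eseal_id, "pallet_count": len(m.pallets),
        "fingerprint_time": obu["fingerprint_time"], "crossing_time": crossing_time,
        "mismatches": mismatches, "cleared": not mismatches,
    }

# Constructed sample data: every identifier below is made up.
PALLETS = [
    {"pallet_id": "PAL-002", "builder": "ACME", "po": "PO-7781", "units": ["TU-3", "TU-4"]},
    {"pallet_id": "PAL-001", "builder": "ACME", "po": "PO-7781", "units": ["TU-2", "TU-1"]},
]
MANIFEST = build_manifest("CONT-0001", "SEAL-A1", "2008-12-01T08:00Z", PALLETS)
OBU = {"manifest": MANIFEST, "chassis_id": "CH-55", "tractor_id": "TR-9",
       "driver_id": "TWIC-1234", "fingerprint_time": "2008-12-02T10:58Z"}

def demo():
    """One clean crossing, and one where the seal read at the border has changed."""
    reads = {"container_id_tag": "CONT-0001", "eseal": "SEAL-A1", "manifest_tag": MANIFEST}
    ok = rsu_crossing_record(OBU, reads, "2008-12-02T11:00Z")
    bad = rsu_crossing_record(OBU, {**reads, "eseal": "SEAL-ZZ"}, "2008-12-02T11:00Z")
    return ok, bad
```

A non-empty `mismatches` list means the OBU's copy and the physical tags disagree, which is the condition the recorded matching of driver, tractor, chassis, container, contents and eSeal is meant to surface.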
    15. 15. ???
    16. 16. Thank you!!! Craig K. Harmon, President & CEO Q.E.D. Systems 3963 Highlands Lane, SE Cedar Rapids, IA 52403-2140 USA (V): +1 319/364-0212 (M): +1 319/533-8092 (E): [email_address] (U): http://www.autoid.org
    17. 18. DISCUSSION SLIDES
    18. 19. Social issue - Privacy
        - Privacy & Convenience are much akin to Freedom & Safety: each pair sits at opposite ends of a continuum. One cannot have both complete freedom and maximized safety, just as one cannot have complete privacy and maximized convenience.
        - The issue of privacy must become an issue of Personally Identifiable Information (PII), not of the technology.
        - It is far easier to inappropriately access Personally Identifiable Information (PII) through credit cards and mobile telephones.
    19. 20. Social issue – Privacy: What Can We Do?
        - Provide packaging that reflects its content; if there is an embedded RFID tag, signal its presence with the RFID Emblem.
        - Follow government and industry discussions regarding disclosure.
        [Emblem images: Generic Emblem; 18000-6C - 17366]
    20. 21. Social issue - Security
        - Security has been explained in ISO/IEC TR 24729-4 (DTR ballot closes 2008-10-19) and standardization is being proposed in a New Work Item Proposal (as yet an unnumbered work item) submitted by the National Body of Austria.
    21. 22. Social issue - Security
        - Risks include:
            - Confidentiality
                - “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [FISMA, 44 U.S.C., Sec. 3542]
                - A loss of confidentiality is the unauthorized disclosure of information.
            - Integrity
                - “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]
                - A loss of integrity is the unauthorized modification or destruction of information.
    22. 23. Social issue - Security
        - Risks include:
            - Availability
                - “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]
                - A loss of availability is the disruption of access to or use of information or an information system.
            - Authentication
                - Ensuring that a tag’s data can only be accessed by authorized individuals/systems.
    23. 24. Social issue - Security
        - Threats include:
            - Skimming data
            - Eavesdropping
            - Spoofing
            - Cloning
            - Data tampering
            - Insertion of executable code or virus
            - Denial of access or service
            - Unauthorized killing of tag
            - Jamming or shielding
    24. 25. Social issue - Security
        - Countermeasures include:
            - Wafer programming (true WORM)
            - ISO Tag ID verification
            - License plate
            - Memory lock
            - Password protection
            - Authentication
            - Cloaking
            - Encryption
            - Limitation of read distance
    25. 26. A Scenario for Password Distribution
        [Diagram. Components: Authorities; Server (Departure); Server (Arrival); Digital Signature; DB; Reader A; Reader B; RF tag. Links labelled IPsec and XML/EDI.]
        Numbered messages: ① Tag ID Req; ② Tag ID Res; ③ Signature Req; ④ Signature Res; ⑤ ePP Req; ⑥ ePP Res; ⑦ Key Transmission (Push); ⑧ Shipping; ⑨ Tag ID Req; ⑩ Tag ID Res; ⑪ Tag Req; ⑫ Tag Res; ⑬ Verification Req; ⑭ Verification Res
    26. 27. Social issue - Security: What Can We Do?
        - Remain aware of which technologies provide which levels of security.
        - Prior to implementing RFID security for any customer, ensure that they know what they are doing with security.
        - At this moment, a simple method of security is not available.
        - Follow legal and technical developments.
