Frequently Asked Questions – Cyber-Physical Passport

September 28, 2025; October 16th, 2025

FAQ – Cyber-Physical Passport

Q: How does the CPP relate to the Cyber Trust Mark or to software bill of materials (SBOM) and hardware (HBOM) industry protocols?
A: SBOMs and HBOMs provide documentation that would be incorporated within a CPP. The CPP then goes a step further by providing a STAMP—a Software Trace of A Manufacturing Process/Product—which traces all software components that impact the function or structure of a manufactured part, process, or operation. By consolidating otherwise disparate SBOMs and HBOMs within a single interface, the CPP provides unprecedented visibility into U.S. supply chains.

Q: How is the CPP itself verified? Does a CPP have “citizenship”?
A: In the current prototype phase, CPPs are linked to the automation facility where they are generated and then registered in a local CPP data-hub, providing a notional “citizenship.” Furthermore, every passport is digitally signed at creation, and its signature and location are recorded in a ledger across the supply chain. However, more verification mechanisms are needed to assess the physical location where CPPs are generated and to further verify the integrity of the data held within.

Q: How are firmware or software updates integrated into the CPP?
A: Firmware and software updates are part of the evolving passport associated with an object, as part of its metadata digital twin. A CPP evolves throughout the lifecycle of the object associated with it. When changes occur, a new passport is generated and linked to the previous passport.
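An added example, not CyManII's code, sketching what the two answers above describe: each passport is signed at creation, recorded in a ledger with its facility, and linked to its predecessor when an update occurs. The field names, the SHA-256 hash link, and the HMAC used as a standard-library stand-in for a real digital signature are all assumptions, since the FAQ does not specify them.

```python
import hashlib
import hmac
import json

# Assumption: constructed demo key; HMAC stands in for the facility's real signature.
FACILITY_KEY = b"constructed-demo-key"

def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _sign(body, key):
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()

def digest(passport):
    """Hash over body and signature; a successor stores this value as `prev`."""
    data = _canonical(passport["body"]) + passport["sig"].encode()
    return hashlib.sha256(data).hexdigest()

def issue(part_id, facility, firmware, prev=None, key=FACILITY_KEY):
    """Create a signed passport (hypothetical fields), linked to `prev` if given."""
    body = {"part_id": part_id, "facility": facility, "firmware": firmware,
            "prev": digest(prev) if prev else None}
    return {"body": body, "sig": _sign(body, key)}

def verify_chain(chain, ledger, key=FACILITY_KEY):
    """Check signature, predecessor link and ledger entry for each passport."""
    expected_prev = None
    for i, p in enumerate(chain):
        if not hmac.compare_digest(_sign(p["body"], key), p["sig"]):
            return False, f"passport {i}: bad signature"
        if p["body"]["prev"] != expected_prev:
            return False, f"passport {i}: broken link to predecessor"
        if ledger.get(digest(p)) != p["body"]["facility"]:
            return False, f"passport {i}: not in ledger or facility mismatch"
        expected_prev = digest(p)
    return True, "ok"

def demo():
    """Constructed sample: one part, one firmware update, three failure cases."""
    p1 = issue("PART-0001", "facility-A", "1.0.0")
    p2 = issue("PART-0001", "facility-A", "1.1.0", prev=p1)
    ledger = {digest(p): p["body"]["facility"] for p in (p1, p2)}
    edited = {"body": dict(p1["body"], firmware="9.9.9"), "sig": p1["sig"]}
    unregistered = issue("PART-0001", "facility-A", "9.9.9")
    return {"intact": verify_chain([p1, p2], ledger),
            "edited": verify_chain([edited, p2], ledger),
            "unregistered": verify_chain([unregistered, p2], ledger),
            "history_dropped": verify_chain([p2], ledger)}
```

The `unregistered` case carries a valid signature and still fails, which is the reason for recording each passport in a ledger in addition to signing it.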

Q: How will the CPP and AI work together?
A: CyManII has been developing different AI-based approaches to detecting attacks on subtractive and additive manufacturing machines. In the future, we anticipate that the CPP system will incorporate real-time analysis and trusted agentic AI capabilities within the CPP data-hub to provide a range of additional services, such as informing manufacturers about potential faults or attacks; providing vulnerability assessments, root-cause analysis, and fine-grained accountability; updating maintenance requirements; and optimizing throughput. At the supply chain level, we anticipate that the CPP framework will be able to provide integrity analysis of part designs and manufacturing processes; verification of supply chain stability; multiresolution audit and optimization of supply chains; and vulnerability analysis.

Q: How does the CPP track the provenance of training data used by control hardware running AI-based software?
A: The CPP infrastructure already includes the ability to capture training data in the form of time-series data extracted during the manufacturing process, including energy, geometry, and other sensor data; computer-aided design (CAD) or computer-aided manufacturing (CAM) data; SBOMs; and more. As the system matures, we anticipate that other types of data can also be incorporated together with AI models and the results of AI inference, which will then be presented as analysis embedded within passports.

Q: How does the CPP support current U.S. priorities to provide energy abundance, dominance, American competitiveness, and drive innovation?
A: The CPP directly supports five of the nine priorities described by U.S. Secretary of Energy Chris Wright to “unleash American Energy” with the active involvement of industry partners. In particular:

1. The CPP will utilize modern AI to provide greater assurance in manufacturing supply chains, paving the way for new and improved energy production.
2. The CPP supports national security and cybersecurity in the energy sector by improving visibility into supply chains and protecting critical energy supply.
3. The CPP will improve the nation’s ability to assess, track, and communicate common vulnerabilities and mitigations by providing a common supply chain security infrastructure.

Q: What other industries or examples can the CPP apply to today? Are there examples in fossil energy or the emerging nuclear industry?
A: CyManII’s industry use cases consider different manufacturing scenarios for industrial control systems, additive manufacturing, and secure digitalization. Furthermore, CPPs can be applied to microelectronics, biomanufacturing, and nuclear energy (in connection with the industrial control system scenario and beyond).

Q: How many companies are supporting the development of the CPP?
A: As part of CyManII’s industry use cases, we are currently piloting CPPs with the original equipment manufacturer (OEM) GE Vernova and several small-to-medium manufacturers (SMMs), including Humtown, Neuvokas, Addiguru, and Authentise.

QUESTIONS TO BE ADDRESSED IN FUTURE PILOT PROGRAMS AND IMPLEMENTATION:

1. How will you bootstrap the CPP framework?
2. How will you federate the CPP framework?
3. What other AI frameworks will be supported and how will they be integrated?
4. What will be the impact of the CPP framework in terms of reducing cybersecurity incidents?
5. How will you scale the framework for different industry use cases?
6. What other concepts of operations or use cases could be supported by the CPP framework?