Biblio

We consider a pharmaceutical supply chain where the manufacturer sources a customized product with unique attributes from a set of unreliable suppliers. We model the likelihood of a supplier to successfully deliver the product via Bayesian logistic regression and use simulation to obtain the posterior distribution of the unknown parameters of this model. We study the role of so-called input-model uncertainty in estimating the likelihood of the supply failure, which is the probability that none of the suppliers in a given supplier portfolio can successfully deliver the product. We investigate how the input-model uncertainty changes with respect to the characteristics of the historical data on the past realizations of the supplier performances and the product attributes.

Cloud computing is widely believed to be the future of computing. It has grown from being a promising idea to one of the fastest research and development paradigms of the computing industry. However, security and privacy concerns represent a significant hindrance to the widespread adoption of cloud computing services. Likewise, the attributes of the cloud such as multi-tenancy, dynamic supply chain, limited visibility of security controls and system complexity, have exacerbated the challenge of assessing cloud risks. In this paper, we conduct a real-world case study to validate the use of a supply chaininclusive risk assessment model in assessing the risks of a multicloud SaaS application. Using the components of the Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model, we show how the model enables cloud service providers (CSPs) to identify critical suppliers, map their supply chain, identify weak security spots within the chain, and analyse the risk of the SaaS application, while also presenting the value of the risk in monetary terms. A key novelty of the CSCCRA model is that it caters for the complexities involved in the delivery of SaaS applications and adapts to the dynamic nature of the cloud, enabling CSPs to conduct risk assessments at a higher frequency, in response to a change in the supply chain.

Logic locking is a holistic design-for-trust technique that aims to protect the design intellectual property (IP) from untrustworthy entities throughout the supply chain. Functional and structural analysis-based attacks successfully circumvent state-of-the-art, provably secure logic locking (PSLL) techniques. However, such attacks are not holistic and target specific implementations of PSLL. Automating the detection and subsequent removal of protection logic added by PSLL while accounting for all possible variations is an open research problem. In this paper, we propose GNNUnlock, the first-of-its-kind oracle-less machine learning-based attack on PSLL that can identify any desired protection logic without focusing on a specific syntactic topology. The key is to leverage a well-trained graph neural network (GNN) to identify all the gates in a given locked netlist that belong to the targeted protection logic, without requiring an oracle. This approach fits perfectly with the targeted problem since a circuit is a graph with an inherent structure and the protection logic is a sub-graph of nodes (gates) with specific and common characteristics. GNNs are powerful in capturing the nodes' neighborhood properties, facilitating the detection of the protection logic. To rectify any misclassifications induced by the GNN, we additionally propose a connectivity analysis-based post-processing algorithm to successfully remove the predicted protection logic, thereby retrieving the original design. Our extensive experimental evaluation demonstrates that GNNUnlock is 99.24% - 100% successful in breaking various benchmarks locked using stripped-functionality logic locking [1], tenacious and traceless logic locking [2], and Anti-SAT [3]. Our proposed post-processing enhances the detection accuracy, reaching 100% for all of our tested locked benchmarks. Analysis of the results corroborates that GNNUnlock is powerful enough to break the considered schemes under different parameters, synthesis settings, and technology nodes. The evaluation further shows that GNNUnlock successfully breaks corner cases where even the most advanced state-of-the-art attacks [4], [5] fail. We also open source our attack framework [6].

Counterfeit integrated circuits (ICs) and systems have emerged as a menace to the supply chain of electronic goods and products. Simple physical inspection for counterfeit detection, basic intellectual property (IP) laws, and simple protection measures are becoming ineffective against advanced reverse engineering and counterfeiting practices. As a result, hardware security-based techniques have emerged as promising solutions for combating counterfeiting, reverse engineering, and IP theft. However, these solutions have their own merits and shortcomings, and therefore, these options must be carefully studied. In this work, we present a comparative overview of available hardware security solutions to fight against IC counterfeiting. We provide a detailed comparison of the techniques in terms of integration effort, deployability, and security matrices that would assist a system designer to adopt any one of these security measures for safeguarding the product supply chain against counterfeiting and IP theft.

Supply chain management (SCM) system is a main requirement for manufacturers and companies to cooperate. There are many management techniques to manage supply chains, such as using Excel sheets. However, that technique is ineffective, insecure, and sensitive to human errors. In this paper, we propose CLOUDITY, a cloud-based SCM system using SELAT (Selective Market) and Blockchain system. We modify JUGO architecture to develop SELAT as a connector between users and cloud service providers. Also, we apply the Blockchain concept to make more secure system. CLOUDITY system can solve several cases: resource provisioning, service selection, authentication, and access control. Also, it improves the data security by checking every data changes of the supply chain management system using Blockchain system.

The revolution caused by the advanced analysis features of Internet of Things and big data have made a big turnaround in the digital world. Data analysis is not only limited to collect useful data but also useful in analyzing information quickly. Therefore, most of the variants of the shared system based on the parallel structural model are explored simultaneously as the appropriate big data storage library stimulates researchers’ interest in the distributed system. Due to the emerging digital technologies, different groups such as healthcare facilities, financial institutions, e-commerce, food service and supply chain management generate a surprising amount of information. Although the process of statistical analysis is essential, it can cause significant security and privacy issues. Therefore, the analysis of data privacy protection is very important. Using the platform, technology should focus on providing Advanced Cryptography Policy (ACP). This research explores different security risks, evolutionary mechanisms and risks of privacy protection. It further recommends the post-statistical modern privacy protection act to manage data privacy protection in binary format, because it is kept confidential by the user. The user authentication program has already filed access restrictions. To maintain this purpose, everyone’s attitude is to achieve a changing identity. This article is designed to protect the privacy of users and propose a new system of restoration of controls.

Food supply chain is a complex but necessary food production arrangement needed by the global community to maintain sustainability and food security. For the past few years, entities being a part of the food processing system have usually taken food supply chain for granted, they forget that just one disturbance in the chain can lead to poisoning, scarcity, or increased prices. This continually affects the vulnerable among society, including impoverished individuals and small restaurants/grocers. The food supply chain has been expanded across the globe involving many more entities, making the supply chain longer and more problematic making the traditional logistics pattern unable to match the expectations of customers. Food supply chains involve many challenges like lack of traceability and communication, supply of fraudulent food products and failure in monitoring warehouses. Therefore there is a need for a system that ensures authentic information about the product, a reliable trading mechanism. In this paper, we have proposed a comprehensive solution to make the supply chain consumer centric by using Blockchain. Blockchain technology in the food industry applies in a mindful and holistic manner to verify and certify the quality of food products by presenting authentic information about the products from the initial stages. The problem formulation, simulation and performance analysis are also discussed in this research work.

At the RELENG 2014 Q&A, the question was asked, “What is your greatest concern?” and the response was “someone subverting our deployment pipeline”. That is the motivation for this paper. We explore what it means to subvert a pipeline and provide several different scenarios of subversion. We then focus on the issue of securing a pipeline. As a result, we provide an engineering process that is based on having trusted components mediate access to sensitive portions of the pipeline from other components, which can remain untrusted. Applying our process to a pipeline we constructed involving Chef, Jenkins, Docker, Github, and AWS, we find that some aspects of our process result in easy to make changes to the pipeline, whereas others are more difficult. Consequently, we have developed a design that hardens the pipeline, although it does not yet completely secure it.

Ensuring sustainable sourcing of crude materials and production of goods is a pressing problem in consideration of the growing world population and rapid climate change. Supply-chain traceability systems based on distributed ledgers can help to enforce sustainability policies like production limits. We propose two mutually independent distributed-ledger-based protocols that enable public verifiability of policy compliance. They are designed for different supply-chain scenarios and use different privacy-enhancing technologies in order to protect confidential supply-chain data: secret sharing and homomorphic encryption. The protocols can be added to existing supply-chain traceability solutions with minor effort. They ensure confidentiality of transaction details and offer public verifiability of producers' compliance, enabling institutions and even end consumers to evaluate sustainability of supply chains. Through extensive theoretical and empirical evaluation, we show that both protocols perform verification for lifelike supply-chain scenarios in perfectly practical time.

In the recent years, sustainability has becoming an important topic in agro-food supply chain. Moreover, these supply chains are more vulnerable due to different interrelated risks from man-made and natural disasters. However, most of the previous studies consider less about interrelation in assessing sustainability risks. The purpose of this research is to develop a framework to assess supply chain sustainability risks by rnking environmental risks, economic risks, social risks and operational risks. To solve this problem, the proposed methodology is an integrated rough decision- making and trial evaluation laboratory (DEMA℡) method that consider the interrelationship between different risks and the group preference diversity. In order to evaluate the applicability of the proposed method, a real-world case study of Tunisian agro-food company is presented. The results show that the most important risks are corruption, inflation and uncertainty in supply and demand.

The software supply chain is a source of cybersecurity risk for many commercial and government organizations. Public data may be used to inform automated tools for detecting software supply chain risk during continuous integration and deployment. We link data from the National Vulnerability Database (NVD) with open version control data for the open source project OpenSSL, a widely used secure networking library that made the news when a significant vulnerability, Heartbleed, was discovered in 2014. We apply the Alhazmi-Malaiya Logistic (AML) model for software vulnerability discovery to this case. This model predicts a sigmoid cumulative vulnerability discovery function over time. Some versions of OpenSSL do not conform to the predictions of the model because they contain a temporary plateau in the cumulative vulnerability discovery plot. This temporary plateau feature is an empirical signature of a security failure mode that may be useful in future studies of software supply chain risk.

With increased awareness comes unprecedented expectations. We live in a digital, cloud era wherein the underlying information architectures are expected to be elastic, secure, resilient, and handle petabyte scaling. The expectation of epic proportions from the next generation of the data frameworks is to not only do all of the above but also build it on a foundation of trust and explainability across multi-organization business networks. From cloud providers to automobile industries or even vaccine manufacturers, components are often sourced by a complex, not full digitized thread of disjoint suppliers. Building Machine Learning and AI-based order fulfillment and predictive models, remediating issues, is a challenge for multi-organization supply chain automation. We posit that Federated Learning in conjunction with blockchain and smart contracts are technologies primed to tackle data privacy and centralization challenges. In this paper, motivated by challenges in the industry, we propose a decentralized distributed system in conjunction with a recommendation system model (Matrix Factorization) that is trained using Federated Learning on an Ethereum blockchain network. We leverage smart contracts that allow decentralized serverless aggregation to update local-ized items vectors. Furthermore, we utilize Homomorphic Encryption (HE) to allow sharing the encrypted gradients over the network while maintaining their privacy. Based on our results, we argue that training a model over a serverless Blockchain network using smart contracts will provide the same accuracy as in a centralized model while maintaining our serverless model privacy and reducing the overhead communication to a central server. Finally, we assert such a system that provides transparency, audit-ready and deep insights into supply chain operations for enterprise cloud customers resulting in cost savings and higher Quality of Service (QoS).

Blockchain technology has brought a huge paradigm shift in multiple industries, by integrating distributed ledger, smart contracts and consensus protocol under the same roof. Notable applications of blockchain include cryptocurrencies and large-scale multi-party transaction management systems. The latter fits very well into the domain of manufacturing and supply chain management for Integrated Circuits (IC), which, despite several advanced technologies, is vulnerable to malicious practices, such as overproduction, IP piracy and deleterious design modification to gain unfair advantages. To combat these threats, researchers have proposed several ideas like hardware metering, design obfuscation, split manufacturing and watermarking. In this paper, we show, how these issues can be complementarily dealt with using blockchain technology coupled with identity-based encryption and physical unclonable functions, for improved resilience against certain adversarial motives. As part of our proposed blockchain protocol, titled `BLIC', we propose an authentication mechanism to secure both active and passive IC transactions, and a composite consensus protocol designed for IC supply chains. We also present studies on the security, scalability, privacy and anonymity of the BLIC protocol.

The Industrial Internet promises to radically change and improve many industry's daily business activities, from simple data collection and processing to context-driven, intelligent and pro-active support of workers' everyday tasks and life. The present paper first provides insight into a typical industrial internet application architecture, then it highlights one fundamental arising contradiction: “Who owns the data is often not capable of analyzing it”. This statement is explained by imaging a visionary data supply chain that would realize some of the Industrial Internet promises. To concretely implement such a system, recent standards published by The Open Group are presented, where we highlight the characteristics that make them suitable for Industrial Internet applications. Finally, we discuss comparable solutions and concludes with new business use cases.

The perception of lack of control over resources deployed in the cloud may represent one of the critical factors for an organization to decide to cloudify or not their own services. Furthermore, in spite of the idea of offering security-as-a-service, the development of secure cloud applications requires security skills that can slow down the adoption of the cloud for nonexpert users. In the recent years, the concept of Security Service Level Agreements (Security SLA) is assuming a key role in the provisioning of cloud resources. This paper presents the SPECS framework, which enables the development of secure cloud applications covered by a Security SLA. The SPECS framework offers APIs to manage the whole Security SLA life cycle and provides all the functionalities needed to automatize the enforcement of proper security mechanisms and to monitor userdefined security features. The development process of SPECS applications offering security-enhanced services is illustrated, presenting as a real-world case study the provisioning of a secure web server.

Security in cloud environments is always considered an issue, due to the lack of control over leased resources. In this paper, we present a solution that offers security-as-a-service by relying on Security Service Level Agreements (Security SLAs) as a means to represent the security features to be granted. In particular, we focus on a security mechanism that is automatically configured and activated in an as-a-service fashion in order to protect cloud resources against DoS attacks. The activities reported in this paper are part of a wider work carried out in the FP7-ICT programme project SPECS, which aims at building a framework offering Security-as-a-Service using an SLA-based approach. The proposed approach founds on the adoption of SPECS Services to negotiate, to enforce and to monitor suitable security metrics, chosen by cloud customers, negotiated with the provider and included in a signed Security SLA.

Food safety policies have aim to promote and develop feeding and nutrition in society. This paper presents a system dynamics model that studies the dynamic behavior between transport infrastructure and the food supply chain in the city of Bogotá. The results show that an adequate transport infrastructure is more effective to improve the service to the customer in the food supply chain. The system dynamics model allows analyze the behavior of transport infrastructure and supply chains of fruits and vegetables, groceries, meat and dairy. The study has gone some way towards enhancing our understanding of food security impact, food supply chain and transport infrastructure.

RFID (Radio-Frequency IDentification) is attractive for the strong visibility it provides into logistics operations. In this paper, we explore fair-exchange techniques to encourage honest reporting of item receipt in RFID-tagged supply chains and present a fair ownership transfer system for RFID-tagged supply chains. In our system, a receiver can only access the data and/or functions of the RFID tag by providing the sender with a cryptographic attestation of successful receipt; cheating results in a defunct tag. Conversely, the sender can only obtain the receiver's attestation by providing the secret keys required to access the tag.

Radio Frequency Identification (RFID) improves the efficiency of managing assets in supply chain applications throughout an entire life cycle or while in transport. Transfer of ownership of RFID-tagged items involves replacing information authorizing the old owner with information authorizing the new owner. In this work, we present a two-party, multiple tag, single-owner protocol for ownership transfer: 2P-mtOTP. This two-party protocol depends only on the communication among the two owners and the tags. Further, 2P-mtOTP is robust to attacks on its security, and it preserves the privacy of the owners and tags. We analyze our work in comparison to recent ownership transfer protocols in terms of security, privacy, and efficiency.

Globalization of the integrated circuit (IC) supply chain exposes designs to security threats such as reverse engineering and intellectual property (IP) theft. Designers may want to protect specific high-level synthesis (HLS) optimizations or micro-architectural solutions of their designs. Hence, protecting the IP of ICs is essential. Behavioral locking is an approach to thwart these threats by operating at high levels of abstraction instead of reasoning on the circuit structure. Like any security protection, behavioral locking requires additional area. Existing locking techniques have a different impact on security and overhead, but they do not explore the effects of alternatives when making locking decisions. We develop a design-space exploration (DSE) framework to optimize behavioral locking for a given security metric. For instance, we optimize differential entropy under area or key-bit constraints. We define a set of heuristics to score each locking point by analyzing the system dependence graph of the design. The solution yields better results for 92% of the cases when compared to baseline, state-of-the-art (SOTA) techniques. The approach has results comparable to evolutionary DSE while requiring 100× to 400× less computational time.

The risk of cyber-attack is omnipresent, there are lots of threat actors in the cyber field and the number of attacks increases every day. The paper defines currently the most discussed supply chain attacks, briefly summarizes significant events of successful supply chain attacks and outlines complex strategy leading to the prevention of such attacks; the strategy which can be used not only by civil organizations but governmental ones, too. Risks of supply chain attacks against the Czech army are taken into consideration and possible mitigations are suggested.

In this paper, an optimization model of automobile supply chain network with risks under fuzzy price is put forward. The supply chain network is composed of component suppliers, plants, and distribution centers. The total costs of automobile supply chain consist of variable costs, fixed costs, and transportation costs. The objective of this study is to minimize the risks of total profits. In order to deal with this model, this paper puts forward an approximation method to transform a continuous fuzzy problem into discrete fuzzy problem. The model is solved using Cplex 12.6. The results show that Cplex 12.6 can perfectly solve this model, the expected value and lower semi-variance of total profits converge with the increasing number of discretization points, the structure of automobile supply chain network keeps unchanged with the increasing number of discretization points.

In recent years, integrated circuits (ICs) have become significant for various industries and their security has been given greater priority, specifically in the supply chain. Budgetary constraints have compelled IC designers to offshore manufacturing to third-party companies. When the designer gets the manufactured ICs back, it is imperative to test for potential threats like hardware trojans (HT). In this paper, a novel multi-level game-theoretic framework is introduced to analyze the interactions between a malicious IC manufacturer and the tester. In particular, the game is formulated as a non-cooperative, zero-sum, repeated game using prospect theory (PT) that captures different players' rationalities under uncertainty. The repeated game is separated into a learning stage, in which the defender learns about the attacker's tendencies, and an actual game stage, where this learning is used. Experiments show great incentive for the attacker to deceive the defender about their actual rationality by "playing dumb" in the learning stage (deception). This scenario is captured using hypergame theory to model the attacker's view of the game. The optimal deception rationality of the attacker is analytically derived to maximize utility gain. For the defender, a first-step deception mitigation process is proposed to thwart the effects of deception. Simulation results show that the attacker can profit from the deception as it can successfully insert HTs in the manufactured ICs without being detected.

The Internet of Things is an emerging technology for recent marketplace. In IoT, the heterogeneous devices are connected through the medium of the Internet for seamless communication. The devices used in IoT are resource-constrained in terms of memory, power and processing. Due to that, IoT system is unable to implement hi-end security for malicious cyber-attacks. The recent era is all about connecting IoT devices in various domains like medical, agriculture, transport, power, manufacturing, supply chain, education, etc. and thus need to be prevented from attacks and analyzed after attacks for legal action. The legal analysis of IoT data, devices and communication is called IoT forensics which is highly indispensable for various types of attacks on IoT system. This paper will review types of IoT attacks and its preventive measures in cyber security. It will also help in ascertaining IoT forensics and its challenges in detail. This paper will conclude with the high requirement of cyber security in IoT domains with implementation of standard rules for IoT forensics.

Blockchain has the potential to enhance supply chain management systems by providing stronger assurance in transparency and traceability of traded commodities. However, blockchain does not overcome the inherent issues of data trust in IoT enabled supply chains. Recent proposals attempt to tackle these issues by incorporating generic trust and reputation management methods, which do not entirely address the complex challenges of supply chain operations and suffers from significant drawbacks. In this paper, we propose DeTRM, a decentralised trust and reputation management solution for supply chains, which considers complex supply chain operations, such as splitting or merging of product lots, to provide a coherent trust management solution. We resolve data trust by correlating empirical data from adjacent sensor nodes, using which the authenticity of data can be assessed. We design a consortium blockchain, where smart contracts play a significant role in quantifying trustworthiness as a numerical score from different perspectives. A proof-of-concept implementation in Hyperledger Fabric shows that DeTRM is feasible and only incurs relatively small overheads compared to the baseline.