security and privacy automation blockchain digital...blockchain offers audit trails, i.e.,...
TRANSCRIPT
Security and Privacy
Automation Blockchain Digital Transformation
AUGUST 2020 www.computer.org
IEEE Computer Society Has You Covered!WORLD-CLASS CONFERENCES — Stay ahead of the curve by attending one of our 200+ globally recognized conferences.
DIGITAL LIBRARY — Easily access over 780k articles covering world-class peer-reviewed content in the IEEE Computer Society Digital Library.
CALLS FOR PAPERS — Discover opportunities to write and present your ground-breaking accomplishments.
EDUCATION — Strengthen your resume with the IEEE Computer Society Course Catalog and its range of offerings.
ADVANCE YOUR CAREER — Search the new positions posted in the IEEE Computer Society Jobs Board.
NETWORK — Make connections that count by participating in local Region, Section, and Chapter activities.
Explore all of the member benefi ts at www.computer.org today!
STAFF
EditorCathy Martin
Publications Operations Project SpecialistChristine Anthony
Production & Design ArtistCarmen Flores-Garvey
Publications Portfolio ManagersCarrie Clark, Kimberly Sperka
PublisherRobin Baldwin
Senior Advertising CoordinatorDebbie Sims
Circulation: ComputingEdge (ISSN 2469-7087) is published monthly by the IEEE Computer Society. IEEE Headquarters, Three Park Avenue, 17th Floor, New York, NY 10016-5997; IEEE Computer Society Publications Office, 10662 Los Vaqueros Circle, Los Alamitos, CA 90720; voice +1 714 821 8380; fax +1 714 821 4010; IEEE Computer Society Headquarters, 2001 L Street NW, Suite 700, Washington, DC 20036.Postmaster: Send address changes to ComputingEdge-IEEE Membership Processing Dept., 445 Hoes Lane, Piscataway, NJ 08855. Periodicals Postage Paid at New York, New York, and at additional mailing offices. Printed in USA.Editorial: Unless otherwise stated, bylined articles, as well as product and service descriptions, reflect the author’s or firm’s opinion. Inclusion in ComputingEdge does not necessarily constitute endorsement by the IEEE or the Computer Society. All submissions are subject to editing for style, clarity, and space.Reuse Rights and Reprint Permissions: Educational or personal use of this material is permitted without fee, provided such use: 1) is not made for profit; 2) includes this notice and a full citation to the original work on the first page of the copy; and 3) does not imply IEEE endorsement of any third-party products or services. Authors and their companies are permitted to post the accepted version of IEEE-copyrighted material on their own Web servers without permission, provided that the IEEE copyright notice and a full citation to the original work appear on the first screen of the posted copy. An accepted manuscript is a version which has been revised by the author to incorporate review suggestions, but not the published version with copy-editing, proofreading, and formatting added by IEEE. For more information, please go to: http://www.ieee.org/publications_standards/publications /rights/paperversionpolicy.html. Permission to reprint/republish this material for commercial, advertising, or promotional purposes or for creating new collective works for resale or redistribution must be obtained from IEEE by writing to the IEEE Intellectual Property Rights Office, 445 Hoes Lane, Piscataway, NJ 08854-4141 or [email protected]. Copyright © 2020 IEEE. All rights reserved.Abstracting and Library Use: Abstracting is permitted with credit to the source. Libraries are permitted to photocopy for private use of patrons, provided the per-copy fee indicated in the code at the bottom of the first page is paid through the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923.Unsubscribe: If you no longer wish to receive this ComputingEdge mailing, please email IEEE Computer Society Customer Service at [email protected] and type “unsubscribe ComputingEdge” in your subject line.IEEE prohibits discrimination, harassment, and bullying. For more information, visit www.ieee.org/web/aboutus/whatis/policies/p9-26.html.
IEEE COMPUTER SOCIETY computer.org
IEEE Computer Society Magazine Editors in Chief
ComputerJeff Voas, NIST
Computing in Science & EngineeringLorena A. Barba (Interim), George Washington University
IEEE Annals of the History of ComputingGerardo Con Diaz, University of California, Davis
IEEE Computer Graphics and ApplicationsTorsten Möller, Universität Wien
IEEE Intelligent SystemsV.S. Subrahmanian, Dartmouth College
IEEE Internet ComputingGeorge Pallis, University of Cyprus
IEEE MicroLizy Kurian John, University of Texas at Austin
IEEE MultiMediaShu-Ching Chen, Florida International University
IEEE Pervasive ComputingMarc Langheinrich, Università della Svizzera italiana
IEEE Security & PrivacyDavid Nicol, University of Illinois at Urbana-Champaign
IEEE SoftwareIpek Ozkaya, Software Engineering Institute
IT ProfessionalIrena Bojanova, NIST
2469-7087/20 © 2020 IEEE Published by the IEEE Computer Society August 2020 1
AUGUST 2020 � VOLUME 6 � NUMBER 8
Memory Encryption Engine
A B
Memory
Enclave A
Operating System
App Enclave B
CPU SGX Micro Code
So�
war
eH
ardw
are
A B
Memory
Enclave A
Operating System
App Enclave B
CPU Sanctum PTW
So�
war
eH
ardw
are
Security Monitor
SM
Hypervisor
Secure Processor
A B
CPU
Memory
So�
war
eH
ardw
are
App
OperatingSystem
App App
OperatingSystem
App
VM A VM B
(a) (b) (c)ShockSurpriseor shockat the event
Mor
al &
com
pete
nce
Time
DenialDisbelief;looking forevidence thatit is’t true
FrustrationRecognitionthat thingsare different;sometimesangry
DepressionLow mood;lacking inenergy
ExperimentInitialengagementwith newsituation
DecisionLearning howto work in thenew situation;feeling morepositive
IntegrationChangesintegrated;a renewedindividual
8Trusted Execution
Environments: Properties,
Applications, and Challenges
36Blockchain
and Electronic Healthcare
Records
48To Transform to
Have Agility,Don’t Do a Capital
A, Capital T Agile Transformation
Security and Privacy
8 Trusted Execution Environments: Properties, Applications, and Challenges
PATRICK JAUERNIG, AHMAD-REZA SADEGHI, AND EMMANUEL STAPF
14 FinalFilter: Asserting Security Properties of a Processor at Runtime CYNTHIA STURTON, MATTHEW HICKS, SAMUEL T. KING, AND
JONATHAN M. SMITH
Automation
22 Cyberattack-Resilient Cyberphysical SystemsBARRY M. HOROWITZ
30 EDI with Blockchain as an Enabler for Extreme Automation
JINAN FIAIDHI, SABAH MOHAMMED, AND SAMI MOHAMMED
Blockchain
36 Blockchain and Electronic Healthcare RecordsNIR KSHETRI
42 Supply Chain Trust NIR KSHETRI AND JEFFREY VOAS
Digital Transformation
48 To Transform to Have Agility, Don’t Do a Capital A, Capital T Agile Transformation
JONATHAN SMART
54 Enterprise ArchitectureRICARDO PEREZ-CASTILLO, FRANCISCO RUIZ, MARIO PIATTINI, AND
CHRISTOF EBERT
Departments 4 Magazine Roundup
7 Editor’s Note: Hardware —The New Point of Attack66 Conference Calendar
Subscribe to ComputingEdge for free at www.computer.org/computingedge.
4 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
Magazine Roundup
The IEEE Computer Society’s lineup of 12 peer-reviewed technical magazines covers cutting-edge topics rang-ing from software design and computer graphics to Internet computing and security, from scientific appli-
cations and machine intelligence to visualization and microchip design. Here are highlights from recent issues.
Physical Computing: A Key Element of Modern Computer Science Education
A recent growth area in com-puter science education is phys-ical computing, which involves combining software and hardware to build interactive physical sys-tems that sense and respond to the real world. This article from the April 2020 issue of Computer pro-vides an overview of physical com-puting and its value in the class-room, using the BBC micro:bit as an example.
An Interactive Exploration Tool for High-Dimensional Datasets: A Shock Physics Case Study
Validating simulations with exper-imental results is a vital compo-nent of modern materials science. Existing workflows require sub-stantial human intervention to interpret their results. The authors of this article from the March/April 2020 issue of Computing in Science & Engineering present a
statistical approach to identifying physically meaningful features. The authors construct a visual-ization system that allows users to interactively and intuitively explore their datasets.
The Font Wars, Part 2
In the early 1980s, letters raster-ized from outline fonts at low and medium resolutions had irregular shapes. The lower the resolutions, the greater the irregularities, and the more that typographers criti-cized the type quality. PostScript fonts, launched in 1985, regular-ized medium-resolution type with secret ingredients coyly called “hints” by Adobe. This prompted competing inventions of font reg-ularization using techniques vari-ously called “instructions,” “delta exceptions,” “procedures,” “intel-ligence,” and other terms sound-ing more like high-tech snake oil than science. Further research and open publication, how-ever, revealed their connections to traditional aesthetics of let-ter symmetry as well as to mod-ern signal processing, pattern recognition, and psychophysics,
thus expanding our understand-ing of typography in digital cul-ture. Read more in this article from the January–March 2020 issue of IEEE Annals of the History of Computing.
Nano for the Public: An Exploranation Perspective
Public understanding of contem-porary scientific issues is criti-cal for the future of society. Public spaces, such as science centers, can affect the communication of science by providing active knowl-edge-building experiences of sci-entific phenomena. Contributing to this vision, the authors of this article from the March/April 2020 issue of IEEE Computer Graph-ics and Applications previously developed an interactive visualiza-tion as part of a public exhibition about nano. The authors reflect on how the immersive design and fea-tures of the exhibit contribute as a tool for science communication in light of the emerging paradigm of exploranation, and offer some for-ward-looking perspectives about what this notion has to offer the domain.
www.computer.org/computingedge 5
Decision Making in IoT Environment through Unsupervised Learning
Nowadays, unsupervised learning can identify hidden patterns and classes inside the huge amount of data coming from the Internet of Things (IoT). Analyzing IoT data through machine-learning tech-niques requires the use of mathe-matical algorithms, computational techniques, and an accurate tun-ing of the input parameters. In this article from the January/February 2020 issue of IEEE Intelligent Sys-tems, the authors present a study of unsupervised-learning tech-niques applied on IoT data to sup-port decision-making processes inside intelligent environments. To assess the proposed approach, they discuss two case studies in which behavioral IoT data has been collected, in a noninvasive way, to achieve an unsupervised classifi-cation that can be adopted during a decision-making process.
Network Quality-Aware Architecture for Adaptive Video Streaming From Drones
Video streaming over the IP net-works presents several chal-lenges for remote drone piloting.
To achieve a high Quality of Expe-rience, minimal latency is manda-tory. However, wireless links usu-ally impose dynamic changes to the Quality of Service conditions. Moreover, bandwidth limitations can increase both the final per-ceived latency and packet loss during video streaming. These cir-cumstances require an architec-ture capable of estimating net-work performance and applying corrective actions in a timely man-ner to optimize application-level quality. In this article from the Jan-uary/February 2020 issue of IEEE Internet Computing, the authors present such an architecture and discuss the results of its applica-tion in video streaming for remote drone piloting. Their proposal offers a framework with low cou-pling between its functional blocks and high adaptability to dynamic scenarios. Accordingly, they aim to pave the way for reactive applica-tions that leverage edge-comput-ing elements and adapt to network conditions.
MLPerf: An Industry Standard Benchmark Suite for Machine Learning Performance
In this article from the March/April 2020 issue of IEEE Micro, the authors describe the design choices behind MLPerf, a
machine-learning performance benchmark that has become an industry standard. The first two rounds of the MLPerf Training benchmark helped drive improve-ments to software-stack perfor-mance and scalability, showing a 1.3× speedup in the top 16-chip results despite higher quality tar-gets and a 5.5× increase in sys-tem scale. The first round of MLP-erf Inference received over 500 benchmark results from 14 differ-ent organizations, showing grow-ing adoption.
Do I Smell Coffee? The Tale of a 360° Mulsemedia Experience
One of the main challenges in cur-rent multimedia networking envi-ronments is to find solutions to help accommodate the next generation of mobile application classes with stringent Quality of Service (QoS) requirements while enabling the Quality of Experience (QoE) provi-sioning for users. One such appli-cation class is 360° mulsemedia—multiple sensorial media—which enriches 360° video by adding sen-sory effects that stimulate human senses beyond those of sight and hearing, such as the tactile and olfactory ones. In this article from the January–March 2020 issue of IEEE MultiMedia, the authors pres-ent a conceptual framework for
6 ComputingEdge August 2020
MAGAZINE ROUNDUP
360° mulsemedia delivery and a 360° mulsemedia-based prototype that enables users to experience 360° mulsemedia content. User evaluations revealed that higher video resolutions do not necessar-ily lead to the highest QoE levels. Therefore, bandwidth savings can be leveraged with no detrimental impact on QoE.
Child-Robot Theater: Engaging Elementary Students in Informal STEAM Education Using Robots
One of the options to make sci-ence, technology, engineering, and mathematics (STEM) more acces-sible, especially for children, is to integrate STEM content into more attractive materials and familiar formats. The authors of this arti-cle from the January–March 2020 issue of IEEE Pervasive Comput-ing created an afterschool pro-gram called “Child-Robot Theater” for children in a rural elementary school. They administered two pro-grams over two years. Thirty-seven children participated in the two-phase program, from which 23 chil-dren were included in the analysis of this study. The authors infused science, robotics, and computer science with acting, dancing, sing-ing, and drawing inspired by the theater production. In the article, after briefly introducing their peda-gogical framework and procedure, the authors delineate potential impacts, lessons, and recommen-dations for future works.
You Could Be Mine(d): The Rise of Cryptojacking
Traditional malicious attacks have evolved beyond file-based meth-ods, with malicious files now exist-ing as processes and services to evade detection. This article from the March/April 2020 issue of IEEE Security & Privacy examines the rise of cryptojacking—the use of another’s machine for profit through cryptocurrency mining—and how we’re all at risk.
Contrasting Big Bang With Continuous Integration Through Defect Reports
Continuous integration prom-ises earlier defect detection, qual-ity improvements, and more cus-tomer value delivered faster. In this case study from the May/June 2020 issue of IEEE Software, the authors examine development of software for the advanced safety and driver support component of a Swedish vehicle manufacturer in two consecutive projects.
Attacking Key Management in Ransomware
Ransomware has observed a steady growth over the years with several concerning trends that indicate efficient, targeted attacks against organizations and indi-viduals alike. These opportunistic
attackers indiscriminately tar-get both public- and private-sec-tor entities to maximize gain. In this article from the March/April 2020 issue of IT Professional, the authors highlight the criticality of key management in ransomware’s cryptosystem to facilitate build-ing effective solutions against this threat. They introduce the ran-somware kill chain to elucidate the path that adversaries must take to attain their malicious objec-tive. The authors examine current solutions presented against ran-somware in light of this kill chain and specify which constraints on ransomware are being violated by the existing solutions. Finally, they present the notion of mem-ory attacks against ransomware’s key management and present ini-tial experiments with dynamically extracting decryption keys from real-world ransomware. Results of the preliminary research are prom-ising, and the extracted keys were successfully deployed in subse-quent data decryption.
Join the IEEE Computer Societycomputer.org/join
2469-7087/20 © 2020 IEEE Published by the IEEE Computer Society August 2020 7
Editor’s Note
Hardware—The New Point of Attack
Cybercriminals increasingly exploit computer hardware
vulnerabilities, highlighting the need for secure architectures and hardware-based defenses. Cache timing, Rowhammer, BIOS, and other types of cyberattacks on hardware and firmware are threatening information security in new ways. This issue of Com-putingEdge discusses innovative techniques for combatting these attacks at the hardware level.
One promising approach is trusted execution environments (TEEs). IEEE Security & Priva-cy’s “Trusted Execution Environ-ments: Properties, Applications, and Challenges” provides an over-view of existing TEEs and calls for improvements in TEE architec-ture design. Meanwhile—given the absence of provably secure microprocessors—the authors of IEEE Micro’s “FinalFilter: Asserting Security Properties of a Processor
at Runtime” recommend using a dynamic, reconfigurable verifica-tion tool to catch security viola-tions not found using static verifi-cation methods.
Security is of paramount importance in today’s automated systems. The author of IEEE Secu-rity & Privacy’s “Cyberattack-Resilient Cyberphysical Systems” describes his team’s security approach for automated systems in cars, drones, and 3D printers. In IT Professional ’s “EDI with Block-chain as an Enabler for Extreme Automation,” the authors argue that blockchain technology can make electronic data interchange (EDI) systems—which automate healthcare supply-chain man-agement—more secure.
Blockchain technology can enable data security in various industries. Computer’s “Block-chain and Electronic Health-care Records” gives another
example of blockchain in health-care, explaining that the technol-ogy can help secure patient data. IT Professional ’s “Supply Chain Trust” shows how blockchain can help strengthen supply chains, which are increasingly subject to cyberattacks.
Finally, this ComputingEdgeissue features two articles from IEEE Software that examine dig-ital transformation. In “To Trans-form to Have Agility, Don’t Do a Capital A, Capital T Agile Trans-formation,” the author shares advice for digitally transform-ing large, established organi-zations: articulate reasons for change, focus on outcomes, pri-oritize technical excellence, and more. “Enterprise Architecture” presents insights about a digi-tal transformation process that allows companies to assess their IT systems and identify needed changes.
8 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
EDITORS: Mohamed Kaâniche, [email protected] Richard Kuhn, [email protected]
DEPARTMENT: RESILIENT SECURITY
Trusted Execution Environments: Properties, Applications, and ChallengesPatrick Jauernig, Ahmad-Reza Sadeghi, Emmanuel Stapf, TU Darmstadt
Software attacks on modern computer sys-tems have been a persisting challenge for several decades, leading to a continuous arms
race between attacks and defenses. As a first line of defense, operating system kernels enforce process isolation to limit potential attacks to only the code containing the vulnerabilities. However, vulnerabili-ties in the kernel itself (for example, various vulner-abilities found by Google Project Zero), side-channel attacks,1 or even physical attacks2 can be used to undermine process isolation.
To provide strong isolation between untrusted software components, including the operating sys-tems itself, a number of hardware-assisted security solutions have been proposed that aim to significantly increase the protection level that defenses against software exploitation have failed to provide. Promi-nent examples are trusted platform modules (TPMs), hardware security modules (HSMs), secure elements (SEs), and trusted execution environments (TEEs).
TPMs are dedicated, secure cryptoprocessors tied to the individual device, offering services like key generation, encryption, or authenticated integrity measurements called attestation. Yet, they do not offer isolation for sensitive applications. In contrast, HSMs also allow the running of sensitive code and are not bound to a device because they are typically implemented as plug-in cards (like peripheral com-ponent interconnect cards) or attachable external devices. SEs instead implement the HSM functional-ity as a coprocessor directly on the board, which offers only low performance due to size and energy
constraints. Moreover, third-party development on SEs is heavily restricted by manufacturers. An alterna-tive to these solutions is TEEs, which are commonly integrated tightly into the system on chip (SoC) and leverage existing SoC resources, enabling them to provide cryptographic primitives and isolated execu-tion with much higher flexibility than that provided by any other solution. Thus, industry is pushing TEEs on all fronts, from cloud servers and desktop computers over smartphones to low-energy embedded devices.
However, after years of hardware security re search, we can conclude that existing solutions are still insufficient: Deployed hardware solutions like TPMs or TEEs, are not used widely or have been attacked through various side-channels or through recently emerging cross-layer attacks that exploit hardware vulnerabilities from software, as demon-strated by attacks like CLKScrew or Foreshadow. The Hack@DAC hardware security contest3 revealed a systematic protection gap in current chip designs: Existing verification approaches may fail to detect certain classes of vulnerabilities in the Register Trans-fer Level (RTL) of hardware description code.
A promising recent approach is to manage hard-ware via a small software trusted computer base (TCB) to create strongly isolated unprivileged TEEs, (e.g., by building user-space enclaves for mobile devices based on ARM TrustZone4), or to leverage a completely open source design (for example, for the RISC-V platform5).
In this article, we review selected existing indus-trial and promising academic TEE solutions and briefly discuss the impact of deployed solutions, their strengths and shortcomings, and new research direc-tions. The results of this survey are summarized in Table 1.
This article originally appeared in
vol. 18, no. 2, 2020
Digital Object Identifier 10.1109/MSEC.2019.2947124 Date of current version: 19 March 2020
www.computer.org/computingedge 9
RESILIENT SECURITY
TEES PROPOSED BY INDUSTRYThe high demand for hardware-assisted security architectures led to the development of TEE architec-tures across many platforms. In this section, we pres-ent a subset of these TEE architectures of major pro-cessor brands, namely, Intel, AMD, and ARM.
Intel SGX: Protecting Apps in User SpaceIntel introduced Software Guard Extensions (SGX)6 with their Skylake microarchitecture in 2015. From the adversary model perspective, any software, including the OS, (and even some hardware components) may be considered untrusted. Hence, SGX’s TCB only com-prises the CPU hardware and its microcode.
In SGX, instances of a TEE, called enclaves [as shown in Figure 1(a)], are used to execute sensitive program code in user space, isolated from a poten-tially malicious OS or hypervisor. Each enclave is bundled with a regular nonsensitive application (App) that invokes the enclave as a child process. During the enclave setup, the integrity of the enclave code is veri-fied (attested); i.e., an authenticated measurement, typically a binary hash, of the code loaded into the enclave is reported either locally or remotely. When an enclave is executed, it shares its virtual address space with its host process. The enclave memory management is entirely performed by the untrusted OS. Moreover, the OS provides exception handling and input–output services to the enclave. Hardware
Intel SGX AMD SEV ARM TrustZone Sanctum Sanctuary
Commercial/academic Commercial Commercial Commercial Academic Academic
Target devices Client PCs Servers Mobile devices Undefined Mobile devices
Trust anchor CPU hardwareand microcode
Platformsecurityprocessor
TZ hardware andARM trustedfirmware
CPU hardwareand securitymonitor
TZ hardware and ARMtrusted firmware
Cache side-channelprotection
No No No Yes Yes (for sanctuaryinstances)
Multiple securitydomains
Yes Yes No Yes Yes
Secure peripherals No No Yes No Yes
TABLE 1. A comparison of presented TEE architectures.
Memory Encryption Engine
A B
Memory
Enclave A
Operating System
App Enclave B
CPU SGX Micro Code
So�
war
eH
ardw
are
A B
Memory
Enclave A
Operating System
App Enclave B
CPU Sanctum PTW
So�
war
eH
ardw
are
Security Monitor
SM
Hypervisor
Secure Processor
A B
CPU
Memory
So�
war
eH
ardw
are
App
OperatingSystem
App App
OperatingSystem
App
VM A VM B
(a) (b) (c)
FIGURE 1. High-level architectural views. The (a) Intel SGX, (b) Sanctum, and (c) AMD SEV. PTW: page table walker; VM: virtual machine.
10 ComputingEdge August 2020
RESILIENT SECURITY
features protect the enclave code and data (e.g., its page tables) from an unauthorized access by the host process, the OS, or even the hypervisor.
SGX is implemented inside the CPU through micro-code and minimal hardware changes that are made at the page table walker (PTW). All enclave code or data leaving the CPU is encrypted, using a new hardware component called the Memory Encryption Engine (MEE) that allows SGX to protect enclaves from direct memory access (DMA) attacks from malicious periph-erals. The MEE is also used to persistently store the enclave states after their execution.
In the first and only commercially available version of SGX, software cache side-channel attacks are not considered in the adversary model. However, a broad spectrum of recent attacks showed that side-channel attacks are a much more crucial threat for SGX than expected.1,7
AMD SEV: Moving to the CloudIn 2017, AMD introduced its own TEE, Secure Encrypted Virtualization (SEV)8 [shown in Figure 1(c)], which fol-lows an entirely different approach than Intel SGX. Whereas SGX focuses on micro services (e.g., DRM, or cryptographic functionality), AMD designed a TEE for the cloud: It offers better performance for inten-sive workloads and is transparent to the software run-ning in an SEV-enabled virtual machine (VM)8. Thus, its adversary model is also centered around the cloud (i.e., after setting up a VM, its memory is isolated even from the hypervisor).
To isolate a VM, Secure Encrypted Virtualization (SEV) encrypts each VM transparently with an indi-vidually generated encryption key. Access to these keys is limited to hardware; thus, the hypervisor or any other software component outside the VM cannot interfere with the encryption. Although SGX enclaves’ isolation is enforced by the memory management unit, SEV leverages Secure Memory Encryption (SME) to encrypt VM memory to protect against physical adversaries and to protect against privileged software or other VMs. SME is a transparent hardware memory encryption feature that encrypts data before storing it in memory and decrypts the data before loading it to the cache. SME stores encryption keys in a dedicated platform security processor based on the ARM archi-tecture, and only allows operations on memory that
has the matching tag to a key. This tag is automatically assigned to all memory that belongs to a VM (using the VM ASID identifier); thus, external accesses (for example, by the hypervisor) will see only encrypted data. A bit flag set indicates that a page should be encrypted; hence, VMs can also have unencrypted pages for shared memory.
Later, SEV-ES (Encrypted State) is introduced to add protection for CPU register contents which pre-vents information leakage to the hypervisor when a VM is suspended. As in SGX, cache side-channels are not considered in the adversary model of AMD SEV. Recently, security researchers from Google found a vulnerability in SEV’s elliptic-curve implementation, allowing them to recover the private key that is used to derive individual VM keys, effectively breaking the encryption. This issue has been fixed by a firmware update.9
ARM TrustZone: Protecting Mobile DevicesProtection of sensitive program code on mobile devices is also of vital importance and will be even more vital due to emerging use cases like mobile ID or the digital car key. Since 2004, ARM TrustZone10 has provided the hardware primitives to implement TEE security architectures on mobile devices. In Figure 2(a), the typical design of a security architecture that uses TrustZone is shown.
TrustZone assumes a strong software attacker able to compromise the untrusted commodity operat-ing system running regular apps. However, physical attackers are out of scope. TrustZone separates the system into two worlds: the normal world, containing the untrusted commodity OS and all nonsensitive applications, and the so-called secure world. The secure world comprises the sensitive applications [Trusted Apps (TAs)] and the Trusted OS (TOS). TAs can come either standalone or bundled with a nonsensitive application running in normal world, whereas the TOS provides usual process isolation and system services to the TAs. The secure world represents the single TEE of the system, unlike Intel SGX or AMD SEV, which can all provide multiple separated TEE instances. By including device drivers into the TOS, TrustZone can establish secure communication channels from peripherals (e.g., fingerprint sensors) to sensitive
www.computer.org/computingedge 11
RESILIENT SECURITY
applications. TrustZone even allows secure DMA by temporarily assigning memory regions exclusively to one or multiple SoC components (for example, the CPU, GPU, or LCD controller).
TrustZone’s core idea, the world switch, is imple-mented in the most privileged software component, called Trusted Firmware (TF), which also handles the communication between both worlds. The TF repre-sents the software TCB of the system together with all code running in the secure world. The separation between the normal and the secure world is achieved in hardware by a set of security enhancements of the CPU, the system bus, and additional components on the SoC such as the memory controller.
TrustZone does not provide cache partitioning and, therefore, cannot protect against cache side-channel attacks in general. Yet, the main weakness of clas-sic TrustZone-based security architectures is their single-TEE nature. As a result, trust relationships have to be established between the device vendor and every developer. Establishing this trust generates high costs for security assessments and management overhead, which restrains development of new secure mobile services.
TEES PROPOSED BY ACADEMIALimitations of existing TEEs motivated academic developers to propose their own hardware-assisted security architectures. In this section, we pres-ent Sanctum and Sanctuary which, on an abstract level, aim to improve Intel SGX and ARM TrustZone, respectively.
SANCTUM: EXTENDING ENCLAVE PROTECTION
The Sanctum security architecture was proposed in 2016 by Costan et al.4 for the open RISC-V architec-ture [shown in Figure 1(b)]. Sanctum resembles Intel SGX regarding its adversary model and high-level con-cept of user-space enclaves (or TEE instances) but pro-vides resilience to cache side-channel attacks. Like SGX, a Sanctum enclave comes bundled with a non-sensitive host application that invokes the enclave. The untrusted OS still provides exception handling and input–output services to the enclaves. However, in Sanctum, each enclave manages its own page tables.
In contrast to SGX, the enclave setup and other security critical functionalities are not implemented in microcode but in a software component called the Security Monitor (SM), which represents the software TCB of the system. The SM runs in the most privileged software level of a RISC-V processor, known as the machine level, and enables the enclave integrity verification locally or remotely before the enclave is executed. Sanctum enforces the isolation of the enclave code and data by introducing small hard-ware changes at the PTW of the CPU. The hardware changes guarantee on one hand that the OS cannot access enclave memory and, on the other hand, that an enclave cannot access the OS memory by chang-ing its page tables. The circuitry added around the PTW prevents a successful address translation of virtual memory addresses that would map to physical memory addresses that the current execution context is not allowed to access. The protection from cache
App
OperatingSystem
Bus and Memory Controller
Normal Secure Normal
Normal World
App
Trusted Firmware
Secure World
CPU Cores
TA
Trusted OS
TA
Memory
So�
war
eH
ardw
are
So�
war
eH
ardw
are
App
OperatingSystem
Bus and Memory Controller
Normal Secure Normal
Normal World
App
Trusted Firmware
Secure World
CPU Core s
SecurityPrimitives
Memory
SanctuaryLibrary
Sensitive App
Single Core
Sanctuary
Sanctuary
(a) (b)
FIGURE 2. High-level architectural views. (a) The ARM TrustZone and (b) the Sanctuary.
12 ComputingEdge August 2020
RESILIENT SECURITY
side-channel attacks is achieved with cache partition-ing, which is implemented through memory page col-oring. Cache partitioning allows assignment of cache lines of the last-level cache, which is shared between cores, exclusively to single enclaves.
In contrast to SGX, Sanctum does not encrypt the enclave code and data in the main memory. However, Sanctum provides a basic DMA attack protection by making small changes to the memory controller that allow Sanctum to restrict DMA to a certain region of the memory.
SANCTUARY: PROVIDING MULTIDOMAIN SECURITY
The limitations of TrustZone inspired the TEE archi-tecture Sanctuary, which was proposed by Brasser et al. in 2019.3 In contrast to currently deployed TrustZone-based security architectures, Sanctuary, which is shown in Figure 2(b), provides an arbitrary number of TEEs (or enclaves) on ARM-based devices. Moreover, Sanctuary tolerates malicious code in the TEEs, as well as cache side-channel attacks.
Sanctuary relies on TrustZone and, therefore, inherits many of its security features, such as world separation, secure boot, DMA access control, or secure communication to peripherals. In contrast to TrustZone, Sanctuary removes sensitive third-party applications from the secure world, which contains only security primitives provided by the device vendor. Instead, single sensitive apps are temporarily isolated on physical cores in a Sanctuary Instance. The remain-ing CPU cores execute the normal world and secure world code. Thus, no trust relationship has to be estab-lished between the device vendor and the sensitive app developer, which enables an open use of TrustZone. The isolated sensitive apps can communicate with the untrusted OS in the normal world and with the security primitives in the secure world. The communication is facilitated by a software component, called Sanctuary Library (SL), which provides OS services to the SA. The TF and secure world code represent the software TCB of the system. However, in Sanctuary, no third-party code is included in the TCB. The SL, which is also pro-vided by the device vendor, is not part of the system TCB because it is running in the normal world.
The isolation of the physical CPU cores is enforced using a security feature of the TrustZone-enabled
memory controller provided by ARM. In Sanctuary, this feature is exploited to temporarily assign memory regions exclusively to physical CPU cores when they are selected to execute a sensitive app. The configura-tion of the memory controller, as well as the setup of the enclaves, is performed and verified by the security primitives in the secure world.
Sanctuary cannot provide hardware cache par-titioning. However, software cache side-channel attacks on sensitive apps are prevented by flushing the core-exclusive caches when setting up an enclave and by excluding its code and data from the shared last-level cache.
One of the biggest challenges of existing TEE architectures is the threat of microarchitectural
attacks. The most prominent attacks in recent years were cache side-channel attacks (see Brasser et al.1) and transient execution attacks like Spectre and Melt-down.7 Most known microarchitectural attacks involve resources that are shared on the system and responsible for optimizing the performance of the system (for exam-ple, the data caches1 or the Branch Target Buffer).7
A modern TEE architecture must provide strong isolation among different security domains. However, preventing the sharing of resources might lead to a drastic decrease in system performance, which would make a TEE architecture impractical. At the same time, increasing the number of resources and partitioning them between the security domains might lead to a high hardware overhead. Therefore, designers of TEE architectures need to find a valuable tradeoff between domain isolation and resource sharing.
Moreover, designers must keep in mind that the known microarchitectural attacks might not be the end of the story. Cross-layer attacks based on hard-ware bugs can be diverse, as shown at the hardware security contests Hack@DAC in 2018 and 2019.3
REFERENCES1. F. Brasser, U. Muller, A. Dmitrienko, K. Kostiainen, S.
Capkun, and A. Sadeghi, “Software Grand Exposure: SGX cache attacks are practical,” in Proc. 11th USENIX Workshop Offensive Technologies, Vancouver, British Columbia, 2017. [Online]. Available: https://www .usenix.org/conference/woot17/workshop-program /presentation/brasser
www.computer.org/computingedge 13
RESILIENT SECURITY
2. “Fault attacks on secure chips: From glitch to flash,” in Proc. Design and Security of Cryptographic Algorithms and Devices (ECRYPT II), Albena, Bulgaria, May 29–June 3, 2011. [Online]. Available: https://studylib.net/doc /18400951/fault-attacks-on-secure-chips–from-glitch -to-flash
3. G. Dessouky, et al., “Hardfails: Insights into software- exploitable hardware bugs,” in Proc. 28th USENIX Secu-rity Symp., Santa Clara, CA, 2019. [Online]. Available: https://www.usenix.org/conference/usenixsecurity19 /presentation/dessouky
4. F. Brasser, D. Gens, P. Jauernig, A. Sadeghi, and E. Stapf, “Sanctuary: Arming TrustZone with user-space enclaves,” in Network and Distributed System Security Symp., San Diego, CA, 2019. doi: 10.14722/ndss.2019.23448.
5. V. Costan, I. A. Lebedev, and S. Devadas, “Sanctum: Minimal hardware extensions for strong software isolation,” in Proc. 25th USENIX Security Symp., Austin, TX, 2016, pp. 213–230.
6. Intel. “Intel® Software Guard Extensions programming reference,” 2014. Accessed on: Aug. 9, 2019. [Online]. Available: https://software.intel.com/sites/default /files/managed/48/88/329298-002.pdf
7. C. Canella, J. V. et al., “A systematic evaluation of
transient execution attacks and defenses,” in Proc. 28th USENIX Security Symp., Santa Clara, CA, 2019, pp. 249–266.
8. S. Mofrad, F. Zhang, S. Lu, and W. Shi, “A comparison study of Intel SGX and AMD Memory Encryption technology,” in Proc. 7th Int. Workshop Hardware and Architectural Support Security and Privacy, New York, 2018.
9. Seclists.org, CVE-2019-9836, Accessed on: Aug. 8, 2019. [Online]. Available: https://seclists.org/fulldisclosure /2019/Jun/46, 2019.
10. ARM Limited. “Security technology: Building a secure system using TrustZone® technology,” 2008. [Online]. Available: http://infocenter.arm.com/help/index .jsp?topic=/com.arm.doc.prd29-genc-009492c/index .html
PATRICK JAUERNIG is a researcher with TU Darmstadt. Con-tact him at [email protected].
AHMAD-REZA SADEGHI is a professor with TU Darmstadt. Contact him at [email protected].
EMMANUEL STAPF is a researcher with TU Darmstadt. Con-tact him at [email protected].
Write for the IEEE Computer Society’s authoritative computing publications and conferences.
IEEE COMPUTER SOCIETY
Call for Papers
GET PUBLISHEDwww.computer.org/cfp
14 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
DEPARTMENT: EXPERT OPINION
FinalFilter: Asserting Security Properties of a Processor at RuntimeCynthia Sturton, University of North Carolina at Chapel Hill
Matthew Hicks, Virginia Tech
Samuel T. King, University of California, Davis
Jonathan M. Smith, University of Pennsylvania and DARPA
In an ideal world, it would be possible to build a provably correct and secure processor. However, the complexity of today's processors puts this
ideal out of reach. The complete verification of a mod-ern processor remains intractable. Statically verifying even a simple security property—for example, “hard-ware privilege escalation never occurs”—remains beyond the state of the art in formal verification.
Testing can complement formal verification meth-ods, yet testing is incomplete and bugs in the hardware that leave it vulnerable continue to elude test suites. Further, a crafty malicious actor can evade typical testing coverage metrics.
Recent efforts, including that of three of the authors, have explored the use of static analysis on the design files (e.g., hardware description level source code or gate-level netlists) to find suspicious circuitry.1–3 These techniques rely on heuristics to define patterns that indicate a likely trojan and then search for instances in the design that match the pat-tern. However, malicious circuitry that does not match the pattern will be missed, as will inadvertent bugs that open vulnerabilities. By the time the weakness is uncovered, the hardware is already in the end user's hands and vulnerable to attack.
In the absence of a full proof of correctness, what is needed is a final filter: a runtime verification tech-nique that works—postdeployment—to detect and respond to security property violations as they occur
during execution. In this article, we make the case for final filters using our tool, FinalFilter, as a case study.
FINALFILTERPrior research, including our own, has shown that assertions hard-coded into the design can be a cheap and effective way to verify the correctness of any sin-gle execution run.4,5 Assertions can cover properties that would be intractable to prove statically for the cur-rent state of the art. The downside is that, like all exe-cution monitors, this approach cannot prove that the property can never be violated, only that if such a viola-tion occurs the monitor will catch it. As such, a final fil-ter is a verification approach that is complementary to and should be used in conjunction with existing test-ing and static verification methods.
We extend the basic idea of an assertion-based execution monitor to make it configurable so that the set of properties being monitored can be updated postdeployment to reflect new information about exploitable vulnerabilities in the design. FinalFilter is a reconfigurable, run-time verification system that monitors the state and events of the processor for invalid updates to privileged registers.
The mechanism of a final filter is simple and pres-ents a small attack surface. Yet, making it configurable does add complexity. To minimize FinalFilter's cost to the system's trustworthiness, we formally verify the correctness properties of its component modules and of the composed system. Finally, we show how to verify key properties for individual configurations.
As a formally verified execution monitor, FinalFilter guarantees that any trace violating a given security
This article originally appeared in
vol. 39, no. 4, 2019
Digital Object Identifier 10.1109/MM.2019.2921509 Date of current version 23 July 2019.
www.computer.org/computingedge 15
EXPERT OPINION
property will be detected at the point of violation. This is indepen-dent of how the violation occurs or what the root cause is.
THREAT MODELThe trusted computing base for FinalFilter includes our specifi-cation and verification process and tools, the fabrication process and tools, and the filter's current configuration.
Lifecycle AssumptionsReferring to Figure 1, we assume we are the last ones to touch the pro-cessor design. We rely on orthogo-nal techniques to ensure that Final-Filter is not tampered with in the supply chain, which includes fabri-cation of the processor and shipping to the end user.
Architectural ScopeFinalFilter protects privileged instruction set architec-ture (ISA)-level registers. FinalFilter does not detect side-channel attacks as doing so requires knowledge of more than the current trace of execution. The focus of this paper is the integer core of the processor. Nota-bly, we assume the memory hierarchy is correct.
Attacker ModelThe attacker is free to take any action not precluded by our assumptions, either in hardware or in software. This includes an attacker capable of creating and exploiting a hardware defect. An example might be a defect that causes the processor to return from an exception without restoring the privilege level.
DESIGNFinalFilter enforces properties over privileged ISA state and events necessary for the security of soft-ware running on the processor. An example property that we will return to is, “the processor transitions from user mode to supervisor mode if, and only if, there is an interrupt or exception.” Any processor that correctly implements the specification must satisfy this property. Proving this property statically requires
a proof across all possible execution traces—cur-rently an intractable task. Yet, as an execution mon-itor, FinalFilter can verify the property for every trace that is executed. Monitoring is done by a set of hardware-based assertions over architecturally visi-ble states and events.
FinalFilter is designed to be used in conjunction with existing software-level recovery and repair tools. For example, BlueChip,1 a tool developed by three of the authors, can route execution around vulnerable circuitry. FinalFilter provides precise introspection points and can support a variety of repair and recovery approaches.
Three aspects of the design are worth noting.
1. FinalFilter is reconfigurable after deployment and can protect multiple security-critical properties concurrently.
2. FinalFilter's design is formally specified and its implementation proven correct.
3. Execution overhead is incurred only in the rare case that a processor violates one of the monitored security properties.
The key insight that allowed us to make the monitor both reconfigurable and able to handle multiple invari-ants concurrently is that many security properties can
FIGURE 1. Processor design flow with FinalFilter: (a) Hardware description language implementation of the instruction set specification. (b) Vulnerability is accidentally or maliciously opened in the processor. (c) FinalFilter is added to the design as the last action,6 with taps directly on the outputs of ISA state storing elements. (d) FinalFilter dynamically verifies the properties encoded by trusted software. FinalFilter triggers existing repair/recovery approaches in the event of an invariant violation. FinalFilter continues to protect the repair/recovery software.
16 ComputingEdge August 2020
EXPERT OPINION
be implemented as a Boolean combination of more simple assertions, and these simple component asser-tions are usually in one of only a few forms. Users can specify a number of simple component assertions and combine them into one or more complex assertions that monitor hardware state.
Running ExampleWe use security invariants (or just invariants) to describe properties of the ISA that must be true of a secure implementation—that if violated would open an exploitable vulnerability. Invariants are dynamically verified by one or more assertions over architecturally visible state.
Consider the following component of the privilege escalation property mentioned before:
I0 A change in processor mode from low priviledge to high priviledge is caused only by an exception or a reset.
Invariant I0 is a statement that the instruction set specification says must be true of the system at all points of execution. It can be written as a concrete assertion in terms of the ISA-level state in the follow-ing way:
A0 assert(risingEdge( ) ( [31 : 12] 0) risingEdge( ) ( [7 : 0] 0) risingEdge( ) ( 1))
where represents the supervisor mode bit of the processor's status register, and an exception is indicated by the next program counter NPCpointing to an exception vector start address. The address will always be of the form 0x00000X00, where the “X” indi-cates a don't-care value. (This might seem as if it leaves the door open for a processor attack that escalates privilege while executing at an address that matches the form 0x00000X00, but it does not. Pages in that address range have supervisor permissions set which implies that code executing in that address range is already in supervisor mode. If the processor attack attempts to allow user mode execution of supervisor mode pages, FinalFilter includes an invariant to detect such misbehavior.)
We break A0 into three component assertions.
Aa assert(risingEdge( ) ( [31 : 12] 0)) Ab assert(risingEdge( ) ( [7 : 0] 0)) Ac assert(risingEdge( ) ( 1))
Each of these individual assertions is evaluated at each step of execution, and the results are appropriately combined to form a statement that is equivalent to A0.
Invariant MonitorFinalFilter reads in ISA-level state and outputs a signal indicating whether any of the programmed invariants were violated. It works essentially as a programmable finite state machine. Configuration data programs the machine with which invariants to check and ISA-level state acts as the input to the machine. The number of invariants it can monitor concurrently depends on the complexity of the associated component assertions and the number of assertion blocks built into the monitor.
Using our running example, we now describe each module in the configurable monitor, shown in its configured state in Figure 2. In our system, we refer to Aa, Ab, and Ac as component assertions, and A0 as simply an assertion. The difference being that Anumber is the implementation of an invariant, a combination of component assertions, whereas Aletter represents a component assertion corresponding to one assertion block in the configurable monitor.
Routing. The Routing block is responsible for feed-ing the desired ISA-level state to the Logic blocks. The configuration data determines which state ele-ment gets routed to which Logic block. To accommo-date arbitrary outputs, each Routing block output is 32 bits wide, with zero padding as required. In our running example, is output to Logic blocks 0, 2, and 4,
is output to Logic blocks 1 and 3, and is out-put to Logic block 5, as shown in Figure 2.
Logic. Each Logic block implements a comparison operator. Given two inputs A and B, the configura-tion data can select one comparison operator from the set {=,≠,≤,<,≥,>}. Additionally, the configuration data can choose to mask off some portion of A or B, or both, or it can substitute a constant value for the value in B. Returning to our running example, Logic block 1 will evaluate and output the result. Logic block 3 will evaluate
www.computer.org/computingedge 17
EXPERT OPINION
and output the result and Logic block 5 will evaluate and output the result. Logic blocks 0, 2, and 4
will evaluate and output the result.
Assert. The Assert block implements component assertions of the form p q, possibly across several clock cycles (e.g., if p is true then three cycles later, q is true). If it is ever the case that p is true while q is false, the assertion is triggered and the output of the Assert block will be high. In our example, each of Aa, Ab, and Ac are implemented in their own Assert block. The consequent q is always a combinational prop-osition over ISA state at a single step of execution: it is stateless and is given by the current value sent by the Logic block. However, the antecedent p can be stateful, possibly depending on previous values sent from the Logic block. For example, the individ-ual assertions in our example all have the antecedent
. This proposition is true at time t if and only if is low at time t–1 and high at time t. The Logic block will output a signal that is high when-ever is high and the Assert block will determine when a rising edge of is seen. FinalFilter allows antecedents in one of three forms: p { , st–1 st, st–n}. In other words, p can be defined as True, in which case the assertion will trigger whenever q is false, or p can be defined to be the rising edge of some ISA state s, or p can be defined to be the value of ISA state s at time t–n, where n is also configurable.
The Assert block uses four of the industry standard Open Verification Library assertions:
› always(expression): expression must always be true,
› edge(type, trigger, expression): expression must be true when the trigger goes from 0 to 1 (type = positive),
› next(trigger, expression, cycles): expression must be true cycles clock ticks after trigger goes from 0 to 1,
› delta(signal, min, max): when signal changes value, the difference must be between min and max, inclusive.
Merge. The Merge block takes the outputs from the Assert blocks and combines them as prescribed by the configuration data. It can be viewed as a configurable
truth table. The inputs to the truth table are the Assert block outputs—the component assertions Aa, Ab, and Ac in our running example. The function defining how the component assertions combine (i.e., the out function) is configurable at run time. The truth table is implemented as a hierarchy of look-up tables. For example, with 16 Assert blocks, rather than a single lookup table with 216 rows, the monitor would have four lookup tables with six inputs (26 rows) each. The outputs of the three first-level lookup tables make up the input to a second-level lookup table, the output of which is the output of the Merge block.
We can now complete our running example. Let erra be the output of the Assert block for Aa, and let errb and errc be the output of the Assert blocks for Ab and Ac, respectively. Remembering that the output of each Assert block will be high when the assert triggers, i.e., when the invariant is violated, we combine the results of the component assertions in the following way:
err0=(erra|errb)& errc.
FIGURE 2. FinalFilter configured with assertion A0. Starting from the top of the figure, the components are: ISA-level state, Routing block, Logic blocks, Assert blocks, and Merge block. The Routing block sends ISA-level state elements to the Logic blocks; the Logic blocks condense multibit state and constant inputs down to a single bit output that is sent to the Assert block; the Assert block compares the previous value of its inputs to the current value, outputing the result as a one bit value to the Merge block; the Merge block combines the Assertion block results to form a higher level result that indicates if the programmed invariants still hold; this result is tied to the processor’s exception generation logic.
18 ComputingEdge August 2020
EXPERT OPINION
As desired, err0 will be high whenever A0 is false, i.e., whenever the A0 assertion is triggered.
Configuration Data. The configuration data are pro-vided by trusted software (e.g., the system BIOS) at ini-tialization (originally, we imagine configuration coming from processor or motherboard manufacturers). It is the mechanism by which FinalFilter is configured, and portions of the configuration data are fed into each block at the appropriate stage.
VERIFICATIONWe used the commercial model checking tool Cadence SMV for the verification of the configurable assertion fabric. For each component of FinalFilter shown in Fig-ure 2, we formally specified its behavior and verified that the implementation meets the specification.
In most cases, formally specifying a component's behavior involved little more than extracting the infor-mation from the design documents. However, in two cases, the process of formalizing the specification brought out ambiguities in the design, and it was neces-sary to revisit the design phase of the process. During the course of verification, we found one implementation error: a logical and was used where an or was needed.
Ultimately, the monitor's behavior is determined by the configuration data, and it is up to the proces-sor or motherboard manufacturer to provide a correct configuration. A misconfigured fabric could fail to provide the intended protections. We guard against misconfigurations in three ways.
First, we protect against invalid configurations that would result in unpredictable results. Built in to the design of each block is a check that the incoming configuration data are well formed. We verify that if any of the individual components report an invalid configuration, then FinalFilter will not fire any asser-tion failures. This behavior represents a tradeoff in the design space. On the one hand, an accidentally miscon-figured fabric, which will never trigger an assertion, is not protecting the user. On the other hand, never firing in the presence of misconfigured data has the benefit of being a stable behavior— it is what exists today. An alternative is to always fire when the fabric is miscon-figured, but this would give an attacker an avenue for launching a denial-of-service attack making FinalFilter a new avenue of attack, something we wish to avoid.
Second, we built a software tool to generate the configuration data from higher level assertion state-ments. Although only prototypical, we hope that fur-ther developing this tool will make generating correct configuration data relatively easy for the user.
Third, we built a validation tool to prove properties about individual configurations. We prove the follow-ing sanity checks on the configuration data:•
› There are assertions configured. › None of the assertions are unsatisfiable (e.g.,
the following does not occur { q q}). › The configured assertions, as a whole, are
satisfiable (e.g., the following does not occur {p q; p q}).
› Assertions are not trivially violated (e.g., the following does not occur {p p}).
If any of these checks fail, a misconfiguration error is reported along with information about the offending assertion(s). The user can run this tool before loading the configuration data into FinalFilter. We used the z3 SMT solver as the back end to this tool.
We note that while we formally verify the functional correctness of each module in the filter, we manually audit the connection between modules. That is, we manually check that every module's output signals are appropriately tied to the next module's input signals. There is no logic involved in the composition and our naming convention made the checks straightforward. Our end-to-end verification of the invalid configura-tion signals, mentioned above, does not rely on this manual audit.
EVALUATIONTo evaluate the performance and efficacy of Final-Filter, we implement it inside the OR1200 Processor. The OR1200 is an open source, 32-bit RISC processor with a five-stage pipeline, separate data and instruc-tion caches, and MMU support for virtual memory. It is popular as a research prototype and has been used in industry as well7; it is representative of what you would see in a mid-range phone today.
We wrote a program that automatically generates the FinalFilter hardware for a given number of Assert blocks to support. Generating the hardware program-matically makes it easy to explore the effect of tuning
www.computer.org/computingedge 19
EXPERT OPINION
different parameters, and creates a regular naming and connection pattern that allows us to verify the structural connections of arbitrary filters using an induction type approach.
For a complete system capable of booting Linux, we implemented the processor and filter combination as the heart of a system-on-chip that includes DD2 memory, an Ethernet controller, and a UART controller. We implemented the system-on-chip on the FPGA that comes with the Xilinx XUP-V5 development board. We conservatively clock the system at 50 MHz.
Hardware Area OverheadFigure 3 shows how the hardware area overhead changes as the number of assertions supported by FinalFilter increases. We built filters with support for as little as 1 assertion to as many as 17 assertions (the number required to protect all AMD processors we analyzed in our previous study on security-critical pro-cessor bugs5).
The figure contains data at four points in the fabric design space:
1. None. No optimization, this favors expressibility over overhead.
2. One State. This optimization uses Logic blocks with only one state input. Logic blocks were the biggest contributor to the area of the fabric and 83% of our security-critical invariants used only one input to the Logic block. This also reduces the number of required Routing blocks by 50%.
3. Top six. This optimization replaces the Routing blocks with new Routing blocks capable of handling the six most frequently used state elements. We observe that 76% of invariants require the same six ISA-level state items.
4. Both. This includes the two previous optimizations.
USING FINALFILTERUsing FinalFilter requires having a meaningful set of properties to monitor. In prior work, we took a manual approach to develop a set of security critical proper-ties.5 We studied errata documents to learn what types of exploitable errors can occur and we studied the architecture's specification documents to develop a set of properties necessary—though not sufficient—to
protect security critical state of the processor.In subsequent work, one of the authors has devel-
oped a semiautomated method for learning new secu-rity properties using information gleaned from known exploitable bugs8; and demonstrated that properties developed for one RISC processor may be suitable for use, after some translation, on a second RISC proces-sor, even across architectures.9 However, the develop-ment of security-critical properties for use with Final-Filter or any property-based verification method is still in its infancy and more research is needed.
Case StudyWe configured FinalFilter with 18 assertions we found to be critical to security in our prior work.5 We then introduced into the processor 14 vulnerabilities from a mix of previously published hardware attacks and attacks based on exploitable vulnerabilities from sev-eral years of AMD processor errata. For each one, we wrote a user-space program that exploits the vulnera-bility and reports if the attack was successful. FinalFil-ter is expressive enough to implement all 18 invariants, and the configured filter detects all of the attacks.
FIGURE 3. Hardware overhead with respect to the number of assertions supported by the configurable assertion fabric, evaluated at four optimization levels. The range in the number of assertions represents the range in protection required by the processors in our analyzed set from AMD. The vertical line represents the average number of assertions required to protect the processors in our analyzed set. As a reference point, previous work on deployed-bug patching entails hard-ware overheads of up to 200% and run time overheads of up to 100% in the common case.
20 ComputingEdge August 2020
EXPERT OPINION
PRIOR WORK IN DYNAMIC VERIFICATION
FinalFilter builds on a line of research that uses dynamic verification to catch and patch functional bugs postdeployment. For example, DIVA10 is a sim-plified checker core that verifies the computation results of the full-featured core before the processor commits the results to the ISA level. Narayanasamy et al.11 use instruction rewriting routines to avoid trigger-ing a bug that is found postdeployment.
In this article, we have not addressed the problem of measuring coverage. Boulé et al. 12 add circuitry to assertions to track and measure coverage. The ques-tion of what is a meaningful coverage metric for a set of security properties is an open one, but it is critical: such a measure can give an indication of the number of “unknown unknowns” that remain unprotected.
CONCLUSIONDesign-time verification alone is insufficient; some exploitable vulnerabilities will make it through. Final-Filter, a last line of defense—one that can be formally verified—protects security critical properties of the processor core. We believe the idea is broadly appli-cable and in future work will be exploring the use of a final filter for commercial architectures and for mod-ules outside the processor core.
ACKNOWLEDGMENTThe authors would like to thank the editors for their insightful comments and suggestions, and S. Bellovin for his advice and the phrase “final filter.”
REFERENCES1. M. Hicks, M. Finnicum, S. T. King, M. M. K. Martin, and J.
M. Smith, “Overcoming an untrusted computing base: Detecting and removing malicious hardware automati-cally,” in Proc. IEEE Secur. Privacy, 2010, pp. 159–172.
2. J. Zhang, F. Yuan, L. Wei, Z. Sun, and Q. Xu, “VeriTrust: Verification for hardware trust,” in Proc. ACM Des. Autom. Conf., 2013, pp. 61:1–61:8.
3. A. Waksman, M. Suozzo, and S. Sethumadhavan, “FANCI: Identification of stealthy malicious logic using boolean functional analysis,” in Proc. ACM Conf. Comput. Commun. Secur., 2013, pp. 697–708.
4. M. Bilzor, C. Irvine, T. Huffmire, and T. Levin, “Security checkers: Detecting processor malicious inclusions at runtime,” in Proc. IEEE Hardware Oriented Secur. Trust, 2011, pp. 34–39.
5. M. Hicks, C. Sturton, S. T. King, and J. M. Smith, “SPECS: A lightweight runtime mechanism for protecting software from security-critical processor bugs,” in Proc. ACM Conf. Architectural Support Program. Lang. Oper. Syst., 2015, pp. 517–529.
6. A. Waksman and S. Sethumadhavan, “Silencing hard-ware backdoors,” in Proc. IEEE Symp. Secur. Privacy, 2011, pp. 49–63.
7. R. Rubenstein, “Open Source MCU core steps in to power third generation chip,” Jan. 2014. [Online]. Avail-able: http://www.newelectronics.co.uk/electronics -technology/open-source-mcu- core-steps-in-to -power-third-generation-chip/59110/
8. R. Zhang, N. Stanley, C. Griggs, A. Chi, and C. Sturton, “Identifying security critical properties for the dynamic verification of a processor,” in Proc. ACM Conf. Architec-tural Support Programming Lang. Operating Syst., 2017, pp. 541–554.
9. R. Zhang, C. Deutschbein, P. Huang, and C. Sturton, “End-to-end automated exploit generation for diag-nosing processor designs,” in Proc. IEEE/ACM Symp. Microarchit., 2018, pp. 815–827.
10. T. M. Austin, “DIVA: a reliable substrate for deep sub-micron microarchitecture design,” in Proc. ACM/IEEE MICRO, Haifa, Israel, Nov. 1999, pp. 196–207. [Online]. Available: http://www.eecs.umich.edu/ taustin/papers/MICRO32-diva.pdf
11. S. Narayanasamy, B. Carneal, and B. Calder, “Patching processor design errors,” in Proc. IEEE Int. Conf. Comput. Des., Oct. 2006, pp. 491–498. [Online]. Available: http: //cseweb.ucsd.edu/ calder/papers/ICCD-06-HWPatch.pdf
12. M. Boule, J. Chenard, and Z. Zilic, “Adding debug enhancements to assertion checkers for hardware
DESIGN-TIME VERIFICATION ALONE IS INSUFFICIENT; SOME EXPLOITABLE VULNERABILITIES WILL MAKE IT THROUGH. FINALFILTER, A LAST LINE OF DEFENSE—ONE THAT CAN BE FORMALLY VERIFIED—PROTECTS SECURITY CRITICAL PROPERTIES OF THE PROCESSOR CORE.
www.computer.org/computingedge 21
EXPERT OPINION
emulation and silicon debug,” in Proc. Int. Conf. Comput. Des., 2006, pp. 294–299.
CYNTHIA STURTON is an assistant professor and Peter Thacher Grauer Fellow at the University of North Carolina at Chapel Hill. She leads the Hardware Security @ UNC research group to investigate the use of static and dynamic analysis techniques to protect against vulnerable hardware designs. Her research is funded by several National Science Founda-tion awards, the Semiconductor Research Corporation, Intel, a Junior Faculty Development Award from the University of North Carolina, and a Google Faculty Research Award. She was recently awarded the Computer Science Departmental Teaching Award at the University of North Carolina. She has a BSE from Arizona State University and an MS and a PhD from the University of California, Berkeley. Contact her at [email protected].
MATTHEW HICKS is an assistant professor at Virginia Tech, working at the intersection of security, architecture, and embedded systems, with special emphasis on analog-domain hardware security. Contact him at [email protected].
SAMUEL T. KING was a professor for eight years at the University Illinois Urbana-Champaign. He then left his tenured position at UIUC to push himself intellectually and professionally in industry. He is currently with the Computer Science Department at the University of California Davis. He is interested in building systems for fighting fraud and rethinking our notion of digital identity. He has a PhD from the University of Michigan, an MS from Stanford University, and a BS from UCLA. Contact him at [email protected].
JONATHAN M. SMITH is currently a program manager in the Information Innovation Office (I2O) at the Defense Advanced Projects Research Agency (DARPA) on leave from the Univer-sity of Pennsylvania, where he holds the Olga and Alberico Pompa Professorship of Engineering and Applied Science and is a professor of computer and information science. He was previously a Member of Technical Staff at Bell Telephone Lab-oratories and Bell Communications Research, joining Penn in 1989 after receiving his PhD from Columbia University. He pre-viously served as a Program Manager at DARPA in 2004–2006, and was awarded the Office of the Secretary of Defense Medal for Exceptional Public Service in 2006. He became an IEEE Fellow in 2001. Contact him at [email protected].
From the analytical engine to the supercomputer, from Pascal to von Neumann, from punched cards to CD-ROMs—IEEE Annals of the History of Computing covers the breadth of computer history. � e quarterly publication is an active center for the collection and dissemination of information on historical projects and organizations, oral history activities, and international conferences.
www.computer.org/annals
22 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
EDITORS: Mohamed Kaâniche, [email protected] Richard Kuhn, [email protected]
DEPARTMENT: RESILIENT SECURITY
Cyberattack-Resilient Cyberphysical SystemsBarry M. Horowitz, University of Virginia
A great deal of attention is currently being placed on the development of advanced auto-mation for physical systems, including a wide
array of applications such as automobiles, unmanned air vehicles (UAVs), the Internet of Things, and 3D printers. These automation opportunities introduce cyberattack risks that can lead to loss of human life or serious injury. The cyberattack risks related to physical systems first received national attention in 2011 due to the Stuxnet cyberattack, which disrupted industrial Iranian centrifuges employed in nuclear reactors.1
General recognition of the continuously grow-ing cyberattack risk situations has led a University of Virginia (UVA) research team to conduct studies that address providing cyberattack-resilient designs for cyberphysical systems that can complement solutions that seek to provide defense against cyberattacks. Since 2011, the UVA team, under my direction, has been engaging in research efforts exploring 1) system architectures for achieving resilience, 2) system meth-odologies and analysis tools for prioritizing resilience solutions, and 3) the roles and procedures for engag-ing operators in the real-time management of system reconfigurations that provide resilience. The methods have been demonstrated to be effective across a broad range of applications, including UAVs, automobiles, 3D printers, and others. This article describes this com-prehensive approach to resilience in cyberphysical systems and research advances on the horizon.
DEFINING RESILIENCESystem engineers have been designing resilient elec-tronic systems for many years (e.g., air traffic control
systems and military nuclear weapon command con-trol systems), employing what is referred to as diverse redundancy to permit dynamic reconfigurations of an abnormally behaving system. Diverse redundancy is a system design methodology that employs alter-nate methods for reconfiguring and operating a sys-tem under circumstances where the normal modes of operation become inoperable. In 2009, Riegar et al.2 defined resiliency as the capacity of a system to maintain state awareness and to proactively main-tain a safe level of operational normalcy in response to anomalies, including threats of a malicious and unex-pected nature.
To provide cyber resiliency, a system must be designed to include a monitoring process related to cyberattacks and alternate diverse sets of hardware and software that, when called upon, would permit continued operation of the system. For the research efforts reported on in this article, a system architec-ture that includes the required anticipatory processes for monitoring and reconfiguration control is provided by a subsystem referred to as a sentinel, which, to be viable for its role, should be designed to be far more secure than the system being addressed for resil-iency.3 While the sentinel-based cyberattack detec-tion process is expected to be automated, the level of reconfiguration automation may vary across system functions:
› Totally automated: Sentinel determines what to do and informs appropriately trained system operators regarding automated execution.
› Semiautomated: System operators receive automated recommendation(s) from the senti-nel and, accounting for both situation context and a broader set of information available to them, decide on what to do.
This article originally appeared in
vol. 18, no. 1, 2020
Digital Object Identifier 10.1109/MSEC.2019.2947123 Date of current version: 23 January 2020
www.computer.org/computingedge 23
RESILIENT SECURITY
› Manual: Operators, or higher levels in the system control hierarchy, determine what to do.
In addition, resilience includes containing the immediate consequences of the detected attack and postattack forensic support based upon the data collected for addressing anomalies. Figure 1 provides a representation of a sentinel-based system architecture for providing cyberattack resilience. The employed system architectural approach is referred to as system-aware cybersecurity because attack detec-tion methods are based upon discovery of system operational symptoms that would likely result from successful cyberattacks.
Figure 2 provides a more detailed representation of sentinel functions. As illustrated in the figure, the sentinel is connected to system interfaces from which it receives the data to support its monitoring function. The design of the communication interfaces depends upon a variety of factors, ranging from wired to wire-less communications with a selection of protocols that depend upon the data to be sent and the formats and protocols of the functional subsystems to be mon-itored. The sentinel must then condition the diverse sets of collected data so that they can be integrated and analyzed. This includes setting of appropriate data rates, data formats, and communication protocols for use within the sentinel.
Once the data to be analyzed for resilience pur-poses are ready for use, the sentinel performs the
specific analyses required for detection of a cyberat-tack and determination of the location within the protected system that is under attack. When an attack is detected, the sentinel must prepare messages for the system users containing information regarding the detected attack and the steps required to reconfigure the system for continued operation. These messages must then be assembled for communication and computer control of the subsystems involved in the resilience-related reconfiguration solution.
In addition, the sentinel must prepare and dissemi-nate its results for users engaged in more strategic roles (e.g., machine-learning purposes, forensics, etc.) related to managing resilience. There are a wide variety of possibilities for the hardware/software design of sentinels that are dependent on the system
InternalControls
Reconfiguration Controls
Most Highly Secured
SentinelProviding
System-AwareSecurity
InternalMeasurements
System to BeProtected+ Diverse
Redundance
Outputs
FIGURE 1. The architecture of sentinel-based cyberattack resilience.
System to Be ProtectedSentinel Providing
System-Aware Security
System ControlInformation
Sensors
Mass Storage
DataConditioning
DataIntegration
DataAnalysis
DecisionMaking
SystemsCommunication
Channels
Reconfigurable DiverseRedundant Components
SecurityCommunication
Channels
Actions• Forward Data• Isolate Threat• Restore System
FIGURE 2. The sentinel data flow.
24 ComputingEdge August 2020
RESILIENT SECURITY
being supported. For example, implementation can be through a single computing node or through a highly distributed set of nodes, and selection of the design should be highly dependent on the methods of security that can be applied for protection of the sentinel (see the “Cyberattack Protection of the Sentinel” section).
The anticipated value of employing this type of resilience solution is that it requires the cyberattacker both to understand how the system to be attacked is designed and to develop and employ multiple attacks on diversely redundant subsystems to sufficiently disrupt the targeted system. This, in turn, should impact the cost, time, technical complexity, and risk for creating the desired cyberattacks, with the objec-tive of deterring attackers from going ahead with their desire to be disruptive. Of course, the resilience solu-tion must be sufficiently low cost, timely, low risk, and effective to make it an attractive option.
DETECTING SUCCESSFUL CYBERATTACKS
In this section, I describe mechanisms for cyberattack detection by a sentinel subsystem. To provide quality and cost advantages, the suggested system-aware design approach includes reusable design patterns for detecting successful cyberattacks. Example attack detection design patterns include:
1. discovery of data inconsistencies within the system with no other explainable cause (e.g.,
operator system control inputs are different from the inputs received by the related con-trolled subsystems, diverse sensors provide inconsistent measurements)
2. detection of changes of system operational parameters without authorized and operation-ally correct procedures, resulting in significant performance consequences (e.g., changes to navigation waypoints in a UAV resulting in modification of a UAV’s route, changes to the detection threshold values in a radar system resulting in modification of false alarm/missed detection rates for that radar system, changes in the selection of transmission power levels in a software-controlled radio system that cause communication range and radio interference problems)
3. recognizing significant unexplainable incom-patibilities between internal system communi-cation levels and the presentation of situation awareness information provided to system operators (e.g., air defense system operator provided with low levels of traffic information, but sensors are observed to be communicating information that should be presented at high rates).
While each of these examples applies to a wide variety of physical systems, the implementation of specific solutions will vary across different systems.
Engine1
Engine2
PropulsionController
1
PropulsionController
2
OperatorInterface
1
OperatorInterface
2
Hopper Voter
NetworkSwitch 1Model A
NetworkSwitch 2Model B
NetworkSwitch 2Model C
FIGURE 3.The technical configuration for hopping/voting resilience design pattern for ship propulsion control.
www.computer.org/computingedge 25
RESILIENT SECURITY
The system-aware research efforts have included prototype designs that employed the example design patterns described previously as well as others for detecting cyberattacks on UAVs, police cars, 3D print-ers, and military systems. Note that the consequences of a cyberattack can vary significantly depending upon the actual system being attacked, so risk-based deci-sions are required in terms of which design patterns reduce the risks of attack most significantly. Further-more, as noted previously, resilient system efforts must be directed toward achieving designs that are highly secured.
SYSTEM RECONFIGURATION SOLUTIONS
As illustrated earlier in discussing reusable design pat-terns for cyberattack detection, designs that exploit diverse redundancy for continuing operation also are reusable, but implementation and risk reduction value depend upon the actual system to be protected. In addition, diverse solutions typically do not perform as well as the normal mode of system operation, although they are potentially acceptable for continuing opera-tion. Examples of diverse redundancy opportunities include the following:
› use of diverse sensors for providing situation awareness information (e.g., radar, infrared, audio, video, and many other technologies that can potentially be used as the basis for surveil-lance subsystems)
› use of diverse navigation subsystems (e.g., GPS, inertial navigation)
› use of relatively common subsystems, but designed and produced with different hardware and software by different manufacturers (e.g., different operating systems, application software, microelectronics components, com-munications switches).
As a result, designers of resilient systems must evaluate the losses in performance that could result when the protected system is reconfigured and the operational acceptability of such losses.
Resilience can also be achieved through the integration of multiple approaches for achieving diversity that serve both detection of attacks and
reconfiguration responses. For example, one of the design patterns derived from UVA’s research efforts is referred to as configuration hopping with voting. An experimental application of this design pattern, utiliz-ing multivariant programming4 via the use of three diversely manufactured communication switches and through comparison of message content going into and coming out of the switches, could determine if there was an inappropriately performing switch. If so, the improperly performing switch could be taken out of service while continuing system operation.
In addition, to make matters more complex for a cyberattacker intent on changing message content, the design pattern included the use of a moving target technique,5 dynamically changing which switch is to be operationally employed once every few seconds, with the use of randomly selected times for moving the potential targets. Since the diversely implemented switches were not closely synchronized in terms of order of messages and their timing, use of moving target defense brought with it the potential to create problems due to the timing of message processing within the diverse switches. To address this problem, message content comparisons were done in a batched manner at sufficiently spaced intervals (e.g., 20-s intervals) so as to reduce the percentage of deviating messages due to timing. The sentinel detection algo-rithms were designed to permit missing messages as a normal situation when the deviations occurred close to the switching times, and the operational system depended on its existing communication protocols to assure that missing messages due to dynamic changing of the switch in operation were either resent in a timely manner or were acceptable for loss at low rates.6
Operational prototype-based experiments related to control of a ship’s propulsion system were con-ducted to measure message loss rates. Results indicated that the number of lost messages due to a 20-hop/s resilience design was acceptably low (for a 250-Mb/s data rate involving 1-Kb User Datagram Protocol-formatted packets, results showed packet loss rates of fewer than two packets per 10,000 trans-mitted packets and that operators could dependably continue to carry out their propulsion control-related responsibilities with the reduced level of communica-tion system performance).
26 ComputingEdge August 2020
RESILIENT SECURITY
CYBERATTACK PROTECTION FOR THE SENTINEL
A significant design issue regarding achieving cyber-attack resilience for the protected system is the secu-rity designed into the sentinel, which can consist of a combination of both cyberattack defense and resil-ience solutions. The UVA design concept for sentinels builds on the engineering principle that they should be far less complex than the subsystems they protect, so as to provide the opportunity for employment of advanced security techniques that are limited in the scale and complexity of their application, such as soft-ware verification technologies applied for develop-ment and testing of sentinel software and software execution-related security techniques employed at the microelectronics level. For example, Draper Lab-oratory is currently engaged in research activities focused on achieving system security through hard-ware and firmware.11
In addition, the cost for applying diverse redundancy-based resilience for the sentinel itself can then be addressed within more acceptable cost boundaries. The UVA research efforts included operational demonstrations of prototypes that employed multivariant programming and moving target defenses within a sentinel design. These tech-niques proved to be effectively employed because the sentinels were designed to consist of algorithms for detection that were each implementable with fewer than 1,000 lines of code. The research served to support the concept that simple designs can indeed provide effective system resilience solutions and the basis for greater trust of the sentinel than would otherwise be possible.
RISK-BASED PRIORITIZATION OF ALTERNATIVE RESILIENCE SOLUTIONS
A critical aspect of cyberattack-resilient system design is the prioritization and selection of alternative system solutions. Part of the UVA research effort has focused on the development of a risk-based method-ology for prioritizing potential solutions. Referred to as cybersecurity requirements methodology (CSRM), the process for prioritizing potential system solutions involves collaboration among three small groups of participants (two to three members per group)
and requires approximately two months of effort to develop the results. The three groups are
› the blue team, consisting of individuals with significant operational experience regarding systems in the domain of the specific system under consideration for resilience solutions
› the red team, consisting of individuals with combined experience in both cybersecurity defense and offense
› a system engineering (SE) team, with experience in development of system requirements related to resilience.
Cyberattack risk analysis involves identifica-tion of potential system problems that can result in significant consequences and the likelihood of these problems occurring. The CSRM approach looks to the blue team to identify and prioritize potential system problems related to the operation of system functions and the corresponding consequences related to these problems that are of greatest concern.
The identified problems can range from func-tions being implemented improperly, to deviations from the technical performance specifications, to loss of functions (note that the blue team is not asked to relate the problems of concern to cyberat-tacks, but to any functional issue associated with the system’s hardware, software or operational procedures). UVA’s CSRM research project included a case trial discussed next, for which the U.S. Army provided the blue team. The SE team is called upon to derive system-level descriptions of potential cyberattack-resilient solutions that would address the higher-consequence concerns expressed by the blue team. A critical aspect of the SE team’s effort is to utilize rapid prototyping as a mechanism for addressing the operational issues regarding the role of the human operators in reconfiguration decision making and execution of switchovers. To arrive at viable operational solutions, the SE team is expected to coordinate and adjust its resilience solutions based upon suggestions from the blue team.
For the use case trial, members of UVA and Virginia Commonwealth University (VCU) served as the SE team. To assure sufficient specificity in the resulting SE system descriptions, SysML, a formal approach
www.computer.org/computingedge 27
RESILIENT SECURITY
that employs available support tools for describing systems, is used. The use of such tools is an important ingredient of assuring that high-priority solutions will be properly understood by the red team and, if selected for implementation, designed as intended. The red team is provided with the SE team’s potential solution descriptions and is called upon to evaluate how each of them would potentially impact the decisions of cyberattackers, based upon the added complexity of attacks, extended time to implement and test attacks, cost of attacks, risk of discovery, and so forth.
The red team is also called upon to evaluate the potential effectiveness of the resilience solutions, compared to use of additional conventional cyber defense solutions, and to assess the potential for a cyberattack to disrupt the detection or reconfigura-tion functions of the potential resilience solutions.
An important aspect of CSRM is the use of exist-ing historical data bases, openly available through the MITRE Corporation, related to cyberattacks and their causes and the use of a UVA/VCU set of analy-sis tools intended to support the red team’s analy-sis efforts. The red team members combine their analyses to prioritize the SE team’s suggested resil-ience solutions based upon the influence on attack likelihoods and the advantage offered compared to extended use of cyberattack defense solutions. The SE team uses the red team results to modify its pro-posed designs and to suggest a prioritization based upon the integrated assessments of the blue and red teams.
The three teams together finalize their inte-grated prioritization, and the SE team modifies its SysML system description of the recommended, highest-priority resilience solutions. This result, com-bined with cost assessments for each of the consid-ered solutions, provides a basis for decision making regarding implementation of cyberattack resilience design features.
ROLE OF SYSTEM OPERATORSAn important aspect of designing cyberattack-resilient systems relates to the roles of the human system oper-ators. An important aspect of the UVA research effort required the development of prototype resilient sys-tems, including systems for UAVs and police cars. The prototype systems included the development of
reconfiguration procedures for operators to follow in response to sentinel alerts.
Based upon use trials, it became apparent that uncertainties related to the reasons for the cyber-attack can greatly influence the reconfiguration responses of operators. For example, consider a cyber-attack that would change navigation waypoints for a UAV conducting a search and rescue mission. Possi-bilities related to the purpose of the attack can range from the attacker wishing to 1) disrupt that search and rescue mission, 2) disrupt the air traffic control system in the area surrounding the UAV, or 3) steal the UAV by directing it to a specific location.
The best response to the detected attack could be different depending upon the actual purpose of the attack, and the human operators may have a broader context of the risk posed by the detected attack than the sentinel that made the detection. UVA’s experimental research included the involve-ment of Air Force pilots remotely controlling UAVs and ground-based vehicles in simulated situations. Results have shown that operators can significantly delay resilience-related responses due to their uncertainty about how best to respond, and, in general, they are not prepared to confidently select sentinel-recommended solutions.12
To date, the experiments have proven to be very useful in illuminating issues that need attention related to operator response to detected cyberat-tacks, but the research has not yet matured to the point where specific human/machine team solution concepts are ready for recommendation. In addition to receiving continued research attention, over time, feedback from actual operational situations will need to be gathered to develop acceptable arrangements for operators to participate in system reconfiguration decision making related to cyberattacks.
Based upon the results gathered from the eight years of study conducted by UVA’s cyberattack
resilience research team, the opportunity to employ cyberattack resilience capabilities in cyberphysical systems appears to be a promising complement to cyber defense solutions. It has been shown that sim-pler sentinel-based solutions can be candidates for immediate trial implementations, and it is suggested that this would be a productive step for introducing
28 ComputingEdge August 2020
RESILIENT SECURITY
cyberattack resilience solutions into practice. However, while the UVA research efforts have dem-onstrated how resilience solutions can provide important benefits, continued research is needed. Research needs to include:
1. continued identification of cost-effective reusable resilience design patterns
2. development of analysis tools that support risk-related selection of solutions for employ-ment as well as test and evaluation methodolo-gies for candidate solutions
3. experimental-based efforts related to address-ing operator roles and performance in deci-sions related to system reconfiguration
4. broadening resilience solutions to address information systems as well as physical systems
5. defining and implementing field data collection and evaluation methodologies to support improvement of machine algorithms and opera-tor processes.
ACKNOWLEDGMENTSThis material is based, in part, upon work supported by the Stevens Institute of Technology through the Systems Engineering Research Center (SERC) under U.S. Department of Defense (DOD) Contract HQ0034-13-D-0004. SERC is a federally funded Univer-sity Affiliated Research Center managed by Stevens Institute of Technology. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessar-ily reflect the views of the DOD.
REFERENCES1. N. Falliere, L. O. Murchu, and E. Chien, “W32.Stuxnet
dossier,” Symantec Corporation. Mountain View, CA, 2011. [Online]. Available: https://www.symantec.com /content/en/us/enterprise/media/security_response /whitepapers/w32_stuxnet_dossier.pdf
2. C. G. Rieger, Di Gertman, and M. A. McQueen, “Resilient control systems: Next generation design research,” in Proc. 2nd Conf. Human Systems Interactions, 2009, pp. 632–636.
3. R. A. Jones and B. M. Horowitz, “System-aware cyber security architecture,” in Proc. IEEE 2011 Eighth Int.
Conf. Information Technology: New Generations, pp. 914–917.
4. M. Franz, “Making multivariant programming practical and inexpensive,” IEEE Security Privacy, vol. 16, no. 3, pp. 90–94, May/June 2018.
5. M. Albanese and S. Jajodia, “Defending from stealthy botnets using moving target defenses,” IEEE Security Privacy, vol. 16, no. 1, pp. 92–97, Jan./Feb. 2018.
6. G. L. Babineau, R. A. Jones, and B. M. Horowitz, “A system-aware cyber security method for shipboard control systems with a method described to evaluate cyber security solutions,” IEEE Int. Conf. Technolo-gies for Homeland Security (HST), 2012. doi: 10.1109 /THS.2012.6459832.
7. B. T. Carter, G. Bakirtzis, C. R. Elks, and C. H. Fleming, “A systems approach for eliciting mission-centric security requirements,” Annu. IEEE Int. Systems Conf. (SysCon), 2018, pp. 1–8.
8. B. M. Horowitz, “Cybersecurity for unmanned aerial vehicle missions,” AFCEA SIGNAL, Apr. 2016, pp. 40–43.
9. K. J. Higgins, “State trooper vehicles hacked,” Dark Reading, Sept. 2015. [Online]. Available: https: //www.darkreading.com/attacks-breaches/state -trooper-vehicles-hacked-/d/d-id/1322415?
10. C. Gay, B. Horowitz, P. Bobko, J. Elshaw, and I. Kim, “Operator suspicion and decision responses to cyber-attacks on unmanned ground vehicle systems,” Proc. Hum. Factors Ergon. Soc. Annu. Meet., vol. 61, no. 1, pp. 226–230, Sept. 28, 2017. doi: 10.1177 /1541931213601540.
11. Draper, “Inherently secure pocessor.” Accessed on: Oct. 2019. [Online]. Available: https://www .draper.com /explore-solutions/inherently-secure-processor.
12. C. Gay, B. Horowitz, J. J. Elshaw, P. Bobko, and I. Kim, “Operator suspicion and human–machine team performance under mission scenarios of unmanned ground vehicle operation,” IEEE Access, vol. 7, pp. 36,371–36,379, 2019. doi: 10.1109/ACCESS .2019.2901258.
BARRY M. HOROWITZ is the Munster Professor of Systems Engineering at the University of Virginia, Charlottesville. His research interests include system architecture and design. Contact him at h8e@virginia .edu.
PURPOSE: The IEEE Computer Society is the world’s largest association of computing professionals and is the leading provider of technical information in the field.
MEMBERSHIP: Members receive the monthly magazine Computer, discounts, and opportunities to serve (all activities are led by volunteer members). Membership is open to all IEEE members, affiliate society members, and others interested in the computer field.
COMPUTER SOCIETY WEBSITE: www.computer.org
OMBUDSMAN: Direct unresolved complaints to [email protected].
CHAPTERS: Regular and student chapters worldwide provide the opportunity to interact with colleagues, hear technical experts, and serve the local professional community.
AVAILABLE INFORMATION: To check membership status, report an address change, or obtain more information on any of the following, email Customer Service at [email protected] or call +1 714 821 8380 (international) or our toll-free number, +1 800 272 6657 (US):
• Membership applications• Publications catalog• Draft standards and order forms• Technical committee list• Technical committee application• Chapter start-up procedures• Student scholarship information• Volunteer leaders/staff directory• IEEE senior member grade application (requires 10 years
practice and significant performance in five of those 10)
PUBLICATIONS AND ACTIVITIESComputer: The flagship publication of the IEEE Computer Society, Computer publishes peer-reviewed technical content that covers all aspects of computer science, computer engineering, technology, and applications.
Periodicals: The society publishes 12 magazines and 18 journals. Refer to membership application or request information as noted above.
Conference Proceedings & Books: Conference Publishing Services publishes more than 275 titles every year.
Standards Working Groups: More than 150 groups produce IEEE standards used throughout the world.
Technical Committees: TCs provide professional interaction in more than 30 technical areas and directly influence computer engineering conferences and publications.
Conferences/Education: The society holds about 200 conferences each year and sponsors many educational activities, including computing science accreditation.
Certifications: The society offers three software developer credentials. For more information, visit www.computer.org/certification.
BOARD OF GOVERNORS MEETING
24 – 25 September 2020 in McLean, Virginia, USA
EXECUTIVE COMMITTEE
revised 1 May 2020
President: Leila De Floriani President-Elect: Forrest Shull Past President: Cecilia Metra First VP: Riccardo Mariani; Second VP: Sy‐Yen Kuo Secretary: Dimitrios Serpanos; Treasurer: David Lomet VP, Membership & Geographic Activities: Yervant ZorianVP, Professional & Educational Activities: Sy-Yen Kuo VP, Publications: Fabrizio Lombardi VP, Standards Activities: Riccardo MarianiVP, Technical & Conference Activities: William D. Gropp 2019–2020 IEEE Division VIII Director: Elizabeth L. Burd 2020-2021 IEEE Division V Director: Thomas M. Conte 2020 IEEE Division VIII Director-Elect: Christina M. Schober
BOARD OF GOVERNORS Term Expiring 2020: Andy T. Chen, John D. Johnson, Sy-Yen Kuo, David Lomet, Dimitrios Serpanos, Hayato YamanaTerm Expiring 2021: M. Brian Blake, Fred Douglis, Carlos E. Jimenez-Gomez, Ramalatha Marimuthu, Erik Jan Marinissen, Kunio UchiyamaTerm Expiring 2022: Nils Aschenbruck, Ernesto Cuadros‐Vargas, David S. Ebert, William Gropp, Grace Lewis, Stefano Zanero
EXECUTIVE STAFFExecutive Director: Melissa A. RussellDirector, Governance & Associate Executive Director: Anne Marie KellyDirector, Finance & Accounting: Sunny HwangDirector, Information Technology & Services: Sumit Kacker Director, Marketing & Sales: Michelle TubbDirector, Membership Development: Eric Berkowitz
COMPUTER SOCIETY OFFICESWashington, D.C.: 2001 L St., Ste. 700, Washington, D.C. 20036-4928; Phone: +1 202 371 0101; Fax: +1 202 728 9614; Email: [email protected] Alamitos: 10662 Los Vaqueros Cir., Los Alamitos, CA 90720; Phone: +1 714 821 8380; Email: [email protected]
MEMBERSHIP & PUBLICATION ORDERS Phone: +1 800 678 4333; Fax: +1 714 821 4641; Email: [email protected]
IEEE BOARD OF DIRECTORSPresident: Toshio FukudaPresident-Elect: Susan K. “Kathy” LandPast President: José M.F. MouraSecretary: Kathleen A. KramerTreasurer: Joseph V. LillieDirector & President, IEEE-USA: Jim Conrad Director & President, Standards Association: Robert S. Fish Director & VP, Educational Activities: Stephen Phillips Director & VP, Membership & Geographic Activities: Kukjin ChunDirector & VP, Publication Services & Products: Tapan Sarkar Director & VP, Technical Activities: Kazuhiro Kosuge
30 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
EDITOR: Jinan Fiaidhi, Lakehead University, [email protected]
DEPARTMENT: EXTREME AUTOMATION
EDI with Blockchain as an Enabler for Extreme AutomationJinan Fiaidhi and Sabah Mohammed, Lakehead University
Sami Mohammed, University of Victoria
E xtreme automation is the latest initiative to have emerged from several “hands-free” inno-vations like autonomous ships and subma-
rines, autonomous passenger aircraft, drone freight delivery, autonomous robotic surgery, automated knowledge discovery, currier package delivery, and self-writing software. In such markets, every company is a software company in some way and customers expect software to perform flawlessly and effectively. When it doesn’t, the brand suffers.
In the supply chain, everything from attracting cus-tomers and securing deals to managing transactions and follow-ups based on B2C (business-to-consumer) or B2B (business-to-business) platforms needs to be transparent, secure, and able to be changed on the fly. Everything needs to happen at lightning speed because winning market share requires the use of highly dynamic, fast-moving environments. Healthcare supply-chain management deals with the informa-tional and physical resources (such as manufacturing, procuring, storing, and transporting different product types such as surgical supplies, medical devices, and pharmaceuticals) needed for delivering services to the end customer (see Figure 1).
According to a recent Allied Market Research report,1 the healthcare supply-chain management market is segmented based on delivery model, soft-ware, hardware, end customer, and geography. Based on the delivery model, the market segments covered in the report are cloud-based, web-based, and on prem-ise. In addition, healthcare supply-chain management software includes supplier management software, procurement software, transportation management software, and others. The hardware segment consists of barcode and RFID systems and others. End custom-ers served by the market consist of healthcare provid-ers, suppliers, distributors, and others. The market for
healthcare supply-chain management is segmented based on geography: North America; Europe; Latin America, Middle East, and Africa (LAMEA); and Asia Pacific. Similar segmentations are also seen in other industries, as supply-chain management is more complex in the era of globalization and extreme automation.
There are many factors that need to be consid-ered and must be part of more effective solutions, like understanding that outsourcing, product per-sonalization, authentication, and transportation are all part of the new business reality. In this new era, supply-chain visibility must be carefully defined in a consistent way across industries. ERP (enterprise resource planning)-to-ERP connectivity is not the answer when electronic data interchange (EDI) is the only workhorse of visibility. B2B and B2C efforts are now three decades old, yet the primary EDI mecha-nisms are based on fragmented and manual efforts. However, trying to install a new ERP system and a new EDI system at the same time doesn’t double risks—it squares them.2 Business leaders in the era of extreme automation need to pave a new path to solve these new challenges.
EDI STRENGTHS AND WEAKNESSES
EDI is the universal language for B2B and B2C com-munication, and has changed the way that companies share information, ensuring that data isn’t compro-mised by human error. EDI has become the common language for interchanging files and information such as product activity data, purchase orders, and ship-ment and billing notices. Rather than sending faxes or emails for each individual event, EDI allows comput-ers to communicate directly with each other, ensur-ing greater accuracy and instantaneous notice.3 EDI
This article originally appeared in
vol. 20, no. 4, 2018
www.computer.org/computingedge 31
can scale to include different collaborating partners by introducing a portal or cloud layer that partners can access securely without a data-integration solu-tion. An example of such a solution is the Edicom por-tal (see Figure 2).
However, businesses are moving away from the standardization principles that brought forth greater efficiency in the retail industry and inadvertently introduced more work for vendors that must collect data from numerous retailers. Improving supply-chain visibility is critical as supply chains grow more com-plex with more collaborating partners. Having differ-ent vendor portals will damage the efficiency of B2B and B2C communicating networks. EDI as a universal
language is a slow-moving ship and there are no ben-efits for a single company in a partner network to change unless other trading partners also follow. This was one of the main reasons XML never really took off, although it was (and still is) a far superior format for electronic business transactions than the clunky 30-year-old flat-file formats used by traditional EDI standards, such as EDIFACT and ANSI X12.4
EDI needs a distributed ledger technology (DLT) for shared and synchronized digital data that is geo-graphically spread across multiple sites, countries, or institutions. With a DLT, there is no central administra-tor or centralized data storage. Without DLT, EDI mes-sages will have major difficulties mapping messages
FIGURE 1. End-to-end healthcare supply chain.
FIGURE 2. Scaling electronic data interchange (EDI) for collaborating partners through the use of web portals (Source: www .edicomgroup.com/solutions/edi/components/partner_web_portal.html)
32 ComputingEdge August 2020
EXTREME AUTOMATION
between partners. Each message has many sectors that, arranged in a particular way, constitute the “map” for the message. The segments are populated with data, such as customer number, product number, gross price, and net price. There are numerous opportunities for error—if a product number is changed on the send-ing or receiving end, data is entered incorrectly, new master data isn’t uploaded into someone’s system, a suffix or prefix is added to a value in one of the sec-tions, a trading partner changes part of the map and fails to communicate the change, or a required field is blank, other partners will not be informed. Thus, new methods are needed to keep these records—ranging from emails to spreadsheets to third-party services—in sync.
EDI cannot support the complex supply-chain processes of today because the data transfer between the various ERP systems opens up potentially critical situations. Customers and suppliers need a shared view of the actual supply situation and an automated early detection system. This will efficiently control organizations’ supply chains, enabling them to col-laboratively resolve identified problems and avoid costly bottlenecks. Trust is key to the success of global cross-organization collaboration, and trust comes with transparent processes. DLT promises to share, facilitate, verify, or enforce the negotiation or performance of a contract. This is why a DLT system is needed along with an existing EDI.
THE BLOCKCHAIN DLT SYSTEMBlockchain systems form a decentralized ledger, a type of database that is stored in several different physi-cal locations. Processing is distributed among multi-ple stakeholders, and each party receives real-time updates in a completely secure system. These aspects make a decentralized ledger an ideal system for the creation, issuing, and execution of contracts that can
help protect business models and enable collabora-tion.5 However, blockchain is not an alternative to EDI systems, although it offers a way for trading partners to communicate quickly and clearly without the risk of errors or repudiation.
Consider how transactions take place through EDI systems, which typically involve a buyer, a seller, and a third-party logistics provider. EDI system transactions hinge upon one-way, point-to-point communication, meaning that two of the three parties can exchange messages with one another, but the third party is left out. Because blockchain is a shared ledger, everyone can see what is going on. Disputes would not hap-pen, repudiation would be unnecessary, and sharing information would be much more efficient.6 Another advantage of blockchain technology is the security and integrity of distributed networks. Although it started as a disrupting technology in the financial industry for the decentralized digital currency Bitcoin, blockchain finds more and more use cases in other industries such as energy and freight.7
A study by IBM found that 16 percent of surveyed healthcare executives had solid plans to implement a blockchain solution this year, while 56 percent expected to by 2020.8 Healthcare companies, tech innovators, and the rest of the healthcare industry are grappling with what is possible now and what block-chain could solve in the future. The overall vision for blockchain to disrupt healthcare in the future would be to create a common database of health information that physicians and providers could access no matter what electronic medical system they used, provide higher security and privacy, decrease the admin time for physicians so they have more time to spend on patient care, and improve the sharing of research results to facilitate new treatment therapies.9
ADVANTAGES OF BLOCKCHAIN Blockchain won’t be a cure-all for the industry today, but it would certainly be a step in the right direction. The healthcare industry is drowning in data—clinical trials, patient medical records, complex billing, med-ical research, and more. Adoption and implementa-tion of blockchain will be an evolution over time as blockchain applications are vetted and adopted and as the industry comes together to solve collabora-tion and governance issues. As it always is with new
TRUST IS KEY TO THE SUCCESS OF GLOBAL CROSS-ORGANIZATION COLLABORATION, AND TRUST COMES WITH TRANSPARENT PROCESSES.
www.computer.org/computingedge 33
EXTREME AUTOMATION
technologies, the full possibility of what might tran-spire in the future is unknown at this time. However, there are many advantages of using blockchain for an industry like healthcare. Among these advantages are the following.
› Transparency and collaboration. Blockchain is a solid mechanism for documenting a transac-tion across the supply chain and sharing it with stakeholders. The system works without a central repository or single administrator.
› Medical data management. Blockchain has great potential to link medical data across systems and stakeholders. An example of the success of blockchain in managing healthcare data is the MedRec system.10 MedRec intends to improve electronic medical records and allow patients’ records to be accessed securely by any provider who needs it. The goal is to give patients and their healthcare providers one-stop access to their entire medical history across all providers they have ever seen. Additionally, if patients wish to grant researchers access to their personal medical records, the data would be provided anonymously to be used for research, which could make medical break-throughs happen faster.
› Scalability and availability. Blockchain 2.0 is solving the scalability issues for writing transactions. Anyone worldwide can access the decentralized datasets.
› Security and privacy. Establishing a trust network depends on the healthcare system as an intermediary to establish point-to-point sharing and bookkeeping of the exchanged data. A node does not have to reveal the physical identity of the person or organization and the payload can have a digital signature with private cryptographic keys.
› Patient–provider relationship contract. This contract links two nodes in the system, where one node stores and manages medical records for the other. This relationship could exist between a particular care provider and a patient, but extends to cover any pairwise data steward-ship interaction.
› Summary contract. This serves as a trail of
breadcrumbs, where each participant in the sys-tem can locate a summary of their relationships with other participants. The summary contract encodes a list of references to patient–provider relationship contracts, showing current and previous engagements with other nodes on the system. Each relationship also stores a “status” variable, indicating when the relationship was established and whether it has been approved by the patient.
› Reduced transaction costs. The use of near-real-time processing would make the system more efficient.
› Innovation. The dominance of open source models is a driver for computing innovation. IBM, Microsoft, and Bitcoin published their solutions on the open source repository Github. Blockchain-as-a-Service solutions like Microsoft Azure make it easy for anyone in the world to use the service.
SMART CONTRACTSBlockchain uses a smart contract, which stores the ground rules of the contract, automatically executes the contract, verifies its compliance, and evaluates the outcome without the need for a third party. Smart con-tracts are visible to all users and remove the need for a middleman. The supply-chain industry needs smart contracts for the next generation of global distribution systems. As an example, a smart contract starts when a patient schedules surgery. At this point, the contract performs the initial setup of the blockchain and mines for other related caregiver nodes. Caregiver partners join the private blockchain, where no one person is the owner of the data and all partners are part of a con-sortium or community of practice. All partners can write and read data into or from the blockchain. When partner A writes data into the blockchain, that data can be validated by the consortium. Once the data is validated it can be shared with other nodes including external repositories. A smart contract is pre-written code that utilizes both EDI and blockchain commu-nication protocols. Figure 3 illustrates the EDI block-chain for a surgery supply-chain cycle.
Generally speaking, if a business can satisfy the checklist below, it has a good use case for EDI and blockchain.11
34 ComputingEdge August 2020
EXTREME AUTOMATION
› Multiple parties need to be able to view, and possibly edit, the same data.
› Parties form a supply chain with the ability to communicate with third parties.
› There is a lack of trust between parties trying to conduct transactions.
› Several of the transactions are sequential in the supply chain, and all parties conducting the transactions need to know the interdependen-cies of those transactions.
› Middlemen are in the ecosystem mainly because of the lack of trust among the parties that need to conduct transactions.
› Parties would gain financially if transaction times can be reduced.
The use of smart contracts will allow the advance-ment of multiple services that were suffering from bottleneck delays because of complex logistics and privacy protocols. Suppose a patient has agreed that their clinical or medical data can be used by anyone in clinical research who can satisfy a smart contract by putting this data into a public blockchain. The enforce-ment of the smart contract can provide add-on services to facilitate collaboration and interoperability, similar to interoperable electronic healthcare record systems
like the Fast Healthcare Interoper-ability Resources (FHIR) system.12 In this case, the smart contract would include:
› upfront micro-payment for the access,
› requirement for escrow of the crypto coin to be unlocked to the patient if other terms are violated,
› terms of protection of the data, › kinds of clinical trials allowed
(for example, heart conditions but not brain),
› agreement to keep all research public,
› agreement to contact patient if patient could benefit from new treatment detected,
› agreement to contact patientif some treatable medical condition not previ-ously known is discovered, and
› agreement to not contact patient if a terminal condition is detected.
A clinical trial firm that meets these requirements would satisfy the contract and gain access to the data. If the firm violated any of the terms, the smart contract would automatically transfer the escrow coin to the patient. The possibility of using smart contracts with patients’ medical records gives patients control over their data.
According to Forbes, pharmaceutical companies incur an estimated annual loss of $200 billion due to counterfeit drugs globally.13 Using smart contracts, it is possible to trace drugs over their whole lifecycle. Each ingredient and substance is numbered and tracked with geographic and other relevant information. The tracking data is then added to the blockchain (only the metadata is put in the blockchain for efficiency reasons).
CONCLUSIONAlthough blockchain has enormous potential, it is important to remember that no new technol-ogy succeeds with the “rip-and-replace” method.
FIGURE 3. Blockchain with EDI for the surgery supply chain.
www.computer.org/computingedge 35
EXTREME AUTOMATION
Organizations using blockchain will have a greater impact if they augment existing, well-established technologies such as EDI systems. Using smart con-tracts that take into account legacy protocols like EDI and blockchain will benefit the ecosystem of every industry, including healthcare. The healthcare indus-try will need to adapt to the changing care delivery and the new financial model as it will save many billions of dollars, according to recent industry survey.14,15
REFERENCES1. Healthcare Supply Chain Management Market By
Software (Supplier Management Software, Transporta-tion Software And Procurement Software), Hardware (System, Barcode And RFID), Delivery Model (On Premise, Cloud Based And Web Based)—Global Opportunity Analysis And Industry Forecast, 2017-2023, report, Allied Market Research, 2017; www.alliedmarketresearch .com/healthcare-supply-chain-management-market.
2. M. Torman, “‘EDI’ Comes Before ‘ERP’,” Cleo, blog, 17 December 2012; www.cleo.com/blog/edi-comes -before-erp.
3. “The Reasons Of EDI Failure,”GeoViz, blog, 1 August 2015; www.geo-viz.com/blog/the-reasons-of-edi-failure.
4. M. Wallgren, “EDI And Blockchain—A Match Made In Heaven?,” LinkedIn, blog, 26 March 2018; www.linkedin .com/pulse/edi-blockchain-match-made-heaven -mathias-wallgren.
5. “Smart Contracts And Blockchain In The Electronics Industry,”Orbweaver, blog, 19 January 2018; www .orbweaver.com/blog/smart-contracts-and-blockchain -in-the-electronics-industry.
6. B. Lester, “How Blockchain Technology Augments EDI Systems,” Remedi, blog, 15 March 2018; www.remedi .com/blog/how-blockchain-technology-augments -edi-systems.
7. M. Buchhorn-Roth, “Blockchain And EDI For Secure Data Exchange In Supply Chains,” LinkedIn, blog, 14 November 2018; www.linkedin.com/pulse/blockchain -edi-secure-data-exchange-supply-chains-buchhorn-roth.
8. H. Fraser, “How Blockchains Can Provide New Benefits For Healthcare,” IBM, blog, 20 February 2017; www.ibm .com/blogs/think/2017/02/blockchain-healthcare.
9. B. Marr, “This Is Why Blockchains Will Transform Health-care,” Forbes, blog, 29 November 2017; www.forbes .com/sites/bernardmarr/2017/11/29/this-is-why -blockchains-will-transform-healthcare/#1593b3381ebe.
10. A. Ekblaw et al., A Case Study For Blockchain In Health-care: ‘MedRec’ Prototype For Electronic Health Records And Medical Research Data, white paper, August 2016; www.healthit.gov/sites/default/files/5-56-onc _blockchainchallenge_mitwhitepaper.pdf.
11. P. Srinivasan, “Healthcare Blockchain: How Smart Contracts Could Revolutionize Care Delivery,” Prolifics, blog, 2017; www.prolifics.com/blog/healthcare -blockchain-how-smart-contracts-could-revolutionize -care-delivery.
12. J. Moehrke, “Healthcare Blockchain—Big-Data Pseud-onyms On FHIR,” Healthcare Exchange Standards, blog, 18 May 2016; https://healthcaresecprivacy.blogspot .com/2016/05/healthcare-blockchain-big-data.html.
13. J. Moehrke, “Healthcare Use Of Blockchain Thru Creative Use Of Smart-Contracts,” Healthcare Exchange Standards, blog, 10 November 2017; https://healthcaresecprivacy.blogspot.com/2017/11 /healthcare-use-of-blockchain-thru.html.
14. R. Das, “Does Blockchain Have A Place In Healthcare?,” Forbes, blog, 8 May 2017; www.forbes.com/sites /reenitadas/2017/05/08/does-blockchain-have-a -place-in-healthcare.
15. Blockchain: A Healthcare Industry View, Capgemini, 2017; www.capgemini.com/wp-content/uploads/2017/07 /blockchain-a_healthcare_industry_view_2017_web.pdf.
JINAN FIAIDHI is a full professor and professional engineer with the Department of Computer Science and founder of the Smart Health FabLab at Lakehead University. She is an adjunct research professor at the University of Western Ontario, editor in chief of the new IGI Global International Journal of Extreme Automation in Healthcare, and chair of Big Data for eHealth with IEEE Communications Society. Contact her at [email protected].
SABAH MOHAMMED is a full professor and professional engineer with the Department of Computer Science and co-founder of the Smart Health FabLab at Lakehead Univer-sity. He is also an adjunct professor at the University of West-ern Ontario and chair of Smart and Connected Health with IEEE Communications Society. Contact him at mohammed @lakeheadu.ca.
SAMI MOHAMMED is a graduate student in the Computer Science Department at the University of Victoria. Contact him at [email protected].
36 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
EDITOR: Jeffrey Voas, NIST, [email protected]
DEPARTMENT: CYBERTRUST
Blockchain and Electronic Healthcare RecordsNir Kshetri, University of North Carolina at Greensboro
There is a growing need to both secure patient health data from unauthorized breaches and at the same time make access to such data easier for patients. Blockchain may provide a solution.
C yberattacks against healthcare providers pose serious concerns. In 2015 alone, data breaches in healthcare exceeded 112 million
records.1 Current infrastructure cannot guarantee the privacy and security of patient data, and the failure to prevent access to healthcare information by unau-thorized persons can harm patients.
The current model of handling electronic health-care records (EHRs) presents yet another problem: healthcare organizations have shown a tendency to act as custodians or stewards of patient data. This leads to inefficiency and delay in patient care. For instance, a patient’s treatment may be delayed simply because medical information sent from one service provider does not reach another in a timely manner.
Blockchain may offer a solution for addressing cur-rent EHR practice limitations. Blockchain initiatives have been implemented by governments, the private sector, and public–private partnership projects. The U.S. Food and Drug Administration (FDA) and IBM Watson Health have teamed up to investigate the potential benefits of blockchain in healthcare; initial efforts have focused on oncology-related data and a blockchain framework.
Blockchain enables the collection of data from a variety of sources and keeps those data in an audit trail of transactions. Blocks hold transaction and other data, and the accountability and transpar-ency of transactions are maintained during this data-exchange process. The FDA and IBM believe that
blockchain can support the exchange of data from multiple sources on agreed-to terms and for purposes that a patient approves of and consents to. These terms may include EHRs, clinical trials, genomic data, and information gathered from new sources, such as mobile devices, wearables, and Internet of Things devices.2
In the blockchain world, permissionless and permissioned chains exist. In a permissionless block-chain such as the open-platform bitcoin, anyone can join. Conversely, private or permissioned blockchains are restrictive, and access must be granted by some authority (e.g., https://www.americanbanker.com /opinion/a - p ub l ic - or- p r i vate - b l o ckcha in - n e w -ethereum-project-could-mean-both). Permissioned blockchains, which are more effective in sharing and managing EHRs, make it possible to share real-time data among participants of healthcare systems and conduct secure transactions. After a transaction is completed by consensus, a permanent record is pro-duced and added to the existing blockchain as a new block (https://tinyurl.com/ycuvnrxw).
In this article, we look at the possible roles of blockchain in strengthening the security and privacy of EHRs and improving efficiency. However, blockchain enforces transparency, which may jeopardize privacy without the proper design considerations.
CHALLENGES OF THE CURRENT EHR APPROACH
Current EHR models present problems providing effi-cient healthcare and guaranteeing the security and privacy of patient data. Several of these problems are described in the following.
This article originally appeared in
vol. 51, no. 12, 2018
Digital Object Identifier 10.1109/MC.2018.2880021 Date of publication: 5 February 2019
www.computer.org/computingedge 37
Data storageCurrent models rely on passwords containing shared secrets that are exchanged and stored on poten-tially insecure clouds. This approach has led to well-publicized cyberdisasters, such as one in Decem-ber 2014, where hackers broke into the servers of U.S. health insurer Anthem and stole sensitive informa-tion on 80 million customers and employees.3 Such a breach is less likely to occur in a blockchain model because data are not centrally stored.
Data sharingIn a nonblockchain world, healthcare organizations typically follow three models to facilitate the interop-erability of medical data: push, pull, and view.4 In a push model, medical information is sent from one pro-vider to another (e.g., from an emergency room physi-cian to a primary care doctor). In a pull model, a pro-vider asks another provider for information (e.g., a cardiothoracic surgeon consulting with a primary care doctor). Finally, in the view model, a provider looks at another provider’s patient record. For example, a cardi-ologist may examine a patient X-ray taken at an urgent care center.
Access to healthcare data must be accompanied by obligations to the data. It is important for health-care companies handling identifiable information to structure such obligations by associating metadata (i.e., information about information) using data sets.5 In the current infrastructure, this is more easily said than done. A major drawback of the models describing patient data are that they are not audited in a stan-dardized way. The lack of audit trails means that there is no guarantee of data integrity from the point of data generation to the point of data usage, thus making it difficult to identify the perpetrators of data breaches. Some hospitals still rely on paper medical records and even paper towels.
Fraud is rampant in the medical industry. There have been instances of employees stealing patients’
personal data and misusing them (https:// tinyurl.com /y7b8rfta) as well as cases of fraudulent claims submit-ted to insurance providers using falsified patient medi-cal information and fake identities of doctors. In one scam, employees and doctors at a Long Island-based medical practice defrauded Medicare and Medicaid of US$50 million over a 12-year period by submitting bogus healthcare claims using patients’ EHRs (https: //tinyurl.com/y9lrhaqt).
Current healthcare systems also fail patients when it comes to informed consent (https://tinyurl.com /yclk4lxd). In the pull model, consent often occurs on an informal and ad hoc basis. Due to time constraints, doctors are often unable to help patients understand the processes related to consent. As a result, patients may not know what questions or whom to ask. It may also not be possible for patients to receive straightfor-ward answers. While patients have the right to stipu-late with whom their information may be exchanged, some healthcare organizations lack the capacity to record and implement such stipulations.
EfficiencyWith respect to efficiency, current practice leaves a great deal to be desired. For instance, in the push model, if a patient is transferred to a different hospital, the new hospital may not be able to access the data “pushed” from the first hospital. Patients often feel the frustration of repeatedly supplying the same infor-mation to different healthcare providers or different people associated with the same healthcare provider (https://tinyurl.com/y7x83a87).
Current approaches fail to manage medical records generated by multiple healthcare institutions. Because data are scattered across various medical institutions, patient data may become lost (https: //tinyurl.com/y7x83a87).
Regulations and policies governing these approaches vary greatly across jurisdictions based on inter alia, local practice, and national privacy
38 ComputingEdge August 2020
CYBERTRUST
policy enforcement. In the United States, laws vary with respect to whether a consent form is required to disclose patient records, the types of medical records patients can access, and procedures for providing patient records to a third party (http://www.apa.org /monitor/jan03/hipaa.aspx).
BLOCKCHAIN BENEFITSTo understand blockchain’s ability to address secu-rity and privacy issues (not only related to EHRs), we consider blockchain from the perspective of identity and access management, which involves controlling information such as patient identity on computer net-works. The key issues in identity and access manage-ment concern 1) information that authenticates the subject’s identity, 2) information that describes the information (metadata), and 3) actions that various participants are authorized to know and perform.
The first three rows in Table 1 show current issues related to identity and access management in health-care that may be improved upon by using blockchain.
As previously mentioned, there are drawbacks to existing identity-management techniques that rely on password-based systems. In a blockchain model, a patient’s full medical records may be stored in a blockchain ledger’s key ring and encrypted using the patient’s private key. While a blockchain-based system is not 100% foolproof (e.g., a person’s private key can be stolen), it is thought to be more secure than most other current systems.
Blockchain offers audit trails, i.e., documentation of the events related to the creation, modification, and deletion of electronic records, thus resulting in transparency. Researchers at the MIT Media Lab and Boston’s Beth Israel Deaconess Medical Center proposed MedRec, a blockchain-based decentralized record management system to handle EHRs. MedRec manages authentication, confidentiality, account-ability, and data sharing.7 Using this system, patients can access their medical information from different providers and treatment sites. An immutable log of all transactions involving a patient’s information is
Key issuesin identity and access management Explanation and examples
Challenges with the currentsystem
Blockchain’s potential toaddress the challenge
Informationauthenticatingthe subject’sidentity
Information to verify that someone is whohe/she claims to be. Examples include ausername and password or a thumbprint.
Current identity-managementtechniques in hospitals rely onpassword-based systems, whichinvolve shared secrets thatare exchanged and stored oninsecure systems.
In blockchain-based identityauthentication, eachtransaction needs to be signedby the correct private key.Only the patient has theprivate key.
Information describing the information
Information about di�erent pieces of data �owamong participants (e.g., healthcare vendorand patients) and records of data transaction.Information about users’ preferencesregarding how their data can be used.Consent management records betweenpatients and healthcare services providers.
There are no audit trails of whoaccessed patients’ data. Somehospitals still rely on papermedical records.
The presence of an audittrail means that there iscomplete documentation ofevents related to the creation,modi�cation, and deletion ofelectronic records.
Actions that various participants are authorized to perform
An access policy speci�es access rights andprivileges of each participant. For example,insurance companies cannot have access topatients’ con�dential medical records.
Various parties are authorizedto take actions based onpatients’ data.Patients often have no controlover their own data.
Blockchain preventsunauthorized andillegitimate access to data.Patients hold ownership andultimate control over theirinformation.
Ine�cient administrative, logistical, andservice delivery processes lead to higher costs,lost time, and fewer bene�ts.6
A consumer has access to her/his up-to-date healthcareinformation and can forwardto a healthcare serviceprovider as and when needed.
Ine�cient procedures totransfer data across healthcareservices providers.Policy and regulatoryheterogeneity acrossjurisdictions.
TABLE 1. Improving security and efficiency in healthcare: Blockchain’s potential improvements.
www.computer.org/computingedge 39
CYBERTRUST
created and provided to the patient.7 MedRec does not store patients’ health records; rather, its system stores the record’s signature in a blockchain. The signature provides assurance that the record’s unaltered copy is the one that is obtainable.
Using blockchain, patients hold ownership and ultimate control over their information and decide where their records can travel. In this way, the locus of control is shifted from the institution providing healthcare to the patient. For patients who do not want to manage their data, service organizations may evolve allowing patients to delegate that task to them.4
Ensuring that healthcare providers authorize the right person and only the right person is a challenge for implementing blockchain-based models in EHRs in most countries. By adopting a unique digital ID for the identification and authentication of patients, nations can achieve a higher degree of effectiveness for such models. By doing so, they can also improve the quality of healthcare, eliminate insurance fraud, and enhance administrative efficiency.8
The bottom row in Table 1 shows how blockchain reduces inefficiency. A key benefit of blockchain-based EHRs is that there is no entity between the patient and his or her medical records. Moreover, there is no need to create custom functionality for each EHR vendor.4 In the previous example, a patient’s treatment will not be delayed simply because medical information sent from a service provider to a hospital was not received; patients can securely share this information with dif-ferent providers throughout their lifetimes.4 If there is any change in the patient’s condition, the data related to these changes are communicated to the ledger by authorized parties.9 Thus, timely access to accurate and up-to-date information should improve the effi-ciency of patient care.
BLOCKCHAIN CHALLENGESThere are challenges and limitations facing block-chain’s management of EHRs. The main barriers to introducing blockchain may be educational rather than technical (http://www.economist.com/news /business/21722869-anti-establishment-technology -faces-ironic-turn-fortune-governments-may-be-big -backers). There has been a general lack of awareness of blockchain’s benefits to the medical field.
There are also control- and ownership-related fac-tors, i.e., healthcare providers may encounter barriers that prevent them from moving to blockchain. The psy-chological challenges healthcare organizations face must be recognized and dealt with so that concerns related to privacy, security, and integrity are addressed. The current mindset among many healthcare provid-ers is that they are the only “steward” of patient data in their respective organizations.9 It might be difficult to change this culture, but evidence suggests it is neces-sary. Additionally, not all individuals are in a position to handle their medical data themselves; e.g., older persons or patients with mental illness and dementia may be unable to utilize blockchain to hold ownership and ultimate control over their information.
Furthermore, there are EHR privacy laws such as the Health Insurance Portability and Accountability Act of 1996 that must be enforced (https://tinyurl .com/ydcllwzz). As mentioned previously, blockchain’s transparency is not always conducive to privacy. We believe, however, that when appropriate encryption is used for the actual hard patient data and proper con-trol is applied to a specific patient’s chain, these two competing forms of trust can occur simultaneously.
There are also scalability challenges associated with blockchains because the size of medical records increases. Using blockchain, a patient’s complete medical records must be stored at each node that par-ticipates in the network. This may create data-storage and bandwidth problems.10
LOOKING FORWARDAll access to healthcare data should be monitored and logged, and unmonitored access to identifiable infor-mation should be prohibited. It may not be realistic or feasible to achieve this goal for current EHR models yet. In many healthcare organizations, mechanisms do not exist to ensure that patient data are not accessed by unauthorized users, and current EHR infrastructure may not meet patient privacy requirements.
These challenges may be addressed with block-chain, which can solve the broader problem of systems relying on password-based security and authentica-tion. The blockchain ledger includes an audit trail and data that are time-stamped, which allows the patient to know (within reason) who made what changes and when. Third parties such as healthcare providers can
40 ComputingEdge August 2020
CYBERTRUST
see patient data with the patient’s permission, but they are not required or expected to store the data. In this way, a blockchain-based model is superior to exist-ing data-governance models.
In recent years, significant initiatives have been undertaken in a range of settings that use block-
chain to strengthen the security and privacy of health-care data. The main focus of many of those initiatives has been on audit trails. Blockchain may also lead to more efficient healthcare practices by addressing existing inefficiencies that cause lost time, poorer care, and higher costs.
ACKNOWLEDGMENT I thank Jeff Voas for his contributions to this article.
REFERENCES 1. D. Munro , Data breaches in healthcare totaled over 112
million records in 2015 . 2015 . [Online]. Available: https://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#5a1974687b07
2. F. Bazzoli , FDA, IBM Watson Health to study application of blockchain technology . 2017 . [Online]. Available: https://www.healthdatamanagement.com/news/fda-ibm-watson-health-to-study-application-of-blockchain-technology
3. A. W. Mathews and D. Yadron , Health insurer Anthem hit by hackers . 2015 . [Online]. Available: https://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720
4. J. D. Halamka , A. Lippman , and A. Ekblaw , The potential for blockchain to transform electronic health records . 2017 . [Online]. Available: https://hbr.org/2017/03/the-potential-for-blockchain-to-transform-electronic-health-records
5. P. M. Schwartz and D. J. Solove , “ The PII problem: Privacy and a new concept of personally identifiable information ,” New York Univ. Law Rev. , vol. 86 , pp. 1814 – 1894 , 2011 .
6. H. de Koning , J. P. Verver , J. van den Heuvel , S. Bisgaard , and R. J. Does “ Lean Six Sigma in healthcare ,” J. Healthcare Quality , vol. 28 , no. 2 , pp. 4 – 11 , 2006 .
7. A. Ekblaw , A. Azaria , J. D. Halamka , and A. Lippman , “ A case study for blockchain in healthcare: ‘MedRec’ prototype for electronic health records and medical
research data ,” MIT Media Lab., Beth Israel Deaconess Med. Center , Boston, MA , White Paper, 2016 .
8. The World Bank . ( 2018 ). The role of digital identification for healthcare: The emerging use cases . The World Bank . Washington, D.C . [Online]. Available: http://pubdocs.worldbank.org/en/595741519657604541/DigitalIdentification-HealthcareReportFinal.pdf
9. L. Silverma , How bitcoin technology could securely share medical records among your doctors . 2017 . [Online]. Available: http://keranews.org/post/how-bitcoin-technology-could-securely-share-medical-records-among-your-doctors
10. L. A. Linn and M. B. Koo , Blockchain for health data and its potential use in health IT and healthcare-related research . 2016 . [Online]. Available: https:/www.healthit.gov/sites/default/files/11-74-ablockchainforhealthcare.pdf
NIR KSHETRI is a professor of management at the Bryan School of Business and Economics at the University of North Carolina at Greensboro. Contact him at [email protected] .
The #1 AI Magazine www.computer.org/intelligent
IEEE
Cutting Edgestay on the
P U T T I N G A I I N T O P R A C T I C E
IEE
E
January/fEbruary 2016
Also in this issue: aI’s 10 to Watch 56 real-Time Taxi Dispatching 68 from flu Trends to Cybersecurity 84
www.computer.org/intelligent
IEEE Ja
nu
ary/FEBru
ary 2016
On
line B
ehA
viO
rA
l An
Aly
sis VO
LuM
E 31 nu
MBEr 1
IS-31-01-C1 Cover-1 January 11, 2016 6:06 PM
IEEE Intelligent Systems provides peer-
reviewed, cutting-edge articles on the
theory and applications of systems
that perceive, reason, learn, and
act intelligently.
of Artificial Intelligence
Evolving Career Opportunities Need Your SkillsExplore new options—upload your resume today
Changes in the marketplace shift demands for vital skills and talent. The IEEE Computer Society Jobs Board is a valuable resource tool to keep job seekers up to date on the dynamic career opportunities offered by employers.
Take advantage of these special resources for job seekers:
No matter what your career level, the IEEE Computer Society Jobs Board keeps you connected to workplace trends and exciting career prospects.
JOB ALERTS
CAREER ADVICE
WEBINARSTEMPLATES
RESUMES VIEWED BY TOP EMPLOYERS
www.computer.org/jobs
42 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
O rganizations increasingly share data, cre-dentials, software code, applications, net-works, and infrastructures with “trusted”
supply chain partners. Supply chains can be sources of cyber-vulnerabilities. One estimate has suggested that supply chains account for 80% of all cyber breaches (https://www.industryweek.com/supply -chain/can-t-turn-back-time-cybersecurity-must-be -dealt). Insecure supply chains have fostered well- known cyberattacks.
In a quest to break large organizations’ networks, cyber-criminals may look beyond the first-tier sup-ply chain partners. According to Accenture's Cyber Threatscape Report (2018), hackers have an increased focus on exploiting third- and fourth-party supply chain partners to infiltrate large organizations.1 Another trend has been attacks on hardware products via backdoors and with malware insertion.2
VULNERABILITIES AND EXPLOITSSupply chains are vulnerable and subject to exploita-tion. Table 1 provides examples.
Consider software development. By attacking smaller software providers, hackers have been able to infiltrate larger organizations that rely on software. For example, in a British Airways (BA) case, hackers attacked third-party code that ran payment authoriza-tion by injecting their own malicious code into it. This meant that the hackers did not need to access or pen-etrate BA networks.4 The hackers also obtained CVV numbers, however BA reported that it had not stored the CVV numbers. This suggests that the CVV numbers were intercepted when transactions occurred (https: //www.bbc.com/news/uk-england-london-45440850). According to the cyber security company RiskIQ, the BA hackers employed a “cross-site scripting” attack. In
such attacks, criminals exploit a third-party website to launch cyberattacks against other entities.
Nation-states can also exploit supply chains for spying. For example, according to the cybersecurity company Area 1, several nations may have collabo-rated to launch a cyberattack on the Saudi oil company Aramco in 2017 (https://foreignpolicy.com/2017/12/21 /cyber-at t ack-t ar get s-safet y-system -at-saudi -aramco/).
CHALLENGESChallenges exist in securing supply chains. For example, companies may assign a lower priority to supply chain risks than other types of risks. A survey conducted among the members of Consumer Packaged Goods Vertical Strategy Group revealed that while 100% of the respondents assessed IT risks, only 75% assessed supply chain risks. Likewise, only 75% considered min-imizing supply chain cyber risks as a third-party risk management goal.3 Furthermore, although most orga-nizations conduct annual risk assessments, those may be insufficient to deal with the challenges fac-ing supply chains (https://thehill.com/blogs/congress -blog/technolog y/403958-washington-to-finally -focus-on-threat-to-supply-chain-risk).
Trust in any supply chain is a complex problem that is hard to measure and achieve. Supply chains of large organizations are often complicated and involve large numbers of partners and products. For example, one cybersecurity firm noted that one of its client's supply chains involved more than 5000 com-panies (https://finfeed.com/small-caps/technology /british-airways-data-breach-throws-whitehawks-us -government-contract-into-light/). Thus, it is challeng-ing to monitor supply chains with so many stakehold-ers involved, and particularly in real-time. A survey found that 72% of companies lacked full visibility into their supply chains.4
While the problem has been recognized since the 1970s, the severity of this issue is compounded
Digital Object Identifier 10.1109/MITP.2019.2895423 Date of current version 27 March 2019.
COLUMN: IT TRENDS
Supply Chain TrustNir Kshetri, University of North Carolina at Greensboro
Jeffrey Voas, Fellow, IEEE
This article originally appeared in
vol. 21, no. 2, 2019
www.computer.org/computingedge 43
IT TRENDS
by the rapid internationalization of technology and the global division of labor (https://krebsonsecurity .com/2018/10/supply-chain-security-101-an-experts -view/). Simply blocking foreign companies from being dominant suppliers may not be effective. For example, China controls of a large proportion of the global supply chain yet offers no guarantee that their products have security built-in since the designs of those products may occur in other countries (https: //www.nytimes.com/2018/10/12/technology/the-week -in-tech-fears-of-the-supply-chain-in-china.html).
In some countries, electronic components pro-duced in those countries are sold by various “white label” firms. If security flaws are identified in com-ponents that were “white labeled,” it may be difficult to know which companies white-labelled a specific component, and it will be difficult to inform consum-ers about these flaws. In another scenario, when a security hole is found in a specific vendor product, that vendor may simply go out of business and restart under a different name (https://krebsonsecurity.com /2 0 18/ 10/s up p l y - c ha in - s e c ur i t y - i s -t h e - w h o l e -enchilada-but-whos-willing-to-pay-for-it/). And when white-labeling occurs, the original manufacturer may have little incentive to increase trust in their products beyond what the rebranding companies require.
Another problem is related to the lack of regula-tory and enforcement mechanisms. Some govern-ment methods for monitoring supply chain trust focus more on preventing counterfeit products than on espionage activities (https://www.techrepublic .com/article/5-tips-to-secure-your-supply-chain -from-cyberattacks/).
And finally, consumers are often more interested in price and functionality. Increased security often makes devices slower and more expensive. Moreover, security flaws may not directly affect device own-ers but affect others. Even if owners know that their devices are being used to launch cyberattacks, the end-victims are often unknown. Manufacturers have few incentives to make securer devices until custom-ers demand it.
POSSIBLE APPROACHESTable 2 presents four potential avenues for enhancing supply chain security and trust.
GovernmentsRegulatory measures are one approach intended to increase supply chain trust. Efforts to do this have already been undertaken. In September 2018, the Trump Administration released a National Cybersecu-rity Strategy that requires federal agencies to invest in more secure supply chain technologies (Feldman, 2018).5
There have also been attempts to introduce for-mal legislation to increase trust in supply chains. In September 2018, the U.S. Senate Homeland Security and Governmental Affairs Committee approved the Federal Acquisition Supply Chain Security Act. The Act is intended to improve information sharing within the intelligence community. It also estab-lishes an inter-agency process to exclude companies from contracting with the federal government if it deemed that they may pose threats to the federal supply chain.6
Supply chain partner compromisedEffectReported inOrganization
Flaws in the enterprise platform (h�ps://www.wired.com/story/equifax-breach-no-excuse/) that collected website performancedata and served malicious content (h�p://www.latimes.com/business/la-fi-equifax-social-security-numbers-20171012-story.html).
40 million creditand debit-cardaccounts and 70million people.
40 000 U.K. users
380 000 customers
143 million people2017
September 2018
Early 2018
December 2013
Equifax
British Airways
Ticketmaster
Target Started with stealing credentials of Target’s HVAC vendor (h�ps://www.csoonline.com/article/2601021/security0/11-steps-a�ackers-took-to-crack-target.html). The hackers then used the stolen cre-dentials to gain access to Target-hosted web services that werededicated to vendors.
Customer-service chatbot supplied by a third-party (h�ps://www.bbc.co.uk/news/technology-44642567).
Third-party so�ware code used to run payment authorization.
TABLE 1. Examples of cyberattacks involving supply chain partners.
44 ComputingEdge August 2020
IT TRENDS
Government agencies have also taken steps to increase awareness of supply chain risks by provid-ing guidelines to strengthen security. In 2013, the U.S. Department of Homeland Security (DHS) released guidelines that outline device manufacturers’ roles and obligations related to IoT security. DHS urged companies producing IoT products to “build security in” at the design phase.
Government stakeholders can also consider teaming with private sector stakeholders to monitor vulnerabilities and share relevant information. This could lead to greater awareness and recognition of supply chain cyber-threats (https://www.weforum .org/agenda/2018/06/managing-risk-in-the-energy -sector-s-cyber-supply-chain). A recent report by MITRE on securing the U.S. Pentagon's cyber supply chain recommended the establishment of a National Supply Chain Intelligence Center. The report recom-mended that the Center be co-led by civilian and military agencies (Https://Advance.lexis.com/api /document?collection=news&id=urn:contentItem :5TG6-7771-JBHM-S2HW-00000-00&context=1516831).
Industry and Trade AssociationsIndustry groups and trade associations may also be able to play a role here.
One is an example of this occurred in January 2017; a group including Cisco, Bosch, Bank of New York Mel-lon, Foxconn, Dutch cybersecurity company Gemalto, and other blockchain startups came together to
develop a team that plans to establish blockchain pro-tocols for IoT devices, applications, and networks (bit.ly /2kNtm7w).
Note that blockchain has the potential to strengthen supply chain trust. Blockchain can facilitate the handling and dealing with crisis situations such as product recalls. Blockchain's public transparency offers traceability allowing for a backward trace to the origin of a final product's raw materials. Furthermore, transactions recorded in blocks might be able to pre-dict and identify the end-users of vulnerable products.
The reason that blockchain holds promise here is that the blocks can register the time of transaction, the location of transaction, price, parties involved, and other information as an item changes ownership and moves through a workflow or manufacturing process. Blockchain's distributed ledger technology can also track raw materials as they move through a supply chain over time. Blockchain can also register updates, patches, and part replacements applied to end-products throughout their lifetime. This offers tracking of vulnerabilities and notifications for end-users.
MANUFACTURERS AND SERVICE PROVIDERS
Manufacturers and service providers can lever-age their buying power to strengthen trust in supply chains. How? They can evaluate the security practices of supply chain partners and insist that applicable
Examples/RemarksMechanismsLevel
National/state Increasing investment in technological andhuman capabilities.Introducing formal legislation tosecure supply chains.Increasing awareness of supply chain risks andproviding guidelines to strengthen security.
The U.S.: National Cybersecurity Strategy requires federalagencies to invest more in secure supply chain technologies.The Federal Acquisition Supply Chain Security Act. DHSguidelines that outline device manufacturers’ roles andobligations surrounding IoT security.
Industry group/trade association
Fill the regulatory vacuum.Resource and expertise advantages.
Diverse networking, engineering, financial, electronics,cybersecurity, and blockchain businesses team to developblockchain functionality to improve supply chain trust.
Manufacturersand serviceproviders
Ensure that supply chain partners follow securitystandards. Continuously monitor supply chaincyber risks.Develop and implement new ways to assessand deal with supply chain risks.
Purchasing power.
Organizations employ Cyber Risk Frameworks to identifyrisks associated with sub-contractors.
Consumers Changing consumer mindset to require vendors to followresponsible security practices.
TABLE 2. Possible measures at various levels to secure supply chains.
www.computer.org/computingedge 45
IT TRENDS
security standards are followed. Furthermore, com-pliance can sometimes be mandated through con-tracts (https://www.cbronline.com/solutions/us - organisations-not-battle-ready-in-war-against -cybercrime-4280918/), however, determination of compliance is often elusive.
Manufacturers and service providers may also consider developing new ways to assess and mitigate supply chain risks. For example, artificial intelligence and machine learning may be able to fight specific types of malware attacks in software supply chains. Over time, such tools “learn” to detect unusual patterns in various supply chain environ-ments (http://www.cioandleader.com/article/2018 /02/22/india-invest-heavily-ai-based-tools-counter -cyber-attacks-cisco). IBM's AI platform, Watson, is being used to provide predictive analytics to minimize disruptions and risks (https://www.forbes .com/sites/andrewarnold/2018/05/26/how -the -internet-of-things-impacts-supply-chain/).
Solutions that focus on risks associated with sup-ply chain partners, subcontractors, and vendors can also be employed. WhiteHawk's 360 Risk Framework evaluates software vendors and service providers. The first customer of WhiteHawk's product was a U.S.-based financial institution whose goal was to identify the institution's exposure to cybersecurity risks induced by its 50 most important subcontractors. The identified subcontractors were expected to address their cyber risks (https://finfeed.com/small-caps /technology/whitehawk-wins-us325k-first-sale-cyber -risk-product/).
And finally, it may be useful to contract for the external services that will continuously monitor the cyber risks associated with third-party vendors (https: //threatpost.com/five-weakest-links-in-cybersecurity -that-target-the-supply-chain/137453/). Realize that if only an annual risk assessment is performed, security problems may be discovered too late for mitigation and after damage occurs. More frequent assessments should provide a fuller picture of supply chain risks so that more timely mitigation measures can be applied.
CONSUMERSConsumer buying power can also be leveraged to strengthen supply chain trust. For instance, con-sumers could add pressure to manufacturers to
incorporate security “best practices” into develop-ment life cycles. If consumers demanded more secure products and services, manufacturers might be more likely to source their components from contractors with known and demonstrated levels of security.
An encouraging trend here involves consumer mindset. Recent surveys have suggested that con-sumers expect businesses to follow responsible security practices. According to the RSA Data Privacy & Security Report that was based on a survey of 7500 consumers in France, Germany, Italy, the UK and the U.S., 62% of the respondents said that they would blame the company, not the hacker, if their data is breached.7 Likewise, a survey of 1000 U.K. consum-ers commissioned by FireEye indicated that 72% of consumers would stop purchasing from a company if a security breach was found to be linked to the com-pany's failure to prioritize security and privacy (http: //www.itproportal.com/2016/05/11/high-profile-data -breaches-affecting-consumer-trust-in-big-brands/).
SUMMARYSupply chains are increasingly vulnerable and threat-ened. Trust in supply chains is a difficult proposition. Adversaries can inject malware and other malicious defects anytime during manufacturing and design. And it is hard to assess trust for international sup-ply chains.
The problem of trusting supply chains is unlikely to go away soon. It is an analogous problem to that of drug smuggling—smugglers continue to find new ways to hide their illegal products during transport while law enforcement tries to catch up.
So, in closing, let us revisit our title: Supply Chain Trust, a topic that is both timely and timeless. Is trust here possible? “Yes,” but with caveats, and probably many.
DISCLAIMERThe authors are completely responsible for the con-tent in this paper. The opinions expressed here are completely their own.
REFERENCES1. J. Ray et al., “Cyber threatscape report 2018,” 2018.
Available: https://www.accenture.com/gb-en/insights /security/cyber-threatscape-report-2018
46 ComputingEdge August 2020
IT TRENDS
2. L. Newman , “ There’s no good fix if the supply chain gets hacked ,” 2018 . Available: https://www.wired.com/story/supply-chain-hacks-cybersecurity-worst-case-scenario/
3. PCU , “ Consumer packaged goods sector needs decisive, unified action in the face of third party risks ,” Plus Company Updates(PCU), Oct. 3, 2018 . Available: https://advance.lexis.com/api/document?collection = news&id = urn:contentItem:5TD9-23N1-J9XT-P0J4-00000-00&context=1516831
4. P. Myerson , “ Can’t turn back time: Cybersecurity must be dealt with ,” Ind. Week , Jan. 2017 . Available: https://www.industryweek.com/supply-chain/can-t-turn-back-time-cybersecurity-must-be-dealt
5. V. Feldman , “ Trump administration moves to address cybersecurity concerns, congress funds cyber pro-grams ,” 2018 ; Nat. Law Rev. , Retrieved from Nexis Uni.
6. “Senate Panel Clears Supply-Chain Bill Intended To ‘Bridge’ Gaps With DOD, ” Inside Pentagon , Oct. 4,
2018 . Available: https://advance.lexis.com/api/document?collection=news&id=urn:contentItem:5TDG-6NR1-DY0P-G376-00000-00&context=1516831
7. M. Nadeau , “ General data protection regulation (GDPR) requirements, deadlines and facts ,” 2018 . Available: https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
NIR KSHETRI is a Professor of management with the Bryan School of Business and Economics, the University of North Carolina at Greensboro, Greensboro, NC, USA. Contact him at [email protected] .
JEFFREY VOAS was a Cofounder of Cigital, is Computer ’s Cybertrust column editor, and is an IEEE Fellow. Contact him at [email protected] .
IEEE Computer Graphics and Applications bridges the theory and practice of computer graphics. Subscribe to CG&A and
• stay current on the latest tools and applications and gain invaluable practical and research knowledge,
• discover cutting-edge applications and learn more about the latest techniques, and
• benefit from CG&A’s active and connected editorial board.
September/October 2016
IEEE CO
MPU
TER G
RA
PHIC
S AN
D A
PPLICAT
ION
S Sep
temb
er/Octo
ber 2
016
Spo
rts Data V
isualizatio
n
VO
LUM
E 36 N
UM
BER 5
c1.indd 1 8/22/16 2:59 PM
November/December 2016
IEEE CO
MPU
TER G
RA
PHIC
S AN
D A
PPLICAT
ION
S N
ovem
ber/D
ecemb
er 2016
D
efense A
pp
lication
s V
OLU
ME 3
6 N
UM
BER 6
DefenseApplications
c1.indd 1 10/24/16 3:44 PM
January/February 2017
IEEE CO
MPU
TER G
RA
PHIC
S AN
D A
PPLICAT
ION
S Jan
uary/Feb
ruary 2
017
Water, Sky, an
d th
e Hu
man
Elemen
t V
OLU
ME 37
NU
MB
ER 1
c1.indd 1 12/14/16 12:21 PM
July/August 2016
IEEE CO
MPU
TER G
RA
PHIC
S AN
D A
PPLICAT
ION
S Ju
ly/Au
gu
st 2016
Q
uality A
ssessmen
t and
Perceptio
n in
Co
mp
uter G
raph
ics V
OLU
ME 3
6 N
UM
BER 4
Quality Assessment
andPerceptionin Computer Graphics
c1.indd 1 6/22/16 1:20 PM AAAAAAAAAAAAAAAAAA&&&&&&&&&&&&&&&&&&&&&&GGGGGGGGGGGGGGGGGGGGGGCCCCCCCCCCCCwww.computer.org/cga
IEEE INTERNATIONAL SYMPOSIUM ON HARDWARE -ORIENTED SECURITY AND TRUST
REGISTER NOW
!
REGISTER NOW: www.hostsymposium.org
6–9 Dec. 2020 • San Jose, CA, USA • DoubleTree by Hilton
Join dedicated professionals at the IEEE International Symposium on Hardware Oriented Security and Trust (HOST) for an in-depth look into hardware-based security research and development.
Key Topics:
• Semiconductor design, test and failure analysis
• Computer architecture• Systems security
• Cryptography and cryptanalysis
• Imaging and microscopy
Discover innovations from outside your sphere of infl uence at HOST. Learn about new research that is critical to your future projects. Meet face-to-face with researchers and experts for inspiration, solutions, and practical ideas you can put to use immediately.
6–9 Dec. 2020 • San Jose, CA
HOST2020
48 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
EDITOR: Mik Kersten, Tasktop, [email protected]
DEPARTMENT: ON DEVOPS
To Transform to Have Agility, Don’t Do a Capital A, Capital T Agile TransformationJonathan Smart
H istorically, in large, old, complex organiza-tions (the horses rather than the unicorns) that have adopted agile and DevOps princi-
ples and practices, the adoption has been at the team level. From my experience of delivering software with agile principles since the early 1990s, these “islands of agile” most often arise despite the firm, not because of the firm, owing to employees with a growth mind-set willing to take a personal risk.
The agile islands are a local optimization in the end-to-end value stream. A 90 percent reduction in a development team’s lead time might have a negli-gible impact on the time from when customer needs are identified to when those needs are met. Look to the right, the constraint could be IT operations staff, who are incentivized to protect uptime, batching up change. Look to the left, the constraint is the portfolio management and funding black hole, with an annual
cycle. Look up, there’s a command-and-control leader-ship style, with low levels of psychological safety. Look around, other teams aren’t agile and dependencies aren’t broken, such that the end-to-end lead time for customer value doesn’t decrease.
As of 2017, only 10 percent of Fortune 500 compa-nies from 1955 were still in the Fortune 500.1 At the cur-rent churn rate of the S&P 500, half of the firms will be replaced over the next 10 years.2 Tectonic shifts in the competitive landscape are occurring owing to
› cloud computing; › mobile devices’ prevalence and capabilities; › increased communication bandwidth and
information transparency; › increased venture capital funding chasing a
return, owing to historically low interest rates and volatility;
This article originally appeared in
vol. 35, no. 6, 2018
FROM THE EDITOR
The concept of “flow” is a common thread in DevOps. In a previous On DevOps article (“Modular Archi-tectures Make You Agile in the Long Run,” Jan./Feb. 2018, pp. 104–108), Dan Sturtevant summarized how our thinking about software architecture needs to change to support flow. But software architecture alone isn’t enough. If we’re going to take a holistic view of DevOps and agile development, we need to consider how the organization and business need to change. This is easy to consider on a small scale but is an entirely different problem when an organization has tens of thousands of IT staff. Consequently, few people have the experience of implementing flow at scale. Jon Smart, Head of Ways of Working at Barclays, is a rare exception and one of the best thinkers I know on this topic. Here, he shares his experi-ences on how to shift our perspective on organizational transformation and objectives to take DevOps’ benefits from the small scale of startups and “unicorns” to the massively more complex scale of enter-prise IT. —Mik Kersten
www.computer.org/computingedge 49
ON DEVOPS
› government regulation increasing competition; and
› increased competition from nontraditional born-agile competitors.
These shifts are leading companies to realize that a business-as-usual approach won’t result in business as usual.
In recent years, enterprise-wide DevOps and agile at scale have surged. Compared to nearly 30 years of “lightweight methodologies” for team-level software development, this is a new field. DevOps emerged as a term in 2009, with scaled agile frameworks com-ing out comparatively recently: SAFe (Scaled Agile Framework) in 2011, Disciplined Agile in 2012, and LeSS (Large-Scale Scrum) in 2013. However, relatively little research is available about these frameworks’ effec-tiveness in practice, especially on an enterprise scale.
Here, I share lessons learned from being a servant leader for agility at scale across Barclays since 2015. Barclays is a global financial-services firm, with 80,000 employees in 40 countries, founded in 1690 in the City of London. Every day Barclays processes the equiva-lent of one-third of the UK’s annual GDP—approxi-mately £600 billion. Barclays meets a financial need of almost 50 percent of UK adults and operates in a highly regulated industry.
Context is key; the context here is large, old,
complex, not born-agile organizations with many diverse product offerings, colleagues, and custom-ers, used to working in a traditional way. Reinventing organizations with legacy and complexity as we enter the digital revolution is a difficult and interesting challenge in which only the most adaptable will sur-vive. On the basis of my experience, here are the main antipatterns related to scaling agility and DevOps, paired with the patterns that have helped us succeed at Barclays’ scale.
ANTIPATTERN 1: DOING A CAPITAL A, CAPITAL T AGILE TRANSFORMATION
A capital A, capital T Agile Transformation, from an employee’s perspective, implies involuntary, manda-tory change being done to you, whether you like it or not. The capital T denotes that you must change; the capital A denotes exactly how you’ll change. This pro-vokes fear and resistance for many reasons,3 includ-ing the fear for your survival, which in turn leads to less rational thought as the primitive brain takes over.4
Dan Pink posited three key drivers of motivation: autonomy, purpose, and mastery.5 In this antipattern, two of those drivers—autonomy and mastery—have been taken away. If the “why” isn’t well articulated, meaningful purpose is also removed, eliminating all three key drivers.
ShockSurpriseor shockat the event
Mor
al &
com
pete
nce
Time
DenialDisbelief;looking forevidence thatit is’t true
FrustrationRecognitionthat thingsare different;sometimesangry
DepressionLow mood;lacking inenergy
ExperimentInitialengagementwith newsituation
DecisionLearning howto work in thenew situation;feeling morepositive
IntegrationChangesintegrated;a renewedindividual
FIGURE 1. The Kübler-Ross curve.8 The behaviors during grief also hold true in the context of corporate change.
50 ComputingEdge August 2020
ON DEVOPS
PATTERN 1: START WITH “WHY,” AND FOCUS ON OUTCOMES
As Simon Sinek articulated, start with “why.”6 There should be a clear, well-communicated “why” of the need to change. The “why” should be more than prof-itability, shareholder returns, or stock price. In “The Irrational Side of Change Management,” Carolyn Aiken and Scott Keller stated,
What the leader cares about (and typically bases at least 80 percent of his or her message to others on) does not tap into roughly 80 percent of the workforce’s primary motivators.7
This research shows that employees are most motivated by a purpose that’s split equally across five forms of impact: society, the customer, the company, the team, and the individual.
From the “why,” identify high-level, thematic desired outcomes, rather than agile for agile’s sake. For us, the desired outcomes are described as Better, Value, Sooner, Safer, and Happier, each of which is measurable.
ANTIPATTERN 2: THE BIGGER THE CAPITAL T, THE BIGGER THE CHANGE CURVE
The Kübler-Ross Curve (see Figure 1) originated from psychiatrist Elisabeth Kübler-Ross’s work on grief. We’ve repeatedly observed these behaviors to hold true in the context of change, via feedback from employee surveys.
The bigger the capital T Transformation, the bigger the change curve. If embarking on one large Transfor-mation, expect a deep dip in the curve. Such a trans-formation doesn’t apply an agile mind-set to increase organizational agility. It will make the journey more challenging, with more denial, frustration, and anger. The change stands a higher chance of cultural rejec-tion, with more ammunition for those averse to change.
PATTERN 2: ACHIEVE BIG THROUGH SMALL
Instead of a big-bang transformation, with one big dip in the curve, achieve a big outcome through early, fre-quent, and small slices of value. Pursue evolutionary and continuous transformation aligned to outcomes,
linking together a series of smaller change curves. Start in areas that are naturally receptive. The dips aren’t as deep, the learning comes quicker, there’s less risk, and the champions, who have been trying to do this despite the firm in the past, are best placed to beat a path through the organizational jungle.
ANTIPATTERN 3: ONE SIZE FITS ALLOften combined with the previous antipatterns is the imposition of a one-size-fits-all approach across an organization. Large, old organizations are heteroge-neous, not homogeneous. A one-size-fits-all approach won’t maximize the desired outcomes. Scaling is about complexity, diversity, and building a learning and con-tinuous improvement (CI) capability.
With many unique contexts, the practices should differ:
Principles + Context = Practices9
PATTERN 3: FOCUS ON THE OUT-COMES, WITH AN EMPOWERED AND FEDERATED MODEL
Each area has autonomy and is empowered via a fed-erated model to improve on the desired outcomes as it sees fit, with fast feedback supported by training, coaching, and data. The context, culture, history, start-ing point, and impediments are unique. There’s no sil-ver bullet. People are more likely to accept change if they have autonomy and empowerment to figure out the “how” for themselves, building mastery in the pro-cess.5 There should be a small “center of enablement” team that provides servant leadership, coordination, and sharing and owns the resolution of impediments that span business units.
A few areas exist that share a common approach, to ensure organizational consistency. This includes consistent role names (e.g., Product Owner, Agile Team Lead, and Architecture Owner), a consistent target-state organizational-design model, and, espe-cially for regulated firms, a consistent lifecycle that supports continuous delivery.
ANTIPATTERN 4: TRANSFORMATION TREATED AS A PROJECT WITH AN END DATE
A capital T Transformation is launched with fanfare and an initiative name, articulated as a program with
www.computer.org/computingedge 51
ON DEVOPS
an end date, at which the transformation will be done. There’s a significant investment, with significant sav-ings predicted, which further fuels the capital T in Transformation with the need to do more, faster.
PATTERN 4: TRANSFORMATION IS CONTINUOUS
For organizational agility, there is no end date. Trans-formation is never done; it’s a constant process of learning, retrospection, experimentation, and improve-ment. The environment in which organizations oper-ate changes constantly, more quickly and unpredict-ably than ever. Progress is tracked via measures in line with the overall desired outcomes. The goals are to be the best at being better and become a learning organization.
ANTIPATTERN 5: LEADERS SAY, “TELL ME WHEN IT’S DONE”
Leaders have initiated an agile transformation, and the behavior observed is “tell me when it’s done,” with arms metaphorically crossed and little or no change in the leader’s or leadership team’s behavior.
As Frederic Laloux commented,
The level of consciousness of an organization cannot exceed the level of consciousness of its leader.10
PATTERN 5: LEADERS GO FIRSTTransformational leadership is a critical factor for suc-cessful ongoing continuous transformations. The 2017 State of DevOps Report showed that teams with the least transformative leaders were half as likely to exhibit high IT performance.11
Leadership can’t be outsourced. It can be sup-ported with coaching, training, and advice to shortcut learning. The first team to adopt continuous transfor-mation should be the leadership team, role-modeling the desired behaviors.
ANTIPATTERN 6: MIDDLE MANAGEMENT HAS NO ROLE
A common antipattern is when middle management, also called the “Frozen Middle,” has no clear role to play in the continuous transformation.12
Middle management not only has a hard job of delivering complex change and keeping stakeholders
happy but also now needs to change the way of work-ing at the same time, to a way it hasn’t experienced before. This can be deeply unsettling. Not only am I flying the plane through storms, with expectations on the landing time, I’m also now being asked to both fly it differently and upgrade the plane mid-flight.
PATTERN 6: MIDDLE MANAGEMENT HAS AN EXPLICIT ROLE
Middle management, as well as leaders, needs an explicit role in the continuous transformation. That role is being a coach, trainer, and teacher to one or more mentees, as per the Toyota Improvement Kata:
The primary task of Toyota’s managers and leaders does not revolve around improvement per se, but around increasing the improvement capability of people.13
This gives leaders at all levels a role to play that’s built into the daily work rather than simultaneously being classroom based and empowering the mentee.
ANTIPATTERN 7: NOT INSTITUTIONALIZING THE CHANGE
As John Kotter observed, one antipattern is the failure to institutionalize the change.12 This is manifested in not tackling systemic or behavioral norms in the orga-nization, such that as soon as a key leader who’s cham-pioning the change moves on, the organization snaps back to how it used to be with surprising speed.
According to Accelerating Performance, organiza-tions take five years to move up one performance sec-tor and only 18 months to slip back again.14
PATTERN 7: INSTITUTIONALIZE THE CHANGE
For large, old, bureaucratic, complex organizations, especially regulated ones, driving change through offi-cial standards can be effective. We’ve rewritten inter-nal standards and the product development lifecycle to embed desired behaviors, such as continuous deliv-ery, long-lived products, and a focus on outcomes over output.
This isn’t scary or intimidating; the “A word” isn’t being used. Internal audits are your friend; they help to independently verify that the standards are imple-mented and driving the right outcomes.
52 ComputingEdge August 2020
ON DEVOPS
ANTIPATTERN 8: MEASURING NOTHING OR THE WRONG THINGS
There are five easy ways to reduce the likelihood of a transformation’s success via the inappropriate use of metrics. First, don’t take a data-driven approach. Second, focus on team-level metrics (such as veloc-ity or the “say–do ratio”) and weaponize them. Third, measure just one thing, such that it’s achieved at the expense of other things (for example, measuring flow at the expense of quality). Fourth, measure the work-ers, not the work system, aiming for busy people. Finally, align top-down targets with anything other than outcomes.
PATTERN 8: MEASURE THE DESIRED OUTCOMES
Take a data-driven approach, with measures that are in line with the desired outcomes (for example, flow, inci-dents, and the colleague and customer Net Promoter Score). Make this data transparent to all, showing the trend over time.
Focus on the work, not the workers
The biggest issues will be where the work isn’t—that is, the big wait times due to handoffs and depen-dencies. Measure the flow efficiency in the value stream. In our experience, and anecdotally from other large companies, work typically is being worked on only 10 percent of the time between when it starts and when it reaches the customer’s hands.
ANTIPATTERN 9: NOT PRIORITIZING TECHNICAL EXCELLENCE
The 2017 State of DevOps Report showed that the gap between high- and low-performing organizations is closing regarding deployment frequency and lead time.11 However, the gap is widening for the change failure rate and mean time to recovery. This implies that the low-performing teams are working to improve speed but aren’t sufficiently prioritizing technical excellence or building quality into the process.
PATTERN 9: PRIORITIZE TECHNICAL EXCELLENCE
Along with adopting agile ways of working and reduc-ing lead time, it’s equally important to prioritize
investment in automation and the shifting left of qual-ity (that is, incorporating testing early during devel-opment), with test-first development and high levels of automation. Tests, code quality analysis, and secu-rity scanning are built into the CI pipeline, with the assembly line stopping when an issue arises. Quality becomes part of everyone’s job.
So, here are the takeaways from this article:
› Have a compelling “why.” › Focus on outcomes, not agile for agile’s sake. › Achieve big through small. › Foster autonomy, purpose, and mastery with
psychological safety. › Don’t take a one-size-fits-all approach. › Pursue continuous transformation and CI. › Leaders go first. › Give middle management a role. › Institutionalize the change. › Measure the desired outcomes. › Prioritize technical excellence.
In short, apply an agile mind-set to the rollout of agility, and treat it as a tool in the toolbox to achieve desired organizational outcomes. Approach con-tinuous transformation as a capability to be nurtured rather than as a project with a silver-bullet solution. Be the best at being better.
REFERENCES1. M.J. Perry, “Fortune 500 Firms 1955 v. 2017: Only 60
Remain, Thanks to the Creative Destruction That Fuels Economic Prosperity,” Am. Enterprise Inst., 20 Oct. 2017; http://www.aei.org/publication/fortune-500 -firms-1955-v-2017-only-12-remain-thanks-to-the -creative-destruction-that-fuels-economic-prosperity.
2. S.D. Anthony, S.P. Viguerie, and A. Waldeck, Corporate Longevity: Turbulence Ahead for Large Organizations, Innosight, 2016; https://www.innosight.com/wp -content/uploads/2016/08/Corporate-Longevity-2016 -Final.pdf.
3. R.M. Kanter, “Ten Reasons People Resist Change,” Harvard Business Rev., 25 Sept. 2012; https://hbr.org /2012/09/ten-reasons-people-resist-chang.
4. R. Maurer, One Small Step Can Change Your Life: The Kaizen Way, Workman, 2014.
www.computer.org/computingedge 53
ON DEVOPS
5. D.H. Pink, Drive: The Surprising Truth about What Motivates Us, Riverhead Books, 2009.
6. S. Sinek, “Start with Why,” TED Talk, Sept. 2009; https: //www.ted.com/talks/simon_sinek_how_great _leaders_inspire_action.
7. C. Aiken and S. Keller, “The Irrational Side of Change Management,” McKinsey Q., Apr. 2009; https: //www.mckinsey.com/business-functions /organization/our-insights/the-irrational-side-of -change-management.
8. Anastasia, “Understanding the Kubler-Ross Curve,” Cleverism, 24 June 2015; https://www.cleverism.com /understanding-kubler-ross-change-curve.
9. D. North, “Kicking the Complexity Habit,” 2014; http: //gotocon.com/dl/goto-chicago-2014/slides/DanNorth _KickingTheComplexityHabit.pdf.
10. F. Laloux, Reinventing Organizations, Nelson Parker, 2014.
11. N. Forsgren et al., 2017 State of DevOps Report, Puppet, 2017; https://puppet.com/resources/whitepaper/state -of-devops-report.
12. J.P. Kotter, Leading Change, Harvard Business Rev. Press, 2012.
13. M. Rother, Toyota Kata: Managing People for Improvement, Adaptiveness, and Superior Results, McGraw-Hill, 2009, p. 186.
14. C Price and S. Toye, Accelerating Performance: How Organizations Can Mobilize, Execute, and Transform with Agility, 2017, John Wiley & Sons.
JONATHAN SMART is Head of Ways of Work-ing at Barclays. Contact him through https://www.linkedin.com/in/jonathansmart.
Advertising Coordinator
Debbie SimsEmail: [email protected]: +1 714-816-2138 | Fax: +1 714-821-4010
Advertising Sales Contacts
Mid-Atlantic US:Dawn ScodaEmail: [email protected]: +1 732-772-0160Cell: +1 732-685-6068 | Fax: +1 732-772-0164
Southwest US, California:Mike HughesEmail: [email protected]: +1 805-208-5882
Northeast, Europe, the Middle East and Africa:David Schissler Email: [email protected]: +1 508-394-4026
Central US, Northwest US, Southeast US, Asia/Pacific:Eric Kincaid Email: [email protected]: +1 214-553-8513 | Fax: +1 888-886-8599Cell: +1 214-673-3742
Midwest US: Dave JonesEmail: [email protected]: +1 708-442-5633 Fax: +1 888-886-8599Cell: +1 708-624-9901
Jobs Board (West Coast and Asia), Classified Line Ads
Heather BounadiesEmail: [email protected]: +1 623-233-6575
Jobs Board (East Coast and Europe), SE Radio Podcast
Marie ThompsonEmail: [email protected]: +1 714-813-5094
ADVERTISER INFORMATION
54 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
EDITOR: Christof Ebert, Vector Consulting Services, [email protected]
DEPARTMENT: SOFTWARE TECHNOLOGY
Enterprise ArchitectureRicardo Perez-Castillo, Francisco Ruiz, Mario Piattini, and Christof Ebert
Enterprise Architecture (EA) allows companies to proactively assess and adjust policies and systems to achieve target business goals
that monetize relevant business disruptions. The notion and modeling technologies of EA originally stem from the 1980s. With growing digital transfor-mation needs, today EA is widely used in industry as a technology-driven, continuous-change process for companies and our entire society.1 It allows companies to model IT and thus evaluate change needs, including traditional IT, business processes, cloud services, and distributed embedded systems. Therefore, it facili-tates the growing needs of converging systems, such as IT services and distributed embedded systems, as in automotive electronics.6
EA is a coherent set of principles, methods, and models used in designing and comprehending the structure of a company, including their business pro-cesses, information systems, and IT infrastructure.2
It aligns business and the IT landscape in companies concurrently by managing the increasing system complexity. EA management (EAM) provides a way to holistically understand any system’s fundamental
organization through all embodied elements, such as people and their motivations, processes, services, applications, IT resources, and so forth. In this way, EA increases IT efficiency while continuing business innovation.
EA FRAMEWORKS AND MODELING LANGUAGES
Several EA frameworks and standards have recently emerged and achieved relevance. TOGAF3 has been widely adopted in the market—currently 80% of Global 50 companies and 60% of Fortune 500 compa-nies employ it—so it can be considered the de facto standard. TOGAF provides the architecture develop-ment method (ADM), which is a methodology for the iterative development of EA. Aside from the TOGAF framework, The Open Group released ArchiMate,4 a modeling language that represents different archi-tectural information; see “Example of the ArchiMate Model.” It allows EA modeling from different view-points, in which the position within the cells in Figure 1 highlights the stakeholders’ concerns. ArchiMate considers two dimensions: layers and aspects. Core layers represent the three levels at which it is pos-sible to model an enterprise in ArchiMate, i.e., busi-ness, application, and technology. Aspects refers to the active structure, behavior, and passive structure.
This article originally appeared in
vol. 36, no. 4, 2019
FROM THE EDITOR
Digital transformation demands a thorough understanding of technology and impacts. Enterprise archi-tecture (EA) allows companies to model and assess their IT systems, business processes, and distrib-uted services. Authors Ricardo Perez-Castillo, Francisco Ruiz, Mario Piattini, and I dive into EA and state-of-the-practice technologies for EA modeling. As usual, a case study provides direct insight from an ongoing project. I look forward to hearing from both readers and prospective column authors about this column and the technologies you want to know more about. —Christof Ebert
Digital Object Identifier 10.1109/MS.2019.2909329 Date of publication: 18 June 2019
www.computer.org/computingedge 55
SOFTWARE TECHNOLOGY
The full framework in ArchiMate 3 also includes additional layers for strategy, physical and implemen-tation/migration elements, and a fourth aspect with motivational (why) elements.
Apart from TOGAF, other EA frameworks include DoDAF or MODAF (provided as a defense architecture framework by defense agencies) and the Zachman archi-tecture framework, among other proprietary frameworks and model-ing languages used by certain EAM tools or in specific domains.
BENEFITS OF EAMCompanies that implement an EAM can achieve sev-eral benefits,5 which can be classified in benefits for business managers and those for IT practitioners.
Business managers receive the following benefits.
› EAM improves the decision-making process. Since EA models can represent an enterprise’s layers and their elements’ modularly, managers make decisions in the context of a whole rather than an isolated part.
› Agile adaptability occurs because EAM facilitates the knowledge acquisition that is necessary for changing systems and adopting new components. In other words, it is a tool for digital transformation.
› There is business process improvement and reengineering since EAM can be used to improve the operating procedures by modeling and understanding business processes.
› EAM handles the impact of staff turnover. EA models can gather knowledge from the staff and then business solutions from third-party organizations are consistently compliant with the current EA models.
The following benefits are for IT and software (SW) practitioners.
› EAM is a tool for managing complexity. It improves the scoping and coordination of
software and services, as well as information systems projects in general, by depicting interde-pendencies in a usable way. New approaches to address the issue of making software, as DevOps or micro services, have important advantages but the tail of the coin is the increased complex-ity. This is the reason that software development organizations, departments, or teams must increasingly consider EAM.
› EAM can be employed to detect technical resource oversight and, therefore, can identify and remove redundancies.
› EAM controls and shares knowledge modularly. Thus, EA models can be visualized across different levels, which offers different views for different stakeholders according to their concerns while other irrelevant elements are abstracted.
› Since this kind of resources and systems can be aligned to business strategies and are better placed for responsiveness, IT/software visibility improves.
EAM ToolsEAM includes EA modeling, although it is not limited to this activity. EAM also handles the maintenance and continuous improvement of EA models, different kinds of analysis, and a plan for moving forward toward a desired future state of the organization, among other important activities. Companies can address all of these elements because the proliferation of tools
Passive Structure Behavior Active Structure
Business
Application(Information
Systems)
Technology
Business Objects Business ServicesBusiness Processes
Business RolesBusiness Actors
Data Objects App ServicesApp Functions App Components Layers
Aspects
Data StoreOther IT Artifacts
IT ServicesIT Functions
IT SystemsIT and
Network Devices
FIGURE 1. The ArchiMate 3 core framework (adapted from The Open Group4).
56 ComputingEdge August 2020
SOFTWARE TECHNOLOGY
EXAMPLE OF THE ARCHIMATE MODEL
T he following is a real case study. We supported an IT company in establishing DevOps and migrat-
ing their previous enterprise architecture (EA). Figure S1 shows the underlying ArchiMate model to support DevOps in an organization. To address the complexity, which is standard in current software development, EA incorporates the viewpoint mechanism that is based on the divide and conquer principle, which offers each stakeholder only the aspects that are of interest to
their concerns. The top part of Figure S1 shows an ArchiMate 3 model with the architecture to support DevOps in an organization. This model is based on the viewpoint shown at the bottom part of Figure S1, which was devised thinking in a DevOps team, integrating ele-ments of development and operations.
Figure S1 presents relevant elements in every layer of the organization according to those depicted in Figure 1. Notice that the graphical notation of
DevOps Ecosystems
Artifact
InfrastructureFunction
InfrastructureService
InfrastructureInterface
Node
Device
Location
CommunicationPath
NetworkSystemSo�ware
DevOps RoleApplication
FunctionApplicationComponent
Specific Business LogicSW Internally Operated
Any Element ofDevOps Ecosystem
There are alsoaggregation
relationships of eachtype of element
with itself.
Viewpoint
(a)
(b)
View
DevOps Supportto Projects DevOps Platform
DevOps-DevelopmentWeb Portal
AgileProjects
ManagementWiki IDE
Repositoryand Version
ControlCode
AnalysisContinuousIntegratior
Test CasesManagement
TestingAutomatior
BurndownDiagrams
MonitoringReports
DevOpsSupportManager
Selenium
JMeter
TestLink
Jenkins
SonarQube
SVN
Git
SCM-Manager
ECLIPSE
VisualStudio
Confluence
JIRA
JIRAAgile
DevOps: 1 Server Code Analysis
IT Infrastructure for DevOps Ecosystem
FIGURE S1. An example of the ArchiMate model representing DevOps in an organization. (a) The view and (b) corresponding viewpoint. IDE: integrated development environment; SCM: software control management; SVN: subversion.
www.computer.org/computingedge 57
SOFTWARE TECHNOLOGY
covers most of these activities. The following are some common, critical capabilities that must be assessed in any EAM tool.
› Frameworks and standards: EAM tools can support different kinds of frameworks and EA methodologies. Thus, they often provide best-practice workflows to enable rapid deploy-ment and implementation. However, many enterprise architects must implement their own workflows. In addition, it is important to consider the available modeling languages that EAM tools support, as well as the repository metamodel used, to manage all the EA information.
› Modeling: This capability refers to the extent to which the tool allows modeling of all the concepts and elements depicted by the sup-ported frameworks and standards. Usability makes the difference. Additionally, there are two approaches, integration and single point of truth, regarding the information base the EAM modelers use. It depends on whether or not data is collected from a variety of sources.
› Visualization: This refers to efficiently showing adequate information in an acceptable way to the suitable people. An EAM tool should address enterprise cartography challenges, which are based on the following problems that traditional cartography deals with: - representing (map) a real-world object, i.e., an
enterprise in EAM - eliminating irrelevant characteristics of
the mapped object to the purpose, which is essential to represent the enterprise in a relevant and useful manner
- orchestrating the elements of the map to best
convey its message to its audience according to their specific needs and expectations.
› Decision analysis: Models and EA informa-tion analyses are useful for making informed decisions. In this sense, both visualization and collaborative communication capabilities con-tribute to the success of such decision-making processes.
› Administration and configurability: There are two main approaches regarding the functional-ity provided by the tool out of the box: preconfig-ured (EAM solutions) and customization (EAM platforms).
Table 1 collects some of these EAM tools by provid-ing the following: name, frameworks and standards supported, benefits for enterprise architects, stronger points for IT/software practitioners, and pricing infor-mation. The tools collected in Table 1 were selected according to several industrial reports provided by well-known consulting companies (e.g., Gartner or Forrester, among other) and our personal experience using some of these EAM tools, which are presented in alphabetical order.
HINTS FOR IT AND SOFTWARE PRACTITIONERS
EA allows IT and software practitioners to manage the complexity of IS and technologies and to align these systems/technologies with their organization’s strat-egy. Thus, IT and software development teams should integrate people who are skilled and competent for planning and designing EA, as well as for deploying and maintaining it, with an EA profile. This new EA profile for IT/software practitioners should consider the fol-lowing points.
ArchiMate takes many elements from other well-known modeling languages, such as Unified Modeling Language or Business Process Model and Notation (BPMN). It is relevant to note that ArchiMate is not an alternative to UML or BPMN but an umbrella to integrate UML, BPMN, and any other kind of specific
model. For instance, BPMN is the language suit-able to represent the internal details (white box) of processes while ArchiMate has been considered to represent the things around each process (black box), expressed in relationships with roles, services, organizational structures, strategies, motivations, data, or applications.
sidebar cont.
58 ComputingEdge August 2020
SOFTWARE TECHNOLOGY
Tool
Fram
ewor
ks a
nd s
tand
ards
Usef
ulne
ss fo
r ent
erpr
ise
arch
itect
sUs
eful
ness
for I
T/so
ftw
are
prac
titio
ners
Pric
ing
Alfa
bet E
AM•
TOG
AF/A
rchi
Mat
e to
gui
de th
e EA
pr
actic
e, a
s w
ell a
s Za
chm
an•
Oth
er in
dust
ry-s
peci
�c fr
ame
-w
orks
(e.g
., TM
For
um o
r DoD
AF)
•Id
enti�
es c
ost d
river
s to
redu
ce o
pera
tiona
l exp
ense
s an
d ke
eps
trac
k of
IT in
vest
-m
ents
to a
ssur
e bu
sine
ss g
row
th•
Mas
ter p
lann
ing
prov
ides
the
IT o
rgan
izat
ion
with
a c
lear
ove
rvie
w o
f the
rele
vant
as
pect
s of
the
IT la
ndsc
ape
in o
rder
to u
nder
stan
d ho
w s
trat
egic
dec
isio
ns w
ill
and
shou
ld im
pact
the
IT’s
tact
ics
and
dire
ctio
n ov
er ti
me
•Es
tabl
ishe
s ke
y el
emen
ts o
f EA
gove
rnan
ce, e
ncom
pass
ing
ente
rpris
e-w
ide
poli
-ci
es fo
r the
des
ign,
impl
emen
tatio
n, a
nd a
utom
atio
n of
EA
proc
esse
s
•IT
str
ateg
y an
d pl
anni
ng p
roce
ss•
Alig
n IT
str
uctu
res
with
ope
ratio
nal o
bjec
tives
and
•
proc
esse
s to
ens
ure
that
IT tr
ansf
orm
atio
n•
Thre
e de
ploy
men
t opt
ions
: clo
ud, S
aaS,
and
web
Pric
ing
has
to b
e re
ques
ted
from
com
mer
cial
de
part
men
t
Arch
i•
Arch
iMat
e (n
ativ
e su
ppor
t) an
d al
igne
d w
ith T
OG
AF•
Prov
ides
a c
anva
s-m
odel
ing
tool
kit t
hat c
an b
e us
ed to
des
ign
and
crea
te re
usab
le
canv
as te
mpl
ates
•Si
nce
it is
ope
n so
urce
, it i
s fr
ee a
lthou
gh th
e su
ppor
t is
limite
d
•In
tegr
atio
n w
ith o
ther
tool
s is
lim
ited
but i
s ba
sed
on th
e Ec
lipse
pla
tfor
m, a
nd s
ever
al p
lugi
ns a
re a
vaila
ble
to
expa
nd th
e m
ain
func
tiona
lity
Free
, OSS
Avol
utio
n Ab
acus
•O
ver 1
00 in
dust
ry-s
tand
ard
mod
-el
ing
fram
ewor
ks a
nd n
otat
ions
(e
.g.,
TOG
AF, A
rchi
Mat
e, P
EAF)
•O
ffer
s ch
art r
oad
map
s fo
r IT
and
busi
ness
sys
tem
s an
d pr
oces
ses
Can
asse
ss s
cena
rios
usi
ng a
lgor
ithm
s an
d tr
adeo
ff a
naly
sis
tech
niqu
es•
(dis
cret
e ev
ent,
Mon
te C
arlo
, and
so
on)
•Ad
vanc
ed v
isua
lizat
ion
mod
els
•Pr
ovid
es a
RES
T AP
I tha
t sim
pli�
es e
xter
nal i
nteg
ratio
ns
sign
i�ca
ntly
•In
tegr
ates
diff
eren
t dat
a so
urce
s lim
ited
Thre
e pr
icin
g pl
ans
BiZZ
desi
gn
Ente
rpris
e St
udio
•St
rong
ly fo
cuse
s on
TO
GAF
, Ar
chiM
ate,
BPM
N, a
nd U
ML,
am
ong
othe
rs•
Nat
ive
Arch
iMat
e 3
supp
ort f
or
cons
iste
nt m
odel
ing
•St
rong
sup
port
and
inte
grat
ion
with
TO
GAF
AD
M•
Supp
orts
mot
ivat
iona
l dia
gram
s•
Busi
ness
des
ign
capa
bilit
ies
and
anal
yses
as
wel
l as
supp
ort f
or d
ecis
ion
mak
ing
with
cus
tom
izab
le v
iew
s an
d da
shbo
ards
•Ex
tra
feat
ures
suc
h as
tran
sfor
mat
ion
road
map
ping
, cap
abili
ty m
appi
ng, a
nd ri
sk
asse
ssm
ent
•Pr
ovid
es c
oher
ent d
ata
gove
rnan
ce s
truc
ture
with
role
s an
d re
spon
sibi
litie
s lin
ked
to y
our a
rchi
tect
ure
and
orga
niza
tion
•So
me
diag
ram
s ca
n be
gen
erat
ed a
utom
atic
ally
Pric
ing
has
to b
e re
ques
ted
from
com
mer
cial
de
part
men
t
BOC
Gro
up
ADO
IT•
TOG
AF a
nd A
rchi
Mat
e•
BizB
ok, B
IAN
•CO
BIT
and
ITIL
•Su
ppor
t for
str
ateg
ic c
ompa
ny p
lann
ing
•Su
ppor
t for
clo
ud m
igra
tion,
whi
ch h
elps
to id
entif
y an
d an
alyz
e th
e m
ost
valu
able
IT a
sset
s, c
ost d
river
s, a
nd th
e in
form
atio
n, te
chno
logy
, and
sec
urity
ris
ks o
f mig
ratin
g to
the
clou
d
•Co
ntin
uous
ly o
ptim
ize
your
app
licat
ion
and
tech
nolo
gy
port
folio
Pric
ing
has
to b
e re
ques
ted
•Av
aila
ble
as a
pro
duct
or
Saa
S•
ADO
IT: c
omm
unity
ed
ition
free
Dra
gon1
•Pr
oprie
tary
not
atio
n bu
t sup
port
s TO
GAF
(AD
M) a
nd A
rchi
Mat
e am
ong
othe
rs
•Ad
vanc
ed m
odel
ing
and
visu
aliz
atio
n fe
atur
es•
A se
t of d
iffer
ent w
eb-b
ased
tool
s to
sup
port
dec
isio
n m
anag
emen
t, EA
, pro
ject
m
anag
emen
t, ris
k m
anag
emen
t, go
vern
ance
, com
plia
nce,
IT p
ortf
olio
man
age
-m
ent,
and
busi
ness
pro
cess
ana
lysi
s
•Ra
tiona
lize
appl
icat
ions
in a
sm
art w
ay u
sing
an
appl
ica-
tion
land
scap
e di
agra
m•
Adva
nced
impo
rtin
g/ex
port
ing
func
tiona
litie
s be
twee
n di
ffer
ent E
A re
posi
torie
s
Two
vers
ions
: US$
390–
3,98
0/ye
ar (i
ndiv
idua
l)US
$45,
000/
year
(c
ompa
ny)
EAM
s•
Cust
omiz
ed a
rchi
tect
ural
re
pres
enta
tions
and
nav
igat
ion
path
s; c
an e
xtra
ct in
form
atio
n fr
om B
PMN
, UM
L, A
rchi
Mat
e, a
nd
IDEF
, am
ong
othe
rs
•An
EA
tool
on
its o
wn
that
inte
grat
es a
nd h
arve
sts
oper
atio
nal i
nfor
mat
ion
to
enric
h ar
chite
ctur
e an
alys
is a
nd d
ecis
ion
mak
ing
•Li
ve a
rchi
tect
ure:
see
the
arch
itect
ure
of th
e or
gani
zatio
n as
em
ergi
ng fr
om o
ngo
-in
g in
to fo
rese
en p
roje
cts
thro
ugh
hist
oriz
atio
n•
Supp
ort e
nter
pris
e ca
rtog
raph
y
•Ar
chite
ctur
al v
iew
s m
ust b
e ge
nera
ted
auto
mat
ical
ly,
sinc
e “h
andm
ade”
mod
els
do re
quire
a m
ajor
eff
ort t
o up
-da
te a
nd re
fer t
o a
sing
le p
oint
in ti
me,
esp
ecia
lly w
here
so
ftw
are
prac
titio
ners
are
not
ski
lled
enou
gh in
EA
Pric
ing
has
to b
e re
ques
ted
from
com
mer
cial
de
part
men
t.Fo
ur d
iffer
ent p
lans
.
Esse
ntia
l•
Spec
i�c
base
d on
the
Pro
-té
gé O
ntol
ogy
Proj
ect.
Avai
labl
e cu
stom
-bui
lt Pr
oteg
e ex
tens
ions
•Pr
ovid
es a
�ex
ible
and
ext
ensi
ble
mea
ns to
gen
erat
e th
e vi
ews
on th
e m
odel
ca
ptur
ed u
sing
the
esse
ntia
l mod
eler
•Al
low
org
aniz
atio
ns to
de�
ne a
nd p
ublis
h cu
stom
vie
ws
and
repo
rts
to m
eet t
heir
indi
vidu
al n
eeds
•A
Java
-bas
ed w
eb a
pplic
atio
n th
at r
uns
on a
ny s
tand
ard
Java
ser
ver p
latf
orm
•
Uses
a k
now
ledg
e re
posi
tory
opt
iona
lly s
uppo
rted
by
an
RDBM
S
Free
, OSS
Futu
re te
ch
syst
ems
Envi
sion
VIP
•D
oDAF
, pra
gmat
ic E
A, T
OG
AF,
UML,
BPM
N, Z
achm
an•
Inte
grat
es s
ever
al k
inds
of m
odel
s, n
ot o
nly
EA m
odel
s•
Envi
sion
you
r fut
ure:
“to
be”
mod
els
show
the
inve
stm
ent r
equi
red
and
bene
�ts
to
be g
aine
d by
re-e
ngin
eerin
g
•Pr
actit
ione
rs c
an a
pply
�lte
rs a
nd r
ules
to m
anag
e an
d an
alyz
e m
odel
s us
ing
tech
niqu
es s
uch
as s
prea
dshe
et-
like
mat
rix a
naly
sis,
pow
erfu
l rep
ort w
ritin
g to
ols,
and
SQ
L qu
erie
s•
Mod
els
and
othe
r inf
orm
atio
n ca
n be
exp
orte
d to
oth
er
prod
uctiv
ity a
pplic
atio
ns a
nd d
atab
ases
Pric
ing
has
to b
e re
ques
ted
from
com
mer
cial
de
part
men
t •
Avai
labl
e as
a p
rodu
ct
and
SaaS
TABL
E 1.
EA
M s
uite
s.
www.computer.org/computingedge 59
SOFTWARE TECHNOLOGY
IBM
Rat
iona
l So
ftw
are
Arch
itect
•Pr
opri
etar
y; A
rchi
Mat
e is
sup
-po
rted
thro
ugh
third
-par
ty p
lugi
ns•
Allo
w e
nter
pris
e an
alys
is fo
r mak
ing
fast
, val
ue-b
ased
dec
isio
ns•
This
is n
ot o
nly
an E
AM to
ol b
ut a
gen
eral
-pur
pose
tool
•So
lutio
ns fo
r Dev
Ops
and
con
tinuo
us e
ngin
eerin
g•
Prov
ides
inte
grat
ion
with
man
y ot
her p
rodu
cts,
esp
ecia
lly
thos
e fr
om th
e IB
M e
cosy
stem
US$5
00–2
,200
/yea
r
Lean
ix•
Fram
ewor
k an
d st
anda
rd
inde
pend
ent,
but T
OG
AF c
an b
e im
plem
ente
d w
ith L
eani
x
•O
ffer
s th
e po
ssib
ility
of f
ollo
win
g th
e TO
GAF
AD
M m
etho
dolo
gy a
nd s
uppo
rt a
n ag
ile v
ersi
on o
f tha
t met
hodo
logy
•In
tegr
atio
n w
ith m
any
othe
r sof
twar
e en
gine
erin
g to
ols
(e.g
., G
itHub
, GitL
ab, J
enki
ns, C
on�u
ence
, Pen
taho
, Ta
blea
u, S
AP)
On
dem
and:
has
to b
e re
ques
ted,
two
pric
ing
plan
sAd
vanc
ed fe
atur
es:
US$5
,700
/mon
th
Mod
elio
•TO
GAF
•UM
L, B
PMN
•So
aML,
Sys
ML
•O
pen
sour
ce e
dito
r sup
port
ing
TOG
AF w
ith a
n ex
tens
ion
mec
hani
sm•
Not
an
EAM
tool
itse
lf, it
is a
gen
eral
-pur
pose
mod
elin
g to
ols
that
sup
port
s EA
m
odel
ing
•Fl
e xib
le e
xten
sion
mec
hani
sm•
Scrip
ting
lang
uage
sup
port
(Jyt
hon)
Free
, OSS
Meg
a H
opex
EA
sui
te•
DoD
AF, N
AF, T
OG
AF, A
rchi
Mat
e;
diff
eren
t pro
duct
s re
leas
ed fo
r ev
ery
fram
ewor
k/st
anda
rd
•Cr
eate
s gr
aphi
cal r
epre
sent
atio
ns o
f AD
M p
hase
s to
use
as
a gu
idel
ine
for
arch
itect
ure
proj
ects
•M
aps
TOG
AF A
DM
ste
ps a
nd d
eliv
erab
les
to th
e co
rres
pond
ing
conc
epts
, rep
orts
, an
d di
agra
ms
•Co
mpl
ies
with
the
TOG
AF a
rchi
tect
ure
cont
ent f
ram
ewor
k
•H
elps
pra
ctiti
oner
s to
des
ign
and
impl
emen
t agi
le IT
sy
stem
s, s
trea
mlin
ed b
usin
ess
proc
esse
s, a
nd o
ptim
ized
op
erat
ing
fram
ewor
ks a
ligne
d w
ith th
eir b
usin
ess
stra
tegi
es•
Adva
nced
repo
rtin
g fe
atur
es
Pric
ing
has
to b
e re
ques
ted
from
com
mer
cial
de
part
men
t
Orb
us
soft
war
e iS
erve
r
•TO
GAF
and
Arc
hiM
ate
•D
oDAF
, MoD
AF, F
EAF
•UM
L•
IT4I
T•
ITIL
•Le
vera
ge p
rede
�ned
met
a m
odel
s fo
r maj
or s
tand
ards
suc
h as
TO
GAF
and
Arc
hi-
Mat
e ac
cele
ratin
g ad
optio
n•
Com
mun
icat
ion
impr
oved
sin
ce a
rchi
tect
ure
view
s, re
port
s, a
nd d
ashb
oard
s ca
n be
pub
lishe
d ou
t to
key
stak
ehol
ders
and
the
wid
er b
usin
ess
•M
anag
es th
e IT
Val
ue C
hain
thro
ugh
the
IT4I
T Re
fere
nce
Arch
itect
ure
stan
dard
•Im
port
and
syn
chro
nize
dat
a vi
a RE
ST A
PI fr
om C
MD
Bs o
r ot
her m
odel
ing
tool
s an
d sy
stem
s.•
Inte
grat
ion
with
Of�
ce a
nd V
isio
and
oth
er M
icro
soft
tool
s
Pric
ing
has
to b
e re
ques
ted
from
com
mer
cial
de
part
men
t
Plan
view
En
terp
rise
One
•TO
GAF
cer
ti�ed
; how
ever
, it u
ses
a pr
oprie
tary
met
amod
el•
Supp
orts
sea
rcha
ble
tech
nolo
gy li
fecy
cles
and
vis
ualiz
atio
ns; E
A te
ams
can
proa
ctiv
ely
plan
and
prio
ritiz
e te
chno
logy
upd
ates
and
sta
ndar
diza
tion
acro
ss th
e en
terp
rise
•D
e�ni
tion
of h
ow to
ach
ieve
the
digi
tal s
trat
egy
with
road
map
s th
at c
onne
ct
prog
ram
s, p
roje
cts,
cap
abili
ties,
IT, a
nd in
vest
men
ts•
Adva
nced
ana
lysi
s fe
atur
es fo
r bus
ines
s-ca
pabi
lity
plan
ning
, sce
nario
mod
elin
g,
and
impa
ct a
naly
sis
•M
anag
es a
pplic
atio
n po
rtfo
lios
to a
chie
ve b
usin
ess
goal
s•
Visu
aliz
es th
e co
mpl
ex re
latio
nshi
ps b
etw
een
busi
ness
ca
pabi
litie
s an
d te
chno
logi
es•
Inte
ract
ive
anal
ysis
com
bine
d w
ith c
ompr
ehen
sive
mod
el-
ing
reve
als
depe
nden
cies
bet
wee
n ap
plic
atio
ns a
nd IT
•Co
llabo
ratio
n w
ith s
take
hold
ers
to c
reat
e te
chno
logy
pl
ans
Pric
ing
has
to b
e re
ques
ted
from
com
mer
cial
de
part
men
t
Spar
x en
terp
rise
arch
itect
•TO
GAF
, AD
M, A
rchi
Mat
e•
BPM
N•
UML
•N
ot a
spe
ci�c
-pur
pose
EAM
sui
te•
Prov
ides
dyn
amic
mod
el s
imul
atio
n th
at a
llow
s ar
chite
cts
to v
erify
the
corr
ectn
ess
of b
ehav
iora
l mod
els
and
gain
a b
ette
r und
erst
andi
ng o
f how
a b
usin
ess
syst
em
wor
ks•
Trac
eabi
lity
of E
A m
odel
ele
men
ts w
ith c
ode
•An
inte
grat
ed s
oftw
are-
deve
lopm
ent e
nviro
nmen
t with
a
built
-in
EA m
odel
ing
tool
•So
urce
cod
e ro
und-
trip
•M
any
tem
plat
es fo
r gen
erat
ing
code
from
mod
els,
and
re
vers
e en
gine
erin
g fr
om s
ever
al p
rogr
amm
ing
lang
uage
s•
Nav
igat
ion
betw
een
mod
els
and
code
Four
ver
sion
s:US
$229
–69
9/lic
ense
(s
tand
ard)
US$2
99–8
99/li
cens
e (�
oatin
g)
Qua
liWar
e X
•EA
3 , Z
achm
an, T
OG
AF, O
IO E
A,
FEAF
-II,
DN
DAF
, Arc
hiM
ate,
ED
ML,
UM
L, B
PMN
, DM
N
•Pr
ovid
es a
n ov
ervi
ew o
f how
the
orga
niza
tion
exec
utes
its
stra
tegy
and
mak
es
com
plex
pro
cess
es c
lear
for t
he e
mpl
oyee
s w
ho p
erfo
rm th
em•
Supp
orts
risk
man
agem
ent a
nd h
andl
ing
unce
rtai
ntie
s re
late
d to
exe
cutin
g th
e bu
sine
ss s
trat
egy
•M
anag
es a
pplic
atio
n lif
ecyc
les
and
crea
tes
over
view
s of
w
here
and
for w
hat a
pplic
atio
ns a
re u
sed
•Es
timat
es th
e to
tal c
ost o
f ow
ners
hip,
retu
rn o
n in
vest
-m
ent,
and
busi
ness
val
ue o
f IT
•Id
entif
y re
dund
ant I
T an
d m
ake
wel
l-in
form
ed s
trat
egic
de
cisi
ons
on te
chno
logy
inve
stm
ents
Pric
ing
has
to b
e re
ques
ted
from
com
mer
cial
de
part
men
t
Visu
al
Para
digm
en
terp
rise
editi
on
•TO
GAF
, Arc
hiM
ate
•PM
BOK
•UM
L, E
R, D
FD
•N
ot a
n EA
M to
ol it
self,
it is
a g
ener
al-p
urpo
se m
odel
ing
tool
s th
at s
uppo
rt E
A m
odel
ing
but i
t sup
port
s TO
GAF
AD
M m
etho
dolo
gy a
nd is
Arc
hiM
ate
com
plia
nt•
High
usa
bilit
y of
the
grap
hica
l mod
eler
•Su
ppor
ts p
roje
ct-m
anag
emen
t life
cycl
e gu
ide-
thro
ugh
with
agi
le d
evel
opm
ent f
eatu
res
•In
tegr
ates
the
EA re
posi
tory
with
oth
er a
pplic
atio
n el
e-m
ents
in U
ML
diag
ram
s
Subs
crip
tion:
US$
89/
mon
thPe
rpet
ual:
US$2
,000
API:
appl
icat
ion
prog
ram
min
g in
terfa
ce; P
EAF:
pra
gmat
ic e
nter
pris
e ar
chite
ctur
e fra
mew
ork;
BIA
N: B
anki
ng In
dust
ry A
rchi
tect
ure
Netw
ork;
COB
IT: C
ontro
l Obj
ectiv
es fo
r Inf
orm
atio
n an
d Re
late
d Te
chno
logi
es; I
TIL:
Info
rmat
ion
Tech
nolo
gy In
frast
ruct
ure
Libr
ary;
IDEF
: int
egra
tion
de�n
ition
; RE
ST: R
epre
sent
atio
nal S
tate
Tra
nsfe
r; RD
BMS:
rela
tiona
l dat
abas
e m
anag
emen
t sys
tem
; SQL
: stru
ctur
ed q
uery
lang
uage
; OSS
: ope
n so
urce
sys
tem
s; S
aaS:
sof
twar
e as
a s
ervi
ce; S
oaM
L: s
ervi
ce o
rient
ed a
rchi
tect
ure
Mod
elin
g La
ngua
ge; S
ysM
L: s
yste
ms
Mod
elin
g La
ngua
ge; N
AF: N
ATO
Arch
itect
ure
Fram
ewor
k (In
a r
ecur
sive
way
, NAT
O, N
orth
Atla
ntic
Tre
aty
Orga
niza
tion)
; MoD
AF: M
inis
try o
f Def
ence
Arc
hite
ctur
e Fr
amew
ork;
FEA
F: fe
dera
l-ent
erpr
ise-
arch
itect
ure-
fram
ewor
k; IT
4IT:
info
rmat
ion
tech
nolo
gy fo
r in
form
atio
n te
chno
logy
; EA:
ent
erpr
ise
arch
itect
ure;
OI O
EA:
En
terp
rise
Arch
itect
ure
Met
hod
for T
he D
anis
h M
inis
try o
f Sci
ence
, Tec
hnol
ogy
and
Inno
vatio
n; D
NDAF
: Dep
artm
ent o
f Nat
iona
l Def
ence
/Can
adia
n Ar
med
For
ces
Arch
itect
ure
Fram
ewor
k; E
DML:
Eve
ryw
here
Dis
play
s M
arku
p La
ngua
ge; D
MN:
Dec
isio
n M
odel
and
Not
atio
n; P
MBO
K: P
roje
ct
Man
agem
ent B
ody
of K
now
ledg
e; E
R: e
ntity
-rel
atio
nshi
p; D
FD: d
ata
�ow
dia
gram
; CM
DB: c
on�g
urat
ion
man
agem
ent d
atab
ase.
Tool
Fram
ewor
ks a
nd s
tand
ards
Usef
ulne
ss fo
r ent
erpr
ise
arch
itect
sUs
eful
ness
for I
T/so
ftw
are
prac
titio
ners
Pric
ing
TABL
E 1.
EA
M s
uite
s (c
ont.)
.
API:
appl
icat
ion
prog
ram
min
g in
terf
ace;
PEA
F: p
ragm
atic
ent
erpr
ise
arch
itect
ure
fram
ewor
k; B
IAN
: Ban
king
Indu
stry
Arc
hite
ctur
e N
etw
ork;
CO
BIT:
Con
trol
Obj
ectiv
es fo
r Inf
orm
atio
n an
d Re
late
d Te
chno
logi
es; I
TIL:
Info
rmat
ion
Tech
nolo
gy In
fras
truc
ture
Li
brar
y; ID
EF: i
nteg
ratio
n de
finiti
on; R
EST:
Repr
esen
tatio
nal S
tate
Tra
nsfe
r; RD
BMS:
rela
tiona
l dat
abas
e m
anag
emen
t sys
tem
; SQ
L: s
truc
ture
d qu
ery
lang
uage
; OSS
: ope
n so
urce
sys
tem
s; S
aaS:
soft
war
e as
a s
ervi
ce; S
oaM
L: s
ervi
ce o
rient
ed a
rchi
tect
ure
Mod
elin
g La
ngua
ge; S
ysM
L: s
yste
ms
Mod
elin
g La
ngua
ge; N
AF: N
ATO
Arc
hite
ctur
e Fr
amew
ork
(In a
recu
rsiv
e w
ay, N
ATO
, Nor
th A
tlant
ic T
reat
y O
rgan
izat
ion)
; MoD
AF: M
inis
try
of D
efen
ce A
rchi
tect
ure
Fram
ewor
k; F
EAF:
fede
ral-e
nter
pris
e-ar
chite
ctur
e-fr
amew
ork;
IT
4IT:
info
rmat
ion
tech
nolo
gy fo
r inf
orm
atio
n te
chno
logy
; EA:
ent
erpr
ise
arch
itect
ure;
OIO
EA:
Ent
erpr
ise
Arch
itect
ure
Met
hod
for T
he D
anis
h M
inis
try
of S
cien
ce, T
echn
olog
y an
d In
nova
tion;
DN
DAF
: Dep
artm
ent o
f Nat
iona
l Def
ence
/Can
adia
n Ar
med
For
ces
Arch
itect
ure
Fram
ewor
k; E
DM
L: E
very
whe
re D
ispl
ays
Mar
kup
Lang
uage
; DM
N: D
ecis
ion
Mod
el a
nd N
otat
ion;
PM
BOK:
Pro
ject
Man
agem
ent B
ody
of K
now
ledg
e; E
R: e
ntit
y-re
latio
nshi
p; D
FD: d
ata
flow
dia
gram
; CM
DB:
con
figur
atio
n m
anag
emen
t dat
abas
e.
60 ComputingEdge August 2020
SOFTWARE TECHNOLOGY
› EAM can be used for consolidating certain applications and technology in organizations. As a result, technology-management costs can be reduced or at least controlled.
› An appropriate EAM implementation can improve technology-management planning, as well as the effectiveness of IT investments, since these concerns are aligned with the company’s strategy.
› EA is an additional tool to manage an application portfolio. Thus, EAM contributes by improv-ing quality and reducing the risk of software delivery. In a broader point of view, IT asset portfolios can be also managed through a single repository in an EAM tool. Aside from applica-tions, this portfolio also includes infrastructure, IT resources, and services.
› EA improves engagement, analysis, and com-munication skills. Practitioners can realize and understand the business concerns supported (and aligned with) the applications they devel-oped or IT infrastructures they managed on a daily basis.
› Since EAM is a mechanism for making relevant decisions at the strategical level, IT/software practitioners should be able to model certain EA views from the IT/software assets they manage in an inductive way (e.g., with reverse engineer-ing techniques) while these models are aligned with the overall business strategy.
THE CONVERGENCE OF EA AND EMBEDDED IT
The traditional division between IT and embedded sys-tems is disappearing. Increasingly, embedded systems and devices have over-the-air connectivity for soft-ware upgrades, feature activation, and cloud services such as predictive maintenance. However, IT solutions connect to devices and create the Internet of Things (IoT). Embedded electronics, such as micro devices with sensors and actuators connected through the IoT, facilitate ubiquity. Data analytics, cloud storage and services, convergent interactivity and cognition, augmented reality with visualization and simulation, pattern recognition, machine learning, and artificial intelligence facilitate a convergence of IT and embed-ded systems.1 Underlying these, we identify enabling
methods, techniques, and tools, such as agile scaling and blockchain, to ensure security and trust in distrib-uted transactions, as well as microservices and open application programming interfaces that support soft-ware architectures.
EA adoption has been increasing; it can be used for planning, aligning, controlling, and organizing system complexity, which is a growing problem for IT and SW project managers. The increased complexity is due to the convergence of various trends.
› There is a broad spectrum of IT infrastructure that supports IS (e.g., cloud, IoT, edge comput-ing, and so forth).
› The internal structure of SW systems has increased with more layers and new compo-nents types or architectural paradigms, such as SOA and microservices.
› Customers are demanding more, in less time and with fewer problems, which has led to work in different ways (e.g., Lean, Agile, and DevOps).
These new software architectures and IT devices cannot be developed in isolation, without paying attention to business goals and enterprise drivers, which makes EAM critical. Actually, the new version 3 of ArchiMate has been extended with a physical sublayer,4 with which it is now possible to model and manage all kinds of cyberphysical system elements, such as embedded software or IoT sensors, in an integrated way. For example, it can be used for full traceability between all of the components of a car, hardware, software, and other purely physical non-IT applications.
The convergence of enterprise IT and embedded systems can best be observed in the fast-changing automotive market. A modern car has 50–120 embed-ded microcontrollers and is connected by various external interfaces to a variety of cloud and info-tainment technologies. Onboard software is in the hundred-millions of lines of code range and growing exponentially. Automotive software product lines and variants are among the largest and most complex in all industries. It is said that the automobile is rap-idly becoming a “computer on wheels.” Automotive original equipment manufacturers are implement-ing cars with next-generation production processes
www.computer.org/computingedge 61
SOFTWARE TECHNOLOGY
and vehicles with connected embedded sensors and actuators to obtain better intelligence and control. They adopt information and communication technol-ogy workflows from their IT systems to each single car. From a user experience perspective, the evolution is even more drastic. People have been buying cars for decades, but they now want mobility services. The car per se has ceased to attract users. This is best seen at the latest OOP IT conference (#OOPmuc), where global market leader Volkswagen boasted that they are hiring the people who want to get rid of cars.
REFERENCES1. C. Ebert and C. H. C. Duarte, “Digital transformation,”
IEEE Softw., vol. 35, no. 4, pp. 16–21, 2018.2. M. Lankhorst, Enterprise Architecture at Work:
Modelling, Communication and Analysis. Berlin: Springer-Verlag, 2017.
3. The Open Group, “TOGAF, enterprise ed., version 9.1,” U.K., 2011. [Online]. Available: http://www.togaf.org
4. The Open Group, “The ArchiMate 3.0 enterprise architecture modeling language,” U.K., 2016. [Online]. Available: http://www.opengroup.org/subjectareas /enterprise/archimate-overview
5. H. Shah and M. E. Kourdi, “Frameworks for enterprise architecture,” IT Prof., vol. 9, no. 5, pp. 36–41, 2007.
6. C. Ebert and A. Dubey, “Convergence of enterprise IT and embedded systems,” IEEE Softw., vol. 36, no. 3, pp. 92–97, May 2019.
RICARDO PEREZ-CASTILLO is a researcher at the Information Technologies and Systems Institute, University of Castilla-La Mancha (UCLM), Spain. His research interests include
architecture-driven modernization, model-driven develop-ment, business-process archaeology, and enterprise archi-tecture. Perez-Castillo received a Ph.D. in computer science from UCLM. Contact him at [email protected].
FRANCISCO RUIZ is a full professor at the Information Technologies and Systems Insti-tute, University of Castilla-La Mancha (UCLM), Spain. His research interests include
enterprise architecture, business-process technology, and software engineering. Ruiz received a Ph.D. in computer sci-ence from UCLM. Contact him at [email protected].
MARIO PIATTINI is the director of the Alarcos Research Group and a full professor at the University of Castilla-La Mancha, Spain. His research interests include software and data
quality, information-systems audit and security, and IT gover-nance. Piattini received a Ph.D. in computer science from Madrid Technical University, Spain. Contact him at mario [email protected].
CHRISTOF EBERT is the managing director of Vector Consulting Services and is a professor at the University of Stuttgart, Germany, and the Sorbonne, Paris. He is on the editorial
board of IEEE Software. He is a Senior Member of the IEEE. Contact him at [email protected].
IEEE Software seeks
practical, readable articles
that will appeal to experts
and nonexperts alike. The
magazine aims to deliver
reliable information to software
developers and managers to
help them stay on top of rapid
technology change. Submissions
must be original and no more
than 4,700 words, including 250
words for each table and � gure.
Call for Articles
Author guidelines: www.computer.org/software/author
Further details: [email protected]
www.computer.org/software
REGISTRATION IS OPEN! qce.quantum.ieee.org
The Future Directions Quantum Initiative invites you to IEEE Quantum Week 2020—the inaugural IEEE International Conference on Quantum Computing
and Engineering (QCE).
IEEEQUANTUMWEEK
NEW EVENT
12–16
OCTOBER 2020
Council on Superconductivity
CALL FOR SPECIAL ISSUE PROPOSALS
Computer solicits special issue proposals from lead experts. Proposed themes/issues should address timely, emerging topics that will be of broad interest to Computer’s readership. Special issues are an important component of Computer, as they deliver essential research insights and well-developed perspectives on new and established technologies and computing strategies.
We encourage submissions of high-quality proposals for the 2021 editorial calendar. Of particular interest are proposals centered on:
• offsite educational and business continuitytechnology challenges,
• privacy related to personal location trackingand surveillance (digital and physical),
• artificial intelligence and machine learning,
• technology’s role in disrupted supply chains,
• misinformation and disinformation (fakeinformation—malicious or non-malicious), and
• cyberwarfare/cyberterrorism
Proposal guidelines are available at: www.computer.org/csdl/magazine/co/write-for-us/15911
Deadline for proposal submission: 15 September 2020
04.20
vol. 53 no. 4 www.computer.org/computer
Com
puter
APRIL 2020
CO
MPLEX
ITY VER
SUS TR
UST
Volume 53 Num
ber 4
DATA ANALYSIS ANDCYBERPHYSICAL
SYSTEMS
03.20
vol. 53 no. 3 www.computer.org/computer
Com
puter
MA
RCH
2020D
ATA A
NA
LYSIS AN
D C
YB
ERPH
YSICA
L SYSTEMS
Volume 53 Num
ber 3
Com
puter
AP
RIL 20
16B
IG D
ATA
Volume 49 Num
ber 4
www.computer.org/computer
FASTER PATENTING, P. 10 SKIN IN THE UI GAME, P. 83
04.16
Outlook
01.20
vol. 53 no. 1 www.computer.org/computer
Com
puter
JAN
UA
RY 2020O
UTLO
OK
Volume 53 Num
ber 1
Com
puter
OC
TOB
ER 20
16
ENER
GY-EFFIC
IENT C
OM
PU
TING
Volum
e 49 Number 10
www.computer.org/computer
10.16
DIGITAL HEALTH: E-COACHING
AND REMOTE MONITORING
02.20
vol. 53 no. 2
Com
puter
FEBRU
ARY
2020D
IGITA
L HEA
LTH: E-C
OA
CH
ING
AN
D R
EMO
TE MO
NITO
RIN
GVolum
e 53 Number 2 www.computer.org/computer
EMERGENCYRESPONSE
Com
puter
MA
Y 2
016
EM
ER
GE
NC
Y R
ES
PO
NS
EVolum
e 49 Num
ber 5
www.computer.org/computer
IOT STANDARDS, P. 87 CYBERSECURITY’S FORMAL METHODISTS, P. 102
05.16
Technology Predictions
12.19
vol. 52 no. 12 www.computer.org/computer
Com
puter
DEC
EMB
ER 2019TEC
HN
OLO
GY PR
EDIC
TION
SVolum
e 52 Number 12
Com
puter
JUN
E2
016
SE
CU
RIT
YTH
RE
ATS
Volume 49 N
umber 6
www.computer.org/computer
TO ROBOT, WITH LOVE, P. 88FUN WITH SENTIENT TOOLS, P. 95
06.16
50 YEARS OF NETWORKING
10.19
vol. 52 no. 10 www.computer.org/computer
A Half-Century of the Arpanet 14
Com
puter
OC
TOB
ER 201950 Y
EAR
S OF N
ETWO
RK
ING
Volume 52 Num
ber 10
Software and Cybersecurity ■ Big Data: Privacy Versus Accessibility ■ Resiliency in Cloud Computing
November/December 2018Vol. 16, No. 6
CYBERSECURITY AND PRIVACY ISSUES IN BRAZIL
IEEE SECU
RITY &
PRIVAC
Y A
I ETHIC
S V
OLU
ME 16
NU
MBER 3
MAY/JU
NE 2018
WWW.CO
MPU
TER.ORG
/SECURIT
Y
E-Currency and Fairness ■ Ransomware Defense ■ A National Cybersecurity Policy
May/June 2018Vol. 16, No. 3
IEEE SECU
RITY &
PRIVAC
Y PRIVA
CY A
ND
AU
TOM
ATED A
IRPORT SC
REENIN
G
VO
LUM
E 17 N
UM
BER 2 M
ARC
H/A
PRIL 2019 WWW.CO
MPU
TER.ORG
/SECURIT
Y
March/April 2019Vol. 17, No. 2
IEEE SECU
RITY &
PRIVAC
Y D
IGITA
L FOREN
SICS, PA
RT 2 V
OLU
ME 17
NU
MBER 1
JAN
UA
RY/FEBRUA
RY 2019 WWW.CO
MPU
TER.ORG
/SECURIT
Y
Blockchain Technologies ■ The Fuzzing Revival ■ Cybersecurity for the Public Interest
January/February 2019Vol. 17, No. 1
Resiliency in Cloud Computing
November/December 2018Vol. 16, No. 6
Join the IEEE Computer Society for subscription discounts today!www.computer.org/product/magazines/security-and-privacy
IEEE Security & Privacy is a bimonthly magazine communicating advances in security, privacy, and dependability in a way that is useful to a broad section of the professional community.
The magazine provides articles with both a practical and research bent by the top thinkers in the fi eld of security and privacy, along with case studies, surveys, tutorials, columns, and in-depth interviews. Topics include:
• Internet, software, hardware, and systems security• Legal and ethical issues and privacy concerns• Privacy-enhancing technologies• Data analytics for security and privacy• Usable security• Integrated security design methods• Security of critical infrastructures• Pedagogical and curricular issues in security education• Security issues in wireless and mobile networks• Real-world cryptography• Emerging technologies, operational resilience,
and edge computing• Cybercrime and forensics, and much more
www.computer.org/security
w w w . c o m p u t e r . o r g / i n t e r n e t
IEEE IN
TERNET CO
MPU
TING
July/August 2018
Evolution of Rack-Scale System
s
Volum
e 22 Num
ber 4
VOLUME 22, NUMBER 4 JULY/AUGUST 2018
Evolution of Rack-Scale Systems
w w w . c o m p u t e r . o r g / i n t e r n e t
VOLUME 22, NUMBER 2 MARCH/APRIL 2018
Healthcare Informatics and Privacy
w w w . c o m p u t e r . o r g / i n t e r n e t
IEEE IN
TERNET CO
MPU
TING
M
ay/June 2018
Connected and Autonomous Vehicles
Volum
e 22 Num
ber 3
VOLUME 22, NUMBER 3 MAY/JUNE 2018
Connected and Autonomous Vehicles
w w w . c o m p u t e r . o r g / i n t e r n e t
IEEE IN
TERNET CO
MPU
TING
January/February 2018
IoT-Enhanced H
uman Experience
Volum
e 22 Num
ber 1
VOLUME 22, NUMBER 1 JANUARY/FEBRUARY 2018
IoT-Enhanced Human Experience
Join the IEEE Computer Society for subscription discounts today!www.computer.org/product/magazines/internet-computing
IEEE Internet Computing delivers novel content from academic and industry experts on the latest developments and key trends in Internet technologies and applications.
Written by and for both users and developers, the bimonthly magazine covers a wide range of topics, including:
• Applications• Architectures• Big data analytics• Cloud and edge computing• Information management• Middleware• Security and privacy• Standards• And much more
In addition to peer-reviewed articles, IEEE Internet Computing features industry reports, surveys, tutorials, columns, and news.
www.computer.org/internet
features industry reports, surveys, tutorials, columns, and news.
features industry reports, surveys, tutorials, columns, and news.
features industry reports, surveys, tutorials, columns, and news.
features industry reports, surveys, tutorials, columns, and news.
features industry reports, surveys, tutorials, columns, and news. reports, surveys, tutorials, columns, and news. reports, surveys, tutorials, columns, and news.
66 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE
Conference Calendar
IEEE Computer Society conferences are valuable forums for learning on broad and dynamically shi� ing topics from within the computing profession. With over 200 conferences featuring leading experts and thought lead-
ers, we have an event that is right for you. Questions? Contact [email protected].
SEPTEMBER7 September
• EuroS&P (IEEE European Sym-posium on Security & Privacy), virtual
14 September• CLUSTER (IEEE Int’l Conf. on
Cluster Computing), virtual21 September
• ASE (IEEE/ACM Int’l Conf. on Automated Software Eng.), Melbourne, Australia
24 September• BigMM (IEEE Int’l Conf. on Mul-
timedia Big Data), virtual27 September
• ICSME (IEEE Int’l Conf. on So� -ware Maintenance and Evolu-tion), virtual
28 September• SecDev (IEEE Secure Develop-
ment), virtual
OCTOBER3 October
• PACT (Int’l Conf. on Parallel Architectures and Compila-tion Techniques), virtual
5 October• EDOC (IEEE Int’l Enterprise
Distributed Object Computing Conf.), virtual
12 October• ISSRE (IEEE Int’l Symposium
on Software Reliability Eng.), virtual
16 October• ICEBE (IEEE Int’ l Conf. on
e-Business Eng.), Guangzhou, China
17 October• MICRO (IEEE/ACM Int’l Sym-
posium on Microarchitecture), Athens, Greece
18 October• ICCD (IEEE Int’l Conf. on Com-
puter Design), virtual• MODELS (ACM/IEEE Int’l Conf.
on Model-Driven Eng. Lan-guages and Systems), Mon-treal, Canada
19 October• DFT (IEEE Int’l Symposium on
Defect and Fault Tolerance in VLSI and Nanotechnology Systems), Frascati, Italy
21 October• FIE (IEEE Frontiers in Educa-
tion Conf.), Uppsala, Sweden25 October
• VIS (IEEE Visualization Conf.), virtual
NOVEMBER6 November
• CCEM (IEEE Int’ l Conf. on Cloud Computing in Emerg-ing Markets), virtual
• SmartCloud (IEEE Int’l Conf. on Smart Cloud), Washington, DC, USA
9 November• ICTAI (IEEE Int’l Conf. on Tools
with Artificial Intelligence), virtual
• IR C ( IEEE In t ’ l C o n f. o n Robotic Computing), Taic-hung, Taiwan
• ISMVL (IEEE Int’l Symposium on Multiple-Valued Logic), Miyazaki, Japan
11 November• SEC (IEEE/ACM Symposium on
Edge Computing), San Jose, USA
15 November• SC, Atlanta, USA
16 November• FOCS (IEEE Symposium on
Foundations of Computer Sci-ence), Durham, USA
• LCN (IEEE Conf. on Local Com-puter Net works), S ydney, Australia
29 November • ICDCS (IEEE Int’l Conf. on Dis-
tributed Computing Systems), Singapore
30 November• ICHI (IEEE Int’l Conf. on Health-
care Informatics), Oldenburg, Germany
DECEMBER2 December
• CSDE (IEEE Asia-Pacifi c Conf. on Computer Science and Data Eng.), Gold Coast, Australia
• ISM (IEEE Int’l Symposium on Multimedia), Naples, Italy
6 December • HOST (IEEE Int’l Symposium on
Hardware-Oriented Security and Trust), San Jose, USA
7 December • BDCAT (IEEE/ACM Int’l Conf.
on Big Data Computing, Appli-cations and Technologies), virtual
• UCC (IEEE/ACM Int’l Conf. on Utility and Cloud Computing), virtual
9 December • CC (IEEE Int’l Conf. on Conver-
sational Computing), Irvine, USA
• AIKE (IEEE Int’l Conf. on Arti-ficial Intelligence and Knowl-edge Eng.), Irvine, USA
10 December • BigData (IEEE Int’l Conf. on Big
Data), virtual14 December
• CloudCom (IEEE Int’l Conf. on Cloud Computing Technol-ogy and Science), Bangkok, Thailand
• HPCC (IEEE Int’l Conf. on High Performance Computing and Communications), Cuvu, Fij i
16 December • BIBM (IEEE Int ’ l Conf. on
Bioinformatics and Biomedi-cine), virtual
• HiPC (IEEE Int’l Conf. on High-Per f or manc e C ompu t ing , Data, and Analytics), virtual
29 December • BigDataSE (IEEE Int’l Conf. on
Big Data Science and Eng.), Guangzhou, China
• EUC (IEEE Int’l Conf. on Embed-ded and Ubiquitous Comput-ing), Guangzhou, China
• TrustCom (IEEE Int’l Conf. on Trust, Security and Privacy in Computing and Communica-tions), Guangzhou, China
2021
JANUARY5 January
• WACV (IEEE Winter Conf. on Applications of Computer Vision), Waikoloa, USA
17 January • BigComp (IEEE Int’l Conf. on
Big Data and Smart Comput-ing), Bangkok, Thailand
27 January • IC SC (IEEE Int ’ l Conf. on
Semantic Computing), Laguna Hills, USA
MARCH22 March
• PerCom (IEEE Int’l Conf. on Per-vasive Computing and Com-munications), Kassel, Germany
• MIPR (IEEE Int’l Conf. on Multi-media Information Processing and Retrieval), Tokyo, Japan
APRIL12 April
• ICST (IEEE Conf. on Software Testing, Verification and Val-idation), Porto de Galinhas, Brazil
MAY17 May
• IPDPS (IEEE Int’l Parallel and Distributed Processing Sym-posium), Portland, Oregon, USA
23 May • SP (IEEE Symposium on Secu-
rity and Privacy), San Fran-cisco, USA
Learn more about IEEE Computer Society conferencescomputer.org/conferences
ce8con(all).indd 73 7/13/20 12:05 PM
Submit your paper today!Visit www.computer.org/oj to learn more.
Get Published in the New IEEE Open Journal of the Computer Society
Submit a paper today to the premier new open access journal in computing and information technology.
Your research will benefit from
the IEEE marketing launch and
5 million unique monthly users
of the IEEE Xplore® Digital Library.
Plus, this journal is fully open
and compliant with funder
mandates, including Plan S.