Chips are Everywhere
The nation is responding with increasing urgency to supply chain problems affecting everything with chips, from phones to cars, from temperature sensors in concrete to home appliances. We’re discovering that information technology is now embedded in almost everything that we use or do. A team at the CCICADA Center at Rutgers University, in collaboration with the CAOE Center at Arizona State University, has been working for almost a year now, tracking down root causes, and looking for root cures that will make the Information and Communications Technology (ICT) supply chain robust and resilient.
Working with CISA
The CCICADA project stems from work done at the DHS Cybersecurity and Infrastructure Security Agency (CISA) National Risk Management Center (NRMC), specifically the CISA efforts in ICT supply chain risk management. It builds on work of CISA ICT Supply Chain Risk Management Task Force Working Group 2: Threat Evaluation.
The project aims to develop a risk-based methodology that will allow us to make quantitative comparisons of relative risk of different ICT Supply Chain threat scenarios, identify potentially useful countermeasures for different scenarios, and make quantitative comparisons of relative risk reduction of the countermeasures for a particular scenario.
Headed by Fred S. Roberts, a Distinguished Professor of Mathematics who directs CCICADA, the team brings together several disciplines to ferret out what can go wrong, and how to prevent it.
The Problem Begins with Measuring Harm
The problem begins – and, some would say, ends – with figuring out how to measure the harm from various possible potential disruptions to the supply chain. Such disruptions could come from a natural disaster, a counterfeit good, the onboarding of a new vendor, a cyberattack, or in many other ways. Elsayed Elsayed, a Distinguished Professor of Industrial and Systems Engineering, is heading up the research into this crucial aspect of the problem. Should the measure of harm be the total number of shipments delayed? Or does it matter how long they are delayed? When the supply chain is squeezed, is it worse when that happens quickly? Or slowly? And what about the recovery? Is it fast, or slow? Do things get worse when there are shortages, because the market attracts more counterfeiters? Measuring resilience is like a jigsaw puzzle with many pieces and with goals that must fit together. In essence, “How the supply chain can ‘absorb’ the threat and can quickly recover to its expected performance, i.e., its resilience,” said Elsayed. “We are exploring approaches (in consultation with DHS and several companies) that can be implemented and investigating their effectiveness in improving the resilience of the supply chain network. The team is also investigating generic approaches to determine the criticality of network nodes and links so they can be ‘hardened’ against different threats.”
Working with Elsayed, Weihong (Grace) Guo, an Assistant Professor of Industrial and Systems Engineering, is developing sophisticated Monte Carlo simulations of these complex networks. For some problems, such as earthquakes and hurricanes, the simulation looks at the network of factories, suppliers, consumers, and logistical linkages. But for “nasty” problems such as counterfeits, the simulation must track individual chips, or motherboards, singly or in batches. “Simulation allows us to study complex, real-world systems with stochastic elements that cannot be accurately described by a mathematical model,” said Guo, “and it allows us to ‘see’ how threats and countermeasures designed to minimize those threats impact the entire supply chain.”
The work of Elsayed and Guo is being supported by Rutgers students Sachin Patel and Rong Lei, providing an excellent opportunity for students to be involved in first-hand homeland security research. “The students have been full-fledged members of the research effort, contributing modeling insight and programming skills,” said project lead Fred Roberts.
The Real World is Uncertain
Simulation models must recognize that the real world is uncertain. Dr. Eric Rosenberg, now at Georgian Court University, is drawing on his years of experience at Bell Laboratories to tie those uncertainties together in a network where one uncertainty will affect or distort others.
Working with Rutgers undergraduate Brendan Ruskey and programmer/analyst Vladimir Menkov, he uses Optimization Analysis to couple together the simulations and the uncertainties, looking for the key pressure points at which to protect the network. These “root causes” are where we should concentrate our search for effective cures – for “vaccines,” one might say, which prevent these disruptions from spreading throughout our lives, like their own pandemic.
“Vaccines” for the ICT Supply Chain
A “vaccine,” or in other language, a countermeasure, can be applied before a disruption occurs, during, or after. One goal of the project is to assemble lists of countermeasures, and explore their impact. In each case, a countermeasure aims to reduce the risk of damage. Another goal is to address the question: How much does each one really reduce risk?
To learn which “vaccines” work, and how well they work, Paul Kantor, an Emeritus Professor of Information Systems, Christie Nelson, an Assistant Research Professor at CCICADA, and Research Professor Dennis Egan, Assistant Director of CCICADA, are seeking out industry and government experts, through interviews and focus groups. This effort also involves students: Hemant Parmar, Isha Vora, Niles Egan, and Pushpak Mundhada.
“There are reams of guidelines and checklists for protecting the supply chain. And almost nothing is published about how well they work,” says Kantor. The problem is that “when companies find a problem, it feels like a mistake. Not the kind of thing you publish to the world. The kind that you fix quietly, and hope it never happens again.”
New Tools for Virtual Focus Groups
Under COVID-19, all focus groups must be held virtually, and this project has not been an exception. The team has developed new tools for eliciting and sharing information in a virtual Focus Group setting. CCICADA programmer and analyst Vladimir Menkov, working with student intern Niles Egan, has built new tools that let experts share their experience in quantitative terms, while maintaining anonymity, not talking about any specific events that might harm a company’s reputation.
Data from interviews and focus groups informs the modeling and simulation, and simulation results reveal issues for the interviews and focus groups, in a “virtuous research cycle.”
Can Supply Chains be Made as Safe as Plane Flights?
The project team is in touch with government panels that have been examining these problems for years, specifically experts from the private sector working with CISA. Industry and government have been working together on plans to secure the ICT supply chain. The spectacular safety of commercial airlines in the United States has shown what can be achieved when industry and government establish trust, and share information not only about incidents, but also about the much more common “near misses.”
Root Causes and Root Cures of ICT Supply Chain Problems
Taken together, the pieces of CCICADA’s project bring together uncertainty, complex networks, optimization and crucial real-world expertise to help us find the root causes and root cures of supply chain problems. The aim is to develop supply chain “vaccines” that will protect us against future shocks that reverberate around the world.