Global Supply Chain Trends and Emerging Technologies in the Internet of Things
Our vision is to create a “Smart World,” intelligent infrastructure linking objects, information and people through the computer network. This new infrastructure will allow universal coordination of physical resources through remote monitoring and control by humans and machines. Our objective is to create open standards, protocols and languages to facilitate worldwide adoption of this network–forming the basis for a new “Internet of Things.”[i]
—Dr. David L Brock
Securing the supply chain that rides on digital infrastructure and enhancing supply chain risk management (SCRM) are more important than ever. Risk management is not a new discipline, and neither is cybersecurity. They are not even new ideas. Both risk management and cybersecurity use models, concepts, frameworks, etc. that have existed for decades in other industries and have slowly made their way to the supply chain.
The Rise of the Internet of Things
When most people think of the Internet of Things (IoT), they picture smart devices like their Amazon Echo speaker, Samsung TV, Nest thermostat, or LG refrigerator. For years, IoT devices have been infiltrating every part of the general consumer’s lives and homes with the goal of making devices and individuals more connected and capable, while automating repetitive and tasks that require little to no cognition to complete. Today’s consumers use these devices to check the time, weather, or sports scores; set reminders and leave messages; watch their favorite Netflix shows; adjust the air temperature; and populate their grocery store lists. These are just a sample of the many routine and repetitive tasks for which these devices can be used.
Bo Li and Yulong Li summarized:
Similar to the way the internet connects all computers, the Internet of Things connects most products, machines, and people together. This concept has been realized recently through new technologies in sensor devices, data storage and analysis equipment, and decision-making tools. As the IoT has gained popularity in recent years, the potential to use it in supply chain management (SCM), especially supply chain innovation (SCI), has become much greater.[ii]
Take the Apple Watch, one of the most prolific examples of a connected wearable IoT device that has capitalized on personal health over the past few years. Sensors in the watch track workouts, monitor movement, detect falls, monitor for rapid or skipped heartbeats and heart rates, as well as electrocardiograms. The sensors in the watch include an optical heart rate sensor, an electrical heart sensor, an accelerometer, and a gyroscope.[iii] Data from the sensors is stored on the wearer’s watch and Apple iPhone to be reviewed by the wearer at any time through native Apple-branded mobile apps. The stored data can also be shared with third-party mobile apps installed on the watch or iPhone, such as a mobile Electronic Health Record (EHR), allowing the wearer to review and interpret data in different perspectives and use cases. IoT devices assist the consumer thanks to highly developed software programs or algorithms, commonly referred to as Artificial Intelligence (AI). According to Bringsjord, et al., the type of AI used in IoT technologies most closely aligns to a subfield known as machine learning (ML), which “is concerned with building systems that improve their performance on a task when given examples of ideal performance on the task, or improve their performance with repeated experience on the task.”[iv]
While the IoT devices mentioned have very loose implications for and impact on supply chains, the technologies and concepts in the consumer market have expanded into the commercial market.
Emerging Technology in the Supply Chain
The supply chain is innovating by embracing ML at many different levels and for many different purposes. One such instance of using ML to automate repetitive tasks can be seen at the Manzanillo International Terminal (MIT) near the Atlantic Ocean entrance of the Panama Canal. MIT is part of the “global cargo movement logistics system,” owned by parent company Carrix, which provides trans-shipment operations, including container terminal operations (CTO).[v] CTO is a highly repetitive task that involves large cranes designed to load, unload, and reposition shipping containers around the terminal, and on and off container ships. MIT and Carrix have employed ML to control the process involving the movement of containers using their cranes with humans only involved in overseeing the process through remote monitoring terminals for a large portion of their operations. The cranes use data from Global Positioning Systems (GPS), shipping manifests, and grid coordinate limits to operate within specific spaces around the terminal. The ML controlled cranes receive prioritized inputs from the shipping manifests to determine the most appropriate locations to offload and stage containers as they are prepared for the mode of transportation to the next destination. To ensure that the cranes have limited travel within the terminal, they ride on railroad tracks close to the edge of the pier where the container ships dock. Automation is not present in all of the cranes at the terminal, as MIT also employs remotely piloted cranes. Where crane pilots used to sit in a cab above the containers as they raised and lowered, now there are cameras and controls operated remotely from the same operations center that oversees the automated cranes.
The use of ML is becoming a disruptive technology and is emerging in other areas of supply chains. As logistics companies have seen demand for packages increase without a proportionate rise in the supply of drivers, the gap has driven innovation in autonomous vehicles for long haul shipping, as well as last-mile delivery. Dylan Jennings and Dr. Miguel Figliozzi presented a case study on the use of autonomous vehicles for reductions to energy consumption and CO2 emissions at the 2020 Transportation Research Board’s (TRB) Annual Meeting. In the study conducted by the team, the performance of Autonomous Delivery Robots (ADRs) was analyzed using both the Sidewalk ADR (SADR) in a Starship/Mothership configuration, as well as a Road ADR (RADR) configuration.[vi] In both configurations, firms leverage existing vehicle platforms that include the Ford Transit Connect and Mercedes Benz Sprinter vans to transit between warehouses or grocery stores and target neighborhoods.[vii]
On top of the base chassis, the firms install proprietary technology that includes GPS antennas, monitoring cameras, connected sensors, and starship delivery robots. Similar to the ML used to control the cranes of MIT, the firms building SADRs and RADRs use advanced algorithms to determine delivery route priorities based on data from GPS and individual order information.[viii] The algorithms also parse input data from the GPS antenna, sensors, and cameras while in motion to ensure safe transit on sidewalks and along roadways. Once items are delivered to the intended recipients, the scheduling and routing system is updated with confirmation of receipt of goods.
The AES Corporation, an energy management company, provides sustainable energy solutions in 14 different countries. AI has been incorporated into the daily operations of AES facilities, as well as customer solutions. AI has been helping AES site operations in the areas of predictive maintenance for critical components, as well as the monitoring and interpretation of power plant components that feed analytics dashboards. The infrastructure incorporates network and internet-connected sensors at various points and components in the power generation and storage value chain. These sensors provide constant input data that is processed and displayed to operations personnel, company leadership, and their customers as operating temperatures & pressures, usage and transmission rates, battery storage capacities and health, and other important metrics and notifications, all at the speed of relevance. Speaking at The AI Summit San Francisco in December of 2017, AES Vice President and Chief Technology Officer Chris Shelton said, “Digital solutions are a multiplier of value, making both existing systems and investments in new forms of energy more profitable. AI can ensure we utilize the millions of connected assets on the electricity grid to their full potential, from utility-scale solar and wind farms down to the washing machines and toaster ovens in our homes. Improved awareness, classification, and prediction of outcomes made possible by digital intelligence will enhance business value for utilities and energy consumers alike, fundamentally enabling more abundant and sustainable power for society.”[ix] A November 2019 agreement with Google secured a 10-year partnership to deliver renewable power to a data center in Chile.[x] Uplight, a company in which AES has invested more than $53 million, will leverage the underlying Google Cloud suite of capabilities to deliver advanced analytics powered by AI to enhance their “…end-to-end energy action system, to increase customer satisfaction, and reduce carbon emissions.”[xi]
The health industry has seen a significant rise in connected technologies that take direct inputs from patients, equipment, and providers to build profiles and results compiled by low-level applications and higher-level ML algorithms. Advances in supply chain technologies are used to manage inventory and resupply with AI helping to predict correct levels of medications and avoid overstock or backorders.[xii] While the use of inventory management is not unique to healthcare institutions, Chris Sullivan from Zebra Technologies, “…sees several areas where IoT technology is benefitting healthcare providers… Hospitals can benefit from machine-to-machine automation, tracking, and replenishment capabilities as consumption occurs.” As a leading inventory management technology company, Zebra offers multifunctional mobile connected solutions for healthcare that are capable of: medication administration and tracking prescriptions, inventory management, voice calls, secure text messaging, push-to-talk (PTT), alarms and alerts, blood transfusion administration, electronic health record access, and breast milk management.[xiii] Functionality on the Zebra devices is enabled with mobile applications developed to read barcodes and RFID tags, capture images, and securely communicate within and outside hospitals over WiFi and cellular networks.[xiv]
As part of the logistics arm of healthcare, UPS is enabling more accurate tracking of time and temperature-sensitive packages by leveraging IoT sensors as part of a new Healthcare and Life Sciences unit. According to an October 2019 press release, “It will leverage UPS’s Smart Global Logistics Network package tracking capabilities, combined with new, next-generation, on-package sensor technology to enable priority flow paths, sortation, contingency actions and delivery services for critical healthcare shipments. This new portfolio will provide UPS’s most comprehensive priority-handling services for chain of custody, time-dependent, and temperature-sensitive packages to help increase on-time reliability.”[xv]
AT&T is another capability provider of connected devices for the health industry, what they refer to as the Internet of Medical Things (IoMT). In this category, AT&T concentrates on delivering:
- Secure JACS tablets explicitly designed to comply with the Health Insurance Portability & Accountability Act (HIPAA)
- Enables secure IoT patient monitoring
- Connects to EHR for visual recording of patient conditions
- “Facilitates teleconferencing and remote patient-to-doctor video calls”[xvi]
- HIPAA compliant hub to wirelessly connect patient home health IoT monitors for secure transmission of health data
- Uses Bluetooth Low Energy (BLE) to connect with other IoT medical devices in the patient’s home
- Transmits data to cloud-based EHR for medical personnel review over AT&T 4G LTE cellular network
- Aira service to aid visually impaired customers with smart glasses and smartphones that connect with live agents to provide navigation in hospitals and places of business[xvii]
Distributed ledgers are another emerging technology in the supply chain, originally intended as a means of adding digital timestamps to documents that could not be altered. Blockchain is an example of a distributed ledger that has introduced some disruption to supply chains. Bitcoin is one of the best examples of blockchain technology, which was created in 2009 by Satoshi Nakamoto.[xviii] With distributed ledgers, data is written to blocks in a chain—known as the blockchain—and copies of blockchain are stored across multiple decentralized nodes in a network. Traditional databases store records across tables in a centralized database file. In a distributed ledger network, each node maintains a copy of the blockchain and transactional data is validated across a majority of the nodes before writing to the next block. The dispersed nature of distributed ledgers adds high levels of complexity, which benefits data security as the likelihood of data manipulation from nefarious actors is significantly less likely.
In the supply chain, distributed ledger technology is especially attractive for increasing confidence in suppliers, products, and statuses. Companies like IBM and TradeLens have developed solutions at different levels in the technology stack. TradeLens is a cloud-based transactional platform-based application dedicated to supply chain and logistics focused on: Shippers and Beneficial Cargo Owners (BCOs), Third Party Logistics (3PLs) and Freight Forwarders, Intermodal Operators, Authorities, Ports and Terminals, Ocean Carriers, Financial Services, and Software Developers.[xix]
The TradeLens platform runs in the IBM cloud and uses IBM’s private distributed blockchain network, or Blockchain-as-a-Service (BaaS), to write, store, and share customer supply chain and logistics data reliably and securely.[xx] As customers subscribe and add data to the TradeLens platform, it is written to the blocks in the BaaS network. These customers then bring on partners from within their supply chains to share and transmit data. As this is occurring, these transactions are written to blocks across the distributed nodes as well.
UPS has been working with blockchain technologies for years. A November 2017 press release announced, “UPS joined the Blockchain in Trucking Alliance (BiTA) forum for the development of blockchain technology standards and education for the freight industry.”[xxi] As part of the BiTA, UPS and other members look to create standards around data and formatting to enable easier integration into blockchain networks. The early move to join the BiTA can be seen as strategic for UPS. As companies begin to see value in the technology and find ways to adopt blockchain in their automated systems and operations, UPS and other early adopters will have created momentum in these data standards that are most important to their own operations. New entrants to these distributed blockchain networks will be required to adopt the industry standards agreed to by the earliest adopters.
Exploring the Risks
Risks always accompany emerging technologies and the examples discussed here are no different. Vulnerabilities lurk around the corners, in the hardware, firmware, data, and software. Most prominently, risks and vulnerabilities exist in the people working with any technology, regardless of how secure its manufacturer may proclaim it to be. If the supply chain is not monitored at key points known to be at risk, a system vulnerability may be injected in data or code upstream in the manufacturing processes that is carried through to production deployment of an end item. This is also true for hardware that may be powered by vulnerable firmware if security processes and standards are not followed.
In the world of data analysis, “garbage in, garbage out” is a commonly heard phrase. A variation of that phrase is “garbage in, garbage stays.” If data standards are not used, and extra steps not taken to normalize data, a risk to the business may materialize with significant effects downstream in production, supply chain, and data analysis products. The effects can result in inventories not reflecting appropriate levels of stock, incorrect items being shipped due to mismatches in manifests, customers not receiving correct orders, or measures on leadership dashboards reflecting inaccurate company performance. In addition to the use of standards with data, protection of the data that is stored and accessed must also be considered; companies must understand the risks to mitigate, accept, and/or avoid them. In cases where systems store Personally Identifiable Information (PII)—like in healthcare systems such as AT&T’s IoMT suite of connected tools that access, transmit, and update patient information in EHRs—providers must ensure that there are additional security measures implemented to protect from data loss and guard against unauthorized access.
Proactive measures must be implemented to identify vulnerabilities and risks in the supply chain. Businesses, whether they are forward-leaning early adopters or cautious observers who prefer to wait for the technology to mature, should take a risk-based approach to new technologies. Companies should start their approach by defining their risk appetites, using a risk register as a way for business leaders to communicate with developers and implementation teams. This will allow for clear communication about areas of operations where they are more or less comfortable with employing these technologies. Once the risk tolerance is defined, manufacturing process reviews must be employed to identify points in the process that are most vulnerable and where cyclical and periodic checks make sense.
Insider threats are the biggest vulnerability to operations. Companies must take a similar approach to the personnel they employ and addressing technological risk. Significant resources—and the right resources—are necessary to design, implement, protect, and actively monitor system security, education, and awareness programs to reduce the risk of insider threats. Security controls must ensure separations of duties are forced through programs and good cyber hygiene practices are implemented, supported, and practiced by leadership, and enforced at all levels of operations.
Wireless communication security comes with significant risks for cybersecurity attacks. As developers focus more on developing and delivering capabilities, they tend to focus less on securing the infrastructure that supports the operating environment. When IoT solutions are introduced, they pose a risk for an attack using their wireless communications including WiFi, Bluetooth, and cellular. As these technologies are introduced into an operating environment such as MIT’s ML and remote-controlled container cranes, significant attention must be given to securing the communications protocols to avoid signal hijacking or man-in-the-middle attacks common to wireless communications. This requires the use of best practices to secure equipment that transmits and receives wireless signals at the software-level with encryption and strong authentication, as well as at the hardware-level with physical access measures such as cable conduits, redundant power supplies, and locking cabinets.
Identification of risks and vulnerabilities in manufacturing and development processes and supply chains are merely a starting point. Companies that produce and/or use emerging technologies and IoT enabled devices must approach these new capabilities with caution rather than blind adoption. This requires critical thought to understand how the emerging technologies being employed not only to increase efficiency in production and supply chains, but also how they can bring increased risk that could lead to business losses. The recognition of risks will help in developing better resiliency, redundancy, and disaster recovery plans for their operations, systems, and supply chains.
What is being done and what is on the menu of policy options?
From a Defense and US national security perspective, protecting supply chains is critical to maintaining prosperity for the American people. For the US to maintain its position as the regional hegemon and the world’s superpower in a time of great power competition, policies must be enacted to enable and protect critical supply chains and logistics infrastructure while remaining adaptive to emerging technologies and the security concerns around the IoT.
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) has published a new requirement, known as the Cybersecurity Maturity Model Certification (CMMC) 1.0, for Department of Defense (DOD) contractors to phase into their operations. According to the CMMC Model v1.0 release in January of 2020, “The CMMC framework adds a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the DOD that a defense industrial base contractor can adequately protect controlled unclassified information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”[xxii]
Injecting proper security practices into solutions development has become more prominent in the private sector in recent years, due to increases in attacks from many different vulnerable points of system access. The prominence of security in development has spawned a framework of Development-Security-Operations or DevSecOps, where minimally viable products are introduced into an operating environment using agile development techniques. The differentiation factor for DevSecOps is that security standards and validation procedures are baked into the development and release process rather than considered after the fact, ensuring security considerations are addressed early on in the development process.
In February 2020, the National Institute for Standards and Technology (NIST) released draft guidance on cyber supply chain management for industry comment. NISTIR8276 (Draft) is a complementary document to previous guidance related to implementing and improving cybersecurity for critical infrastructure, focusing specifically on cyber supply chain risk management (C-SCRM). NIST fully recognizes the increased risks to businesses that are…becoming digital, producing digital products and services, and moving their workloads to the cloud, the impact of a cybersecurity event today is greater than ever before and could include personal data loss, significant financial losses, compromise of safety, and even loss of life. Organizations can no longer protect themselves by simply securing their own infrastructures since their electronic perimeter is no longer meaningful; threat actors intentionally target the suppliers of more cyber-mature organizations to take advantage of the weakest link.[xxiii]
The race towards the deployment of 5G communications infrastructure will further enable or hinder these emerging technologies and IoT connected devices. While the increased bandwidth capacity will enable significantly faster transmissions of data, with far less lag than current 4G Long Term Evolution (LTE) standards allow, the US must continue to take the position that the use of equipment from companies such as Huawei in are not compatible with National Security Interests. The US policy must continue to communicate that US and allied service providers should not allow equipment to be deployed as part of any vendor’s infrastructure.
US policy focused on critical supply chains must be updated to include basic cybersecurity, redundancy, and resiliency guidelines. These guidelines should specifically address the risks highlighted herein regarding data standards where operations rely heavily on AI and ML, encryption and wireless security for IoT connected equipment and devices, and insider threats.
By Jeffrey Beaudoin, US Department of Defense
[i] Bo Li and Yulong Li, “INTERNET OF THINGS DRIVES SUPPLY CHAIN INNOVATION: A RESEARCH FRAMEWORK,” International Journal of Organizational Innovation, Vol 9 Num 3, January 2017, Section B, p71.
[iii] Bringsjord, Selmer and Govindarajulu, Naveen Sundar, “Artificial Intelligence”, The Stanford Encyclopedia of Philosophy (Winter 2019 Edition), Edward N. Zalta (ed.), URL = <https://plato.stanford.edu/archives/win2019/entries/artificial-intelligence/>.
[v] Dylan Jennings, and Dr. Miguel Figliozzi, Can Autonomous Delivery Robots Reduce Last Mile Energy Consumption and CO2 Emissions?, Transportation Research Board 2020 Annual Meeting, Paper: 20-05617, p3.
[vi] Ibid, 5-6.
[vii] Matt Burgess, “Mercedes vans filled with swarming delivery bots could be heading to your hometown,” Wired, September 7, 2016, www.wired.co.uk/article/mercedes-starship-drones-delivery-van, accessed March 5, 2020.
[viii] AES, “An instantly scalable clean-tech, as powerful as any before it,” AES, Blog, December 7, 2017, http://blog.aes.com/blog-details/2017/An-instantly-scalable-clean-tech-as-powerful-as-any-before-it/default.aspx, accessed March 9, 2020.
[ix] AES, “AES and Google Create Strategic Alliance to Accelerate the Future of Energy,” Investors, Press-Release-Details, November 6, 2019, www.aes.com/investors/press-releases/press-release-details/2019/AES-and-Google-Create-Strategic-Alliance-to-Accelerate-the-Future-of-Energy/default.aspx, accessed March 9, 2020.
[xi] Dan Matthews, “Future IoT Trends in Supply Chain Management and Healthcare,” The IoT Magazine, https://theiotmagazine.com/future-iot-trends-in-supply-chain-management-and-healthcare-d5ff658a93ab, accessed March 9, 2020.
[xii] Zebra, “Healthcare,” Mobile Computers, www.zebra.com/us/en/products/mobile-computers/healthcare.html, accessed March 11, 2020.
[xiii] Zebra, “Software,” Mobile Computers, www.zebra.com/us/en/products/software/mobile-computers.html, accessed March 11, 2020.
[xiv] UPS, “UPS Launches New Tech-Enabled Healthcare Solutions, Standardizes Quality Systems, Forms Healthcare Unit,” Pressroom, Atlanta, GA, October 21, 2019, https://pressroom.ups.com/pressroom/ContentDetailsViewer.page?ConceptType=PressReleases&id=1571667364399-490, accessed March 12, 2020.
[xv] AT&T, “JACS Solutions Secured Tablet with AT&T Control Center,” AT&T Internet of Medical Things, www.business.att.com/content/dam/attbusiness/briefs/iomt-jacs-solutions-secured-tablet-brief.pdf, accessed March 11, 2020, p2.
[xvi] AT&T, “Internet of Medical Things,” Internet of Things, www.business.att.com/categories/internet-of-medical-things.html, accessed March 10, 2020.
[xvii] Investopedia, “Bitcoin’s Price History,” Cryptocurrency > Bitcoin, www.investopedia.com/articles/forex/121815/bitcoins-price-history.asp, accessed March 12, 2020.
[xix] Ibid, and IBM Blockchain, “Technical Overview, September 2019,” IBM Blockchain Platform, p2.
[xx] UPS, “UPS Joins Top Alliance To Create Blockchain Standards For Logistics,” Pressroom, Atlanta, GA, November 7, 2017, https://pressroom.ups.com/pressroom/ContentDetailsViewer.page?ConceptType=PressReleases&id=1510065871593-824, accessed March 12, 2020.
[xxi] Office of the Under Secretary of Defense for Acquisition and Sustainment, “CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) Version 1.0,” January 30, 2020, p 2.
[xxii] Jon Boyens, Celia Paulsen, Nadya Bartol, Kris Winkler,James Gimbi, “Key Practices in Cyber Supply Chain Risk Management: Observations from Industry,” NISTIR 8276 (Draft), February 2020, https://csrc.nist.gov/publications/detail/nistir/8276/draft, accessed March 18, 2020.
The ideas expressed are those of the author and do not represent the official position or policy of the US Department of Defense or any other US government entity.