 Hello and welcome to this webinar and this is hosted by the Center for Transportation and Logistics at the Massachusetts Institute of Technology and I'm here with Professor Jim Rice who has been collaborating with us from the University of Denmark in the development of this work which we still consider to be very, very relevant for companies. So I hope you derive some useful tips from what we're going to present now. Anything else? No, I'm excited that you're here working with us Daniel and I hope that our partners are able to understand and engage in the work that you're proposing. Actually it's work that you're doing now and you're looking for partners to join in and I'm excited that you're sharing this opportunity with us. Okay, thank you. So first of all I will share with you some administrative information. You are looking at this through YouTube and there is a chat feature that you can use throughout the presentation. Please post your questions in the chat and we will have 15 minutes at the end of the presentation. At the end of the presentation where we will go through the questions and answer your questions. So I'll get now to the presentation and we should have the presentation on screen. As I was telling you, this is a research that we've been doing at the Thames University of Denmark for the past two years and we have been in collaboration with the Center for Transportation and Exportational Logistics here at MIT in the topic of cyber risk for the supply chain. And this research has led us to a way of understanding these cyber risks which we look into the structure existing in supply chains as a trigger for better response to cyber risks. So we will start developing the idea with you here. So the agenda for this presentation, I will talk just a little bit about me and my background where I came from and why I drifted into this topic. Then we will talk about the problem description, how this problem can be described and the two main areas where we think the problem lies for supply chains. Then we will talk a little bit about the analysis of the approach that we want to suggest for understanding these risks and we will end with some steps that we have been developing for approaching the solution to cyber risks for the supply chain. So my background is I am a mechanical engineer by trainee and I worked for over 12 years in industry in different positions in supply chain management as a regional buyer to supply chain manager for multinational companies and I worked all over the place mainly Latin America, North America and Europe. And my academic background is a mechanical engineer as I was telling you and I have a master's in engineering and a master's of science in the last one from MIT and I am currently then doing my PhD degree at the Tinker University of Denmark to be ended by the end of this year beginning of next year. That's how I came about. So what seems to be the problem here? How are cyber risks a problem for supply chains? When we look at definitions for cyber risks or cyber attacks we have come across different types of definitions most of them hold some or all of these concepts in them. First of all it's an offensive maneuver that will target the computing information systems to either steal, alter or destroy. That is the general definition that is out there and this could easily lead us to believe that cyber attacks fall in the management of information technology of IT in that company. And this was largely the case until 2010 when something came in the scene worldwide which was not expected is what we call here the Dawn of Stuxnet. Stuxnet is a computer worm, a standalone program that was discovered in 2010. It was discovered in 2010 but there are some evidence that has been gathered after its discovery to believe that it had been around for at least a couple of years before its discovery. It was a very high technology piece of code. It did not need, it started to be connected to internet and it targeted very specialized hardware in nuclear plants all over the world. It was very effective. The plants that were affected by Stuxnet almost a fifth, 20% of the centrifuges that they used for the production of enriched uranium were affected and damaged. They had to be replaced. Some of the interesting things that we have not yet understood about this worm is that it had a turn off date. The code in the Stuxnet worm explicitly said it would turn off and not infect any other computer after the 24th of June 2012. We still don't know what that means but it was in the code. That's something that we find very odd. But this discovery led to some important realizations. Computer programs could have a direct and very powerful effect on the physical operations of supply chains and that there is a group of hackers working silently beyond the public attention developing these tools for disruption. This was a change in the way we think about the problems of cyber risk. They are not only from IT only. They affect the whole organization. We understand the problem. It has two parts. The first part has to do with the effects the cyber attacks are having on physical operations and the second part is how we are reacting to these attacks. Let's first look at how these cyber attacks actually affect our physical operations. I will give you some examples of this. There are some interventions which go beyond what we usually hear which is data, the effects of data or the change of data in a company. It has to do with how they affect physical things in the world around us. Here are a couple of examples which are very easy to hack these signs but it's a way of affecting and physically changing the way how we interact with the world through a cyber attack. These changes in the construction signs, for instance, is something that we see almost every day and we've shown here some of the lighter messages. Hackers have been able to convey all types of messages. These interventions go beyond these anecdotal examples to some financial effects. For instance, here we have three examples of hackers hacking different companies in the world, one from Germany, another one from Australia and the third one from the US where they were able to misdirect payments. In these cases, hackers accessed the processes that these companies had and they were able to get paid instead of the supplier. This is a direct effect from a company and it has to do with some structures which we will analyze later but this is an effect which is also very common. This happens all the time. In this allocation of payments, it even has its own term now. It's called cyber heist. But these operational effects don't end there. We have effects that can be either direct or indirect in operations itself. For instance, a direct effect, an example we have here is the hacking of the control system in a German steel manufacturer. Hackers, through this intervention, they were able to shut down some of the furnaces in an uncontrolled manner. If anybody is familiar with this, the furnaces need a very controlled cool-down process. Otherwise, the components could be damaged. The interior ceramics and other components if it's not shut down in a controlled manner. Then the effect of these hackers was reputable damage. They had to replace some of the components of these furnaces because of this uncontrolled shutdown. So this is a direct effect of cyber attacks on an operation, in this case, as in the lecture. But there is also indirect effects. So this has to do with the conditions in which the production takes place. What I'm pointing out here is two examples. One of them, the one on top, has to do with hacking of a water treatment plant. Cyber attackers were able to access the control systems in these water treatment plants and change the ratio of the chemicals that were being added to the water to make it drinkable for instance. These were very, very scary prospects. And the one on the bottom has to do with cyber attacks that have happened to the power transmission lines and power generation companies. They have happened all over the world. This one is an example in Ukraine, but there are examples in Brazil, there are examples all over. So this is a type of indirect effect of cyber attacks. So this brings us to the second part of the problem, which is not only how these cyber attacks are affecting our supply chains, but how are we reacting to these attacks? And so this I want to bring to the table an analogy which some of you may be familiar with, which is the iceberg model. This is something that is being used for some time in management to understand the different processes in a company and differentiate those that are visible, which in this picture could be seen as the events that are above the water, in terms that we can see the events, and it differentiates these from the ones that lay below the water, which is the patterns of behavior that actually cause these events, and even deeper below the patterns of behavior, we have a system structure which actually causes these patterns of behaviors which results in the events, and even deeper we have the mental models that drive the whole process. So if we look at this in terms of we have an initial symptom, which is the hacking of the organization, we have an organization that has been hacked, we could have different approaches to understand this. So our first approach could be hacking is the domain of IT. So management of hacking is the IT department, so let us call IT departments to make a system safe when this fail and fix them so that they are not unsafe anymore. This is a silo approach, and this is very common, but it's not enough for systems that are growing in complexity. So when systems are growing in complexity we have another approach which has been, which is also very common, which is again starting from the mental model that hacking is the domain of IT, but now we will protect against whatever lays outside our organization. So we have reactive firewalls and anti-viruses. I say reactive because they are normally generated and developed after the event. And the pattern that we obtain through this is protecting against the entry of anybody who's not authorized within the organization. And this could be understood as a defense model. And the third one that we want to advocate for, which is a bit different approach, has to do with hacking. It's not something that happens to a company, but something that our company is allowing itself to happen. So our organization is allowing the problem. And in that case, our structures, our information control structures, which is something I'll go a bit deeper in the next slide, our information control structures are the ones that are actually causing this problem. Not something outside is our own structure that is causing the problem. So what would be a control pattern of behavior? If we have the control structures and information control structures to understand and to recover from the cyber attacks, it would be a control time to recover. Here we have, for the first time, the work time in all of this, which is very relevant. And this we have named a structure approach to understanding the hacking of systems. And this is what we want to talk about a bit deeper in the rest of the presentation. So let's do a little bit of supply chain structure analysis. Supply chains are mostly seen, so the events that we see in supply chain is the physical movement of groups and services. We have physical operations. But underneath the physical operations in a supply chain lays a whole network of information flows, both within the organization and with our partners. And that is a continuous feedback. This information flows cause a physical operation of some kind, and these physical operations then feedback into the information flow. So this is an ongoing process which is adapting and adjusting all the time. So this is one first thing to realize about supply chains. And we have been aware of this up to a certain point because systems for improving supply chains, such as value stream mapping, which is the one I'm showing here, has considered information flows as part of their representations that they do. So they have this lower part which considers the material flows and the different processes that happen through the material flows. And we have also some time breakdown. So the material flows has a very important part of this analysis. And there is an overlaying or some enabling information flows which although gives some information on what information is required for the different material flows, it doesn't have any information on how this is controlled or how this allows a company to react over time. And why is the time factor here so important? And if we look at the destruction curve that Professor Sheffi and Professor Rice developed some years ago on how to characterize how a company reacts when it has a disruption. We have the lower access time. We have some measure of performance that is behaving around a certain value until we have an impact of some type of a disruptive event which could be for instance a cyber attack. Then the performance starts to go down until we have the full impact of the disruption. At the time of full impact, we have a process of starting the recovery and then we start a recovery which will aim towards either returning to the performance level or if there is some organizational learning there might be even an improvement in performance. So this is a qualitative description of how the reaction in a company would happen in front of a disruption. What we can identify from this graph is that the economic impacts lay in all this throughout the time when we are operating before the expected performance level. So we can deduce from this that the quicker we react or the less that the disruption affects our performance, the better the economic impact. The idea here is to reduce the area underneath this curve so the performance can stay on the expected levels permanently as much as possible. So reaction time is a relevant factor for a company performance. So this changes then a little bit the approach that we saw in the value stream mapping for instance where we had information as communication to what we understand as information as regulation of a process. So this is a very important change because when we consider communication as regulation we are not merely informing the different stages of the process on how to proceed but also we are confirming action. So for this is an example the correct supplier received all the information it needs to match our requirements. This is a regulation process it's not merely informing the supplier what we want but confirming that he has all that he needs to proceed and that is more than just one communication. We need some type of feedback to obtain this. So this is one example of regulation and another example of regulation in the supply chain is the reaction to changes. So what if a supply needs to adjust our requirements? We should have the information flows that allow us to adjust this and the linear or representation of information flows without the feedbacks involved in a regulation process or that do not allow us to identify those opportunities. So what is control as regulation? Let's look at an example which we may be familiar to you. Let's look at a system where there is a boy filling up a glass with water. This is the process. So this process has different parts of it which we can identify. For instance, there is sensors involved in the process, the eyes of the boy. Those sensors are continually looking at how the process is advancing. There is actuators in the system. So the boy has a hand on the handle on the pipe, on the regulation of how much water is flowing out and this actuator is not static. It's moving continually and adapting to what the boy is seeing in the glass and another important aspect we have inertial effects what we call inertial effects which are actually accumulations. So this is not only the effects of change from time to time but how these effects are accumulating as the complete process because the process we want is filling up the glass in this case. And this is not a linear process. This is within a loop of continually adapting processes. For instance, the boy is looking at the glass and he's adjusting how much water is he letting out and then he's looking at how that affects the amount of water in the glass and he again adjusts. So this is a feedback loop that repeats itself throughout the process. And it's not immediate. It could have delays. In this case it's very immediate because whenever the boy opens a little bit more, the tap it will flow very quickly in a higher quantity, it will flow more but this might not be the case. He might, for instance, apply a change in this handle and the flow of water may adjust with some delay which will change the dynamics of this system yet again. And this can be represented in a technical way in the following way. We have a controller which is the boy and the controller has the power of actuators and the sensors feed information into the controller and these actuators affect the control process and this is a continuous process that goes on and on and adjusts to changing conditions throughout the process. So why is self-regulation crucial? Well, it's crucial in certain conditions. Maybe not in others but it is crucial for instance when we have a variable environment when we have different ways of cyber attackers attacking a suppression that we need to adjust to the different attacks that are happening or the different types of failures that we could have in a suppression. We need to have these regulation processes to be able to adapt. Another aspect is when we have a quick reaction requirement when every minute that passes or the quicker we react the better it will be for the company. Well, you could say you could argue that is almost always true but there are some instances where we have some crucial processes that have been affected and then time becomes of the essence. We need to react more quickly. That's when self-regulation is crucial. Also, self-regulation is crucial when we have complex systems. Why is that? It's because the other another option to self-regulation would be centralized control and when systems grow very complex the centralized control becomes unfeasible or very cumbersome and not very effective. When we have self-regulation of different areas of a company then we get a system that is self-regulated in total. So if the supply chain for instance the purchasing department and the suppliers have a regulation process then we won't need any assistance or coordination through management for instance because the processes and the feedbacks and the communication paths have been designed for the supply department and the supplier to solve their problems with the system they have. And also self-regulation is important when failures are complex. So in a complex system, a complex supply chain many times when we have some type of failure this will not affect only one area of the company and it will not affect only the company but the suppliers as well. So as failures grow increasingly complex it's increasingly beneficial to have self-regulation as part of the design of the supply chain. So our proposal is derived from what I've been speaking all along which is a two-step solution. The first is looking for better ways of representing the information flows in supply chains using this representation of information flows to do what's been called a systemic risk analysis. So let's go one by one. The representation of supply chains of the flows in a supply chain we can give an example here of a seller and a buyer that have a transport agent that carries the goods from the seller to the buyer this is the physical movement so this is the event layer of the system. And this can be represented in the following way. We have a buyer, a seller and a transport that have different positions in the control structure this means that the buyer has more of a controlling position than the seller and than the transport because the buyer starts the process because the buyer is the one that has to be in control of the process throughout throughout the time it's being carried out and so on. The seller is below the buyer because the seller controls the transport agent as well. So the first thing that we get from this control structure representation is the hierarchical positions of the different actors in the system. Then this system will also represent the different flows of information that happen between the different agents in what we are considering to be the system. So between the buyer and the seller we have flows such as the purchase order and the payment and those are communications that happen between the buyer and the seller. There are some communications that happen between the seller and the buyer for instance the order confirmation documentation that have to be sent to the buyer and so on. So we have different flows between each of these agents in the system. But not only that we also have feedback loops that means that there are flows in this structure that's happening between the seller and the buyer that are linked or that somehow allow the company to change the action it's doing according to how these flows evolve. For instance when we have a purchase order we could have an order confirmation and this would be a feedback loop regarding purchase order. If one of those is missing or if one of those changes then we would have an action in the system. And in that sense we can identify many different feedback loops even in this simple model. So this representation we could extend to the case of seller that for instance. In this case we have the three members of the system which is the buyer the seller and the transport but in the case of a hacker intervention we would have the same three agents that we had before but we would have a fourth agent which is the hacker and this hacker would have a flow towards and from the different agents in the system which these flows would be undesirable flows but potential flows. So an analysis of cyber attacks for supply chains would consider adding an additional agent which is the hacker and considering the different flows that this hacker might have with the buyer. And then when we have this representation start to do some analysis of which I'll show some examples but this representation includes loops so we can have a first representation of the regulation processes happening in a supply chain it requires a common mental model this is not something that we will generate on our own or one person will generate in his office it has to be a process to be shared with organizations so that the different ways in which the agents or the persons in the different agents understand systems are being run we can generate one representation of that system and it's an explicit representation it's a graphical explicit way of sharing how the company communicates and how the company shares and flows its information this is an example which is more of an extreme example where we had the representation of the information flows for a pharmaceutical industry but far beyond the pharmaceutical industry so we have the pharma industry in this place but there was a representation of how this pharma industry interacts with the payers interacts with the Food and Drug Administration and academic researchers and so on so this is an expanded representation of a system how expanded the representation needs to be as in the case of any model depends on the question that you are trying to answer so in this case the question was more of a policy level more than an operational level but it's possible to do that at any level that you want so there some of the illustrations of what we can get out of this representation so I just want to tell everybody that if you have any questions please use the chat to post those questions as I will answer them at the end of the presentation we will have some 15 minutes to go through the questions that have been sent and we will get into our discussion so going on with this slide the illustrations of some of the results that we can get from this simple representation but explicit representation could be several, for instance we could identify some missing information flows an example here would be that finance did not confirm the payment of data before paying a supplier and the result of this was that the payment was made to a hacker after the supplier data was compromised and we saw some examples at the beginning of the presentation where this is really fairly common so there are some fairly common information flows that are missing so we could also have busy control structures so for example purchase orders could be processed without confirmation and we have seen in some organizations that hacker purchase orders were not detected and they were processed and then the real supplier was charged and the supplier did not recognize the purchase order and the goods were lost so missing control structures are a fertile ground for hackers we could have redundant information flows so this is also important for an organization so why for instance purchase and quality departments both contact suppliers this is the case in many companies where we have parallel contact of suppliers by quality and by purchasing and in some cases this allowed the supplier not to identify a hacker contact which resulted in a loss we could also have redundant control structures these control structures could be for example that the supply manager can instruct suppliers in parallel or without a coordination between them and this has led to conflicting instructions during emergency reactions for instance and all those can be can be used by hackers to gain some some other effects could be the identification of non-digital flows that we would want to have for instance suppliers that confirm orders by phone or by fax this seems far away but many companies are still operating in this way especially in the Far East so in these cases phone conversations were intercepted and delivery was changed and the goods were delivered to hackers so all this can be from a simple representation like the one we are proposing and the second step so once we have this information flow representation we could go to what is called a systemic risk analysis which is the stamp method which is a method developed by the MIT Aeronautics and Astronautics department with Nancy Levison it's been used for over 10 years particularly in production processes and very complex production processes and it's been used only in a limited way to supply chains and we are venturing into the analysis of cyber risks in supply chains so this process results in the requirements for a desired response which is the structure and the IT systems and the information flows that a company would need to have a better reaction through the analysis of the risks to which the company is exposed so we will a brief outlook of the process the stamp process starts with identifying the system which is the end result of the previous step we were talking about the information flow representation so in this case as an example we have a buyer-seller relationship that's the system we are considering for this simple example then we have to identify what are the unacceptable losses or accidents that the system would have so we would have to get a scope on what we don't want to happen in this system and in this case we have later no deliveries or a wrong delivery those are accidents we would want to avoid then we identify the hazards so what are the actions that are happening within the system within the information flows a problem that would lead to an acceptable loss for instance unverified purchase orders from the buyer or unverified your confirmations from the seller those are things that could happen, flows that could be absent or present and would lead to hazards and then we identify what are the control actions within the system what are people actually doing in the system that changes something and in this case we have some control actions which could be executing a purchase order or confirming a purchase order those change the system in some way executing a purchase order generates a whole set of information flows which are derived from this action and the same with the second one so these control actions are the ones that will create the dangerous conditions and then we identify when these control actions would be risky and there are four conditions in which this can happen and anyone who is interested in this methodology please write an email I can send much more information on how this has been applied to processes so far but in this case we have an example of an unsafe control action would be the seller provides execution of the purchase order when the purchase orders has not been confirmed with the buyer because this creates a cyber risk and then as a result of these control actions we create requirements so a requirement from this would be always require a purchase order purchase order verification from the buyer and if that is complied by any IT system whatsoever we would be avoiding this cyber risk and this is an analysis that is made with the different agents in the system it converges very quickly to a set of requirements which is much less than the number of control actions and which is much less than the identifiable hazards all the processes have seen so far so a summary of the talk so far first of all you have to remember that behavior is caused by structure, this is not something that is particular to supply chains this in general all behavior is caused by some structure that analyzes it and in our case we are saying that information flow the information flow structure in a supply chain leads to the physical flow behavior so if we want to maintain the physical behavior that we want we should look into the information flows that cause them so the third point is that if we understand this information flows we can design them and what we are proposing here are steps for analyzing and designing this information flows in a supply chain for better response but the first one is dynamic information flow mapping and the second one is a systemic risk analysis so what is a project meeting at this moment? we are looking for a collaboration with companies that would be willing to engage on a two-month project and consider five to eight interviews for at most two hours with some people in the organization to gather data both from the process and from the information flows that exist in the supply chain with the result of an information flow map stamp analysis and some recommendations derived from this analysis and the idea of the project is to help companies design their supply chains for improved response by applying a structure behavior approach which is the one that we have described here so with this I have completed the presentation and we can go into any questions that might be of why it was presented yeah, Daniel could you go back to one slide and I would like to leave that one up if that's all right so Daniel before we jump into some of the other questions I wanted to ask could you talk a little bit more about what these interviews are like when we were talking you said it's going to be one or one and a half hour I know you hear you say two but just to be on the safe side with whom are you intending to interview and what kind of questions will you be asking me okay, we would be wanting to talk to persons in a supply chain so in the organization everybody wants to participate and at least one of their suppliers and with key positions within that supply chain that have a central role in the control actions that happen in the supply chain so normally it would be buyers it would be warehouse managers or warehouse people that are in charge of the warehouse supply chain managers also where we would gather data of two types managers the first one would be process data so how much information they share not necessarily what information we are not interested in necessarily what information, what type of information they share with their suppliers in what format what is the regularity of the information and the information flows that they have so who are they connecting with both in the normal operation and within emergency operation so we want to see if there are changes between the normal operations and the emergency operations in terms of those things that I was mentioned and we would then with that information extract both the formal aspect of the information flow happening in the company and the mental model aspect of what's happening in the company and we expect to find some insights there to find that there is maybe a need for alignment maybe not but the data will tell us what the next processes are and we want to do this through the deliverables which is the information flow map and the stamp analysis and thank you Christine so I want you to read the question so the question is if we will receive a soft copy of the presentation I think we will be sending a soft copy of the presentation to the people that requested so let's be clear we don't know who is on this right now so if you want a copy that you're going to need to reach out and contact us and so you can do that by contacting Daniel directly at that email but another thing is what will be available is this a recorded presentation so this presentation will be available in the MIT center for conversation and logistics YouTube site so once we're done with the webinar today you can always come back and view it again and share with any colleagues who may be interested just by coming to our YouTube channel and seeing the videos that we have and you can see them and you can see them and you can see them and you can see them and you can see the videos that we have and finding the one that Daniel and just sharing the link with anyone that you know or re-watching it in case you'd like to get a better idea of what he was saying today thank you so with this we thank you very much for taking part in this presentation as I was telling you and my particulars are here at the end of the presentation anybody who's interested in getting more information about this work can contact me directly or access the MIT CTL site or my LinkedIn page there are many ways of finding it so thank you very much okay thank you very much