Publications

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

This report summarizes a two-year LDRD project that investigated the problem of representing complex supply chains, identifying the worst risks and evaluating mitigation options. Our team developed a framework that includes a representation for business processes, risk assessment questions, risk indicators and methods for analyzing and summarizing the data. In our approach, the Process Matrix represents an overall supply chain for an end product in a high-level, tabular form. It connects the various touch-points of a business process including people, external vendors, tools, storage locations and transportation services while capturing the flow of both physical and intellectual artifacts. We believe these direct connections are exactly the things that a process owner can typically control. These material flows (both physical and intellectual) are also represented in a graph. This enables us to use graph-oriented analysis such as fault tree analysis and attack graph generation. Our approach is top-down, which helps users to get a more holistic understanding for a given amount of resources. Understanding the provenance of materials is difficult and it is easy to exhaust the analysts' resources. Rather than a tool to do vendor analysis or product comparison, our framework enables an enterprise-level analysis. The risk assessment questionnaires have a varying levels of detail and cover various aspects of the supply chain such as process steps, artifacts, suppliers, etc. and connections between these aspects such as artifact-storage, artifact-supplier, etc. Each question is further associated with one of seven risk indicators which can be used to summarize the risk. These risk indicators can also be weighted to reflect a user's concerns. We have successfully applied our framework to several use cases in various stages of its development and provided valuable insights to our partners, but it can also be applied to other complex systems outside of the supply chain security problem.

The microelectronics industry seeks screening tools that can be used to verify the origin of and track integrated circuits (ICs) throughout their lifecycle. Embedded circuits that measure process variation of an IC are well known. This paper adds to previous work using these circuits for studying manufacturer characteristics on final product ICs, particularly for the purpose of developing and verifying a signature for a microelectronics manufacturing facility (fab). We present the design, measurements and analysis of 159 silicon ICs which were built as a proof of concept for this purpose. 80 copies of our proof of concept IC were built at one fab, and 80 more copies were built across two lots at a second fab. Using these ICs, our prototype circuits allowed us to distinguish these two fabs with up to 98.7% accuracy and also distinguish the two lots from the second fab with up to 98.8% accuracy.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

On September 5th and 6th, 2012, the Dynamic Defense Workshop: From Research to Practice brought together researchers from academia, industry, and Sandia with the goals of increasing collaboration between Sandia National Laboratories and external organizations, de ning and un- derstanding dynamic, or moving target, defense concepts and directions, and gaining a greater understanding of the state of the art for dynamic defense. Through the workshop, we broadened and re ned our de nition and understanding, identi ed new approaches to inherent challenges, and de ned principles of dynamic defense. Half of the workshop was devoted to presentations of current state-of-the-art work. Presentation topics included areas such as the failure of current defenses, threats, techniques, goals of dynamic defense, theory, foundations of dynamic defense, future directions and open research questions related to dynamic defense. The remainder of the workshop was discussion, which was broken down into sessions on de ning challenges, applications to host or mobile environments, applications to enterprise network environments, exploring research and operational taxonomies, and determining how to apply scienti c rigor to and investigating the eld of dynamic defense.

Abstract not provided.

Abstract not provided.