BRIDGE WP05 Application Guidelines and Implementation Roadmap

Building Radio frequency IDentification for the Global Environment

Application Guidelines and Implementation Roadmap Authors: Mikko Lehtonen (ETH Zurich), Jasser AlKassab (SAP), Sebastian Lekies (SAP)

June 2009

This work has been partly funded by the European Commission contract No: IST-2005-033546

About the BRIDGE Project: BRIDGE (Building Radio frequency IDentification for the Global Environment) is a 13 million Euro RFID project running over 3 years and partly funded (€7,5 million) by the European Union. The objective of the BRIDGE project is to research, develop and implement tools to enable the deployment of EPCglobal applications in Europe. Thirty interdisciplinary partners from 12 countries (Europe and Asia) are working together on : Hardware development, Serial Look-up Service, Serial-Level Supply Chain Control, Security; Anti-counterfeiting, Drug Pedigree, Supply Chain Management, Manufacturing Process, Reusable Asset Management, Products in Service, Item Level Tagging for non-food items as well as Dissemination tools, Education material and Policy recommendations. For more information on the BRIDGE project: www.bridge-project.eu

This document results from work being done in the framework of the BRIDGE project. It does not represent an official deliverable formally approved by the European Commission.

This document: This document presents application guidelines and implementation roadmap for the technical anticounterfeiting measures developed in BRIDGE WP5. While various RFID implementation guidelines and checklists have been published, they do not cover the use of EPC/RFID in anti-counterfeiting. The purpose of this document is to help bridge this gap.

Disclaimer: Copyright 2009 by (ETH Zurich, SAP) All rights reserved. The information in this document is proprietary to these BRIDGE consortium members This document contains preliminary information and is not subject to any license agreement or any other agreement as between with respect to the above referenced consortium members. This document contains only intended strategies, developments, and/or functionalities and is not intended to be binding on any of the above referenced consortium members (either jointly or severally) with respect to any particular course of business, product strategy, and/or development of the above referenced consortium members. To the maximum extent allowed under applicable law, the above referenced consortium members assume no responsibility for errors or omissions in this document. The above referenced consortium members do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, or non-infringement. No licence to any underlying IPR is granted or to be implied from any use or reliance on the information contained within or accessed through this document. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intentional or gross negligence. Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. The statutory liability for personal injury and defective products is not affected. The above referenced consortium members have no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

BRIDGE – Building Radio frequency IDentification solutions for the Global Environment

Executive Summary This document presents application guidelines and implementation roadmap for the technical anti-counterfeiting

measures

developed

in

BRIDGE

WP5.

While

various

RFID

implementation guidelines and checklists have been published, they do not cover the use of EPC/RFID in anti-counterfeiting. The purpose of this document is to help bridge this gap. The practical level of protection that a technical anti-counterfeiting system provides to a supply chain depends on two aspects: on detecting counterfeit products when they are checked (“intrinsic security”) and on checking the counterfeit products (“check rate”). The implementation roadmap presents how a high level of intrinsic security can be achieved with security measures available, now and in the future, for EPC-tagged products. Achieving a high check rate is addressed by applying the checks in the right supply chain locations and by integrating authenticity checks to processes where the products are anyhow identified. The implementation roadmap presents the available security measures for EPC-tagged products and provides guidance for selecting and updating security measures for an affected product. The roadmap starts from the basic measure which is reading the EPC number and verifying from a white list that such a product exists. The role of the security measures is to secure this scheme from adversaries. Three dimensions of security are considered: 1) prevention of tag cloning, 2) detection cloned tags, and 3) tag-product integrity. In general, there are eight possible supply chain locations (“usage scenarios”) for authenticity checks. These are analyzed in the report and they include: 1) distribution, 2) customs, 3) incoming goods at retail, 4) goods on retail shelves, 5) point of sales, 6) consumer / enduser, 7) after sales services and 8) reverse logistics. These cases are collected from existing usage scenarios and they address different dimensions of the problem. In particular, only checks in customs and checks of goods on retail shelves target the illicit supply chain. It is also shown which security measures are conceptually feasible in these locations. In addition to providing guidelines for the selection of security measures and check locations, an anti-counterfeiting project life-cycle model is presented. It serves companies affected by counterfeiting as a manual for deploying RFID and track-and-trace based anti-counterfeiting solutions and includes detailed description of four project phases: 1) initiation, 2) planning, 3) closing, and 4) operation and maintenance. Last, this life-cycle model is applied to an anonymized real-world company Akron to illustrate its application with tangible examples.


Table of Contents Executive Summary .............................................................................................................3 Table of Contents .................................................................................................................4 Table of Figures....................................................................................................................6 Table of Tables .....................................................................................................................7 1

2

3

4

Introduction ....................................................................................................................8 1.1

How Security Works ............................................................................................... 8

1.2

Organization of this Report ...................................................................................10

Implementation Roadmap ............................................................................................12 2.1

Basic Measure........................................................................................................13

2.2

Towards Strong Prevention of Tag Cloning.........................................................15

2.3

Towards Reliable Detection of Cloned Tags ........................................................17

2.4

Towards Strong Tag-Product Integrity .................................................................20

Supply Chain Locations for Product Authentication ................................................. 23 3.1

Different supply chain locations for product authentication ..............................23

3.2

Feasibility of different security measures............................................................29

Anti-Counterfeiting Project Life Cycle ........................................................................ 31 4.1

Selection of a Project Life Cycle Model................................................................31

4.2

Initiation phase ......................................................................................................32

4.2.1

Purpose of the Initiation phase ........................................................................32

4.2.2

Problem Analysis .............................................................................................32

4.2.3

Project Team ...................................................................................................34

4.2.4

Definition of Project Scope ..............................................................................36

4.2.5

Feasibility Study ..............................................................................................36

4.2.6

Cost-benefit analysis .......................................................................................38

4.3

Planning phase ......................................................................................................41

4.3.1

Purpose of the Planning Phase .......................................................................41

4.3.2

Organizational and Process Changes .............................................................41

4.3.3

Site Survey ......................................................................................................42

4.3.4

Selection of Hardware and Software ...............................................................43

4.3.5

Stakeholder Analysis .......................................................................................43

4.4

Implementation phase ...........................................................................................45

4.4.1

Purpose of the Implementation Phase .............................................................45

4.4.2

Pilot Study .......................................................................................................46

4.4.3

Administrative and Organizational Requirements and Changes ......................46

4.4.4

Technical Requirements and Changes ............................................................47

4.5

Closing phase ........................................................................................................47

4.6

Operation and Maintenance ..................................................................................47


5

Example Application ....................................................................................................50 5.1

Introduction............................................................................................................50

5.2

Akron Company Profile .........................................................................................50

5.3

Application .............................................................................................................51

5.3.1

Initiation phase ................................................................................................51

5.3.2

Planning phase................................................................................................53

5.3.3

Implementation phase .....................................................................................55

5.3.4

Closing phase..................................................................................................56

5.3.5

Operation and Maintenance ............................................................................56

References ..........................................................................................................................57 Appendix A: Hardware calculations..................................................................................60 Appendix B: Akron’s Stakeholder map.............................................................................61


Table of Figures Figure 1. The overall process of securing a supply chain from counterfeit products .............. 9 Figure 2. Direct effect of security ........................................................................................... 9 Figure 3. Indirect effect of security ........................................................................................10 Figure 4. Organization of this deliverable..............................................................................11 Figure 5. Roadmap towards secure authentication of EPC-tagged products ........................12 Figure 6. Protocol of the basic measure (white list) ..............................................................14 Figure 7. Authentication based on ACCESS passwords .......................................................15 Figure 8. Authentication based on unique TID numbers .......................................................16 Figure 9. Authentication based on cryptographic tags / PUF ................................................17 Figure 10. Authentication based on track and trace checks ..................................................19 Figure 11. Authentication based on synchronized secrets protocol ......................................19 Figure 12. Example of a commercial security seal (www.tesa.com)......................................20 Figure 13. Physical tag integration provides different possibilities depending on the product [34] .......................................................................................................................................21 Figure 14. Authentication based on object-specific features .................................................22 Figure 15. Possible supply chain locations for product authentication ..................................23 Figure 16: Project Life Cycle.................................................................................................31 Figure 17: Example for an RFID project team [6] ..................................................................34 Figure 18: Cost benefit model of investment in security ........................................................40 Figure 19: Exemplary RFID enabled Business Applications .................................................41 Figure 20: Site Survey Process [17] .....................................................................................42 Figure 21: Stakeholder groups [2] ........................................................................................44 Figure 22: Exemplary Stakeholder Matrix .............................................................................45 Figure 23: Akron's Supply Chain Network ............................................................................50 Figure 24: Akron's project team ............................................................................................52 Figure 25: Process manger and rule designer ......................................................................53 Figure 26: Factory layout ......................................................................................................54 Figure 27: Supplier matrix ....................................................................................................55


Table of Tables Table 1. Threat levels and needed countermeasures ...........................................................12 Table 2. Prerequisite for product authentication: the basic measure .....................................15 Table 3. Summary of preventive security measures on EPC tags ........................................17 Table 4. Summary of detective security measures ...............................................................20 Table 5. Summary of security measures for tag-product integrity .........................................22 Table 6. Conceptual feasibility of RFID-based product authentication measures in different supply chain locations (see Section 2 and BRIDGE D5.4 for technical details). ....................30 Table 7: Decision making tool for evaluating the overall risk of counterfeiting .......................33 Table 8: Required hardware and software ............................................................................43 Table 9: Exemplary Table of Stakeholders ...........................................................................44 Table 10: Calculation of hardware expenses ........................................................................60 Table 11: Akron's stakeholder map ......................................................................................61


1 Introduction Brand owners of various kinds of physical goods have an increasing need to protect their supply chains against product counterfeiting. To support brand owners across industries, BRIDGE WP5 has investigated and developed EPC/RFID-based countermeasures to counter counterfeit trade. Based on this work, this document presents application guidelines and an implementation roadmap for EPC/RFID based anti-counterfeiting measures. These application guidelines cover deployment and usage of an anti-counterfeiting system based on EPC technology. More precisely, the guidelines cover steering an anticounterfeiting system deployment project and selecting an effective and efficient way to use the authenticity checks to counter counterfeit trade. While various general RFID implementation guidelines and checklists are published by practitioners 1,2, these do not cover the use of RFID in anti-counterfeiting. Therefore the major contribution of this document is to provide the anti-counterfeiting-specific knowledge to the general guidelines. Different products need different amounts of protection. While simple verification of EPC numbers might be secure enough for some inexpensive consumer goods, for instance, authentication of luxury goods that are brought to after-sales service might require much more security. To answer the varying needs of different products, EPC technology provides a rich platform for different security measures. To assist brand owners in choosing right security measures, the implementation roadmap presents the way from identification to highly secure authentication of EPC-tagged products. This roadmap presents the possible security measures and their requirements to guarantee secure authentication of EPC-tagged products in a long term. The material benefits of a technical anti-counterfeiting system are hard to evaluate and present in one dimension, with only one criterion, but overall they can be characterized by security. Therefore the provided application guidelines are structured around concepts of security.

1.1 How Security Works This subsection presents the conceptual framework of security in anti-counterfeiting that structures the provided application guidelines. In general terms, security refers to protecting assets against certain threats and it is provided by a process of prevention, detection and response [36]. The overall process of securing a supply chain against counterfeit products presents the different preventive, detective and responsive countermeasures that companies can implement. Figure 1 illustrates this process by showing what the counterfeiter attempts to do and what the affected company or 1 2

http://www.rfid-in-action.eu/public/results/guidelines/rfid-implementation-checklist http://epsfiles.intermec.com/eps_files/eps_brochure/RFIDChecklist_brochure_web.pdf


companies can do to counter the counterfeiting. In particular, the illustration shows that product authentication is only one element in this overall process of securing the supply chain against counterfeits – but it is a particularly important one.

Counterfeiter (illicit actors)

Prevent § Do not disclose blueprints § Audit manufacturers

Detect § Private investigations

3. Sell counterfeit products to the licit supply chain

2. Obtain RFID tags with valid, copied serial numbers

1. Obtain counterfeit products

Respond § Confiscate illicit products § Prosecute infringers § End business relationships

Prevent § Use random IDs § Upkeep list of valid IDs § Secure data base of IDs § Waste mngt.

Detect § Monitor clandestine scanning § Detect use of copied IDs

Respond § Discard copied IDs

Prevent § Secure legitimate inputs

Detect § Authenticate products

Respond § Confiscate illicit products § Prosecute infringers § End business relationships § Strict liabilities

Brand owner (licit actors)

Figure 1. The overall process of securing a supply chain from counterfeit products

The security provided by a technical product authentication system has two major effects on the protected supply chain. First, the direct effect of security is that counterfeit products in the secured channel are detected. This is illustrated in Figure 2. Detection of counterfeit products depends on two factors: on verification of counterfeit products (check rate) and on detecting counterfeit products that are verified (intrinsic level of security of the security measure). The former is provided by the way the technology is used and the latter by the technology itself. In other words, the achieved level of security in practice depends on the security measure and how it is used. This is a simple finding but it is very helpful in organizing the application guidelines: On the one hand the goal is to maximize the probability that a counterfeit is verified, and on the other hand the goal is to maximize the probability that a counterfeit is detected when checked.

Counterfeits are verified (check rate) Counterfeits are detected (direct security) Counterfeits are detected when verified (intrinsic security)

Figure 2. Direct effect of security


When counterfeit products are detected in a supply chain with a sufficient success rate, the expected profit of selling counterfeit products to the protected supply chain decrease to zero and below. Thus the second, indirect effect of security is that injecting counterfeit products to the licit supply chain no longer pays off for the illicit actors. Since counterfeiters are primary financially motivated, we can assume that decreasing the expected profits has a deterrent effect on counterfeiters. The technical factors that provide the deterrent effect of security are illustrated in Figure 3. It is important to note in practice deterrence is not provided the absolute magnitudes of prevention, detection and response, but how counterfeiters perceive and value them. For instance, a convincing sticker of a surveillance system alone can deter a burglar from breaking into a house if the burglar perceives that the risk of alarm is too high, without the need of an actual surveillance system.

Cost to break (prevention)

Detection rate (detection)

Deterrence (indirect security)

Punishment (response)

Figure 3. Indirect effect of security

All of counterfeit products do not need to be detected in order to make injecting counterfeit products to a licit supply chain unprofitable. This is due to two factors. First, also counterfeiters have costs that need to be covered before they can break even, for instance from production and logistics [37]. Second, the risk of getting caught and being punished – though it may be small – needs to be offset by somewhat high returns; otherwise taking the risk does not pay off in the long term. However, it must be noted that deterrence only means that injecting counterfeits to the protected supply chain is not financially interesting in the long term under certain assumptions, but it does not guarantee or prevent that it will not happen.

1.2 Organization of this Report This report is organized as follows. First, section 2 presents an implementation roadmap towards strong authentication of EPC-tagged products. Then, section 3 describes and analyzes eight different supply chain locations for the authenticity checks and presents the technical feasibility of different security measures in these locations. And last, section 4 provides an anti-counterfeiting project-life cycle model that is a manual to help affected


companies during different phases of the implementation project, and this life-cycle model is illustrated with an example in section 5.

Section 1: Introduction Content:

Introduction to the deliverable, conceptual framework of security in anti-counterfeiting.

Findings:

Supply chain is protected through high check rate and intrinsic security of the check.

Section 2: Implementation Roadmap Content:

Implementation roadmap towards secure authentication of EPC-tagged products.

Findings:

EPC/RFID provides a platform of security features, suitable security features depend on the product.

Section 3: Supply Chain Locations for Product Authentication Content:

Analysis of possible supply locations for product authentication, feasibility of different techniques therein.

Findings:

There are eight usage scenarios for product authentication in licit supply chains.

Section 4: Anti-Counterfeiting Project Life Cycle Content:

Description and analysis of issues during different phases of an anti-counterfeiting project.

Findings:

Guidelines for initiation phase, planning phase, implementation phase, and closing phase.

Section 5: Example Application Content:

Example application of the rules-based approach to an anonymized real-world based company.

Findings:

Illustration of the project life cycle model.

Figure 4. Organization of this deliverable.


2 Implementation Roadmap This section describes an implantation roadmap towards secure authentication of EPCtagged products. The roadmap includes three different dimensions of security, namely tag cloning resistance, detection of cloned tags and tag-product integrity, and presents the different security measures that are needed to move towards higher level of security. The goal of choosing the security measures is to enable secure product authentication. Table 1. Threat levels and needed countermeasures Threat

Countermeasure

I

Counterfeit product without an RFID tag

Basic measure

II

Counterfeit product with an RFID tag with an invalid EPC

Basic measure

III

Counterfeit product with an RFID tag with a valid EPC

Tag cloning resistance / detection of cloned tags

IV

Counterfeit product with a genuine RFID tag

Tag-product integrity

The implementation roadmap addresses different threat levels of counterfeit products injected to the protected supply chain. We define these threat levels as follows: The first level threat is a counterfeit product without an RFID tag. The second level threat is a counterfeit product with an RFID tag with an invalid EPC number. The third level threat is a counterfeit product with an RFID tag with a copied, valid, EPC number, and the fourth level threat is a counterfeit product with a genuine RFID tag that is removed and reapplied from a genuine product. The threat levels and needed countermeasures are summarized in Table 1. Basic measure

Tag seals

weak

Low level of security

Unique TID numbers

Crypto tags

strong

Tag cloning resistance

Mark invalid EPC numbers T&T checks

Physical tag integration

Synchronized secrets

strong

Logical tag integration

ACCESS passwords

stro High level of security

Tag-product integrity

ng Detection of cloned tags

Figure 5. Roadmap towards secure authentication of EPC-tagged products

Reading a product’s EPC number and verifying that this number has been issued by the brand owner (“white list”) represents the first level of a technical countermeasure (cf.


subsection 2.1). When the need for security increases, additional security measures are needed against tag cloning attacks and tag-product integrity violations, i.e. removal and reapplication of valid tags. These security measures are illustrated in Figure 5. For products where the risk of counterfeiting is very low, such as some non-branded fast moving consumer goods, the basic measure provides a good starting point. For products where the risk of counterfeiting is higher, such as medicines and airplane spare parts, the need for security is higher and the first technical countermeasure should already include some more advanced security measures, such as track and trace checks or cryptographic tags. In general, the need for security increases over time; counterfeiters can learn about the countermeasures and implement ways to overcome or bypass them. When a need for an increased level of protection is recognized, for example by discovering that counterfeiters copy the EPC numbers of genuine products or that tags with fully programmable TID memory have become commercially available, the brand-owner needs to move towards stronger security measures. Since additional security measures have always costs involved, only the necessary security measures should be implemented. This paradigm is called “good enough security” [23] and it argues that practically and commercially successful security systems have a level of security that is modest in the academic sense, but good enough to work in practice.

2.1 Basic Measure This subsection formalizes the basic measure that is not yet secure authentication of products, but the foundation for the secure authentication. We define authentication as verification of the claimed identity and therefore identification is the prerequisite for authentication. A product claims to have a certain identity through the EPC number written on its RFID tag. The basic measure is to read the EPC number and verify that it is valid, i.e. one that can be found on a genuine product. This kind of check is analogous to having a doorman in front of a club to verify that only people who have their name on the list get in; thus only the people on the list are authorized to enter. Identification = A claim of identity Authentication = Identification + Verification of the claimed identity Valid EPC number = An EPC number that can be found on a genuine product

BRIDGE – Building Radio frequency IDentification solutions for the Global Environment Back-end

EPC Tag

Reader establish secure connection

Phase I: Initialization

(0)

inventory (1)

read EPC

Phase II: Identification

(2)

EPC (3)

(5)

if EPC is valid: result = y; else: result = n

EPC, , (4) (6)

result (y,n)

Phase III: Verification

Figure 6. Protocol of the basic measure (white list)

The basic measure has three phases: 1) Initialization phase, where the reader establishes a secure connection with the back-end system (mutual authentication), 2) Identification phase, where the reader reads the tag’s EPC, and 3) Verification phase where the reader asks the back-end whether the EPC is valid. The protocol of the basic measure is presented in Figure 6. This measure corresponds to the so called “white list” approach [24]. In stronger security measures the verification phase is replaced by a more sophisticated way to ensure that the product is not a counterfeit. The protocol is illustrated based on the following assumptions: •

The product authentication solution is an online solution and the credentials are stored only in the back-end,

•

Product authentication (including track & trace data analysis) is triggered by identification,

•

The protocol continues until the authenticity result is known by the reader (exception: synchronized secrets), and

•

Possible “early endings” of the protocols are not marked, i.e. cases where the product’s counterfeit origins are revealed before the final verification (e.g. back-end does have the TID stored for a certain EPC).

The basic measure identifies a product and checks if the identity is valid. The requirements of this basic measure are listed in Table 2. This measure does not provide any protection against cloning nor removal and reapplying of tags so, but it filters out untagged counterfeits and counterfeits tagged with invalid IDs. In order to pass this check, a counterfeit product simply needs to have a cloned RFID tag or an RFID tag removed from a genuine product. The following three subsections describe how to address these threats.


Table 2. Prerequisite for product authentication: the basic measure Security Measure

Tag Requirements

Basic Measure (white list)

EPC

Back-End Requirements

Other Requirements

Verification of EPC

Reader-to-back-end authentication

2.2 Towards Strong Prevention of Tag Cloning This subsection presents the existing and envisioned preventive security measures against tag cloning attacks. They should be used when the basic measure is not considered secure enough. Two existing PIN-based commands of Gen-2 tags, KILL and ACCESS, can be used for adhoc techniques for authenticating [25]. The KILL protocol bases on the fact that even though the EPC of a tag can be maliciously scanned, the KILL-password remains secret. Cloned tags can be found by testing, but without killing the tag due to low reader power, if a tag’s KILL password matches the one stored in a database. Implementation of this technique is feasible in deployed tags, but presents some delicate technical challenges [26]. We therefore focus on the ACCESS password that can be tested on a tag in a similar way but without the risk of killing the tag. This protocol is presented in Figure 7. In order to fool this check, the adversary needs to obtain the ACCESS password of the genuine tag for example by eavesdropping an authorized reader device that authenticates the targeted tag, or perform a brute force attack against the 32-bit password (i.e. go through the possible passwords and query the tag by repeating step 7 in the protocol). Overall, this security measure provides some protection against tag cloning but it is somewhat clumsy and is vulnerable against decisive attacks. Back-end (5)

Find ACCESS password for this EPC

EPC Tag

Reader EPC, , (4) (6)

ACCESS password test the ACCESS password


(7)

result (y,n) (8)

Figure 7. Authentication based on ACCESS passwords

In addition to the PIN commends, also the unique factory programmed read-only Transponder ID (TID) numbers can increase the cloning resistance of EPC Class-1 Gen-2. The reasoning behind the TID scheme is that a tag is authentic if it has a correct EPC & TID pair, illustrated in Figure 8. TID is not cryptographically secure and it only represents a practical hurdle against tag cloning. A detailed evaluation of the level of protection that the TID scheme provides in practice is presented in BRIDGE D5.5. Though it does not seem to be possible to buy Gen-2 tags with programmable TID numbers today, working prototypes of semi-passive tags (e.g. in BRIDGE WP4) demonstrate that a tag impersonation device can be built from less than ten euros worth of standard components to fool TID checks. As a


result, end-users should only make use of serialized TID numbers in applications where the tagged items can be physically inspected as a temporal and complementary solution. read TID (4)

TID (5)

Phase III: Verification if EPC and TID match: result = y; else: result = n

EPC, TID, ,

(7)

(6) (8)

result (y,n)

Figure 8. Authentication based on unique TID numbers

While cryptographic RFID tags are currently widely available in the HF band (e.g. Mifare Desfire 3), today there are no cryptographic tags commercially available in the UHF band. However, the need for security products in the UHF market is emerging and the first implementations exist [27, 28]. Tag-to-reader authentication can be based on cryptographic primitives like bitwise operations and pseudo-random numbers [29], hash-functions [30], symmetric-key encryption [27] or asymmetric encryption [31]. Asymmetric encryption is currently very challenging on RFID tags but due to advances in Elliptic Curve Cryptography (ECC) it is becoming feasible. These approaches cannot be employed without hardware support from the chips and since the cryptographic calculations require additional power they might decrease the tag performance in terms of reading time and range. Cryptographic UHF tags are expected to become commercially available in the near future, provided that there is a sufficient market pull for them. Another way to implement a secret key on the RFID transponder is to use a Physical Unclonable Function (PUF). The PUF is a one way function that allows for the calculation of unique responses using only some hundreds of logical gates without any costly cryptographic primitives [33]. In order to make the use of eavesdropped responses infeasible, several challenge-response pairs have to be stored in a database. PUF has been successfully implemented on HF (13.56 MHz) tags [32] and it is currently becoming commercially available. The tag- high-level to-reader authentication protocol is similar for cryptographic tags and for PUFs. This protocol is illustrated in Figure 9.

3

http://mifare.net/products/mifare_desfire.asp


EPC Tag


challenge challenge (6)


response (7)

if response is correct: result = y; else: result = n

response

(9)

(8) (10)

result (y,n)

Figure 9. Authentication based on cryptographic tags / PUF

Different preventive security measures and their requirements are illustrated in Table 3. Table 3. Summary of preventive security measures on EPC tags Security Measure

Tag Requirements


Other Requirements

Access password

ACCESS password

Password verification

(none)

Unique TID number

Unique TID number

TID verification

(none)

Cryptographic tags

Cryptographic processor

Challenge-response protocol

(none)

Physical unclonable function

PUF

Challenge-response protocol

(none)

2.3 Towards Reliable Detection of Cloned Tags Tag cloning attacks can also be addressed by reliable detection of cloned tags. Different detection-based security measures exist and they vary on their complexity and on the cases when they can detect the cloned tags. They should be used when the basic measure is not considered secure enough. A theoretically optimal detection-based measure would trigger an alarm for 100% of cloned tags as soon as they enter the secured channel (detection rate) and to 0% of genuine tags (false-alarm rate). In practice, however, some uncertainty is always present in the system and there is a trade off between the detection rate and the false-alarm rate. This means that the detection-based security measure triggers alarms for suspected cloned tags and a manual verification is needed to ascertain the origins of the product (based on other security features or the product’s natural features). The aforementioned basic measure represents a white list of valid EPC numbers (“blacklist”). The first detection-based measure is to mark those EPC numbers on this white list that are known to be invalid, for example because the product has been sold, consumed, or delivered to the end-user. One variant of this measure is allowing N first basic verifications to pass the check, e.g. because it can be expected that the product is verified N times in the licit supply chain, and after that marking the corresponding EPC as invalid. This variant is suitable for static supply chains (N is constant) where the risk of counterfeiting is high. Overall, marking invalid EPC numbers is a simple but effective measure since it limits the time span when counterfeiters can use a copied EPC number to the time point when the EPC number becomes invalid. The high-level protocol of this measure is same to that of the basic


measure (Figure 6). This measure can be used with a very small marginal cost if the trace data already tells which EPC numbers are invalid. The track and trace data can also be used to detect if a genuine tag and a cloned tag travel simultaneously inside the supply chain. In other words, track and trace checks address detection of cloned tags before the genuine product is known to have left the RFID system and the EPC can be marked as invalid. These approaches should be used when the risk of counterfeiting is high (cloned tags can enter the chain before the genuine tags are marked invalid) or when marking invalid EPC numbers is not feasible due to lacking data (e.g. it is not known when all tagged products are sold) or when there are dynamic changes in the supply chain (the N-approach is not feasible). BRIDGE WP5 has developed two different approaches for track and trace based checks, so called statistical approaches based on machine-learning techniques and so called rules-based approach based on configurable rules (see BRIDGE D5.4 for prototype description and D5.5 for thorough evaluation of these approaches). Guidelines for choosing the right approach are provided below. Overall, cloned tags can be detected in a reliable way from track and trace data that contains a chain of shipped and received events, but some false alarms or missed events might be possible in special cases such as missing reads. The advantage of track and trace checks is that no additional interaction is needed between the reader and the tag. •

Statistical approach: Statistical track and trace analysis automates most of the tasks needed to detect cloned tags from the track and trace data. The user’s main task in statistical approaches is selecting a representative test data set (normal traces) that captures the mechanisms of the underlying supply chain. The more complex the supply chain and the more read errors there are, the more test data is needed. In particular, the training data must not contain events generated by cloned tags, which currently must be manually assured. In case there are changes in the underlying supply chain, the system needs to be trained with a new set of training data. Since statistical approaches can automatically detect majority of missing read events (approximately 80% in a simulator study, cf. BRIDGE D5.5), they are also suitable in cases where read errors can be a problem.

•

Rules-based approach: The main advantage of the rule-based anti-counterfeiting approach is the possibility of leveraging existing industry- and company-specific anticounterfeiting knowledge by defining anti-counterfeiting rules. It is suitable in cases where the company wants to protect its specific supply chain by defining conditions that, once broken, give indication of counterfeiting activities. The included decision support system supports the user in limiting false positive cases, since read errors or missing reads might make specific rules trigger an alert (see also BRIDGE D5.5). The rule-based anti-counterfeiting framework empowers the user with the ability to define


and try out different rules and thus it resembles a data mining tool for track and trace data. Moreover, the alert information can be statistically analyzed in order to detect supply-chain specific patterns of counterfeiting injections, for example. Back-end (5)

if product passes the trace check: result = y; else: result = n

EPC Tag



result (y,n)

Figure 10. Authentication based on track and trace checks

If the tags have a small amount of rewritable user memory (e.g. 32-bits), it is also possible to detect when two tags with the same EPC enter the RFID system. This can be done with so called synchronized secrets method described in BRIDGE D5.4 and D5.5. This method requires a centralized back-end server that knows which synchronized secret (denoted s in Figure 11) is written on the tag. If a tag is cloned and the cloned tag is injected to the RFID system, the back-end will notice an outdated synchronized secret on a tag as soon as both the genuine tag and the cloned tag are scanned once again. As a result, a manual verification is needed to ascertain the origins of the two pinpointed products with the same EPC number. This approach is most suitable in cases where it is known when the products leave the RFID system (similar to marking invalid EPC numbers), otherwise a cloned tag can “hijack” the trace of a genuine tag that leaves the system and the system does not detect this. A high scan rate provides a high level of security (reliable and early detection of tag cloning attacks). If the scan rate is low, for example due to a high dwell time in a warehouse, there might be a long delay until the alarm is triggered. Therefore the synchronized secrets approach is not well suitable in cases where this delay is probable and not acceptable, such as for life-saving drugs that are stored for long times in warehouses where the tags can be copied. Back-end

EPC Tag

Reader read si (4)

si (5) (7)

EPC, si

i

if s is correct: result = y; else: result = f i+1 s = RND32

(6)

result, si+1 (8)


si+1 (9)

(10) replace

acknowledgement (11)

si with si+1

acknowledgement (12) (13)

acknowledgement

Figure 11. Authentication based on synchronized secrets protocol

The requirements of the different detective security measures are summarized in Table 4.


Table 4. Summary of detective security measures Security Measure

Tag Requirements


Other Requirements

Mark invalid EPC numbers (blacklist)

(none)

Verification of EPC

POS data (or similar)

T&T data analysis

(none)

SSCM / Rules

T&T data

Synchronized secrets

32-bit user memory

Synchronized secrets protocol

POS data (or similar)

2.4 Towards Strong Tag-Product Integrity Tag-product integrity counters tag removal and reapplying attacks. Guaranteeing tag-product integrity means guaranteeing that a tag is attached to the right product, and not to a counterfeit one. The respective attack is removal of a genuine tag from a genuine product or its packaging and reapplication of this tag onto a counterfeit product. This attack can be easy to execute if a tagged genuine product is available and tag-product integrity has not been addressed. From the point of view of the adversary, however, this attack is somewhat burdensome since it requires manual work, access to genuine tags, and needs to be repeated for each counterfeit article. Therefore it does not seem viable for large numbers of products and in the industrial scale that characterizes today’s problem of product counterfeiting. Rather, tag removal and reapplying is likely to a problem with higher-price products where already small quantities can be profitable for a counterfeiter. In particular, if tag copying attack is addressed with very strong preventive measures that the counterfeiters are aware of, such as cryptographic tags, attack against tag-product integrity can be the cheapest and most attractive way for a counterfeiter to fool an authenticity check. Sealing an RFID tag to a product’s packaging, or event to the product itself, is a straightforward way to improve tag-product integrity. The idea is to place the seal over the RFID label to reveal all attempts to remove or reapply a tag. A commercial security seal is illustrated in Figure 12. When allowed by the product’s form factor and esthetic requirements, an unbroken physical seal thus acts as a proof that the RFID label has been attached by the brand owner. In addition, tag removal inside a secured channel is revealed by a broken seal, which makes it possible to mark stolen tag ID numbers in a database. Tag sealing is especially well suited for case and palled level tags in channels where the risk of tampering is elevated.

Figure 12. Example of a commercial security seal (www.tesa.com).


In the case of item level tagging, physical integration of tags to products provides various possibilities for guaranteeing tag-product integrity depending on the characteristics of the product itself. Figure 13 illustrates tag integration to a leather good and to a metal watch. In this example, the leather good tag is not securely integrated since it can be easily detected and removed, where as the watch tag is secure integrated (i.e. it is hard for the adversary to perform a removal and reapplying attack owing to the specific engineering challenges of tag integration in this case). Regarding security, the goals of physical tag integration are to make the tag 1) hard to find by the counterfeiter, 2) hard to remove without breaking the tag and/or the product, and 3) hard to reapply to a counterfeit product in a seamless way. More information about secure tag integration can be found from EU-SToP D4.3 [33].

Figure 13. Physical tag integration provides different possibilities depending on the product [34]

To address tag removal and reapplying attack (as well as tag cloning) with low-cost tags, there exists a logical way to bind an RFID transponder to a particular product [35]. This security measure is based on writing on the tag memory a digital signature that combines the tag identifier and some product specific features of the genuine product. These features can be physical or chemical properties that identify the product and that can be verified, such as very precise weight. Figure 14 illustrates this approach. The chosen feature is measured as a part of the check and if the feature used in the tag’s signature does not match the measured feature, the transponder-product pair is not original. The proposed authentication needs a public key stored on an online database. Also an offline authentication is proposed by storing the public key on the tag, though this decreases the level of security. In practice, finding a suitable feature might be very challenging – and if the tag has one that can be reliably measured, then the product authentication can be done directly based on this feature without using RFID. Another disadvantage of this approach is that each unit has to be physically verified as a part of authentication.


(5)

if featureValue is correct: result = y; else: result = n

EPC Tag

Reader

EPC, featureValue, ,

measure the featureValue of the tagged object (outside the RFID system)


(4) (6)

result (y,n)

Figure 14. Authentication based on object-specific features

The requirements of tag-product integrity measures are summarized in Table 5. Table 5. Summary of security measures for tag-product integrity Security Measure

Tag Requirements


Other Requirements

Seal the tag

(none)

(none)

(none)

Physical tag integration

(none)

(none)

(none)

Logical tag integration

(none)

Verification of feature value

Measurement of feature value


3 Supply Chain Locations for Product Authentication This section presents guidelines for selecting right supply chain locations for product authentication. The goal in choosing these locations is to maximize the chances of counterfeit products that enter the supply chain being verified. Selecting right supply chain locations is crucial since it contributes directly to the achieved level of protection in practice (cf. Figure 2, page 9). A list of possible supply chain locations for product authentication is presented below. These locations are illustrated on a generic supply chain map in Figure 15. (According to the object event vocabulary of the EPCIS 1.0.1 specification they represent discrete business locations within the supply chain, but throughout this document we will refer to them simply as supply chain locations). The resulting list is achieved by gathering and clustering different usage scenarios of technical anti-counterfeiting measures and it is meant for decision makers for clarifying as well as identifying the need of a technical solution. When implementing an RFIDbased anti-counterfeiting system, the supply chain locations where products are to be authenticated need to be identified before the technical can be specified. This is due to the fact that all security measures cannot be deployed in all usage scenarios, mostly owing to the limited coverage of the assumed EPC infrastructure.

8

Licit Supply Chain

Illicit Supply Chain

Manufacturer

Manufacturer

Distribution

Distribution

1

Customs

Customs

2’

2

Legend

1

Inside distribution

2

Customs

3

Incoming goods

4

Goods on shelf

5

Point of sales

6

Consumer / End-user

7

After-sales services

8

Reverse logistics

3 7

Retailer

Retailer

4

4’

Use case Flow of goods

5 Potential entry of counterfeits Consumer / End-User

6

Consumer / End-User

Actors with lawful intent Actors with illicit intent

Figure 15. Possible supply chain locations for product authentication

3.1 Different supply chain locations for product authentication This subsection lists the different supply chain locations where products can be used for product authentication and discusses the pros and cons of the different usage scenarios.


1. Inside distribution: Counterfeit products can enter the licit supply chain in the distribution level between manufacturing and retail. Counterfeits can appear either as complete batches of faked goods or co-mingled with genuine goods. Authenticity checks in the distribution level, e.g. in distribution centres, can help detecting these counterfeits. Since logistic units (pallets, boxes, single goods) are identified using Auto-ID inside the distribution level, the existing business processes provide an opportunity to integrate authentication to processes where the products are currently identified. In addition, since the products are handled usually in known lot sizes or even one by one (e.g. luxury goods), the verified products do not need to be separately counted to detect counterfeits that are not tagged. This is a major advantage since this additional effort is thus not necessary. Another important efficiency factor is the relatively small number of distributors, compared to the number of retailers for instance; when all genuine products flow through a relatively small amount of supply chain locations, screening the whole population can be done with a much smaller number of check locations. Furthermore, authenticity checks inside distribution can detect the counterfeit products as soon as they enter the licit supply chain, close to the illicit actors. This increases the chances of detecting and successfully prosecuting the infringers. Regarding effectiveness, however, the distribution level is not the optimal location for authenticity checks since counterfeit products can enter the supply chain also after this level. Also, when the brand owner or manufacturer does not have its own distributors but it is done by other companies (i.e. external supply chain), active collaboration with the distributors is required. Getting the required contribution from external distributors can be very challenging since the distributor does not get any clear business benefits from the authenticity checks. This can be especially problematic for small brand owners. As a partial solution, past management research proposes that manufacturers can engender cooperativeness of distributors by nurturing satisfaction and dependence in manufacturer-dealer

relationships

[20].

In

particular,

senior

management’s

commitment to supply chain security is needed in order to gain distributors’ assistance in fighting counterfeit trade [20]. 2. Customs: Customs is responsible of most counterfeit seizures in the world and it is a key stakeholder in any anti-counterfeiting strategy. Anti-counterfeiting and verification of products is one of the key tasks of national customs organizations, though it is usually not as important as collection of taxes and duties, national security, and enforcement of free trade. Furthermore, customs is considered the best locations to interfere also the illicit supply chain (Figure 15). This means that supporting customs in anti-counterfeiting not only protects the licit supply chain from counterfeit products, but it also affects the illicit supply chain having a broader effect on counterfeiters’


business. Due to the complexity and size of the task, however, supporting customs with a technical anti-counterfeiting solution is not straight forward. It is not feasible for customs to adopt multiple devices to authenticate different kinds of products. Rather, a standard solution that can handle different kinds of products is strongly preferred. Such a standard, platform solution does not exist today and currently hundreds of different product authentication solutions are being used, but integration of authentication to Auto-ID technologies such as EPC/RFID has the potential to change this. Since authentication of goods in customs is not coupled with processes where the goods are identified but they are sporadic and done in an ad hoc mode to suspicious samples, a system that is able to authenticate one good at a time is sufficient. In addition, customs need mobile or handheld RFID readers since inspections are conducted not only in customs warehouses, but also on highways, in company’s warehouses etc. Sporadic checks of single samples helps customs identify counterfeit consignments faster and easier, but they are not the most effective way to detect small quantities of counterfeits that are co-mingled among genuine products. Last, a hundred percent confidence level to the result of the check is not mandatory since customs can hold back the suspicious goods and ask the brand owner do additional checks since the brand owner has the final responsibility of showing that seized goods are counterfeits. 3. Incoming goods: Authentication of incoming goods in the retail level is potentially a very effective way to secure the licit supply chain. In general, retailers are in a critical position to engage in countermeasures against product counterfeiting [19]. In our generic supply chain model, the retail level comprises typical consumer good retailers and other end-points such as pharmacies, hospitals, and small boutiques and garages. These authenticity checks can be integrated to the process where incoming goods are scanned in to the inventory before placing them to the back room or shopfloor. If the incoming goods are subject to verifications in the existing process already, such as expiry data verifications and order completeness verifications, the overhead of integrating an authenticity check to the existing process can potentially be done with a minimum overhead. A minimum overhead is also a requirement since the process of scanning in incoming goods can be time-critical. Furthermore, since the lot sizes of incoming goods are generally known, also detection of untagged counterfeit products can be automated. In theory, the best and most secure final check point in a supply chain is just before the goods reach the end-user or consumer (making injection of fakes impossible after the last check point), but in practice incoming goods in the retail level can be the last location where all goods can be easily authenticated. If the integrity of inventory in the retail level can be guaranteed, however, product authentication at incoming goods also guarantees the authenticity


of goods also at the point of sale or point of consumption. A critical factor regarding the integrity of inventory is addressing internal threats by employees, for example the possibility of replacing a genuine product by a counterfeit one. A downside with authenticity checks in the retail level is that the counterfeit products are detected in a relative late point in the supply chain, which makes tracing the source of counterfeit goods harder. Another downside is that more check points are needed than in the upstream locations; supply chains branch as they go downstream and the number of retailers is typically order of magnitude higher than the number of distribution centers, for instance. According to management research, the perceived seriousness of the problem and internal acceptance of responsibility are the most important factors that influence how willingly channel members assist manufacturers in anti-counterfeiting [19]. Furthermore, management practices that induce higher satisfaction and dependence, but lower conflict and control, will enhance a manufacturer’s ability to gain the help of retailers [20]. 4. Goods on shelf: Authenticity checks can secure the retail level also through verification of goods on shelves, i.e. on the shop-floor. This can be done either with the consent of the retailer, as an audit by the brand owner, or without the consent of the retailer, as a mystery shopper. In theory, also normal consumers could perform these checks if they were empowered with the needed technology and had the incentive to use it. A prerequisite for these checks is that the verified products are openly displayed, which restricts application of this scenario mostly to consumer goods (one way to overcome this restriction, as well as the need of mystery shoppers, is to do test purchases and authenticate the samples afterwards). Checks of goods on shelves are sporadic and can be targeted to suspicious or high-risk targets to increase their effectiveness. It is not likely that these checks can be done as a part of other processes where the goods are verified or identified, and therefore they represent additional effort and overhead. But this effort needs to be seriously considered since, together with checks in customs, verification of goods on shelves is the only way to interfere with the illicit supply chain (perhaps excluding infiltration of private investigators among the illicit upstream actors). An RFID-based solution with a large read range and a bulk reading mode suits this usage scenario especially well since it enables quick and imperceptible verifications. In order to detect untagged counterfeit items, however, the number of verified items needs to be counted manually. In addition, since this check is conducted at a late state of the supply chain, tracking down the sources of detected counterfeit goods can be hard.

The last

downside of this usage scenario is the big number of retail stores that need to be covered.


5. Point of sales: Authenticating products at the point of sales or at the point of consumption (e.g. a drug that is consumed in a hospital) secures the last link of the licit supply chain. At this step products are already handled one by one and identified with Auto-ID (e.g. to find out the price, or to verify the expiration date for pharmaceuticals). These conditions can make the introduction of an additional authenticity check very lean and minimize the overhead and additional effort of product authentication. In the same time, introducing systematic authenticity checks in the point of sales level is very challenging. Foremost, authenticating products in front of the consumer, patient or end-user interferes with the customer relationship. For example in the pharmaceutical industry this can cause trust problems between the doctor or pharmacist and the patient, and in the luxury goods industry it can mean breaking the romance of the buying experience. Therefore retailers in general do not want to deal with product counterfeiting issues in front of their customers since it can generate negative associations for customers who usually have not considered previously that counterfeit products could appear in the retail level. The dilemma is that these associations are perceived negative, even though the authenticity checks are conducted for the customers’s own good. There are also other factors that make authenticity checks challenging in the point of sales level. They take place in a timecritical process where additional delays are not welcome and they take place far from the sources of counterfeits. Last, the vast number of possible point of sales locations makes diffusion of the technology and process changes burdensome and probably possible only with standards, mandates and/or regulations. 6. Consumer / End-user: In the long term technology vision also normal consumers can interact with RFID-tagged smart products. As a result, they can also have the possibility to authenticate tagged products. Technically this could by possible for example by solving the interoperability problems between NFC and EPC technologies [22] but also by using mobile phone cameras to read bar codes on the products to give an access to the RFID trace data. This would also require a gateway though which anonymous or authorized consumers could access the product authentication back-end application. Overcoming these challenges would potentially empower masses of consumers with the ability to authenticate products in locations where brand owner cannot access otherwise, including secondary markets (e.g. flea markets,

C2C sales)

and new geographic

areas.

Such

community-based

authentication applications have already been proposed for mobile applications [21]. While consumers can refuse buying the counterfeits they detect and inform their communities about the fakes, they lack the law enforcement lever to launch responses against the infringers and thus should be supported by the brand owner. In addition, in some cases consumers buy counterfeits intentionally, which limits this


scenario to those product categories where consumers have real incentives not to buy a fake. The second part of this usage scenario is authentication of products that are being used by the end-users. A prominent example of this scenario is authentication of spare parts in the aerospace industry where counterfeiting does not really affect the licit supply chain through which the genuine spare parts are delivered, but the network of repair, maintenance and overhaul depots where the spare parts are used. In this case the authenticity checks can be integrated to existing processes where the spare parts are already identified with Auto-ID. In general, missing tracing infrastructure or lack of data sharing limits the use of detection-based authentication in this usage scenario, so prevention-based measures might be preferred. 7. After-sales services: In some cases counterfeit goods can enter the licit supply chain in after sales services when customers return goods that are already bought. This can be a relevant scenario for example in the luxury goods industry where products are used during long periods of times and sometimes they need to be returned for repair, polishing or refurbishment. Even though authentication of products in after-sales services does not prevent the harm from happening in the first place – i.e. the consumer from getting a counterfeit product – it enables easy detection of counterfeits in an early phase of the service. From the process point of view authentication of these products is relatively easy since these products are handled one by one and in small quantities, in the premises of the retailer or brand owner (e.g. a luxury goods boutique). Owing to the interference with customer relationship discussed in the point of sales scenario above, it might be preferable not to authenticate these products in front of the customer but in the back room or service level. This is also a preferable practice in those cases where the customers knowingly bring counterfeit goods to after-sales services with the hope of getting them replaced by genuine goods, since a face-to-face conflict with these fraudulent customers is avoided. From the technical point of view, this usage scenario is made challenging by the lack of complete trace data and by the fact that the process needs to handle also non-tagged products, including those product categories that are not tagged as well as older products that were not yet tagged. In addition, tracing the source of the counterfeit products detected in this usage scenario can be very hard. 8. Reverse logistics: Similar to the after-sales services scenario, counterfeit products can enter the licit supply chain also through reverse logistics of products that are returned to the manufacturer under warranty. This can be a relevant scenario for example in the This is particularly an issue with electronics, batteries, computer chips and mechanical components or accessories, where manufacturers are seeing an increase in counterfeit parts being returned to manufacturers under warranty and


claiming replacement. Many manufacturers are therefore having a problem authenticating these items and, without appropriate technology and processes, have found that they are forced to replace a fake item with a genuine item. In this case an authenticity check can be integrated in the service process on the manufacturer’s side. Compared to checks in the lowest levels of the supply chains, only a very small number checking locations is needed to secure this link. The downside of this usage scenario is that it is very far from the source of counterfeits and the benefits are limited to elimination of losses due to replaced or fixed counterfeit products.

3.2 Feasibility of different security measures Since all RFID-based product authentication methods cannot be applied in a secure way in all supply chain locations, selection of the wanted usage scenarios has an effect on the possible security measures. Table 2 presents the conceptual limitations of the considered product authentication approaches in the listed usage scenarios. Foremost, the detectionbased approaches have limitations or cannot be securely applied after the genuine products leave the supply chain and are no longer traced.


Table 6. Conceptual feasibility of RFID-based product authentication measures in different supply chain locations (see Section 2 and BRIDGE D5.4 for technical details).

Basic

Blacklist

T&T

Sync. Sec.

Password, TID, Crypto, PUF

1 Inside distribution

OK

OK

OK

OK

OK

2 Customs

OK

OK

OK

OK

OK

3 Incoming goods

OK

OK

OK

OK

OK

4 Goods on shelf

OK

OK

OK

OK

OK

5 Point of sales

OK

OK

OK

OK

OK

6 Consumer / End-user

OK

7 After-sales services

OK

8 Reverse logistics

OK

Supply Chain Location

OK**** Limited*

Limited**

No***

OK OK

* Limited: in addition to copied tags, also the genuine tag will raise an alarm after the ID number is in the blacklist ** Limited: cloned tags cannot be reliably detected once the product is no longer traced *** No: products that have left the distribution channel must be marked in order to avoid identity hijacking **** Password approach can be made available only to trustworthy parties since the verifier learns the secret


4 Anti-Counterfeiting Project Life Cycle This section focuses on the development of a generic project life cycle model for the adoption of RFID-based anti-counterfeiting solutions. It shall serve companies, which are affected by counterfeiting, as a manual for deploying deploy RFID and track-and-trace based anti-counterfeiting solutions. This section will not focus on all aspects of project management, but on RFID- and anti-counterfeiting-specific aspects. Thereby, this deliverable assumes that the company has not yet implemented RFID, but that it has made first experiences with the technology by conducting laboratory trials and trainings.

4.1 Selection of a Project Life Cycle Model Numerous approaches towards the project life cycle can be found in literature. For projects of different sizes and purposes, there exist multiple models to fit to the very different requirements. In order to create comprehensive application guidelines, this deliverable focuses on a generic approach rather than on a specific phase model. This generic model is developed based on de facto project management standards like the Project Management Body of Knowledge (PMBOK), the IPMA Competences Baseline (ICB) [7], and Projects in Controlled Environments (PRINCE2) [5]. In concordance with these standards, the following four generic phases are used for the project life cycle.

Initiation Phase  Purpose of the Initiation Phase  Problem Analysis  Project Team  Definition of Project Scope  Feasibility Study  Cost-benefit Analysis

Planning Phase

Implementation Phase

 Purpose of the Planning Phase  Organizational and Process Changes  Site Survey  Selection of Hardware and Software  Stakeholder Analysis

 Purpose of the Implementation Phase  Pilot Study  Administrative and Organizational Requirements and Changes  Technical Requirements and Changes

Closing Phase  Closing of the Project

Figure 16: Project Life Cycle

Companies adopting the prototype can map the activities of these phases to their own model in order to adapt the application guidelines to their special needs. Furthermore, this deliverable will have a special focus on the ongoing activities, which include operation, maintenance, and countermeasures against new counterfeiting methods. These influence RFID within the four process steps, including the closing, operations and maintenance phase, which will be described in the following sub-sections.


4.2 Initiation phase 4.2.1 Purpose of the Initiation phase The initiation phase is the first step in the project life-cycle. The goal of this phase is the definition and authorization of the project. Thereby, a project team analyses the underlying problems, the goals, the feasibility, the requirements, and the costs and benefits of the project. This phase is concluded by a preliminary go or no-go decision.

4.2.2 Problem Analysis One of the first things to do when starting an anti-counterfeiting project is to analyze the underlying problem. Different aspects of the problem need to be regarded: besides monetary aspects, there are security and image aspects. While the direct monetary damage of counterfeiting is huge for one company, this monetary damage is rather minor for others. Though, these companies may want to start anti-counterfeiting, because a bad impact on their image caused by counterfeits can result in a major loss of potential customers. Also companies of branches with high requirements towards security may not want to fight counterfeiting because of monetary reasons only. An aviation company, for example, can significantly lose customers’ trust, if one of its airplanes crashes due to a counterfeit spare part used to repair the plane. Therefore, monetary analysis/reasons are good instruments, but not always suitable for deciding whether to engage in anti-counterfeiting or not. Furthermore, it is very difficult to calculate the monetary damage of counterfeits. On the one hand, gathering the correct information is almost impossible and on the other hand many, assumptions must be drawn. For example, would someone who buys a 20 € counterfeit also buy the genuine product for 500 € instead? In Addition, it is very difficult to calculate the share of counterfeits sold with genuine products [12]. Therefore, also other indicators for analyzing the problem of counterfeiting must be found. As described in the EU-SToP 4 D1.4, the following list provides an overview of important indicators [13]: •

Products with high sales volumes are more interesting for counterfeiters due to the fact that these products are widespread. This means that on the one hand counterfeiters know these products better than less known products, and that there are more potential customers for buying the counterfeits on the other hand.

•

Profitability for counterfeiters is an important prerequisite. Due to the fact that counterfeiters save the research, development, design, and marketing costs the counterfeiter’s margin can be calculated as the difference between a product’s gross profit margin (which does not include indirect expenditures like marketing and R&D), and the operating profit margin. The higher this margin is, the more attractive is the product to the counterfeiter.

4

Stop Tampering of Products


•

The easier it is to imitate a product’s visual quality, the cheaper it is for the counterfeiter to duplicate the product. Therefore, the ease of duplication characterizes the counterfeiters estimated investment in production facilities and represents an entry barrier for the illicit business. However, also complex products can be targeted by counterfeiters.

•

The demand for fakes is another important driver for counterfeiters. The higher the demand for fakes is, the easier it is to sell counterfeits, because there is no need to fool the buyers. The demand for counterfeits can exist when the genuine product is not available due to delivery problems, regulations, or higher prices.

•

If a product already has a counterfeiting history, it is very likely that it will also be counterfeited in the future. In order to estimate the extent, different illicit channels, such as the Internet or flea markets can be checked upon suspicious products. Cooperation with customs organization can also be very helpful to gain knowledge, such as about the number of seized goods.

Moreover, the problem analysis includes the following counterfeiting characteristics: •

Is there deceptive counterfeiting? If yes, a technical solution can be in case the authenticity of the product shall be checked. Deceptive counterfeits are sold at prices close to those of genuine products. Hence, the risk of deceptive counterfeiting is high and companies should address the problem of counterfeiting (see also BRIDGE D5.2 Requirements Analysis Report).

•

Are counterfeit products imported to the European Union? If yes, a technical solution can be valuable, for example, customs authorities can also check the authenticity of the products (see also BRIDGE D5.2 Requirements Analysis Report).

•

Are there counterfeit products in the licit supply chain, mixed with genuine products? If yes, a technical solution can be valuable in order to detect these shipments with mixed merchandise.

The following table can be used in order to quantify the problem. The different indicators described above are weighted and quantified for each product. Therewith, it is possible to estimate the extent of the problem and to compare the different products. Table 7: Decision making tool for evaluating the overall risk of counterfeiting Counterfeiting and grey market history Sales volume of the genuine product Risk to consumers due to counterfeiting Direct loss of future sales due to counterfeiting Demand for counterfeits Profitability for counterfeiters

Weight 15% 20% 15% 10% 10% 20%

Product X 5 6 9 4 3 6

Product Y …

Product Z …


Ease of duplication

10%

6

Overall risk of counterfeiting

100%

5.80

6.10

4.20

In order to protect the licit supply chain from counterfeit injections, Section 3 lists recommended locations where to check the products within the supply chain. Besides the counterfeiting aspects mentioned in the lists above, a company-internal analysis of the counterfeiting situation in the licit supply chain will support the brand owner to define where to check within the supply chain and to opt for an adequate anti-counterfeiting solution, e.g. an technical solution based on RFID and track-and-trace technology. With choosing the “right” locations, the brand owner can maximize the chances to check counterfeit products that enter the licit supply chain. As stated in Section 3, selecting the right supply chain locations is crucial since it contributes directly to the achieved level of protection in practice (cf. Figure 2 and Figure 15). As a start of the process and as one part of the problem analysis, the above introduced decision making tool (Table 7) can be applied. If the problem analysis indicates that there is a need for action, adequate methods need to be chosen to proceed against counterfeiting. Since BRIDGE WP5 focuses on the RFID technology, the following subsections will only deal with the adoption of EPC/RFID based approaches.

4.2.3 Project Team The project team is one important success factor for an RFID-project. Due to the high integration of many different fields, multidisciplinary expertise is needed. Therefore, the skill set of the project team should reflect a mixture of these different fields including manufacturing, logistics, operations, engineering, warehouse management, business process reengineering, and information technology [1]. If this knowledge is not available within the company, training sessions and/or external consultants are needed.

Figure 17: Example for an RFID project team [6]


Usually, the project team is divided into a core and an extended team. Figure 17 shows an exemplary core project team. While the core team consists of full time employees, the extended team includes personnel, which are interconnected to the RFID-project. It is also possible to integrate external experts, partners, and technology providers into the extended team. Their expertise, however, should only be consulted if necessary. Typically, the members of the extended team are experienced in the fields of quality management, IT, organization, sales, marketing, HR, law and R&D. In contrast to the core team, the extended team bears no responsibility for the success of the project. The following project roles should be considered within the core team: •

Project Leader: The project leader needs to unite technical expertise as well as process knowledge, in order to communicate in a competent manner with technical and business experts. Furthermore, experiences in management of large-scale projects are desirable.

•

Change manager: The change manager should have good communication skills and experience in process reengineering and optimization. His tasks are to anticipate, document, and monitor the upcoming organizational changes in order to avoid undesired side-effects.

•

RFID manager: An RFID manager needs to have knowledge about the RFID hardware. Furthermore, he should know which hardware to choose and how to implement this hardware. He is responsible for the site survey and the implementation of the hardware.

•

Application lead: The application lead needs to have a broad IT knowledge. Furthermore, he needs experience with the required software application and underlying data. He will lead the integration of the RFID solution into the current IT infrastructure.

•

Process manager: The process manager is an expert in supply chain management. He should know and understand the processes within the company well. He is responsible for the adoption of the business processes. Furthermore, he is the central expert for anti-counterfeiting.

Anti-counterfeiting is only one of numerous business applications being enabled by an extended RFID and track-and-trace platform. According to industry interviews, companies would invest into an RFID and track-and-trace infrastructure (especially on item-level) for multiple beneficial applications, inter alia anti-counterfeiting. Hence, besides the process manager, who is the responsible expert for the anti-counterfeiting application, other experts or teams of experts, responsible for other business applications, are needed. This fact has an additional influence on the RFID project team.


4.2.4 Definition of Project Scope Defining the project scope is very important for RFID projects due to the fact that a clear scope can have various positive effects on the success of a project [38, p. 455]. On the one hand, clear goals can reduce unrealistic expectations towards the RFID-technology, and on the other hand they can increase the acceptance amongst stakeholders. By stressing the importance of the project within the project scope, users, employees, customers, and partners can easily understand the purpose and the meaning of the project. During the project, the focus must be kept on the scope in order to stick to clear budgets and timeframes [7]. Due to the fact that the RFID-technology offers innumerable application possibilities, an RFID-project bears the risk of losing focus by covering too many different topics. Therefore, it is very important to set and stick to SMART (specific, measurable, achievable, relevant and time bound) goals [10]. As a next step, a feasibility study needs to be conducted in order to check the achievability.

4.2.5 Feasibility Study The feasibility study needs to clarify if the project can be realized or not. Therefore, it has to answer major key questions which are inter-connected with the success of the project. With the answers at hand, the study has to analyze if the goals can still be met. If not, the project either needs to be stopped or the scope needs to be redefined. In the following, a list is provided with RFID-specific aspects which need to be regarded in the study. This list should not be seen as a complete list, but rather as a list of important points. For each project and each company, there can be additional question which are not regarded here: Product •

Which products need to be tagged? This is a strategic decision about the scope of the project, and it should be done based on the problem analysis (cf. subsection 4.2.2).

•

Can the chosen products be tagged with EPC tags and on item-level? All possible problems with metals, liquids, digital goods and raw materials like chemicals, or tagging possibilities have to be clarified.

•

Where and how can the tags be attached to the products? Can the requirements of a secure integration be fulfilled? Are the manufacturing and packaging process changes feasible?

•

If not all products can be tagged, is it feasible to run several systems parallel in order to handle untagged items? Are the company and its supply chain partners able to handle the increased complexity of multiple systems?

Suppliers and Partners


•

Which suppliers, distributors, retailers, and other supply chain partners need to be involved in the RFID roll-out?

•

Are the supply chain partners willing to adopt the RFID system? How can they be convinced?

•

Are the supply chain partners willing to share the needed data?

•

Are there any suppliers or partners who already use RFID? Can knowledge be transferred to the company or can the company benefit in other ways from it?

Technical •

What is the needed reader network?

•

What is the expected data volume and required infrastructure to handle it?

•

To what extent is the company able to equip its sites with the technical infrastructure or are there technical restrictions (e.g. no broadband Internet connection on site, machines which are affected by radio waves of the readers)?

•

Can the reader device provide reliable read rates or will external circumstances prevent the company from getting reliable reads?

•

Does the company have enough knowledge to realize the project and to maintain the infrastructure afterwards, or does the company need to pay external experts?

Anti-counterfeiting measures •

Which security measures are feasible?

•

What is the required level of protection? How much money and effort can be allocated to protect one product?

•

Which anti-counterfeiting solution suits best for the company? E.g., is trace data available? Are the traces complete? How good is the read accuracy? Is the trace data timely or does it come with delays? Table 5 provides a conceptual feasibility of RFIDbased product authentication measures in different supply chain locations (see Section 2 and BRIDGE D5.4 for technical details).

Legal •

Are there any legal restrictions towards hardware, software or private concerns in the operating countries?

Financial


•

Is there a budget for the planned expenditures (starting investment and operating costs)?

By giving answers to these questions, the feasibility study highlights positive and negative aspects, as well as alternative options and possibilities. Furthermore, it has to summarize possible risks and critical steps in order to increase the probability of success [9]. If the project is supposed to be feasible also the monetary aspect need to be reviewed.

4.2.6 Cost-benefit analysis A cost-benefit analysis is a good instrument for evaluating the project’s potential beforehand. As described in the BRIDGE D5.3 deliverable, costs need to be distinguished into one-time set-up, and variable costs [11]. While one-time set-up costs cover software, hardware, consulting, planning and other project related costs, the variable costs comprise all operation and maintenance cost, such as costs for inspections, RFID tags and costs for reaction measures towards findings of counterfeit goods. The latter must be regarded very carefully since the technical solution will increase the number of revealed counterfeits and therewith the costs for these reaction measures. In order to get a clear and correct picture, it is important to include all related costs and benefits in a correct manner. This subsection presents a list of cost and benefit factors which need to be regarded in a project. One-Time Costs •

Consulting and planning costs occur when third parties are engaged in the adoption project. Especially when the company lacks know-how, third party knowledge needs to be purchased.

•

Hardware expenses include all costs for RFID-readers, work stations, servers, RFID-printers and network infrastructure.

•

Software expenses include all licenses needed for work stations, servers and RFIDmiddleware.

•

System integration costs are costs for the installation and configuration of hardand software including reader installation, EPCIS and EPCDS server installation as well as the integration of the system into the current IT infrastructure.

•

Production line changes might be necessary to enable product tagging in the manufacturing site.

•

Costs for the internal project team cover all expenses for internal personnel within the adoption project.

•

The initial EPCglobal subscription fee needs to be paid at the beginning of the subscription. The amount depends on the company’s turnover and the operating country.


Variable Costs •

Costs for RFID-tags are a major cost driver, due to the fact that every item needs to be tagged. Depending on which kind of tag is used, these costs can vary from a few cents to multiple Euros. The average price of a low cost RFID inlay is less than 10 cents. Prices are expected to drop further.

•

Costs for tag integration comprise the costs for integration of tags into the product including variable material and labor costs.

•

Maintenance costs (reader, server, etc) refer to costs for maintaining the infrastructure including soft- and hardware. These maintenance costs are estimated about 10-15% of the initial investment [14].

•

EPCglobal annual fee has to be paid by EPCglobal subscribers each year. The amount depends on the company’s turnover and operating country.

•

The Inspection team consists of employees monitoring the supply chain. The maintenance of the prototype (including the creation of new rules) and the investigation of suspicious products are their major tasks.

•

Training is needed to teach on-site personnel how to handle suspicious products and how to interact with the reaction team. It is also needed to give an understanding of the new system to the employees.

•

Travel expenses occur when the inspection team has to travel to different locations in order to perform investigations.

•

Test purchases are needed to locate counterfeits and illegal distribution channels in the market.

•

Reaction costs are caused by counterfeits found in the supply chain. In order to prevent counterfeits from entering the supply chain in the future, law cases must be opened and possible entries for counterfeits must be closed.

Other categories •

The up-front investment costs contain setup costs for hardware, software and service expenditures. These costs must be depreciated over the complete investment’s live time.

•

In order to calculate the present value of the investment, the discount rate for future cash flows needs to be anticipated. Thereby, the discount rate represents the company’s costs of capital. For small and growing companies, this rate is most likely to be higher than for large and mature company’s.

A more detailed description can be found in the BRIDGE D5.3 Business Case deliverable.


Quantifying the financial benefits of an anti-counterfeiting solution is very difficult due to the fact that the outcomes of such a solution are characterized by a complex chain of effects (see Figure 18). Investing money into an ACF system will increase the level of security (1) towards the threat of counterfeiting (2). By increasing this level the counterfeiters will be faced with the threat of detection. Furthermore, their profit will decrease (3) forcing some of them to withdraw from the market. As a result, the number of counterfeit injections will be reduced (5), while the detection rate will increase (4). This leads, to a lowered number of successful injections which will then result in possible financial benefits subsisting of lesser losses of sales, an increased goodwill and brand value and an increased customer safety. Putting a price to these factors beforehand is very difficult. Therefore, estimating the benefit of different ACF solutions can optimally be done by comparing their level of security, because a higher level of security will lead to more financial benefits. A guide on how to estimate the level of security for a certain solution can be found in the BRIDGE D5.3. Cost

Technology ($)

Benefit

1

Level of security (S)

2

4

Non realized threats (B)

6

Financial benefits ($)

3 5

Adversary (A)

Figure 18: Cost benefit model of investment in security

Besides the business application of anti-counterfeiting, RFID enables a variety of additional business applications. Figure 19 illustrates the work package structure of the BRIDGE project and the business applications researched within BRIDGE (framed). Anticounterfeiting is only one of numerous business applications of an extended RFID and trackand-trace network. Hence, while the costs arise only once, the benefits are abundant.


Horizontal Activities

WP13: Dissemination & Adoption Tools WP12: Training Platform, Courseware & Certification

Business Development Clusters

WP4: Security WP3: Serial-Level Supply Chain Control WP2: Serial-Level Lookup Service

Technical Development Clusters

WP1: Hardware Development

Figure 19: Exemplary RFID enabled Business Applications

These application guidelines are written for the purpose of anti-counterfeiting, however, most of the non-anti-counterfeiting aspects hold true also for other business applications.

4.3 Planning phase 4.3.1 Purpose of the Planning Phase The planning phase is the second phase in the project life cycle. The goal of the planning phase is to create a plan for the execution phase and to analyze the company’s requirements towards the RFID-system. The main activities in this phase are the anticipation and documentation of upcoming changes, the stakeholder analysis, the selection of hardware and software and the development of an RFID system design by conduction a site survey.

4.3.2 Organizational and Process Changes In order to adopt RFID and an anti-counterfeiting solution, it is crucial to know the existing environment including organizational and technical infrastructure [3]. This knowledge saves time and prevents interruptions in the implementation phase. On the one hand this includes a site survey which is discussed in subsection 4.3.3 and on the other hand this includes the anticipation of organizational and process changes in order to enable a successful change management. An RFID-project comes along with a lot of side-effects which need to be investigated beforehand. If these changes are desirable, people have to be trained and informed accordingly in order to enable them to cope with the changed environment. If these changes are not desirable, countermeasures have to be implemented. Thereby, it is essential to understand that RFID is not only an IT issue, but an issue which has a strong impact on all divisions and therefore on the existing organizational structure and processes. Thus, it is important that managers understand the current environment before planning the required changes. An RFID-adoption which is not planned thoroughly can have a negative


impact on the business [8]. Therefore, the organizational structure and the processes as well as the changes and their impact on employees and the organizational structure have to be described carefully.

4.3.3 Site Survey The goal of the site survey is to develop an RFID-system design [17]. This includes the assessment of possible hardware and software, a plan how to integrate the system into the current infrastructure, and a plan where to set up the different readers and servers. In order to create this system design, an on-site investigation is indispensable. Thereby, the physical infrastructure and the radio frequency environment are the most important aspects. In order to successfully execute such a site survey a standardized procedure can be helpful (see Figure 20).

Plan Blueprints  Visualize the site infrastructure by creating a blueprint

Inspect the Site

 Inspect the site and make observations for the physical and electrical analysis

Determine Reader Location

 Perform analysis and determine the reader location

Document Results

 Document the results within the blueprints

Figure 20: Site Survey Process [17]

Before conducting a site survey, it is advisable to create a blueprint of the site. A blueprint is a plan which visualizes the architecture and the engineering design. On the basis of this blueprint, the site can be inspected in order to identify possible issues, such as metals or machines interfering with the radio waves. As a next step, physical and electrical analyses need to be performed in order to find appropriate locations for the readers and antennas. The importance of these locations should not be underestimated, because only a good system design can prevent counterfeiters from injecting counterfeits into the supply chain. In order to avoid these injections, a high granularity and a good read rate are needed. Granularity, hereby, means that there are not only readers at the entrance and exit of the site, but also between different production steps. As a result, products can be checked more often and in earlier stages of the supply chain. On the one hand this lead to a faster detection of counterfeits, and on the other hand injections can be retraced easier and more exact. In


addition to the granularity, a good read accuracy is needed to increase the quality of the data. The read accuracy can be assured by conducting an electrical analysis. The aim of this analysis is to find a reader location where no ambient electromagnetic noise is interfering with the reader and antennas [18]. The better the read accuracy, the less is the effort to manually scan items which were not recognized by the reader. Furthermore, a good read accuracy will result in a complete product trace, which will increase the efficiency of the different prototypes and decrease the false alarms due to incorrect data. Concluding the analyses, the identified locations are marked in the blueprint, and the results are documented for later use.

4.3.4 Selection of Hardware and Software Selecting proper hardware and software is an important task in the RFID adoption process. Before buying the equipment, basic knowledge about the different systems and vendors has to be obtained. A good way of doing so is to study available articles and papers including lists of major RFID-vendors. 5 Especially important is the use of standards, due to the fact that interoperability needs to be ensured along the whole supply chain. Without data interchange with other organizations, it will not be possible to gather a complete trace for the solution. Since this deliverable is created within the BRIDGE project, EPCglobal standards are used to ensure the required interoperability. Though, the use of standards should be discussed with all supply chain partners beforehand. Table 8 shows the required hardware and software for an RFID-implementation. Table 8: Required hardware and software Hardware

Software

Tags RFID-Reader RFID-Printer Servers and workstations Network: Servers Routers Cables

EPCglobal middleware EPCIS EPCDS Anti-counterfeiting software

4.3.5 Stakeholder Analysis Stakeholders are of special importance within an RFID-project, because they can have a critical influence on the success of the project. Therefore, all stakeholders have to be listed and described carefully in their expectations, conflict potential, function, information needs, and bargaining power/influence [15]. Stakeholders can be individuals or organizations who are either involved in the project or whose interest is positively or negatively inter-connected with the project’s execution [2].

5

A comprehensive and actual list of vendors can be found on www.rfidjournal.com


Table 9: Exemplary Table of Stakeholders Stakeholder Employee 1 Project Team End Users

Expectation To be kept informed about the project

Function CIO

Information need High

Conflict potential Low

Influence High

High

Low

High

To be kept informed about project activities that will affect them

Users

High

Medium

Low

Supplier A

Increase ROI

High

Low

Low

Supplier B

Reduction of Impact for Supplier B Publish which kind of customer data is gathered

Minor Supplier Main Supplier Consumer Protection Organization Customer

High

High

High

Low

High

Low

Medium

Low

Low

NGO 1

Consumer

Not to be affected negatively by the project. Reduction of counterfeits in the market

Table 9 shows an exemplary list of stakeholders with all the information mentioned above. According to the PMBOK, following stakeholder groups should be investigated in order to identify all possible stakeholders:

Figure 21: Stakeholder groups [2]

As Figure 21 illustrates, stakeholders can be divided into key and additional stakeholders. While the four key stakeholders exist in every project, additional stakeholders may vary from project to project. Therefore, the stakeholder analysis must be performed very carefully. In


contrast to the PMBOK’s classification, suppliers and other supply chain partners must be seen as key stakeholders in this special anti-counterfeiting project. In order to run the prototypes with maximum efficiency, the entire trace data must be available. This can only be achieved if the supply chain partners are willing to share this data. Thus, good relationships and good stakeholder management for these stakeholders are indispensable. Due to very different objectives of each stakeholder, managing the expectations is the most challenging part. In case of conflicts among stakeholders, a solution which is in favor of the customer should be chosen. A matrix can help to visualize and identify potential supporters and opponents. Figure 22 shows such an exemplary matrix with six different stakeholders (A to F).

Figure 22: Exemplary Stakeholder Matrix

While the two axes show the trading volume and the willingness to share data, the bubble size indicates the need of information. The bigger the bubble, the more information is required by the stakeholders. Different colors are used to distinguish between key and additional stakeholders. While the stakeholders in the lower left corner are mostly negligible, the stakeholders in the upper right corner are the most critical ones. Very close observation and reaction measures need to be conducted for them.

4.4 Implementation phase 4.4.1 Purpose of the Implementation Phase The Implementation phase is the third step in the project life cycle. The activities of this phase are the deployment of the system, and the implementation of the organizational changes planned in the phases before. In order to avoid confusion of the daily business it is recommended to run a Pilot system before conducting the full-scale implementation. The goal of the implementation phase is to create a properly tested and working system for which training material and documentations are available.


4.4.2 Pilot Study In many cases it is recommended to conduct a pilot study. The goal of this study is to get experience with the system in a real production environment and to verify the findings of the initiation and planning phase [4]. The first thing to do when conducting such a study is to choose a site where to implement the pilot. A smaller location should be chosen where the implementation or even a failure of the project would not lead to a major disturbance of the daily business. Depending on the size of the implementation project, a pilot study is carried out in about 2-6 months. The most important activities in the pilot phase are to attain the desired read accuracy and to verify the correct reader locations in combination with the corresponding business processes. Furthermore, it is important to check the system’s ability to work properly under full load operation. By testing different reader-configurations, the read rate and the scanning and tagging speed can be increased. While running the tests, the hardware infrastructure and especially the network should be carefully monitored in order to identify possible bottlenecks. In the course of time, the employees will become more familiar with the system, which will lead to a significant increase in efficiency. When the system is running suitably, the detection rate of the chosen anti-counterfeiting solution can be measured by injecting suspicious products into the supply chain. Afterwards, the planning documents can be adjusted according to the findings of the pilot study, concluded by a company-wide full scale implementation.

4.4.3 Administrative and Organizational Requirements and Changes While implementing the RFID-based anti-counterfeiting solution, different administrative and organizational changes will occur within the company. It is important to carefully monitor these alterations in the implementation phase in order to prevent undesired side-effects, such as a change in the power structure. Most of these changes should already be documented in the planning phase. However, some of them can still be unforeseen and therefore a pro-active change management is indispensable. The biggest change in the organizational structure is the establishment of an anticounterfeiting taskforce. This taskforce is a cross-functional team which continuously deals with anti-counterfeiting. Its tasks are to maintain and utilize the ACF solution and to initiate adequate measures against seized counterfeits. The team, therefore, needs to be integrated into the organizational structure. Its existence and its competences must be communicated clearly to the employees at the different sites and departments in order to avoid confusions. While the RFID implementation is in progress, the team members have to create a procedure strategy towards seized goods. Furthermore, communication channels to internal and external parties must be established. In order to get an overall picture of the counterfeiting situation within the company, it is important to talk to the different departments. Hereby, the cooperation with the legal department is of special importance, since this department will


take legal actions based on the investigation of the anti-counterfeiting team. A close cooperation with external parties, such as the government, customs and supply chain partners can also be very helpful. The goal in the implementation phase for the anti-counterfeiting team is to gain the required knowledge. The aim can be achieved by conducting training sessions on the one hand and by getting familiar with the systems and applications, and by discussing counterfeit issues with the different departments on the other hand. The skill set of the team should, therefore, comprise technical expertise as well as business knowledge.

4.4.4 Technical Requirements and Changes An RFID-project will have major implications on the technical infrastructure including the installation of RFID-readers, the setup of new servers and workstations, and the adaption of the network infrastructure. Usually, an upgrade of the network is coercively necessary due to a higher data volume. For instance, when Metro introduced its RFID system, they concluded that 25 gigabytes of data will be generated every minute by their RFID-readers, assuming 10 kilobyte per scanning event and 40000 events per second [16]. This huge amount of data needs to be transferred via the network to different servers and applications. Therefore, the network should be adapted and carefully monitored, in order to prevent a slowdown of other data transfers. Each plant or warehouse location needs to be equipped with RFID-reader and printer devices. This is necessary for exchanging broken tags and for tagging products from manufacturers and retailers delivering their goods without RFID-tags. Furthermore, each site hast to be either equipped or connected with an EPCIS to store the captured observation events. The chosen system then accesses the EPCISs via a central Discovery Service which also runs on a distinct server. In order to integrate the infrastructure into the current IT-environment, several interfaces need to be implemented.

4.5 Closing phase The closing phase is the last step in the project life cycle. The goal of this phase is to formally close the project [2]. The tasks in this phase are to complete the system documentation, transfer open tasks to other staff, and break up the project team. Furthermore, the lessons learned should be reviewed and analyzed carefully in order to learn for future projects. As a last step, the computer systems, the prototype, and the documentations will be handed over to the maintenance team, which will be responsible for further activities.

4.6 Operation and Maintenance The operation and maintenance phase is not part of the adoption project because it is an ongoing activity which does not have a defined end. In this phase, the anti-counterfeiting


team has the responsibility for the prototype and the reaction measures towards seized counterfeits. Mistakenly stopped genuine products (false positives) and counterfeit products that are not detected in a check (false negatives) raise the need to handle liability issues during the operation and maintenance phase. Regarding liability, it is crucial that the end users understand the difference between hard-to-copy prevention-based features (cf. subsection 2.2) and detection-based security measures (cf. subsection 2.3). Unlike a hard-tocopy feature, a check based on a detection-based measure needs to deal with uncertainty (in visibility) and it can thus generate both false positives and negatives. Therefore the detection-based systems should be regarded as an additional level of protection that is able to detect many of the materialized threats, very much like a surveillance camera. In particular, this difference is already explicit in the pharmaceutical industry jargon where checking is defined as “authentication” for prevention-based security measures and “verification” for detection-based security measures. This brings fort a possible issue regarding borderline cases, that is, weak alarms that are possible in some detection-based measures. These cases indicate a weak reason (i.e. a small probability) to be suspicious about the origins of a product but the evidence is not strong enough to raise a full alarm. Thus the affected companies are reluctant to manually control all the borderline cases since it would mean a considerable increase in the number of manual interventions needed. However, if such a weak alarm is triggered by a counterfeit product but no further actions are taken by the responsible company, a customer who buys the counterfeit product could potentially sue the company for not taking the necessary actions to protect him or her from counterfeits. This illustrates the rigid reliability requirements of detection-based security measures in real-world applications and a possible liability problem: if the risk of liability claims due to not reacting in borderline cases is too high for the affected company, it might be better for the affected company not to deploy the detectionbased security measure at all. In other words, it can be cheaper not to analyze the track and trace data for counterfeit products at all, than to do it and face the risk of increased liability due to borderline cases, or to do it and react in all borderline cases, which means stopping and manually verifying numerous shipments of genuine products every day. In order to quantify the success and the extent of the problem, the team needs to create statistics about all cases and the development over time. The operation phase will be characterized by the so called “war of escalation”. With the new system, counterfeiters will have difficulties to inject their goods into the supply chain. But as time evolves, smart counterfeiters might find ways to circumvent the system. Therefore, a technical solution should not be seen as a silver bullet against counterfeiting. The process of anti-counterfeiting will be an ongoing activity where the steps of counterfeiters need to be anticipated. In order to efficiently retaliate against the counterfeiters, anti-counterfeiters will have to anticipate the next moves (e.g., create new rules in case of the rule-based anti-counterfeiting prototype).


One very important activity, hereby, is the protection of the server infrastructure. If adversaries can manipulated the data within the EPCIS servers all the advantages of the different prototypes will turn into disadvantages, because unsuspicious goods will be handled with much less care than goods which can possibly be a counterfeit. Besides the protection of the licit supply chain, also illicit channels can be monitored by making test purchases at online market places or flea markets. Over the course of time, anticounterfeiting technology will evolve and become more sophisticated. Therefore, the anticounterfeiting team will have to watch the technological trends and adopt them if necessary.


5 Example Application 5.1 Introduction In this chapter, the SAP RFID rule-based anti-counterfeiting prototype will be implemented to a virtual company using the project life cycle model from Section 4. Since WP5 does not have a real-world industry partner to implement the anti-counterfeiting prototype, we decided to implement the prototype for the virtual SAP company “Akron”. Although Akron does not exist in reality, it has its model (including supply chain, suppliers, number of plants, products, employees, etc.) adapted from a real-world company.

5.2 Akron Company Profile Akron is a so-called model company which was originally set-up by SAP for the development and testing of Business By Design. Akron is only a virtual company. However, its model was adapted from an anonymized real-world company. The company’s profile was slightly adapted though, in order to fit to the requirements of this report. Since its foundation in 1965, Akron (headquartered in Berlin) is operating in the automotive industry producing spare parts. With its 900 employees (600 in production), the company runs 3 plants in Berlin (Germany), Toronto (Canada) and Paris (France), generating an annual revenue of 350 Million Euros. The company runs two distribution centers (DC) in Frankfurt (Germany) and Shanghai (China), and five subsidiaries in Budapest (Hungary), London (England), Osaka (Japan), and Peking (China). Figure 23 illustrates the supply chain network of Akron:

Supplier

Manufacturer Akron

Customer EMEA

Toronto

DC Frankfurt

Miller & Son

Berlin

Mobita

APJ DC Frankfurt

Others

Paris

DC Shanghai

ABC Contract Manufacturer China

Figure 23: Akron's Supply Chain Network

Mobita and Miller & Son are Akron’s main suppliers. While Mobita and various smaller suppliers deliver to the distribution center in Frankfurt, Miller & Son delivers to the plant in


Toronto. The parts produced in Toronto and Paris, and parts from third party vendors (delivered from Frankfurt) are assembled in Berlin. From Berlin the finished goods are sent to the DC in Frankfurt for the European market, and to the DC in Shanghai for the region Asia Pacific and Japan (APJ). Furthermore, the company has a contract manufacturer in China in order to balance demand fluctuations and bottleneck situations. Approximately 17% (154) of the employees refer to Sales, Service & Marketing. The other employees are linked to general administration including IT and HR, procurement and R&D. With a limited annual IT budget of approximately € 7 million, the company demands for effective IT-services focusing on key pain-points and addressing them in time-, resource- and cost-effective way. In recent years Akron observed a growing percentage of counterfeits within the market. Studies and appraisals calculated this percentage to be about 10% of all parts. This number is located at the upper end of the range of 5-10 percent which is common for the automotive industry [12]. Thus, Akron is concerned about the loss of its sales and the deterioration of its image. Furthermore, Akron fears the increased number of car accidents caused by low quality counterfeit parts bearing their trademark. Therefore, Catherine Kennedy-Wood (CEO) decided to take countermeasures against counterfeits. Akron already conducted some laboratory trials with RFID and assessed the findings as beneficial for the company. Therefore, Akron decided to go for an RFID solution. When analyzing the market for anti-counterfeiting solutions, Akron discovered the BRIDGE rulebased anti-counterfeiting prototype which fits perfectly to the needs of the company.

5.3 Application 5.3.1 Initiation phase Due to recently conducted studies and analyses, Akron is well informed about its counterfeiting situation. So far, Akron didn’t take any measures against counterfeiting. Compared to other competitors, the percentage of counterfeits is very high. Hence the company

suffers

competitive

disadvantages.

Therefore,

Akron

wants

to

combat

counterfeiting activities and secure its licit supply chain. Ideally, Akron can achieve a number less than 5% of counterfeit products, which in consequence will lead to a competitive advantage for the company, higher sales, and a better reputation and image. Therefore, the three plants and two warehouses are to be equipped with RFID hardware. 6 In order to create a scope document including a feasibility study and a cost-benefit analysis, Joerg Hamburger, the IT Services Director, was entrusted to setup a project team. Figure 24 illustrates the core project team according to Joerg Hamburger’s proposal and based on Section 4.2.3 and adapted for the rule-based track and trace prototype.

6

A detailed plan of the needed hardware can be found in the hardware cost calculation in Appendix A.


Figure 24: Akron's project team

In this special project the process manager Bernhard Benedict is of special importance. As illustrated in Figure 25, he is the link between the counterfeit experts within the different departments and the rule designer. He is, therefore, the business expert for counterfeiting, while the rule designer is the technical expert. The rule designer is capable of creating rules for the prototype based on requirements given to him by the process manager. The process manager is, thereby, the central expert for counterfeiting combining the experience of the experts from different departments, such as: •

Marketing expert’s view: In which distribution channels do counterfeit goods appear?

•

Production expert’s view: How to distinguish between the genuine product and counterfeit?

•

Logistic expert’s view: How are counterfeits injected into the supply chain?


Figure 25: Process manger and rule designer

As a first step, the project team conducted a detailed feasibility study which proved that the project can be beneficial. However, the study also pointed out some risks which have to be carefully monitored. Gathering the trace information for the prototype will be hard, because suppliers are difficult to convince to share data. Therefore, the stakeholder analysis and communication will be of special importance. Furthermore, the budget frame is very tight; hence a good financial planning is necessary. For more details please refer to BRIDGE D5.3 Business Case Report [11].

5.3.2 Planning phase In order to create an RFID-system design, the RFID-manager Connie Cook and the RFIDengineer Michael Davis conducted a site survey which was executed in cooperation with the Akron warehouse and plant administration. Three plants and two distribution centers were investigated. As a first step a factory layout was created. Based on this blueprint the physical and electrical analyses were conducted in order to find the locations for the readers. Figure 26 shows the blueprint for the factory in Toronto, where 8 reader and 3 printer locations were marked. With the blueprint at hand, the project team can now estimate the exact hardware requirements. In addition, the blueprint can be used as a plan for the implementation phase. The process manger can now analyze and document the needed changes in production processes and the rule designer can use the factory layout to create first anti-counterfeiting rules. Thereby, possible design flaws can be found and corrected before the actual implementation.


Figure 26: Factory layout

Based on the factory layout and laboratory trials Akron decided to introduce ultra high frequency passive tags. Furthermore, several price proposals were obtained in order to decide for reader and printer vendors. Thereby, the read accuracy and the price were the most important factors for the decision. The stakeholder map and the resulting communication plan are of special importance for Akron. The feasibility study revealed that some suppliers and partners are not very keen on exchanging supply chain related data. But for anti-counterfeiting and especially for the track and trace prototype, this data is inevitable to work reliable. Therefore, Akron entrusted Arthur Major to handle all external communications. Arthur created a stakeholder map which can be found in Appendix B. In order to visualize the relationships to the different suppliers and to figure out possible conflicts, he also created a matrix (see Figure 27). The matrix will help to identify critical suppliers and the resulting need for action.


Figure 27: Supplier matrix

The X-Axis symbolizes the willingness of supply chain partners to share EPC event data with Akron. The higher this value is, the better it is for Akron. The Y-Axis symbolizes the trading volume of the supply chain partner. The higher the trading volume is, the more influence has the supply chain partner and the more important it is for Akron to gather the EPCIS data. Generally, the suppliers can be divided in those who are willing to share data (supporters) and in those who are not willing to share data (opponents). The opponents need to be handled with special care. Therefore, negotiation meetings were conducted with Mobita and the Fisher Steel Group. In the end, Akron was able to convince the two opponents to cooperate by highlighting the benefits of the new solution for both sides in the combat against counterfeiting.

5.3.3 Implementation phase In order to avoid major confusions when implementing the system, Akron planned a pilot study at the site in Toronto for a period of three month. As a first step the servers were set up including the middleware server, a local EPCIS, the central EPC Discovery Service, and a server the prototype is running on. As a next step, the RFID-hardware was deployed according to the plan created in the site survey. Several interfaces were implemented in order to connect the hardware and the middleware with the ERP system. The pilot study validated the correctness of the factory layout and investigated the infrastructure. It also showed that there is no need of upgrading the network. With about 1.000.000 million products produced yearly and 50 RFID-reader, only 58 Mb of data will be generated every hour (1.000.000*50/365/24*10 kb/1000), assuming 10 kilobytes per event. While implementing the prototype, Akron started to set up the anti-counterfeiting team which takes reaction measures against counterfeits. In order to guarantee a good knowledge transfer, the rule designer from the project team was also transferred to it. Furthermore, two other persons were recruited. Within the three month of the pilot study the team started to


work with the system and established communication channels to customs, supply chain partners, and to the different departments within the company.

5.3.4 Closing phase The closing phase went very smoothly. By handing over the prototype and the documentation to the maintenance team, the project was closed. The team members were transferred to other projects and the anti-counterfeiting team took over the remaining tasks and started to take first measures against counterfeiters.

5.3.5 Operation and Maintenance By involving the anti-counterfeiting team in the pilot study, the team was able to work productively from the first day on. The first months showed that the rate of counterfeits was even higher than expected. By offering an authentication service to customers and customs organization, the team found out that most of the counterfeit parts bearing the Akron brand came into the market through illicit channels, for instance, through third party garages using these parts as spare parts. In only a few month Akron was able to see first results by slowly reducing the measured counterfeits. Legal step were already initiated against a supplier delivering considerable amounts of counterfeits.


References [1]

Deal, J. V. (2004): “The Role of the consultant Engineer in the Application of RFID and RF Item Tracking Technologies”, Alta Consulting, Palo Alto.

[2]

Duncan, William R. (2008): “A Guide to the Project Management Body of knowledge”, PMI, Newtown Square.

[3]

Frey, T.: “Organizational and IT-Changes necessitated by the integration of EPC/RFID-data into existing processes and It-Infrastructure”, Darmstadt, TU.

[4]

Gilmore, D. (2005): “Anatomy of an RFID pilot”, Supply Chain Digest, Springboro.

[5]

Great Britain Office of Government Commerce (2005): “Managing Successful Projects with PRINCE2”, The Stationery Office, Norwich, St Crispins.

[6]

Gross, S., Lo, J. S. (2003): “Change Readiness Guide: Project Management Edition”, Auto-ID Center, St.Gallen.

[7]

International Project Management Association Baseline”, IPMA, Njikerk.

[8]

Irrgang, Reinhard (2005): “Wege zum Einsatzreifen RFID-Konzept”, FM Das Logistikmagazin, Edition 10/2005.

[9]

Kramer, S., Hackmann, E. (2007): “Machbarkeitsstudien – fundiert Entscheidungen treffen”, Tipps & Trends, PriceWaterhouseCoopers.

[10]

Lahiri, S. (2009): “Chapter 9 - Designing and Implementing an RFID Solution”, RFID Sourcebook, IBM Press, Indianapolis.

[11]

Lehtonen, M., Al-Kassab, J. (2007): “EU-Bridge deliverable D5.3: Anti-counterfeiting Business Case Report”, ETH Zürich, Zürich.

[12]

Lehtonen, M., Al-Kassab, J. (2006): “EU-Bridge deliverable D5.1: Problem-Analysis Report on Counterfeiting and Illicit Trade”, ETH Zürich, Zürich.

[13]

Lehtonen, M., Staake, T., Kločič, Z. (2008): “SToP deliverable D1.4: Analysis of the weakest points within licit supply chains and the properties of products most susceptible to tampering and counterfeiting”, ETH Zürich, Zürich.

[14]

Leung, Y., Cheng, F., Lee, Y., Hennessy, J. (2006): “A Business Value Modeling Tool Set for Exploring the Value of RFID in a Supply Chain”, IBM Research Report.

[15]

Pigni, F., Astuti, S., Noè, C., Buonanno, G., Bandera, S., Ferrari, P., Mazzola, G., Da Bove, M. (2006): “A guideline to RFID application in supply chains”, Camera di Comercio di Varese, May 2006, Varese.

[16]

Plattner, H. (2008): “Trends and Concepts in the software industry”, Hasso-PlattnerInstitut, Potsdam.

[17]

Snaghery, P., et al. (2007): “Deploying and Securing RFID”, Syngress, St. Louis.

[18]

Sweeney II, P. J., Zeisel, E. (2007): “CompTIA RFID+ Study Guide (Exam RF0-101)”, Sybex, Köln.

(2006):

“IPMA Competences


[19]

Olsen, J., Granzin, K. (1992): “Gaining retailers’ assistance in fighting counterfeiting: Conceptualization and empirical test for a helping model”, Journal of Retailing, 68(1):90–109.

[20]

Olsen, J., Granzin, K. (1993): “Using channels constructs to explain dealers’ willingness to help manufacturers combat counterfeiting”, Journal of Business Research, 27(2):147–170.

[21]

von Reischach, F., Michahelles, F., Fleisch, E. (2007): “Anti-Counterfeiting 2.0 - A Consumer-Driven Approach towards Product Authentication”, Late Breaking Results at the 9th International Conference on Ubiquitous Computing (UbiComp 2007), Austria.

[22]

Wiechert, T., Thiesse, F., Michahelles, F., Schmitt, P., and Fleisch, E. (2007): “Connecting mobile phones to the internet of things: A discussion of compatibility issues between epc and nfc”, In Americas Conference on Information Systems, AMCIS.

[23]

Sandhu, R. (2003): “Good-enough security: Toward a pragmatic business-driven discipline”, IEEE Internet Computing, 7(1):66–68.

[24]

Koh, R., Schuster, E., Chackrabarti, I., and Bellman, A. (2003): “Securing the pharmaceutical supply chain”, Auto-ID Labs White Paper, Massachusetts Institute of Technology.

[25]

Juels, A. (2005): “Strengthening EPC Tags Against Cloning”, In M. Jakobsson and R. Poovendran, eds., ACM Workshop on Wireless Security (WiSe), 67–76.

[26]

Koscher, K., Juels, A., Kohno, T., Brajkovic, V. (2008): “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond”, Manuscript, RSA Laboratories.

[27]

Feldhofer, M., Aigner, M., Dominikus, S. (2005): “An Application of RFID Tags using Secure Symmetric Authentication”, In: 1st International Workshop on Privacy and Trust in Pervasive and Ubiquitous Computing, pp. 43-49.

[28]

Plos, T., Hutter, M., Feldhofer, M. (2008): “Evaluation of Side-Channel Preprocessing Techniques on Cryptographic-Enabled HF and UHF RFID-Tag Prototypes”, In: Workshop on RFID Security 2008, Budapest.

[29]

Juels, A. (2004): “Minimalist cryptography for low-cost RFID tag”, In: Blundo, C., Cimato, S. (eds.) International Conference on Security in Communication Networks SCN 2004. LNCS, Vol. 3352, 149–164, Springer, Heidelberg.

[30]

Avoine, G., Oechslin, P. (2005): “A scalable and provably secure hash based RFID protocol”, In: IEEE International Workshop on Pervasive Computing and Communication Security, 110–114.

[31]

Hein, D., Wolkerstorfer, J., Felber, N. (2008): “ECC is Ready for RFID – A Proof in Silicon”, In Workshop on RFID Security (RFIDSec’08), Hungary, Budapest.


[32]

Devadas, S., Suh, E., Paral, S., Sowell, R., Ziola, T., Khandelwal, V. (2008): “Design and Implementation of PUF-Based ”Unclonable” RFID ICs for Anti-Counterfeiting and Security Applications”, In: IEEE International Conference on RFID 2008, 58–64.

[33]

Ranasinghe, D., Engels, D., and Cole, P. (2004): “Security and Privacy: Modest Proposals for Low-Cost RFID Systems”, In Auto-ID Labs Research Workshop, Zurich, Switzerland.

[34]

Cook, C., Vogt, H., Muller, J., Dada, A, Pfletschinger, M., Ortel, N., Molan, M., Naraks, A., Gourmanel, F. (2008): “Report on Integration of Smart/Intelligent Tags in Products”, Deliverable D4.3 of the SToP project.

[35]

Nochta, Z., Staake, T., and Fleisch, E. (2006): “Product Specific Security Features Based on RFID Technology”, In Saint-Workshop, International Symposium on Applications and the Internet Workshops (SAINTW'06), 72-75

[36]

Schneier, B. (2003): “Beyond Fear. Thinking Sensibly about Security in an Uncertain World“, Copernicus Books, Springer-Verlag New York Inc.

[37]

Staake, T. (2007): “Counterfeit Trade - Economics and Countermeasures”, PhD thesis, University of St. Gallen. Dissertation no. 3362.


Appendix A: Hardware calculations Table 10: Calculation of hardware expenses Cost of 1 reader Alien 9800 EPC Gen 2 RFID Reader Alien 915 MHz Linear Antenna Omron 10m Antenna Cable Mounting Brackets SUM (EUR)

7

1 4 4 1

Cost 1,247 € 117 € 90 € 16 € 2,093 €

Cost of 1 work station HP xw9400 Workstation

1

2,202 €

Cost of 1 RFID printer Zebra R110xi RFID Printer

1

3,253 €

Cost of 1 server HP ProLiant DL380 G5

1

2,424 €

1 1

300 € 50 € 350 €

50 45 10 3 10

104,650 € 99,090 € 32,532 € 7,273 € 3,500 € 247,046 €

Cost of 1 networking infrastructure Routers Cables Sum (EUR) Hardware Expenses Cost of reader equipment Cost of work station Cost of RFID printer Cost of server Cost networking infrastructure SUM(EUR)

7

Factor

Price sources: http://www.rfidsupplychain.com/; http://www.hp.com/; http://www.nextag.com/rfid-printer/


Appendix B: Akron’s Stakeholder map Table 11: Akron's stakeholder map Stakeholder Catherine Kennedy-Wood Joerg Hamburger Al Gillmore

Jonathan Frazier Project Team AntiCounterfeiting team Other Employees

Miller & Son Mobita Motor Construction Inc.

Other suppliers Customers

Expectation

Function

Reduction of counterfeits CEO bearing our trademark, Sponsor Successful Project. Support Project leader from the CEO Reduction of production SVP costs by increasing Manufacturing efficiency with RFID No cost overrun SVP Finance and HR Training sessions and introductions to the prototype To be kept informed about the project. Promise that no jobs will be reduced due to RFID-technology. Technical support when introducing RFID Not willing to introduce RFID Already introduced RFID. Reduced afford through replacement of Barcode systems To less market power to influence the project Reduction of counterfeits. Less afford to control products

Information need

Conflict potential

Influence

High

Low

High

High

Low

High

High

Low

Medium

Medium

Medium

Medium

High

Low

High

High

Low

Low

Medium

Medium

Low

High

Medium

High

High

High

High

High

Low

medium

Medium

Low

Low

Low

Low

Low

Users

Employees

Main Supplier Main Supplier Supplier

Minor Suppliers Customers

BRIDGE WP05 Application Guidelines and Implementation Roadmap

BRIDGE WP05 Application Guidelines and Implementation Roadmap

Suggest Documents

Roadmap towards the implementation and

Bridge Design Guidelines - Examples

PLM implementation guidelines â relevance and application in ...

Guidelines for Bridge Design.p65 - area

Roadmap: Computer Technology – Application Development ...

Application Modernization Roadmap - Software AG

application guidelines, selection criteria and application form

PLM implementation guidelines - CiteSeerX

Preschool Program Implementation Guidelines

Implementation Guidelines - MDG Fund

Implementation Guidelines - MDG Fund

Emerald Star Guidelines and Application

Shared Decision-Making Implementation Roadmap - Minnesota ...

Common Implementation Roadmap for Renewable ... - RHC-Platform

implementation roadmap for downscaling drought ...

An Evidence Roadmap for Implementation of

ROADMAP FOR THE IMPLEMENTATION OF THE COMPREHENSIVE ...

IMPLEMENTATION AND APPLICATION OF PRINCIPAL ...

development and implementation of application

Implementation of Roadmap Strategy - European Commission

Bulgaria-nZEB Implementation Roadmap in EN

Common Implementation Roadmap for Renewable ... - RHC-Platform

Airway-Clearance Therapy Guidelines and Implementation

Guidelines for the Formulation, Implementation, Monitoring and ...

BRIDGE WP05 Application Guidelines and Implementation Roadmap