"A risk assessment of the Piql Services" by FFI

The AutoStore® system has two direct external connections into the system: One is the electric power supply. The AutoStore® is fully automated, which means it is fully dependent on the supply of electricity to operate. In case of a power outage or loss of utilities, the AutoStore® system is equipped with one generator which supplies additional electricity for 24 hours. 2 This is to make sure the system has enough electricity to shut down properly and avoid related complications. The other external connection is the interface network between the internal closed network of the AutoStore® and the external network of the Piql partner. Through this interface network the AutoStore® receives data input from the Warehouse Management System (WMS) through the AutoStore® Controller, which in turn sends radio signals giving the robots instructions on the handling of the piqlBins holding the piqlFilms. First, it must be made clear that we will only look at the production process which entails the printing of data on the piqlFilms, and not the production process of raw materials for the components themselves, i.e. the empty piqlFilm and piqlBox, prior to the printing process. Each supplier of the Piql components will perform individual ―Failure mode and effects analyses‖ (FMEAs), outlining where in their production chain a failure may occur and the effects thereof. Similarly, problems which may occur while a Piql partner is writing the finished piqlFilms for a user, such as faulty equipment or human errors, which may have a negative effect on the piqlFilms, fall outside the scope of our assessment. This is part of Piql AS’ internal assessment of the production process, whereas we will mainly include external risks to the production process. Secondly, in the scenarios relating to storage, our assessment is limited to storage in piqlVaults, i.e. storage facilities owned and operated by Piql partners. Each data owner has the option of storing their piqlFilms in a private storage facility, but these will not be covered by this assessment. Nevertheless, the findings and recommendations in the report may serve as guidelines regarding the security measures put in place in such private storage facilities. Lastly, this report will not include the final step in the service journey: that of data retrieval. We have not placed much emphasis on the online-based processes of the Piql Preservation Services, as the vulnerabilities and challenges present here are common to all digital storage mediums which depend by their very nature on online access. Therefore, we will instead focus our attention on the production process and the offline storage of the medium, as these are unique to the Piql system. However, a risk assessment of the Piql Preservation Services cannot be complete without the inclusion of challenges related to data security. In order to fully evaluate security, one must understand the interaction between the physical and the digital properties of a system. 3 As a service for the preservation of digital data, the Piql Preservation Services is intrinsically linked to the online realm, and threats to data security thus cannot be excluded from the assessment, as we include therein more phases of the service journey that merely storage. One should, however, stress that the actual storage medium – the piqlFilm – is offline, referring to the fact

2 The assumption regarding the longevity of the generator’s power supply was made in collaboration with Piql AS. 3 This was a key conclusion in the FFI report ― ICT and CBR related threats against Oslo Water and Sewage Authority ‖ [freely translated] [10].

20

FFI-RAPPORT 16/00707