Abstract
Cyber security in a supply chain (SC) provides an organization the secure network facilities to meet its overall business objectives. The integration of technologies has improved business processes, increased production speed, and reduced distribution costs. However, the increased interdependencies among various supply chain stakeholders have brought many challenges including lack of third party audit mechanisms and cascading cyber threats. This has led to attacks such as the manipulation of the design specifications, alterations, and manipulation during distribution. The aim of this paper is to investigate and understand supply chain threats. In particular, the paper contributes towards modeling and analyzing CSC attacks and cyber threat reporting among supply chain stakeholders. We consider concepts such as goal, actor, attack, TTP, and threat actor relevant to the supply chain, threat model, and requirements domain, and modeled the attack using the widely known STIX threat model. The proposed model was analyzed using a running example of a smart grid case study and an algorithm to model the attack. A discrete probability method for calculating the conditional probabilities was used to determine the attack propagation and cascading effects, and the results showed that our approach effectively analyzed the threats. We have recommended a list of CSC controls to improve the overall security of the studied organization.
Highlights
A supply chain (SC) is a collection of different organizations that align their business processes, goals, objectives, and some components of their systems to third party organizations, suppliers, consumers and partners [1,2]
We modeled and analyzed the cyber threat from the supply chain perspective, and used running examples to evaluate the model and proposed controls required to demonstrate the applicability of the work
The results show that we have identified probable CSC threats, risks, and attacks, such as penetration and manipulation, that could impact the organizational goal
Summary
A supply chain (SC) is a collection of different organizations that align their business processes, goals, objectives, and some components of their systems to third party organizations, suppliers, consumers and partners [1,2]. Examples include the Saudi Aramco electric-grid cyber attack in 2017, and the Ukraine power grid attack in 2015 [5] These indicate that supply chain attacks are on the rise and require an attack model and threat analysis to gather threat intelligence [6]. Attack trees [7] provide a formal and methodical way of describing the security of systems based on varying attacks They use multilevel children within the attack tree, with a single root node that uses different ways to achieve its goal using leaf nodes and Building Security in Maturity Model (BSIMM) [8]. These works are important and contribute to the cyber threat modeling knowledge domain. There is a limited focus on supply chain perspective, and on threats relating to inbound and outbound chain contexts that need adequate analyses to ensure CSC security
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
