Abstract

Supply chain security is becoming an important factor in security risk analysis for modern information and communication technology (ICT) systems. As Internet of Things (IoT) devices proliferate and get adopted into critical infrastructure, the role of suppliers in risk assessment becomes all the more significant. IoT security risks are affected by supplier trust since suppliers possess the capacity to modify black box systems without detection. The risks posed by potentially malicious or compromised suppliers are compounded by interdependence among suppliers. In this paper, we propose I-SCRAM, a framework to analyze supply chain risks in IoT systems and to support risk mitigating decisions. After defining an expanded system model that consists of interconnected components and a hierarchy of component vendors, we develop and propose metrics to quantify systemic risks. Finally, we present a decision framework that helps in selection of vendors to mitigate supply chain risk. Through a case study and simulation, we show that I-SCRAM successfully minimizes system risk as higher budget and more reliable component sources become available, while allowing flexibility in prioritizing sources of risk.

Highlights

  • Securing the supply chain and mitigating associated risk is critical to nearly every industry and enterprise

  • In this paper we propose a framework for Internet of Things (IoT) supply chain risk analysis and mitigation, referred to as I-SCRAM, that is centered around system components and their suppliers

  • In this paper we have presented I-SCRAM, a model for understanding the role of suppliers in IoT system security risk assessments, and argued for the need to take a component-centered approach to risk assessment when considering supply chain threats


Summary

INTRODUCTION

Kieras et al.: I-SCRAM: A Framework for I-SCRAM Decisions (VOLUME 9, 2021)

Securing the supply chain and mitigating associated risk is critical to nearly every industry and enterprise. This involves a shift from the perspective of traditional security risk analysis, where security events associated with particular component functions are primary. Risk analysis can take supply chain threats into account only by widening the class of components under question and including their suppliers. This broader approach requires supply chain risk analysis to leverage tools from system reliability theory. Existing literature related to supply chain risk management (SCRM) falls broadly under three main categories: (1) supply chain risk, (2) graph-based security modeling, and (3) reliability analysis. Our approach differs by providing a holistic modeling framework that supports systemic risk analysis as well as mitigation decisions. We propose a system model, based on components and suppliers, for a unified analysis of traditional security risks and those arising from a supply chain.
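The following Python script is an added illustration of the component-and-supplier view the summary describes; it is not code from the paper and does not reproduce I-SCRAM's own metrics or optimization. The device, the supplier catalogue (compromise probabilities and per-component costs) and the propagation rule are all assumptions made here: a compromised supplier is taken to compromise every component it provides, and a compromise is taken to propagate along dependency edges, so the risk to a critical component is the probability that at least one of the suppliers behind its dependency tree is compromised. The exhaustive supplier choice at the end plays the role of a vendor-selection decision under a budget.

```python
"""Toy supply-chain risk model for a component/supplier system.

Added illustration: the propagation rule (a compromised supplier affects every
component it provides, and an affected dependency affects its dependents) and
all sample data are assumptions made for this example, not the paper's
I-SCRAM definitions. The dependency graph is assumed to be acyclic.
"""
from itertools import product

# Constructed sample IoT device: component -> components it depends on.
DEPENDS_ON = {
    "gateway": ["radio", "firmware"],
    "firmware": ["crypto_lib"],
    "radio": [],
    "crypto_lib": [],
    "sensor": ["radio"],
}

# Constructed supplier catalogue: supplier -> (P(compromised), cost per component).
SUPPLIERS = {
    "vendor_a": (0.20, 1),
    "vendor_b": (0.05, 3),
    "vendor_c": (0.10, 2),
}


def affected(component, sourcing, compromised, depends_on=DEPENDS_ON):
    """True if `component` is affected: its own supplier is in `compromised`,
    or any component it (transitively) depends on is affected.
    `sourcing` maps each component to the supplier it is bought from."""
    if sourcing[component] in compromised:
        return True
    return any(affected(dep, sourcing, compromised, depends_on)
               for dep in depends_on[component])


def involved_suppliers(component, sourcing, depends_on=DEPENDS_ON):
    """Suppliers whose compromise alone would affect `component`: a simple
    view of how many trust relationships sit underneath one component."""
    result = {sourcing[component]}
    for dep in depends_on[component]:
        result |= involved_suppliers(dep, sourcing, depends_on)
    return result


def systemic_risk(sourcing, critical, suppliers=SUPPLIERS, depends_on=DEPENDS_ON):
    """P(`critical` is affected), computed exactly by enumerating every
    combination of independent supplier compromise events."""
    names = sorted(suppliers)
    total = 0.0
    for outcome in product((False, True), repeat=len(names)):
        prob = 1.0
        compromised = set()
        for name, is_compromised in zip(names, outcome):
            p_comp = suppliers[name][0]
            prob *= p_comp if is_compromised else 1.0 - p_comp
            if is_compromised:
                compromised.add(name)
        if affected(critical, sourcing, compromised, depends_on):
            total += prob
    return total


def sourcing_cost(sourcing, suppliers=SUPPLIERS):
    """Total procurement cost of a sourcing assignment."""
    return sum(suppliers[name][1] for name in sourcing.values())


def best_sourcing(critical, budget, suppliers=SUPPLIERS, depends_on=DEPENDS_ON):
    """Exhaustive supplier choice: the assignment of one supplier per component
    that minimises risk to `critical` without exceeding `budget`.
    Returns (risk, sourcing), or None if no assignment fits the budget."""
    components = sorted(depends_on)
    names = sorted(suppliers)
    best = None
    for choice in product(names, repeat=len(components)):
        sourcing = dict(zip(components, choice))
        if sourcing_cost(sourcing, suppliers) > budget:
            continue
        risk = systemic_risk(sourcing, critical, suppliers, depends_on)
        if best is None or risk < best[0] - 1e-12:
            best = (risk, sourcing)
    return best


if __name__ == "__main__":
    single = {c: "vendor_a" for c in DEPENDS_ON}
    spread = {"gateway": "vendor_b", "radio": "vendor_a", "firmware": "vendor_b",
              "crypto_lib": "vendor_c", "sensor": "vendor_a"}
    for label, sourcing in (("single supplier", single), ("three suppliers", spread)):
        print(f"{label}: risk={systemic_risk(sourcing, 'gateway'):.3f} "
              f"cost={sourcing_cost(sourcing)} "
              f"involved={sorted(involved_suppliers('gateway', sourcing))}")
    for budget in (5, 9, 13):
        print(f"budget {budget}: {best_sourcing('gateway', budget)}")
```

Two things this toy model makes visible that the prose only states: spreading one component's dependency tree across several suppliers compounds rather than dilutes exposure, because every supplier in the tree becomes a single point of failure for the critical component; and sweeping the budget shows risk falling only when the budget is large enough to move the whole tree onto a more reliable source, which is the kind of budget-versus-risk trade-off the vendor-selection step is meant to resolve.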

SYSTEM MODEL
SYSTEMIC RISK GRAPH
SUPPLIER INVOLVEMENT MEASURE
OPTIMIZATION FOR RISK MITIGATION
STRICT SUPPLIER CHOICE PROBLEM
RELAXED SUPPLIER CHOICE PROBLEM
CASE STUDY AND RESULTS
CONCLUSION AND FUTURE WORK