The primary focus of this study was to investigate how cyber risks in the ICT infrastructures of supply chains are managed. As its theoretical base, the study used the Adaptive Security Architecture framework, which is widely employed by IT security specialists. Five experienced IT experts participated in semi-structured interviews to provide practical insights into the state of cybersecurity in supply chain operations across various industries. Their responses were analysed against the four stages of prediction, prevention, detection and response.
The study offers a new framework which suggests that cybersecurity requires anticipatory vigilance, profiling malevolence, instantaneous response and uncompromised recovery to deal with the cyber threats that pose disruptions to supply chains.
Cyber risks in supply chains
3. • Rise in cyber-attacks such as information theft, online fraud and IT sabotage of the ICT infrastructure of organisations, due to increased technological access and integration across firms. Source: PwC (2016)
• The PwC (2016) report also claimed that the most cited source of compromise, at 22%, was "people", such as employees or managers of the organisation.
Protection of information against security breaches is not only a technological matter.
4. ICT Infrastructure
• Technology used for gathering, storing, transmitting, retrieving and processing information
• People who interact with the technology, and the processes that enable the interaction
Prevention of cyber risks begins with mitigating the risks associated with the people who interact with the technology, as they are noted to be the most vulnerable.
• Cyber security = holistic risk management integrating People, Process and Technology.
5. Risk Management of ICT Infrastructure
[Figure: People, Process, Technology: Prioritised Cyber Risk Management]
• People layer: training in recognising phishing, viruses, spam, etc.; background checks by HR (verified résumés); implementation of the prevention and recovery stages.
• Process layer: policies such as an "Incident Response Process", password management, and escalation chains in case of data loss.
• Technology layer: monitoring of confidential information, network security, protection of external data transfers, and encryption.
6. Pillars of Information Security
Source: EY
Confidentiality of information: encrypted documents that were electronically transferred and protected against unwanted exposure.
Integrity was maintained when the encrypted data could not be broken into and its content altered. Note that encryption alone does not guarantee this: an unauthenticated ciphertext can be modified without the key, so an integrity check (a MAC, or authenticated encryption) is needed to detect tampering.
Availability of information ensured that the data is visible throughout the relevant systems in supply chains, in e-commerce organisations.
Further pillars: non-repudiation, accountability, authenticity and reliability of information, and protection of the actual data in the information system.
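The integrity pillar deserves a closer look than the slide gives it. The following Python script is an added example, not part of the original presentation or of the EY source it cites. It uses a toy stream cipher (an HMAC-SHA256 keystream XORed with the plaintext, an assumption chosen so that the script runs with the standard library alone; it is not a cipher to deploy) to show that an attacker who knows part of the plaintext can change an encrypted payment instruction without ever holding the key, and that an encrypt-then-MAC tag under a second key catches the same change. The keys, nonce and message are constructed for the demonstration.

```python
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks.
    Assumption for this example only; it stands in for any XOR stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR is its own inverse


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker with NO key: since C = P xor K, flipping bits of C flips the same
    bits of the recovered plaintext. Knowing that `old` sits at `offset` is enough
    to make the receiver decrypt `new` in its place."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext under a separate key."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return decrypt(enc_key, nonce, ct)


def demo() -> dict:
    """Run both scenarios on a constructed payment instruction."""
    enc_key, mac_key = b"E" * 32, b"M" * 32   # constructed test keys
    nonce = b"N" * NONCE_LEN                   # constructed; use os.urandom(16) for real use
    msg = b"PAY 000100 USD TO ACME"            # the amount field starts at offset 4
    # 1. Encryption without integrity: the forged amount decrypts cleanly.
    forged_ct = tamper(encrypt(enc_key, nonce, msg), 4, b"000100", b"900100")
    unauthenticated = decrypt(enc_key, nonce, forged_ct)
    # 2. Encrypt-then-MAC: the identical forgery is rejected before decryption.
    blob = seal(enc_key, mac_key, nonce, msg)
    forged_blob = (blob[:NONCE_LEN]
                   + tamper(blob[NONCE_LEN:-TAG_LEN], 4, b"000100", b"900100")
                   + blob[-TAG_LEN:])
    try:
        open_sealed(enc_key, mac_key, forged_blob)
        rejected = False
    except ValueError:
        rejected = True
    return {"unauthenticated_result": unauthenticated, "authenticated_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The first scenario is why "the encryption could not be broken" is not the same as integrity: the attacker never recovers the key, yet the receiver decrypts a different amount. The second scenario is the check that actually delivers the pillar; in practice use an authenticated mode such as AES-GCM or ChaCha20-Poly1305 rather than assembling it by hand.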
7. "Cyber" includes computers, computer networks, the Internet of Things, ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) systems.
Essential concerns of cyber security in the supply chain industry:
I. Hardware supply chains
II. Software supply chains
III. Third-party risks
IV. Current management of cyber risk
8. I. Hardware supply chains
Sources: Sethumadhavan, Waksman, Suozzo, Yipeng and Eum (2015); Forte, Perez and Kim (2016); Williams (2014); Skorobogatov and Woods (2012); Wired (2014)
• Design-related flaws can be a consequence of malicious intrusions.
• "Rule of 10" for the cost of flaw detection in the life cycle of hardware equipment: each later stage at which a flaw is found multiplies the cost of fixing it by roughly ten.
• IP of hardware components = a circuit design or subsystem abstracted on chips for reusability.
• The knowledge gap between integrated circuit (IC) designers and their understanding of security is a major concern.
• Trade-off: adding new circuitry may improve the overall manufacturable yield and testability, but at a cost to overall security.
• A secret access key was extracted from Actel's ProASIC3 Field Programmable Gate Array (FPGA) chip, which activated the "back door" control.
• Access to the backdoor allows extracting the configuration data from the chip, altering silicon features, accessing unencrypted configuration information and damaging the device.
9. II. Software supply chains
Sources: Lysne, Hole, Otterstad, Ytrehus, Aarseth and Tellnes (2016); Dark Reading (2015); Curly (2011); BBC News (2013); Brasington and Park (2016)
• Outsourced development, failure to test and patch code, open-source libraries and compromised third-party software may render systems susceptible to data leakage and loss.
• Rogue employees engaged in software development may insert malware or a Trojan to initiate "time bombs".
• "Zero-day" vulnerabilities.
• The distribution model has shifted from a physical model to an internet-based digital model, giving hackers ample opportunities to manipulate code.
• Supply chains hosted on cyber-infrastructure INCREASE the opportunity for hostile actors such as drug traffickers and underground criminals to execute malicious intent (Port of Antwerp).
• Unaware end users compromise their systems when installing updates and patches for software maintenance, which are essentially entry points for attackers to install malware (Stuxnet).
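The last two bullets single out the update and distribution channel as an entry point. The following Python script is an added example, not from the presentation or any of the sources it cites, of the check a receiving organisation can run before an update is installed: confirm that every shipped file matches a manifest issued by the vendor, that nothing listed is missing, and that nothing unlisted was slipped into the package. The manifest format, the vendor key and the package contents are this example's own constructions; a real vendor would sign the manifest with a public-key signature, and HMAC-SHA256 stands in here only so that the script runs with the standard library.

```python
import hashlib
import hmac

# Assumed manifest format (this example's own convention, not any vendor's):
#   one "<sha256 hex>  <relative path>" line per shipped file, then a final
#   line "tag <hex>" holding HMAC-SHA256 over all preceding lines under the
#   vendor's key. HMAC stands in for a public-key signature so that the
#   example runs with the standard library only.


def build_manifest(files: dict, vendor_key: bytes) -> str:
    """Vendor side: hash every shipped file and tag the listing."""
    body = "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n"
        for name, data in sorted(files.items())
    )
    tag = hmac.new(vendor_key, body.encode(), hashlib.sha256).hexdigest()
    return body + f"tag {tag}\n"


def verify_update(manifest: str, files: dict, vendor_key: bytes) -> list:
    """Receiving side: return every reason the package must NOT be installed.
    An empty list means the package is exactly what the vendor issued."""
    lines = manifest.splitlines()
    if not lines or not lines[-1].startswith("tag "):
        return ["manifest has no tag line"]
    body = "".join(line + "\n" for line in lines[:-1])
    expected = hmac.new(vendor_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(lines[-1][4:], expected):
        # If the listing itself is forged, its hashes prove nothing: stop here.
        return ["manifest tag invalid: altered in transit or not issued by the vendor"]
    problems = []
    listed = {}
    for line in lines[:-1]:
        digest, name = line.split("  ", 1)
        listed[name] = digest
    for name, digest in listed.items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"hash mismatch: {name}")
    for name in files:
        if name not in listed:
            problems.append(f"unlisted file in package: {name}")
    return problems


if __name__ == "__main__":
    # Constructed package and key for the demonstration.
    key = b"vendor-release-key"
    shipped = {"bin/agent": b"\x7fELF-agent-v2", "conf/agent.yml": b"interval: 60\n"}
    manifest = build_manifest(shipped, key)
    received = dict(shipped, **{"bin/agent": b"\x7fELF-agent-v2-with-implant"})
    print("clean package:", verify_update(manifest, shipped, key))
    print("tampered package:", verify_update(manifest, received, key))
```

The order of the checks matters: the tag is verified first and the function stops if it fails, because a manifest the attacker could rewrite would simply list the hashes of the implanted files. The "unlisted file" rule is the one most often forgotten; a package that verifies file by file can still carry an extra binary nothing vouches for.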
10. III. Third-party risks
Sources: TrustWave (2012); Hale (2016); Servidio and Taylor (2015); McGuinn, Seckman and Sheppard (2016); Fischer (2016)
• 76% of all data breaches were a result of third-party security deficiencies.
• 44% of banks surveyed do not require third parties to notify them if breached.
• The weak link in integrated supply chains is the quality of security controls and compliance of third parties.
• "Supply chain managers and end users are NOT completely aware of the potential problems the integration may cause" (chief executive of SCADAfence).
• Cross-validation and constant vigilance of third parties and internal employees is key to ensuring that basic security measures are not circumvented.
• A secure private virtual connection alone is not good enough to exercise network security against external parties.
• The value of monitoring lies in having a bird's-eye view of the potential threats.
11. IV. Current management of cyber risks
Sources: PwC (2016); Dell (2014); O'Rourke (2015); Burnson (2013); Inside Counsel (2015)
• Frequently review and update threat intelligence and the incident response plan (not being done currently).
• Of the 1,440 organisations interviewed globally, 75% admitted to experiencing a security breach in the last 12 months.
• "organisation did not have a cyber breach plan and of those that did, 57% did not review or update it."
• 45% of respondents said their "organisation's risk management plan that included cyber security still required 'substantial work'".
• A proactive risk management strategy should go beyond information security and ideally be incorporated within corporate strategy.
12. This research aims to investigate how businesses manage risks involving the Information and Communications Technology (ICT) infrastructure against cyber-attacks in their supply chains.
[Figure: Adaptive Security Architecture framework, originally proposed by Gartner (2014), with its four stages Predict, Prevent, Detect and Respond]
• Predict: awareness of risks on all levels and uncovering weak spots.
• Prevent (People): minimise the attack surface and prevent intrusion from the first layer.
• Detect (Process): recognise threats, isolate and contain.
• Respond (Technology): react to breaches, mitigate damage, analyse and learn.
• People, Process, Technology
Source: Adapted from Business Security Insider (available online at: https://business.f-secure.com/cyber-security-is-not-a-solution-but-a-process/ <accessed on 27 August 2016>)
13. Predict, Prevent, Detect, Respond
RQ 1. How do businesses predict that their systems or operations may be vulnerable to cyber-attacks?
RQ 2. What kind of prevention strategies are in place to safeguard against cyber-attacks?
RQ 3. What kind of detection strategies are in place to isolate and contain threats?
RQ 4. What kind of response strategies are in place to react to the breach and mitigate the damage?
14. Traditional quantitative studies that use statistical analysis are not suited to examining a dynamic and evolving phenomenon, because they are static. Qualitative studies, on the other hand, are suited to analysing interactive and dynamic processes.
An exploratory qualitative study was selected for this research.
Source: Marshall and Rossman, 2014, p. 33
The main purpose of an exploratory study is to explore the topic beyond the domain of quantitative correlations.
15. Informants
Five IT professionals who have had experience in working with integrated information systems or ICT infrastructure security were selected for the study, after they had consented to participate.
(Table columns: Credentials | IT Specialisation and Industry Experience | Specific Roles)
Informant 1
• Credentials: CISM, CRISC, CISA, ISO 27001, COBIT; Security Specialist
• Specialisation and industry experience: financial organisations, fast-moving consumer goods (FMCG), mining and resources, education sector and professional services
• Specific roles: Asia Pacific Wintel Operations & Security Lead; Head of Information Security & Compliance; Head of Information Security & Risk
Informant 2
• Credentials: AWS Certified Solutions Architect - Associate
• Specialisation and industry experience: network security, firewalls, solution architecture, Linux, IT security operations; government agencies and big corporates, including banks and insurance companies
• Specific roles: Network & Systems Engineer; Security Consultant; Managing Director & Principal Consultant
Informant 3
• Credentials: N/A
• Specialisation and industry experience: IT security manager in a regenerative medicine R&D organisation; conducts employee training and awareness programs for scientists to recognise threats
• Specific roles: supply chain and procurement specialist; IT security specialist and manager; security analyst and adviser to upper management
Informant 4
• Credentials: PhD (Computer Systems Engineering), Global MBA; software product development chief architect
• Specialisation and industry experience: development of mobile devices, e-commerce, software engineering, Android; R&D team that develops the technical infrastructure of software products; communications software used by financial brokers
• Specific roles: Software Systems Engineer; Software Engineer; Principal Software Engineer; Director of Software Engineering
Informant 5
• Credentials: cyber-crime forensics analyst (CBI); cyber-security entrepreneur; lead in regional ISO 37001 implementation
• Specialisation and industry experience: led the review process of an anti-bribery management system; main roles include national governance and forensic investigation of cyber-crime; development and deployment of security products and business intelligence to France and the USA
• Specific roles: 1. Senior Consultant, 2. Senior Engineering Manager, 3. Director of the Board and CTO, 4. Co-Founder and CTO; Committee Member of Cyber Crime Group (National)
16. Semi-Structured Interviews
Semi-structured interviews were conducted to collect data from informants who have had experience in dealing with ICT security.
Dworkin (2012) suggested that a minimum of five informants is required in semi-structured interviews before saturation (the point at which data collection offers no new insights) is reached.
The semi-structured interview consisted of a set of open-ended questions, sequenced in four major sections that complement the four sub-research questions (RQ 1, RQ 2, RQ 3 and RQ 4).
17. RQ 1. How do businesses predict that their systems or operations may be vulnerable to cyber-attacks?
• "Businesses cannot predict a potential cyber attack. It is not a matter of 'if', it is a question of 'when'."
• "End-to-end processes are all vulnerable to an intrusion (no matter what business) as business continuity will depend on communication online (e.g. email), which increases the risks. Supply chain managers should focus on all aspects of their end-to-end process."
• "Real-time protection from both internal and external data transfers should be monitored."
• "There is no single point in the supply chain that poses maximum risk; it could be an insider or a distribution node. The moment there is an integration where data is exchanged with external stakeholders (healthcare or logistics company), the tunnel of communication needs extreme security."
• "Every information exchange node becomes vulnerable to attack and has to be taken care of."
• "Security cannot be an afterthought. Both services and products should be secured by design."
18. RQ 2. What kind of prevention strategies are in place to safeguard against cyber-attacks?
• "Security is NOT only about technology, but people and process."
• "Maturity of the organisation in the way it understands security is crucial to providing training and awareness. Not only the technical part but also understanding pitfalls... such as if someone unknowingly does something, then how would it impact all levels of the organisation."
• "'People' are the weakest link in securing the three layers of controls. Ensuring proper employees are hired in the organisation would minimise the risk of cyber threats."
• "Big data analytics can be employed to have oversight of employee behaviour and online inclinations."
• "Not direct analysis, but indirect analysis based on customer/employee online behaviour tracking using human counter-intelligence techniques like random spam circulation to organisation employees... inject known contacts into test spam mails."
• "How easily are they sharing information online? They may be careless and this becomes an influential factor. Maybe they have subscribed to different groups that may be harmful to the organisation, such as hackers."
19. RQ 3. What kind of detection strategies are in place to isolate and contain threats?
• "Most of the time, detection takes place after the attack has been launched (e.g. CryptoLocker, ransomware), extremely common malware that targets a wide range of consumers and businesses."
• "Real-time tracking processes are essential to detect threats (crypto-forensics)."
• "Embed 'Easter eggs': there may be hidden code which is not part of the functionality of the code, but it senses where it has been installed or exported, so if the source code is deployed somewhere else, the moment it is connected to the internet you'll see that the request does not come from your server but somebody else's server. So you would know the source IP."
• "Containing the threat involves communicating the situation to upper management and ensuring systems are not utilised at that point. Isolating the threat would ensure that backup and other critical devices are not adversely impacted. Compromised systems are completely shut down in order to avoid back-door entry."
• "There is a big threat in the end-user aspect with respect to detection."
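The RQ 3 responses above stress that detection usually happens only after ransomware has started running, and that real-time tracking is needed to shorten that gap. The following Python script is an added illustration, not the informants' own tooling or anything from the presentation: it runs two simple real-time rules over a constructed sample of file-server audit events (the log format, host and user names, paths and thresholds are all assumptions). The first rule flags a burst of renames that append the same new extension within a short window, the trace that CryptoLocker-style malware leaves as it encrypts a share; the second flags any access to a planted canary file that no legitimate user opens. Each alert names the host and account so that the isolation step the informants describe can be taken immediately.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of file-server audit events (hypothetical format: ISO timestamp
# followed by key=value fields). Not real data.
SAMPLE_LOG = """\
2016-08-27T10:00:01 host=fs01 user=alice op=write path=/share/q3/forecast.xlsx
2016-08-27T10:00:09 host=fs01 user=alice op=rename src=/share/q3/draft.docx dst=/share/q3/final.docx
2016-08-27T10:01:30 host=fs01 user=bob op=rename src=/share/q3/notes.txt dst=/share/q3/notes.txt.bak
2016-08-27T10:03:10 host=fs01 user=svc_scan op=rename src=/share/q3/forecast.xlsx dst=/share/q3/forecast.xlsx.locked
2016-08-27T10:03:11 host=fs01 user=svc_scan op=rename src=/share/q3/final.docx dst=/share/q3/final.docx.locked
2016-08-27T10:03:12 host=fs01 user=svc_scan op=rename src=/share/q3/orders.csv dst=/share/q3/orders.csv.locked
2016-08-27T10:03:13 host=fs01 user=svc_scan op=rename src=/share/q3/suppliers.csv dst=/share/q3/suppliers.csv.locked
2016-08-27T10:03:14 host=fs01 user=svc_scan op=rename src=/share/q3/po-1042.pdf dst=/share/q3/po-1042.pdf.locked
2016-08-27T10:03:15 host=fs01 user=svc_scan op=write path=/share/q3/.canary/do-not-touch.docx
2016-08-27T10:03:16 host=fs01 user=svc_scan op=write path=/share/q3/README_DECRYPT.txt
"""

WINDOW_SECONDS = 60                          # assumed tuning values
RENAME_THRESHOLD = 5
CANARY_PREFIXES = ("/share/q3/.canary/",)    # planted decoys; any access is suspicious


def parse_event(line: str) -> dict:
    """Split one audit line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def added_extension(src: str, dst: str):
    """Return the suffix a rename appended (e.g. '.locked'), or None if the
    name changed in some other way (an ordinary rename of draft.docx to final.docx)."""
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):]
    return None


def detect(log_text: str) -> list:
    """Stream the events once and return the alerts raised, in event order."""
    alerts = []
    recent = defaultdict(deque)   # (host, user, ext) -> rename timestamps inside the window
    fired = set()                 # alert once per (host, user, ext) burst
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        touched = [ev[k] for k in ("path", "src", "dst") if k in ev]
        hit = [p for p in touched if p.startswith(CANARY_PREFIXES)]
        if hit:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rule": "canary", "detail": f"canary file touched: {hit[0]}"})
        if ev["op"] != "rename":
            continue
        ext = added_extension(ev["src"], ev["dst"])
        if ext is None:
            continue
        key = (ev["host"], ev["user"], ext)
        window = recent[key]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RENAME_THRESHOLD and key not in fired:
            fired.add(key)
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rule": "rename_burst",
                           "detail": f"{len(window)} files renamed to '*{ext}' within {WINDOW_SECONDS}s"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['rule']:13} host={a['host']} user={a['user']} {a['detail']}")
```

In the sample, bob's single ".bak" rename and alice's ordinary rename produce nothing, while the service account's fifth ".locked" rename trips the burst rule at 10:03:14 and its write to the canary folder trips the second rule one second later. The thresholds are deliberately conservative; on a real share they are tuned against a baseline of legitimate batch jobs, and the canary rule needs no tuning at all, which is why it is worth planting.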
20. RQ 4. What kind of response strategies are in place to react to the breach and mitigate the damage?
• "So this relates to after the incident, how do you escalate this incident... the first thing is to follow the disaster recovery plan, because you want to more minimum data. The second is to prevent any more loss, so there has to be a strong technical response."
• "Detect and respond to information at rest and information in transit."
• "Intelligence should be based on real-time data. Real-time detection is more important than prevention and obviously response."
• "The aim should be to detect and protect immediately."
21. Interpretation of Findings
RQ1. Prediction cannot rest on a reactive approach to mitigating cyber attacks in supply chains. Continuous real-time tracking of all nodes and of the operational activities of all parties is required to secure the ICT infrastructure of supply chains.
RQ2. Integrating big data analytics to evaluate threat signals from the people and process layers is crucial to deflecting potential insider threats.
RQ3. Real-time tracking of network communication and transactions is paramount in order to reduce the dwell time of threats before detection, to ensure that uncompromised systems are isolated, and so that compromised systems can be shut down immediately after a malicious intrusion.
RQ4. Essentially, this factor relates to supply chain cyber resilience, where the main aim is to secure uncompromised data to ensure business continuity.
22. Implications for Theory and Practice (Final Analysis)
Refinement of the Adaptive Security Architecture Framework
Existing Categories -> Proposed Nomenclature
Predict -> Anticipatory Vigilance
Prevent -> Profiling Malevolence
Detect -> Instantaneous Response
Respond -> Uncompromised Recovery
23. Cyber security should be a continuous improvement capability to ensure business continuity of supply chains.
As omni-channels and IoT add new dimensions to integration in supply chains, safeguarding the ICT infrastructure should include all touch points of consumers and nodes within the integrated networks.
[Figure: Managing Cyber Risks in ICT Infrastructures of Supply Chains, surrounded by the four proposed stages: Anticipatory Vigilance, Profiling Malevolence, Instantaneous Response, Uncompromised Recovery]
24. Limitations and Future Studies
As the study does not include a longitudinal analysis over time, the findings could not explore the subject matter in more depth: the study was restricted to informants who were interviewed once, within a certain time frame.
Only five informants were ultimately chosen out of the six participants who had initially committed to the interview. This restricted the scope for uncovering more experiential knowledge.
The study could be extended to a greater sample of participants in future studies to garner a comprehensive understanding of the research topic.
26. References
• Shackleford, D., 2015. Combatting Cyber Risks in the Supply Chain. SANS Institute InfoSec Reading Room, 1, pp. 1-17. Available at: https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252 [Accessed 21 August 2016].
• Urciuoli, L., 2015. Cyber-Resilience: A Strategic Approach for Supply Chain Management. Technology Innovation Management Review, 5(4), pp. 13-18. http://timreview.ca/article/886
• Khan, O. and Estay, D. A. Sepúlv., 2015. Supply Chain Cyber-Resilience: Creating an Agenda for Future Research. Technology Innovation Management Review, 5(4), pp. 6-12. http://timreview.ca/article/885
• PwC, 2016. The Global State of Information Security Survey 2016. Available at: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html [Accessed 24 August 2016].
• Lane, D., 2011. The Chief Information Officer's Body of Knowledge: People, Process, and Technology. 1st ed. New Jersey: John Wiley & Sons.
• Business Security Insider, 2016. The 360 Degree Approach to Cyber Security. Available at: https://business.f-secure.com/cyber-security-is-not-a-solution-but-a-process/ [Accessed 25 August 2016].
• Juneja, N. and Tuli, K., 2016. Cyber Security Challenges & Online Frauds on Internet. International Journal of Advanced Research in IT and Engineering, 5, pp. 1-12. Available at: http://garph.co.uk/IJARIE/Feb2016/1.pdf [Accessed 21 August 2016].
• Booz Allen Hamilton, 2012. Managing Risks in Global ICT Supply Chains. Booz Allen Hamilton Report, pp. 1-12. https://www.boozallen.com/content/dam/boozallen/media/file/managing-risk-in-global-ict-supply-chains-vp.pdf
• Chacko, A., 2015. Cybersecurity - Integrating People, Process and Technology. In: IASA 87th Annual Educational Conference & Business Show, Las Vegas, June 7-10. Las Vegas: IASA, pp. 1-37.
• Humphreys, E., 2008. Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13, pp. 247-255.
• ISO/IEC, 2004. ISO/IEC TR 13335-1:2004 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management. ISO/IEC JTC 1, SC 27, WG 1.
• Yan, Y., Qian, Y., Sharif, H. and Tipper, D., 2012. A survey on cyber security for smart grid communications. IEEE Communications Surveys & Tutorials, 14(4), pp. 998-1010.
• Ponemon Institute, 2015. The Cost of Phishing & Value of Employee Training. Ponemon Institute Research Report, 1, pp. 1-15.
• Janes, P., 2012. Information Assurance and Security Integrative Project: People, Process, and Technologies Impact on Information Data Loss. SANS Institute InfoSec Reading Room, 1, pp. 1-44.
• ProtectWise, 2016. 5 Blind Spots that Kill Cybersecurity. Dark Reading, 1, pp. 1-10.
• Luthra, S., 2016. Botnet and Malwares Analysis and Detection (Minor Thesis). Deakin University, 1, pp. 2-22.
• Iyengar, S., 2016. Enterprise IT Security - Need of the Hour. Communications Today.
• Bolhari, A., 2009. Electronic-Supply Chain Information Security: A Framework for Information. In: Australian Information Security Management Conference, December 2009, p. 10.
• Dhillon, G., 2007. Principles of Information Systems Security. John Wiley & Sons.
• Boyes, H., 2015. Cybersecurity and Cyber-Resilient Supply Chains. Technology Innovation Management Review, 1, pp. 1-8.
• Jensen, L., 2015. Challenges in Maritime Cyber-Resilience. Technology Innovation Management Review, 5(4), p. 35.
• Pettit, T. J., Fiksel, J. and Croxton, K. L., 2010. Ensuring Supply Chain Resilience: Development of a Conceptual Framework. Journal of Business Logistics, 31(1), pp. 1-21. http://dx.doi.org/10.1002/j.2158-1592.2010.tb00125.x
• Wilding, R. and Wheatley, M., 2015. Q&A. How Can I Secure My Digital Supply Chain? Technology Innovation Management
• Masvosvere, D. J. E. and Venter, H. S., 2015. A model for the design of next generation e-supply chain digital forensic readiness tools. In: Information Security for South Africa (ISSA), 2015, August. IEEE, pp. 1-9.
• Gartner, 2014. Designing an Adaptive Security Architecture for Protection From Advanced Attacks. Available at: https://www.gartner.com/doc/2665515/designing-adaptive-security-architecture-protection [Accessed 24 August 2016].
• Elsbach, K. D. and Kramer, R. M., 2003. Assessing creativity in Hollywood pitch meetings: Evidence for a dual-process model of creativity judgments. Academy of Management Journal, 46(3), pp. 283-301.
• Meredith, J., 1998. Building operations management theory through case and field research. Journal of Operations Management, 16(4), pp. 441-454.
• Marshall, M. N., 1996. Sampling for qualitative research. Family Practice, 13(6), pp. 522-526.
• Marshall, C. and Rossman, G. B., 2014. Designing Qualitative Research. Sage Publications.
• Narasimhan, R., 2014. Theory development in operations management: Extending the frontiers of a mature discipline via qualitative research. Decision Sciences, 45(2), pp. 209-227.
• Guercini, S., 2014. New qualitative research methodologies in management. Management Decision, 52(4), pp. 662-674.
• Forza, C., 2002. Survey research in operations management: a process-based perspective. International Journal of Operations & Production Management, 22(2), pp. 152-194.
• Bowen, G. A., 2009. Document analysis as a qualitative research method. Qualitative Research Journal, 9(2), pp. 27-40.