Presentation “Protecting the Energy Supply Chain – From Cyber Attacks to Drones”
The presentation is about cyber and physical protection of sustainable supply chain management and the need for advanced risk analytics.
The presentation was given by Thomas Zakrzewski in Dubai at GITEX in 2020. Issues of supply chain management still make headlines in 2022 and are expected to stay top of the minds of the C-suite for foreseeable future.
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Protecting the Energy Supply Chain - Dubai
1. Protecting the Energy Supply Chain –
From Cyber Attacks to Drones
EgisData solutions
presented by Tom Z.,
2. Thomas Zakrzewski: Founder and Managing Partner at EgisData, a company
providing an Attribute Based Access Control engine and data privacy. Thomas is
a Former Distinguished Engineer and Head of Blockchain at S&P Global Ratings.
He developed products to protect private and confidential information using
advanced cryptography and blockchain.
He co-authored a patent for a solution addressing issues with data privacy, data localization, and
preparedness for post-quantum ciphers using advanced cryptography and blockchain.
Tom has over 25 years of IT experience in the Financials, Software Engineering, Telecom, e-
Commerce, Distribution & Logistics, and Healthcare industries. He holds a Bachelor’s Degree in
Computer Science and Mathematics from Montclair State University, and a Master’s Degree in
Predictive Analytics from Northwestern University.
Throughout his career, he held numerous positions ranging from developer, to architect, to CIO.
Currently he serves on the Advisory Boards for the Montclair State University, and New Jersey
Institute of Technology (NJIT).
Tom is also a Visiting Technologist Fellow at the National Security Institute (NSI) and is a frequent
speaker at conferences discussing blockchain security, cryptoassets, and quantitative models.
3. Supply Chain Management
● Definition
o A supply chain is a system of organizations, people, activities, information, and resources involved in
supplying a product or service to a consumer
● Evolution of supply chain management in the age of automation
o Many tasks are automated by AI and the transfer of goods between tasks of the process are often controlled
by IoT devices
● Monitoring the process flow
○ Each party participating in the process of supply chain bears a responsibility to complete their steps
○ Disruptions for most part are only visible to consumers at the end of the supply chain
○ Disruptions by suppliers and resultant spillover effects are often unnoticeable until is too late
● Disruption predictions
o Modeling of risk in supply chain management is complex and challenging
o Modeling needs to take interconnectedness of suppliers and supplies into account
o There is notable resemblance of modeling risk in supply chain management to modeling risk in interconnected
banking systems
4. Simplified Threat Model
● Countermeasures
o Digital
Authentication and authorization
Encryption at rest and in transport
o Physical
AI weaponry
● Threats
o Digital – cyber attacks
o Physical – Unmanned Aerial Vehicles (UAV) - drones
o Disruptions to Counterparties - consequences of
disruptions
5. Physical Threats – Drones
● Notable incidents
o September 14, 2019: attack on Saudi Aramco oil facilities near the
cities of Abqaiq and Khurais in Saudi Arabia
● Commercial and military use of drones
○ In 2020 there are 3.55 M small drones in the US alone
○ Over 36 countries produce and possess armed drones
● Protection by autonomous weaponry powered by AI
o UAV (Unmanned Autonomous Vehicle) platform that autonomously detects, hunts,
and takes down other small UAVs in GPS-denied environments (Wyder et al. 2019)
o Combat-proven counter drone technology by Citadel Defense (Staff Writers 2020)
Staff Writers. "Citadel Defense Launches New AI and Machine Learning Software to Detect and Defeat Air, Land, and Sea Drones". Space Daily. April 24, 2020 Friday.
Wyder, Philippe Martin, Yan-Song Chen, Adrian J. Lasrado, Rafael J. Pelles, Robert Kwiatkowski, Edith O. A. Comas, Richard Kennedy, et al. "Autonomous drone hunter operating
by deep learning and all-onboard computations in GPS-denied environments." PLoS ONE 14, no. 11 (2019): e0225092. Gale Academic OneFile (accessed December 1, 2020)
https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0225092
6. Digital Threats – Cyber Attacks
● Automated Supply Chain Management uses IoT devices:
o GPS devices report location of the transport
o Drones function as inspection devices
o Industrial Control Systems (ICS) devices: control processes of supply management, i.e.
temperature control, flow of oil or gas
● Exploiting ICS vulnerabilities (see appendix pages 8 - 10)
o Firmware and software vulnerabilities
o Misconfiguration: open ports, enabled protocols, elevated-privilege
o Weak authentication schemas
o Failure to protect data at transport and at rest
● Protection methods
o Frequent scanning and updates for firmware and software, code signing implementation
o Multifactor Authentication (MFA) implementation and use of Attribute Based Access Control
o Protection of private keys, ideally using advanced cryptographic schemas such as Multiparty
Computation (MPC), use of strong encryption for data protection at rest and in transport
7. Counterparties Disruption - Threats
● Dependencies in Supply Chain Management
o Suppliers in one chain can play roles in another chain
o Disruption in one chain supply may cause a spillover
effect on another chain
o Disruption one supplier may cause a spillover effect
on another supplier
● Complexity in modeling dependencies
o Similar models have been used in financial risk
management and measurement (Diebold et al. 2016)
o We can use variance decomposition models and use
vectors of connectedness between suppliers and
supplies (see Appendix page 11)
Diebold, Francis X., Demirer, Mert, Liu, Laura, Yilmaz, Kamil Yilmaz “Estimating global bank network connectedness”.
https://www.sas.upenn.edu/~fdiebold/papers2/DDLYpaper.pdf
8. Appendix – scanning net for active IoT devices
● Shodan.io is an example of
website listing scanned IoT
devices.
● Cyber adversaries may use
tools like ZenMap
9. Appendix – scanning IoT devices for open ports and services
● Scanner shows 3 ICS
devices: wind turbines
● Scanner lists IP addresses
for the devices along the
with their physical location
10. Appendix – scanning IoT device for OS and services vulnerabilities
● Devices accessed by IP
address show open ports
and communication
protocols
● Information about OS and
protocols can lead cyber
adversaries to discover
vulnerabilities
11. Appendix – Modeling Dependencies in Supply Chain Management
● Vectors of connectedness
between suppliers are
represented by edges in the
graph (Yilmaz and Diebold
2014)
● Dependencies represented
as directed and weighted
edges between suppliers
(example: black - 0.7, red – 0.5,
yellow - 0.3)
● Example of graphical
representation after variance
decomposition is calculated
Diebold, Francis X.,Kamil Yilmaz “Financial and Macroeconomic Connectedness”. http://financialconnectedness.org