Motunrayo Oluremi Ibiyemi,David Olanrewaju Olutimehin

DOI: https://doi.org/10.51594/ijmer.v6i6.1241

2024-06-24

International Journal of Management & Entrepreneurship Research

Abstract:This review paper explores the evolving landscape of cybersecurity threats within supply chains, highlighting strategic measures necessary to mitigate these risks. As supply chains integrate more deeply with digital technologies and global networks, they become more vulnerable to sophisticated cyber attacks that can severely disrupt operational integrity and security. This paper synthesizes existing literature to outline the major cybersecurity challenges faced by supply chains, examining case studies and best practices from various industries. Our findings underscore the prevalent threats such as ransomware, phishing, and insider attacks, which exploit the complex interdependencies and digital interfaces in supply chains. The review identifies effective strategic responses, including the integration of comprehensive cybersecurity frameworks, enhanced inter-organizational cooperation, and the implementation of real-time threat detection systems. Conclusively, the paper advocates for a holistic and proactive approach to cybersecurity, emphasizing continuous improvement and adaptive strategies to protect against the dynamic nature of cyber threats in supply chain contexts. Keywords: Cybersecurity, Supply Chain Management, Risk Assessment, Continuous Monitoring, Incident Response, Blockchain Technology, Artificial Intelligence (AI), Collaboration and Information Sharing, Cyber Threats, Emerging Technologies.

Vikas Hassija,Vinay Chamola,Vatsal Gupta,Sarthak Jain,Nadra Guizani

DOI: https://doi.org/10.1109/jiot.2020.3025775

IF: 10.6

2021-04-15

IEEE Internet of Things Journal

Abstract:The rapid improvement in the global connectivity standards has escalated the level of trade taking place among different parties. Advanced communication standards are allowing the trade of all types of commodities and services. Furthermore, the goods and services developed in a particular region are transcending boundaries to enter into foreign markets. Supply chains play an essential role in the trade of these goods. To be able to realize a connected world with no boundary restrictions in terms of goods and services, it is imperative to keep the associated supply chains transparent, secure, and trustworthy. Therefore, some fundamental changes in the current supply chain architecture are essential to achieve a secure trade environment. This article discusses the supply chain's security-critical application areas and presents a detailed survey of the security issues in the existing supply chain architecture. Various emerging technologies, such as blockchain, machine learning (ML), and physically unclonable functions (PUFs) as solutions to the vulnerabilities in the existing infrastructure of the supply chain have also been discussed. Recent studies reviewed in this work reveal a growing sentiment in the industry toward new and emerging technologies, such as Internet of Things (IoT), blockchain, and ML. While many organizations have already adopted IoT applications and artificial intelligence systems in their businesses, widespread adoption of blockchain remains distant. It has also been found that over the past decade, PUF-based authentication systems have gained much ground. However, a proper reference model for their implementation in complex supply chains is still missing.

computer science, information systems,telecommunications,engineering, electrical & electronic

Olubunmi Adeolu Adenekan,Chinedu Ezeigweneme,Excel Great Chukwurah

DOI: https://doi.org/10.51594/ijmer.v6i5.1125

2024-05-12

International Journal of Management & Entrepreneurship Research

Abstract:This review paper explores the multifaceted realm of cybersecurity within IT supply chains, addressing the intricate challenges posed by digital vulnerabilities, high-profile cyber incidents, and emerging threats. It highlights the criticality of continuous risk assessment, the implementation of international security standards, and the necessity for enhanced management of third-party vendors. The paper also delves into advanced technological solutions like blockchain, AI, and machine learning for bolstering security, advocating for best practices including the zero-trust model, regular employee training, and secure software development. Emphasizing a proactive over a reactive approach, the paper underscores the evolving nature of cyber threats and the imperative for adaptive strategies. It calls for concerted efforts from businesses, policymakers, and IT professionals to prioritize and continuously refine cybersecurity measures in safeguarding IT supply chains against future threats. Keywords: IT Supply Chain, Cybersecurity, Risk Management, Blockchain, Zero-Trust Model, Artificial Intelligence.

Marcela S. Melara,Mic Bowman

DOI: https://doi.org/10.48550/arXiv.2209.04006

2022-09-08

Cryptography and Security

Abstract:The software supply chain involves a multitude of tools and processes that enable software developers to write, build, and ship applications. Recently, security compromises of tools or processes has led to a surge in proposals to address these issues. However, these proposals commonly overemphasize specific solutions or conflate goals, resulting in unexpected consequences, or unclear positioning and usage. In this paper, we make the case that developing practical solutions is not possible until the community has a holistic view of the security problem; this view must include both the technical and procedural aspects. To this end, we examine three use cases to identify common security goals, and present a goal-oriented taxonomy of existing solutions demonstrating a holistic overview of software supply chain security.

Piergiorgio Ladisa,Henrik Plate,Matias Martinez,Olivier Barais

DOI: https://doi.org/10.1109/SP46215.2023.00010

2022-04-20

Abstract:The widespread dependency on open-source software makes it a fruitful target for malicious actors, as demonstrated by recurring attacks. The complexity of today's open-source supply chains results in a significant attack surface, giving attackers numerous opportunities to reach the goal of injecting malicious code into open-source artifacts that is then downloaded and executed by victims. This work proposes a general taxonomy for attacks on open-source supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution. Taking the form of an attack tree, it covers 107 unique vectors, linked to 94 real-world incidents, and mapped to 33 mitigating safeguards. User surveys conducted with 17 domain experts and 134 software developers positively validated the correctness, comprehensiveness and comprehensibility of the taxonomy, as well as its suitability for various use-cases. Survey participants also assessed the utility and costs of the identified safeguards, and whether they are used.

Cryptography and Security,Software Engineering

Badis Hammi,Sherali Zeadally

DOI: https://doi.org/10.1109/mc.2023.3273491

2023-07-01

Computer

Abstract:Software application development involves various actors and organizations in what is called the software supply chain. We discuss how we can achieve strong resilience of the software supply chain to cyberthreats and then propose a holistic end-to-end security approach for the software supply chain.

computer science, software engineering, hardware & architecture

Theresa Sobb,Benjamin Turnbull,Nour Moustafa

DOI: https://doi.org/10.3390/electronics9111864

IF: 2.9

2020-11-06

Electronics

Abstract:Supply chain 4.0 denotes the fourth revolution of supply chain management systems, integrating manufacturing operations with telecommunication and Information Technology processes. Although the overarching aim of supply chain 4.0 is the enhancement of production systems within supply chains, making use of global reach, increasing agility and emerging technology, with the ultimate goal of increasing efficiency, timeliness and profitability, Supply chain 4.0 suffers from unique and emerging operational and cyber risks. Supply chain 4.0 has a lack of semantic standards, poor interoperability, and a dearth of security in the operation of its manufacturing and Information Technology processes. The technologies that underpin supply chain 4.0 include blockchain, smart contracts, applications of Artificial Intelligence, cyber-physical systems, Internet of Things and Industrial Internet of Things. Each of these technologies, individually and combined, create cyber security issues that should be addressed. This paper explains the nature of the military supply chains 4.0 and how it uniquely differs from the commercial supply chain, revealing their strengths, weaknesses, dependencies and the fundamental technologies upon which they are built. This encompasses an assessment of the cyber risks and opportunities for research in the field, including consideration of connectivity, sensing and convergence of systems. Current and emerging semantic models related to the standardization, development and safety assurance considerations for implementing new technologies into military supply chains 4.0 are also discussed. This is examined from a holistic standpoint and through technology-specific lenses to determine current states and implications for future research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Muhammad Junaid Farooq,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1908.07828

2019-07-21

Cryptography and Security

Abstract:Supply chain is emerging as the next frontier of threats in the rapidly evolving IoT ecosystem. It is fundamentally more complex compared to traditional ICT systems. We analyze supply chain risks in IoT systems and their unique aspects, discuss research challenges in supply chain security, and identify future research directions.

Alberto Redondo,Alberto Torres-Barrán,David Ríos Insua,Jordi Domingo

DOI: https://doi.org/10.48550/arXiv.1911.11652

IF: 5.414

2019-11-26

Machine Learning

Abstract:Risk assessment is a major challenge for supply chain managers, as it potentially affects business factors such as service costs, supplier competition and customer expectations. The increasing interconnectivity between organisations has put into focus methods for supply chain cyber risk management. We introduce a general approach to support such activity taking into account various techniques of attacking an organisation and its suppliers, as well as the impacts of such attacks. Since data is lacking in many respects, we use structured expert judgment methods to facilitate its implementation. We couple a family of forecasting models to enrich risk monitoring. The approach may be used to set up risk alarms, negotiate service level agreements, rank suppliers and identify insurance needs, among other management possibilities.

Nusrat Zahan

DOI: https://doi.org/10.1109/ICSE-Companion58688.2023.00068

2023-05-01

Abstract:Sonatype has recorded an average 700% jump in software supply chain attacks [1], measured by the number of newly-published malicious packages in open-source repositories. The 2022 Synopsys report [2] assessed the reliance of the software industry on open-source software (OSS), and estimated that 97% of applications use OSS and 78% of the code comes from OSS. Practitioners did not anticipate how the software supply chain would become a deliberate attack vector and how the risk of the software supply chain would keep growing. Practitioners are more aware of the supply chain risks and want to know how to detect the implementation of package security practices and the security risk so they can make informed decisions to select dependencies for their projects. The goal of this research is to aid practitioners in producing more secure software products that are resistant to supply chain attacks through the identification and evaluation of actionable security metrics to detect risky components in the dependency graph. To achieve this goal, the thesis presents research on software security metrics evaluation in different ecosystems by leveraging software security frameworks, malicious attack vectors, and the OpenSSF Scorecard project to detect the implementation of secure practices and their significance to security outcomes.

Computer Science,Business,Engineering

Piergiorgio Ladisa,Serena Elisa Ponta,Antonino Sabetta,Matias Martinez,Olivier Barais

DOI: https://doi.org/10.48550/arXiv.2304.05200

2023-04-11

Abstract:This work discusses open-source software supply chain attacks and proposes a general taxonomy describing how attackers conduct them. We then provide a list of safeguards to mitigate such attacks. We present our tool "Risk Explorer for Software Supply Chains" to explore such information and we discuss its industrial use-cases.

Cryptography and Security,Software Engineering

Betul Gokkaya,Leonardo Aniello,Basel Halak

DOI: https://doi.org/10.48550/arXiv.2305.14157

2023-05-23

Cryptography and Security

Abstract:The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector. As the reliance of software projects on open-source or proprietary modules is increasing drastically, SSC is becoming more and more critical and, therefore, has attracted the interest of cyber attackers. While existing studies primarily focus on software supply chain attacks' prevention and detection methods, there is a need for a broad overview of attacks and comprehensive risk assessment for software supply chain security. This study conducts a systematic literature review to fill this gap. We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks, and we identify the security risks for open-source and third-party software supply chains. Furthermore, this study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks.

Amer Jazairy,Mazen Brho,Ila Manuj,Thomas J. Goldsby

DOI: https://doi.org/10.1108/ijpdlm-12-2023-0445

2024-09-06

International Journal of Physical Distribution & Logistics Management

Abstract:Purpose Despite the proliferation of cyberthreats upon the supply chain (SC) at large, knowledge on SC cybersecurity is scarce and predominantly conceptual or descriptive. Addressing this gap, this research examines the effect of SC cyber risk management strategies on integration decisions for cybersecurity (with suppliers, customers, and internally) to enhance the SC's cyber resilience and robustness. Design/methodology/approach A research model grounded in the supply chain risk management (SCRM) literature, with roots in the Dynamic Capabilities View and the Relational View, was developed. Survey responses of 388 SC managers at US manufacturers were obtained to test the model. Findings An impact of SC cyber risk management strategies on internal cyber integration was detected, which in turn impacted external cyber integration with both suppliers and customers. Further, a positive effect of internal and customer cyber integration on both cyber resilience and robustness was found, while cyber integration with suppliers impacted neither. Practical implications Industry practitioners may adapt certain risk management and integration strategies to enhance the cybersecurity posture of their SCs. Originality/value This research bridges between the established domain of SCRM and the emergent field of SC cybersecurity by forming and testing novel relationships between SCRM-rooted constructs tailored to an SC cyber risks context.

management

Timothy Kieras,Muhammad Junaid Farooq,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.2003.12363

2020-03-21

Abstract:Supply chain security threats pose new challenges to security risk modeling techniques for complex ICT systems such as the IoT. With established techniques drawn from attack trees and reliability analysis providing needed points of reference, graph-based analysis can provide a framework for considering the role of suppliers in such systems. We present such a framework here while highlighting the need for a component-centered model. Given resource limitations when applying this model to existing systems, we study various classes of uncertainties in model development, including structural uncertainties and uncertainties in the magnitude of estimated event probabilities. Using case studies, we find that structural uncertainties constitute a greater challenge to model utility and as such should receive particular attention. Best practices in the face of these uncertainties are proposed.

Cryptography and Security,Systems and Control

Zachary A. Collier,Joseph Sarkis

DOI: https://doi.org/10.1080/00207543.2021.1884311

IF: 9.018

2021-02-17

International Journal of Production Research

Abstract:The modern supply chain is characterised by an ill-defined and porous perimeter, allowing entry points for potential adversaries to intercept sensitive information and disrupt operations. Such supply chain attacks are increasing in frequency and their impacts can be costly to an organisation. Trust between supply chain partners is commonly thought to be a risk management tool, where increasing trust results in reduced risk. However, increased trust may actually expose the supply chain to more risk, not less. In this paper, we propose the concept of the zero trust supply chain. Originating in the field of information technology and cybersecurity, a zero trust philosophy assumes that all actors and activity are untrusted. In contrast to perimeter-based security, which attempts to keep adversarial actors out, a zero trust-based security posture assumes that adversaries are already inside the system, and therefore imposes strict access and authentication requirements. In this paper, we map zero trust concepts to the supply chain, and discuss the steps an organisation might take to transition to zero trust. We set forth a research agenda by examining zero trust through the lens of several organisational theories and propose a number of research propositions.

engineering, manufacturing, industrial,operations research & management science

Robert Ireland

DOI: https://doi.org/10.54648/gtcj2009044

2009-11-01

Global Trade and Customs Journal

Abstract:Prior to the terrorist attacks of 11 September 2001, customs controls related to national security threats did not feature highly on the policy priorities of the World Customs Organization’s (WCO). After 9/11 and implementation of several US Customs programs such as the Container Security Initiative (CSI) and the Customs-Trade Partnership Against Terrorism (C-TPAT), and regulations such as the 24-Hour Rule, the WCO began to focus much more of its work on supply chain security. This transition culminated in 2005 with the adoption of the WCO SAFE Framework of Standards to Secure and Facilitate Global Trade (SAFE Framework), a non-binding instrument comprised of technical customs standards aimed at securing without impeding international trade. This article will discuss the intricacies of the SAFE Framework including its history, political context, and technical elements (especially risk management and the Authorized Economic Operator (AEO) concept) and antecedents. This article will also consider the 2007 US legislation mandating 100% scanning of US-bound cargo containers at foreign ports that clouds and constrains the SAFE Framework’s future. The article concludes that policymakers should seek to avoid excess in formulating supply chain security policies.

William Enck,Laurie Williams,Samuel King,Angelos Stavrou

DOI: https://doi.org/10.1109/msec.2022.3142338

2022-03-01

Abstract:Software is complex, not only due to the code within a given project, but also due to the vast ecosystem of dependencies and transitive dependencies upon which each project relies. Recent years have observed a sharp uptick of attacks on the software supply chain spurring invigorated interest by industry and government alike. We held three summits with a diverse set of organizations and report on the top five challenges in software supply chain security.

computer science, information systems, software engineering

Anastasia Dimakopoulou,Konstantinos Rantos

DOI: https://doi.org/10.3390/jmse12060919

IF: 2.744

2024-05-31

Journal of Marine Science and Engineering

Abstract:As technology advances and digitalization becomes more prevalent in the industry, the cyber threats to maritime systems and operations have significantly increased. The maritime sector relies heavily on interconnected networks, communication systems, and sophisticated technologies for its operations, making it an attractive target for cybercriminals, nation-states, and other threat actors. Safeguarding the maritime sector against cyber threats is crucial to ensuring the safety, integrity, and efficiency of maritime operations as well as for protecting sensitive information and global trade. The International Maritime Organization (IMO) has played a significant role in addressing cybersecurity issues, leading to the implementation of regulations aimed at risk reduction. This paper delves into the realm of cybersecurity within the maritime industry, offering an in-depth analysis of its various aspects through an extensive literature review based on the latest Version 2.0 of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) functional areas. The primary objective is to establish a connection between research and NIST's functions and categories, thereby presenting a nascent perspective and identifying existing security research gaps. Through the adoption of this strategic approach, the present paper aims to cultivate a forward-looking and proactive state of maturity in anticipation of future developments within the maritime industry. The outcomes of this research can provide valuable reference points in academic discourse, potentially leading to new hypotheses, and fuel innovation in developing advanced cybersecurity measures within the maritime industry.

engineering, ocean,oceanography, marine

Robert E. Hiromoto,Michael Haney,Aleksandar Vakanski

DOI: https://doi.org/10.1109/idaacs.2017.8095118

2017-09-01

Abstract:We proposes the development of a cyber-secure, Internet of Things (IoT), supply chain risk management architecture. The proposed architecture is designed to reduce vulnerabilities of malicious supply chain risks by applying machine learning (ML), cryptographic hardware monitoring (CHM), and distributed system coordination (DSC) techniques to mitigate the consequences of unforeseen (including general component failure) threats. In combination, these crosscutting technologies will be integrated into Instrumentation-and-ControI/Operator-in-the-Loop (ICOL) architecture to learn normal and abnormal system behaviors. The detection of absolute or perceived abnormal system-component behaviors will trigger an ICOL alert that will require an operator's manual verification-response action (i.e., that the detected alert is, or is not a viable control system threat). The operator's verification-response will be fed back into the ML systems to recalibrate the perceived normal or abnormal state of the system's behavior.