Posts

Presentation and Podcast: The Underestimated Risk of Cyber Supply Chain Attacks

Presentation:

The Brandenburg Institute for Society and Security in Potsdam, Germany regularly organises so-called PizzaSeminars, which offer participants the opportunity to discuss an interesting presentation on a current issue while enjoying a slice of pizza. Esther Kern and Alexander Szanto used the first in-person seminar of the year to present their research from the Cyberfactory#1 project: Cyberattacks on supply chains and their financial impact. The PizzaSeminar took place on the 19th of August 2021 in Berlin.

Click here to access the slides (in German).

Podcast:

The discussion from the presentation has been turned into a podcast moderated by Dr. Tim Stuchtey to be made available to those who were unable to attend the PizzaSeminar. The episode is part of the series “Sicher das? – Der BIGS-Podcast zur Sicherheitsforschung” published by the Brandenburg Institute for Society and Security.

Click here to access the podcast (in German).

Topic:

Although some serious security gaps remain, many companies now perceive IT and cyber security as part of their risk management. However, the quality of the technical and organizational measures and the available budget vary considerably. This is partly due to a lack of awareness of certain security issues at the decision-making levels and to how costs and benefits are assessed. IT and cyber security often goes unrecognized in everyday work, and when it is noticed, then only as an additional workload. What companies do perceive, however, is the damage that occurs when their own company is affected.

Dealing with supply chain attacks is not a new issue, but one that is still often underestimated. Supply chain attacks are often not taken into account in risk assessments, and so the opportunity is missed to identify dependencies, build up suitable redundancies and better protect both interfaces and vulnerabilities of suppliers.

In cyber supply chain attacks, attackers target vulnerabilities in supply chains for their malicious purposes. On December 13, 2020, FireEye reported the discovery of a widespread supply chain attack in which updates to SolarWinds' Orion business software were trojanized to spread malware. Orion is an IT monitoring and management software used by the vast majority of Fortune 500 companies, as well as many government agencies. Affected entities include government agencies as well as organizations in the consulting, technology, telecommunications, healthcare and oil and gas industries on four continents. According to SolarWinds, the vulnerability is likely the result of a sophisticated, targeted and manual supply chain attack by an unknown nation-state.

In its 2019 Internet Security Threat Report, Symantec reported a 78% increase in supply chain attacks in 2018, with the top 20 observed groups being particularly active. Well-known groups such as Dragonfly have been targeting suppliers to gain access to specific companies since 2011, with the targets in this case primarily located in the energy sector.

Against this background, BIGS, in cooperation with VTT Finland, has taken a closer look at the ecosystem of supply chains and considered the financial impact of attacks on them.

Management of Cyber Security Threats in the Factories of the Future Supply Chains

Abstract

Today there are numerous Factories of the Future initiatives delivering different Industry 4.0 applications to manufacturing industry supply chains. However, in the future, the Factory of the Future is not going to be a simple manufacturing asset, nor a sum of isolated assets. Instead, it will comprise a network of factories, which is considered in a System of Systems approach. The current challenge is to propose novel architectures, technologies and methodologies to optimize the level of efficiency and security of this System of Systems in a context where every step towards digitization exposes the manufacturing process to a widening array of cyber threats. This paper discusses the management of cyber threats in System of Systems operations and supply chains. The next generation Systems of Systems use different technologies in combination with human aspects from workers, managers, entrepreneurs and decision makers. In addition, economically there are limitations on how much to invest in different technologies and human aspects. In addition, monetary and financial flows are under the burden of cyber risks. This study will therefore embrace the technical, economic and human dimensions at once. This study is based on a European-wide multi-national research project, the aim of which is to define – through different use-cases – the preventive and reactive capabilities to address cyber and physical threats and safety concerns in System of Systems. The study indicates different cyber challenges related to the future manufacturing business and operational models, with special attention to the “as-a-service” business model. The paper also indicates initial managerial and practical views on the management of cyber threats in future business models.

Access to Document

OSCM_2019_paper_29

Authors

Jukka Hemilä (VTT), Markku Mikkola (VTT), Jarno Salonen (VTT)

Conference

9th International Conference on Operations and Supply Chain Management, OSCM 2019 – RMIT University, Ho Chi Minh City, Vietnam
Duration: 15 Dec 2019 → 18 Dec 2019
Conference number: 9

ISBN (Electronic)

978-602-7060-47-0

Cite this

Hemilä, J., Mikkola, M., & Salonen, J. (2019). Management of Cyber Security Threats in the Factories of the Future Supply Chains. In Proceedings of the 9th International Conference on Operations and Supply Chain Management, Vietnam, 2019 Vietnam.