OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Towards a New Supply Chain Cybersecurity Risk Analysis Technique

Technical Report · DOI: https://doi.org/10.2172/1877401 · OSTI ID: 1877401

Supply chain cyber-attacks, such as the SolarWinds Orion attack, are occurring with greater frequency. These attacks compromise a digital device before it is sent to customers, bypassing traditional security controls to remain persistent and undetected in operational environments. While supply chain attacks are prevalent, methods for analyzing the risk of these attacks are currently unavailable. This paper proposes new supply chain cyber-attack difficulty and risk metrics to evaluate the relative risk of an attack throughout the supply chain lifecycle. Difficulty metrics for each stakeholder in a digital device’s supply chain (e.g., hardware manufacturing, firmware development, software development, storage, and distribution entities) are calculated using scores from cybersecurity maturity questionnaires in a Bayesian Network leaky Noisy-MAX model. These difficulty metrics are then used to calculate an overall supply chain cyber-attack risk. Vulnerability and recoverability metrics are also proposed to evaluate the relative stakeholder influence in the attack risk. These proposed relative risk metrics enable continuous supply chain monitoring, provide decision-makers with information necessary for improved supplier selection, and help drive improvements in the cybersecurity posture of the stakeholders in their supply chain.

Research Organization:
Idaho National Laboratory (INL), Idaho Falls, ID (United States)
Sponsoring Organization:
USDOE Office of Nuclear Energy (NE)
DOE Contract Number:
AC07-05ID14517
OSTI ID:
1877401
Report Number(s):
INL/EXT-21-64089-Rev000; TRN: US2308576
Country of Publication:
United States
Language:
English