Managing cyber-risk and security in the global supply chain:
A systems analysis approach to risk, structure and behavior
Daniel A. Sepúlveda Estay
PhD Thesis
Main Supervisor: Prof. Jesper Larsen, PhD
Co-Supervisor: Prof. Omera Khan, PhD
2018
Kongens Lyngby, Denmark
Jan 8th, 2019, PhD Thesis: Managing cyber-risk and security in the global supply chain: A systems approach to risk, structure and behavior.
Daniel Sepulveda, PhD.
• Researcher in Management Engineering Department at DTU.
• Mechanical engineering undergraduate
• MSc. in Industrial Engineering from Universidad Catolica de Chile
• MSc. in Management Science esp. System Dynamics, Quantitative Analysis and Real options, from MIT, USA.
• PhD in Management Science, DTU
• Experience in Supply Chain Management for over 12 years
• Industrial supply chain positions (both operational and strategic)
• Experience in multinational companies in 5 continents (e.g., BHPBilliton, The Coca-Cola Company)
• Management of budgets of up to US$900 million
• Negotiation of contracts of up to US$190 million
• Lean Manufacturing Implementations, DWT, ISO, OHSAS, SCOR
Slide 3
Outline
Introduction
Thesis description
Methodology
Results
Implications to theory, academia and industry
Conclusions and future work
Slide 4
Cyber-attack
Slide 5
• “…offensive maneuver that targets computer information systems to either steal, alter, or destroy…”
= IT
Crawford, G.A., 1991. Information warfare: new roles for information systems in military operations
Slide 6
The dawn of the Stuxnet (2010)
Symptoms:
• Higher than usual equipment damage due to high rotation speeds
• Control systems showed nothing was wrong
• Damages result in equipment replacement
Slide 7
What went wrong
Velocity Control
Centrifuge Rotation Speed
Control System (SCADA)
Cyber attacker
Sensor
Slide 8
Cyber-Physical Interaction
Hacker
Accident
Slide 9
Increasing problem
Rozados, I.V. and Tjahjono, B., 2014. Big data analytics in supply chain management: Trends and related research. In 6th International Conference on Operations and Supply Chain Management.
Average Cybersecurity Insurance Gross Premium
Cybersecurity Breaches (2004-2013)
Data Types in a supply chain: Variety versus Velocity/Volume
Research question
Slide 10
RQ: How can cybersecurity and cyber-resilience be managed in the global supply chain?
Before Cyber-event
After Cyber-event
Research Questions
Slide 11
Research Questions
Slide 12
Literature Review
Slide 13
Supply Chain (SCM)
Information Technology (ITM)
Risk & Resilience (R&RM)
Supply chain cyber Risk & Resilience
Proposed Methodology:
1. Use a Structured Literature Review
2. Combined search of three domains
3. Framework of Systems thinking
4. Identification of Gaps
Literature Review
Descriptive Analysis
Slide 14
Answer to RSQ 1
Slide 15
RSQ1: What are the supply chain cyber resilience frameworks published in literature?
Focal Concentric
Macroeconomic Evaluation
Systems Description
Time to compromise
Resource exhaustion
Epidemiological System Dynamics
Resilient architecture
Robust and resilient control
Four domains of cyber resilience
Plan absorb recover adapt cycle
Autonomous reconstitution
Attack graphs
Multi-network
Information-centric approach
5-layer networked architecture
WAMPAC
Descriptive 16%
Normative 72%
Quantitative 12%
Papers in Sample: SCM – Descriptive: 50%; IT – Quantitative: 60%
Events
Patterns
Structure
Gaps from SLR
Slide 16
Concept Gaps from SLR
Long reporting cycle of incidents
Unreliable reporting of incidents
Underreporting of incidents
Mechanisms of action from cyber attack to operational disruption
Compartmentalization
Static frameworks
Historical frameworks
Suitability of methods
The people using the methods
Knowledge Gap
The methods being used
The cyber-risks being managed
Research Questions
Slide 17
RSQ3: Sequence of Enquiry
Slide 18
1. Exploratory: What cyber-events with operational disruption have been recorded?
2. Descriptive: How have these cyber-events resulted in Operational Disruption?
3. Evaluative: How do these cyber-events differ from other SC risks?
RSQ3: How do cyber risks cause operational disruption in supply chains, and how does this differ from other supply chain risks?
Proposed Methodology:
1. Literature Review
2. Search beyond Scientific Literature
3. Identify structures that lead to behavior
4. Compare to other SC risks
RSQ3: Results
Slide 19
RSQ3.2: Analysis
Slide 20
Disruption from:
• Group 1: Active theft of assets
• Group 2: Passive theft of assets
• Group 3: Active product theft
• Group 4: Active interruption of operations
• Group 5: Passive interruption of operations
Operational disruption group | Disruption type | Hacker protagonism | Approach | SC influence
Group 1 | Theft of assets/resources | Active | Targeted | Downstream
Group 2 | Theft of assets/resources | Passive | Non-targeted | Upstream
Group 3 | Theft of Product | Active | Targeted | Downstream
Group 4 | Interruption of operations | Active | Targeted | Downstream
Group 5 | Interruption of operations | Passive | Non-targeted | Upstream
Resources/Assets
Product
Operations
Example 1: Active Theft of Resources
Slide 21
Customer
Tesco Bank
Supplier
Payment Instruction
Balance Information
Payment
Product or service delivery
Hacker
Product or service delivery
Payment Instruction
Example 2: Passive Theft of Resources
Slide 22
Hacker
Payment
Payment Instruction
CFO
Bank
Supplier
Payment Order
Payment Confirmation
Product Delivery
CEO
Warehouse
Payment Instruction
Leoni AG
Payment
Cyber vs. Non cyber risks
Slide 23
Dimensions | Cyber-risks to operations | Non-cyber-related operational risks
Latency | High latency, sometimes years (e.g., Stuxnet) | Low (Industrial Fire) to medium (Supplier financial stress)
Physical Location | Can affect multiple locations (e.g., Wannacry) | Localized
Complexity | Can affect many systems simultaneously | Limited complexity
Replication | Perfect replication | No replication
Perpetuity | Perpetual until counter-action; unless programmed to end | No replication. Can be perpetual (e.g., supplier financial stress)
Component versus Interaction risks | Interaction risks | Component risk (e.g., supplier, infrastructure, cargo)
Anonymity | Anonymous unless explicit hacker declaration | Known perpetrator, traceable if not originally known
Operational uniqueness of Cyber risks to SC: Latency, Physical Location, Complexity, Replication, Perpetuity, Component vs Interaction, Anonymity
Research Questions
Slide 24
RSQ4: Systemic dynamics analysis of cyber risk
Slide 25
SLR Gaps
RSQ4: How can a systems approach be used to mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks and resilience in the supply chain?
Risks Resilience
RSQ4.1a
RSQ4.1b
RSQ4.2
Systemic risk analysis
Comparison to an established risk analysis method
System Dynamics simulation
RSQ4.1: Methodology
Slide 26
RSQ4.1a: How can a systemic risk analysis approach mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks in the supply chain?
Proposed Methodology:
1. Case 1 Study
2. Based on STPA Systemic Risk Analysis Method
3. Identify Unsafe Control Actions
4. Identify Requirements
5. Compare to traditional Risk Analysis Method
RSQ4.1: Methodology
Slide 27
RSQ4.1a: How can a systemic risk analysis approach mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks in the supply chain?
Define the System
Identify Accidents
Identify Hazards
Identify Control Actions
Identify Unsafe Control Actions
Identify Requirements
Cyber-Risks
RQ4.1: Methodology
Slide 28
Hierarchical Control Diagram
A1 Erroneous arrival of product
A2 Erroneous payment to supplier
A3 Product loss
A4 Product integrity compromised
A5 Payment Loss
A6 Reputational Loss
Accidents
RSQ4.1a: How can a systemic risk analysis approach mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks in the supply chain?
RQ4.1: Results
Slide 29
Symbol | Name | Number
ACC | Accidents | 6
HAZ | Hazards | 6
CA | Control Actions | 27
UCA | Unsafe Control Actions | 119
Definition: “Endogenous exposure is the property of a system of not fulfilling its objective because of the triggering, external or internal, of an internal design flaw”
RSQ4.1a: How can a systemic risk analysis approach mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks in the supply chain?
CASE 2 STUDY DESCRIPTION
Scenario description
• Silicon Valley Company
  – 60000 employees
  – 12,2% operating margin
• Manufactures IoT devices
6 months before launch:
• Federal Agency informs breach to IP
• Theft of data to 15 of 30 product lines
  – Projected Sales: 25% of total revenues for next 5 years
• Theft motives unclear
Scenario description
• Potential Implications
  – Discovery and exploitation of Design flaws
  – Implant of malicious code into new products
30 days after breach
• IT Blogger indicates the reverse-engineering of the products.
• Alternatives could reach the market before the intended product launch
RQ4.2: Results
Slide 33
1. Incident triage Phase
2. Incident management Phase
3. Recovery phase
RQ4.2: Results
Slide 34
Feb 20, 2018, PhD Defense: Managing cyber-risk and security in the global supply chain: A systems approach to risk, structure and behavior.
Reference Mode
RQ4.2: SD Model
Slide 35
RQ4.2: Results
Slide 36
Reference Mode
Research Questions
Slide 37
Contributions to Theory
Mechanisms that contribute to an “accident” (i.e. Cyber event)
Use of “Structural Theory of Accidents” in Supply Chains
Based on systems approach to accident analysis (*)
Theory of “Endogenous exposure”
Systemic Theory of Cyber-resilience
Mechanisms that contribute to a resilient response
Use of Systems Theory in SC
Based on the System Dynamics approach to simulation
Description of Cyber-risks wrt. other SC risks
Evidence for the need of the use of resilience theory beyond Risk analysis
Theory of Resilience based on endogenous nature of cyber-risks
Shortcomings in the Case Study method
e.g., Incomplete understanding of dynamics
Slide 38
(*)Leveson, N., 2004. A new accident model for engineering safer systems. Safety science, 42(4), pp.237-270.
Salmon, P.M., Cornelissen, M. and Trotter, M.J., 2012. Systems-based accident analysis methods: a comparison of Accimap, HFACS, and STAMP. Safety science, 50(4), pp.1158-1170.
Contributions to Industry
Slide 39
Strategic
Prepare your organization for response
Cyber-risks are fundamentally different from other SC risks
System Dynamics method for resilient design
Systemic risk analysis method for endogenous exposure identification and measurement
Managers as organizational designers
Beyond organizational executors
Use of systems thinking tools
Consider
Flexibility Options
Redundancy Options
Response times
Current work
Cyber-Ship project “Cyber security in the shipping industry”
Development of case studies with gathering of data
Simulation of dynamic systems for policy formulation w.r.t. cyber risks
Dissemination of the Systemic risk approach
System Dynamics in management engineering education
Research work and publications about the endogenous exposure approach to resilience design.
Slide 40
Thank you