Managing cyber-risk and security in the global supply chain · PhD Thesis: Managing cyber-risk and security in the global supply chain: Jan 8th, 2019 A systems approach to risk, structure

Managing cyber-risk and security in the global supply chain:

A systems analysis approach to risk, structure and behavior

Daniel A. Sepúlveda EstayPhD Thesis

Main Supervisor: Prof. Jesper Larsen, PhDCo-Supervisor: Prof. Omera Khan, PhD

2018Kongens Lyngby, Denmark

Jan 8th, 2019PhD Thesis: Managing cyber-risk and security in the global supply chain:A systems approach to risk, structure and behavior.

Daniel Sepulveda, PhD.• Researcher in Management Engineering Department at DTU.• Mechanical enginering undergraduate• MSc., in Industrial Engineering from Universidad Catolica de Chile• MSc., in Management Science esp. System Dynamics, Quantitative

Analysis and Real options, from MIT, USA.• PhD in Management Science, DTU

• Experience in Supply Chain Management for over 12 years• Industrial supply chain positions (both operational and strategic)• Experience in multinational companies in 5 continents (e.g.,

BHPBilliton, The Coca-Cola Company)• Managment of budgets of up to US$900 million• Negotiation of contracts of up to US$190 million• Lean Manufacturing Implementations, DWT,ISO, OHSAS, SCOR


Slide 3


Outline

Introduction

Thesis description

Methodology

Results

Implications to theory, academia and industry

Conclusions and future work

Slide 4


Cyber-attack

Slide 5

•“…offensive maneuver that targets computer information systems to either steal, alter, or

destroy…”

= ITCrawford, G.A., 1991. Information warefare: new roles for information systems in military operations


Slide 6

The dawn of the Stuxnet (2010)

Symptoms:

•Higher than usual equipment damage due to high rotation speeds

•Control systems showed nothing was wrong

•Damages result in equipment replacement


Slide 7

What Went wrong

Velocity Control

Centrifuge Rotation Speed

Control System (SCADA)

Cyber attacker

Sensor


Slide 8

Cyber-Physical Interaction

Hacker

Accident


Slide 9

Increasing problem

Rozados, I.V. and Tjahjono, B., 2014. Big data analytics in supply chain management: Trends and related research. In 6th International Conference on Operations and Supply Chain Management.

Average Cybersecurity Insurance Gross PremiumCybersecurity Breaches (2004-2013)

Rozados, I.V. and Tjahjono, B., 2014. Big data analytics in supply chain management: Trends and related research. In 6th International Conference on Operations and Supply Chain Management.

Data Types in a supply chain Variety versus Velocity/Volume


Research question

Slide 10

RQ: How can cybersecurity and cyber-resilience be managed in the global

supply chain?

Before Cyber-event

After Cyber-event


Research Questions

Slide 11


Research Questions

Slide 12


Literature Review

Slide 13

Supply Chain

(SCM)

Information Technology (ITM)

Risk & Resilience

(R&RM)

Supply chaincyber Risk & Resilience

Proposed Methodology:

1. Use a StructuredLiterature Review

2. Combined search of three domains

3. Framework of Systems thinking

4. Identification of Gaps


Literature ReviewDescriptive Analysis

Slide 14


Answer to RSQ 1

Slide 15

RSQ1: What are the supply chain cyber resilience frameworks published in literature?

Focal Concentric

Macroeconomic Evaluation

Systems Description

Time to compromise

Resource exhaustion

Epidemiological System Dynamics

Resilient architecture

Robust and resilient control

Four domains of cyber resilience

Plan absorb recover adapt cycle

Autonomous reconstitution

Attack graphs

Multi-network

Information-centric approach

5-layer networked architecture

WAMPAC

Descriptive16%

Normative72%Quantitative

12%

Papers in Sample: SCM – Descriptive: 50% IT – Quantitative: 60%

Events

Patterns

Structure


Gaps from SLR

Slide 16

Concept Gaps from SLRLong reporting cycle of incidents

Unreliable reporting of incidents

Underreporting of incidents

Mechanisms of action from cyber attack to operational disruption

Compartmentalization

Static frameworks

Historical frameworks

Suitability of methods

The people using the methods Knowledge Gap

The methods being used

The cyber-risks being managed


Research Questions

Slide 17


RSQ3: Sequence of Enquiry

Slide 18

1. Exploratory: What cyber-events with operational disruption have beenrecorded

2. Descriptive: How have these cyber-events resulted in Operational Disruption

3. Evaluative: How do these cyber-events differ from other SC risks?

RSQ3: How do cyber risks cause operational disruption in supply chains, and how does this differ from other supply chain risks?


1. Literature Review

2. Search beyondScientific Literature

3. Identify structuresthat lead to behavior

4. Compare to otherSC risks


RSQ3: Results

Slide 19


RSQ3.2: Analysis

Slide 20

Disruption from:

• Group 1: Active theft of assets

• Group 2: Passive theft of assets

• Group 3: Active product theft

• Group 4: Active interruption of operations

• Group 5: Passive interruption of operations

Operational disruption group Disruption type

Hacker protagonism Approach SC influence

Group 1 Theft of assets/resources Active Targeted DownstreamGroup 2 Theft of assets/resources Passive Non-targeted UpstreamGroup 3 Theft of Product Active Targeted DownstreamGroup 4 Interruption of operations Active Targeted DownstreamGroup 5 Interruption of operations Passive Non-targeted Upstream

Resources/Assets

Product

Operations


Example 1:Active Theft of Resources

Slide 21

Customer

Tesco Bank

Supplier

Payment Instruction

Balance Information

Payment

Product or service delivery

Hacker

Product or service delivery

Payment Instruction


Example 2:Passive Theft of Resources

Slide 22

Hacker

Payment

Payment Instruction

CFO

Bank

Supplier

Payment Order

Payment Confirmation

Product Delivery

CEO

WarehousePayment

Instruction

Leoni AG

Payment


Cyber vs. Non cyber risks

Slide 23

DimensionsCyber-risks to operations

Non-cyber-related operational risks

LatencyHigh latency, sometimes years (e.g., Stuxnet)

Low (Industrial Fire) to medium (Supplier financial stress)

Physical Location

Can affect multiple locations (e.g., Wannacry)

Localized

ComplexityCan affect many systems simultaneously

Limited complexity

Replication Perfect replication No replication

PerpetuityPerpetual until counter-action; unless programmed to end

No replication. can be perpetual (e.g., supplier financial stress)

Component versus Interaction risks

Interaction risksComponent risk (e.g., supplier, infrastructure, cargo)

AnonymityAnonymous unless explicit hacker declaration

Known perpetrator, traceable if not originally known

Operational uniqueness

of Cyber risks to SC

Latency

Physical Location

Complexity

ReplicationPerpetuity

Component vs Interaction

Anonymity


Research Questions

Slide 24


RSQ4: Systemic dynamics analysisof cyber risk

Slide 25

SLR Gaps

RSQ4: How can a systems approach be used to mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks and resilience in the supply chain?

Risks Resilience

RSQ4.1a

RSQ4.1b

RSQ4.2

Systemic riskanalysis

Comparison to an established riskanalysis method

System Dynamics simulation


RSQ4.1: Methodology

Slide 26

RSQ4.1a.- How can a systemic risk analysisapproach mitigate compartmentalization, static frameworks and historical dependencefor managing cyber risks in the supply chain?


1. Case 1 Study

2. Based on STPA SystemicRisk Analysis Method

3. Identify Unsafe Control Actions

4. Identify Requirements

5. Compare to traditionalRisk Analysis Method


RSQ4.1: Methodology

Slide 27


Define the System

IdentifyAccidents

IdentifyHazards

IdentifyControl Actions

IdentifyUnsafeControl Actions

IdentifyRequirements

Cyber-Risks


RQ4.1: Methodology

Slide 28

Hierarchical Control Diagram

A1 Erroneous arrival of product

A2 Erroneous payment to supplier

A3 Product loss

A4 Product integrity compromised

A5 Payment Loss

A6 Reputational Loss

Accidents



RQ4.1: Results

Slide 29

Symbol Name NumberACC Accidents 6HAZ Hazards 6CA Control Actions 27UCA Unsafe Control Actions 119

Definition: “Endogenous exposure is the property of a system of not fulfilling its objective because of the triggering, external or internal, of an internal design flaw”


CASE 2 STUDY DESCRIPTION


Scenario description

•Silicon Valley Company–60000 employees–12,2% operating margin

•Manufactures IoT devices6 months before launch:

•Federal Agency informs breach to IP•Theft of data to 15 of 30 product lines

–Projected Sales: 25% of total revenues for next 5 years

•Theft motives unclear


Scenario description

•Potential Implications–Discovery and exploitation of Design flaws–Implant of malicious code into new products

30 days after breach•IT Blogger indicates the reverse-engineering of the products.

•Alternatives could reach the market before the intended product launch


RQ4.2: Results

Slide 33

1

2

3

1. Incident triage Phase

2. Incident management Phase

3. Recovery phase


RQ4.2: Results

Feb20, 2018Slide 34 PhD Defense: Managing cyber-risk and security in the global supply chain:A systems approach to risk, structure and behavior.

Reference Mode


RQ4.2: SD Model



RQ4.2: Results


Reference Mode


Research Questions

Slide 37


Contributions to Theory

Mechanisms that contribute an ”accident” (i.e. Cyber event) Use of ”Structural Theory of Accidents” in Supply Chains Based on systems approach to accident analysis (*) Theory of ”Endogenous exposure” Systemic Theory of Cyber-resilience

Mechanisms that contribute to a resilient response Use of Systems Theory in SC Based on the System Dynamics approach to simulation

Description of Cyber-risks wrt. other SC risks Evidence for the need of the use of resilience theory beyond Risk analysis Theory of Resilience based on endogenous nature of cyber-risks

Shortcomings in the Case Study method e.g., Incomplete understanding of dynamics

Slide 38

(*)Leveson, N., 2004. A new accident model for engineering safer systems. Safety science, 42(4), pp.237-270.

Salmon, P.M., Cornelissen, M. and Trotter, M.J., 2012. Systems-based accident analysis methods: a comparison of Accimap, HFACS, and STAMP. Safety science, 50(4), pp.1158-1170.


Contributions to Industry

Slide 39

Strategic Prepare your organization for response Cyber-risks are fundamentally different from other SC risks System Dynamics method for resilient design Systemic risk analysis method for endogenous exposure identification

and measurement

Managers as organizational designers Beyond organizational executors Use of systems thinking tools

Consider Flexibility Options Redundancy Options Response times


Current work

Cyber-Ship project ”Cyber security in the shipping industry” Development of case studies with gathering of data Simulation of dynamic systems for policy formulation w.r.t cyber risks

Dissemination of the Systemic risk approach System Dynamics in management engineering education Research work and publications about the endogenous exposure

approach to resilience design.

Slide 40

Thank you

Documents

Managing cyber-risk and security in the global supply chain · PhD Thesis: Managing cyber-risk and security in the global supply chain: Jan 8th, 2019 A systems approach to risk, structure