
    Cyber Security Threat Modeling for Supply Chain Organizational Environments

    Cyber security in a supply chain (SC) provides an organization with the secure network facilities it needs to meet its overall business objectives. The integration of technologies has improved business processes, increased production speed, and reduced distribution costs. However, the increased interdependencies among supply chain stakeholders have brought many challenges, including a lack of third-party audit mechanisms and cascading cyber threats. This has led to attacks such as manipulation of design specifications and alteration or manipulation during distribution. The aim of this paper is to investigate and understand supply chain threats. In particular, the paper contributes towards modeling and analyzing cyber supply chain (CSC) attacks and cyber threat reporting among supply chain stakeholders. We consider concepts such as goal, actor, attack, TTP, and threat actor that are relevant to the supply chain, threat model, and requirements domains, and model the attack using the widely known STIX threat model. The proposed model was analyzed using a running example of a smart grid case study and an algorithm to model the attack. A discrete probability method for calculating conditional probabilities was used to determine attack propagation and cascading effects, and the results showed that our approach effectively analyzed the threats. We recommend a list of CSC controls to improve the overall security of the studied organization.
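    The abstract describes propagating conditional compromise probabilities along a supply chain to find cascading effects but does not spell out the computation. The following Python is an added illustration of that idea, not the paper's own algorithm: it assumes the supply chain is a directed acyclic graph whose edges carry P(downstream compromised | upstream compromised), combines independent upstream paths with a noisy-OR, and uses constructed node names and probabilities loosely modelled on a smart-grid deployment.

```python
"""Attack propagation over a supply-chain dependency graph (added example).

Assumptions: DAG; edge u -> v carries P(v compromised | u compromised);
independent upstream paths combine by noisy-OR. All data is constructed.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

Edge = Tuple[str, str, float]  # (upstream, downstream, conditional probability)

# Constructed sample chain: vendors feed an integrator, which feeds the utility.
EDGES: List[Edge] = [
    ("firmware_vendor", "meter_integrator", 0.6),
    ("design_contractor", "meter_integrator", 0.3),
    ("meter_integrator", "utility_scada", 0.5),
    ("cloud_provider", "utility_scada", 0.2),
    ("utility_scada", "substation_controls", 0.7),
]


def topological_order(edges: Iterable[Edge]) -> List[str]:
    """Kahn's algorithm; raises if the dependency graph contains a cycle."""
    indegree: Dict[str, int] = defaultdict(int)
    succ: Dict[str, List[str]] = defaultdict(list)
    for u, v, _ in edges:
        indegree.setdefault(u, 0)
        indegree[v] += 1
        succ[u].append(v)
    queue = deque(sorted(n for n, d in indegree.items() if d == 0))
    order: List[str] = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for m in succ[n]:
            indegree[m] -= 1
            if indegree[m] == 0:
                queue.append(m)
    if len(order) != len(indegree):
        raise ValueError("dependency graph contains a cycle")
    return order


def propagate(edges: List[Edge], initial: Dict[str, float]) -> Dict[str, float]:
    """Return P(compromised) for every node.

    `initial` holds the probability that a node is compromised directly
    (1.0 for a vendor known to be breached). Each node's probability is
    1 - (1 - p_direct) * prod(1 - p_edge * P(upstream)) over its in-edges,
    evaluated in topological order so upstream values are already known.
    """
    incoming: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for u, v, p in edges:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"edge {u}->{v} has probability {p} outside [0, 1]")
        incoming[v].append((u, p))
    prob: Dict[str, float] = {}
    for node in topological_order(edges):
        survive = 1.0 - initial.get(node, 0.0)
        for u, p in incoming[node]:
            survive *= 1.0 - p * prob[u]
        prob[node] = 1.0 - survive
    return prob


def cascade_ranking(edges: List[Edge], initial: Dict[str, float]) -> List[Tuple[str, float]]:
    """Nodes ordered by compromise probability, highest first (ties by name)."""
    return sorted(propagate(edges, initial).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Scenario: the firmware vendor is known to be breached.
    for node, p in cascade_ranking(EDGES, {"firmware_vendor": 1.0}):
        print(f"{node:22s} {p:.3f}")
```

    The ranking is what a control selection would act on: with the firmware vendor breached, the integrator is the most exposed downstream node, and each further hop attenuates the probability by the edge's conditional value. Changing an edge probability (for instance, after adding a third-party audit step) and re-running shows how far the cascade is cut.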

    Defending Against Firmware Cyber Attacks on Safety-Critical Systems

    In the past, it was not possible to update the underlying software in many industrial control devices; engineering teams had to ‘rip and replace’ obsolete components. However, the ability to make firmware updates has provided significant benefits to the companies that use Programmable Logic Controllers (PLCs), switches, gateways and bridges, as well as an array of smart sensors and actuators. These updates include security patches when vulnerabilities are identified in existing devices; they can be distributed on physical media but are increasingly downloaded over Internet connections. These mechanisms pose a growing threat to the cyber security of safety-critical applications, as illustrated by recent attacks on safety-related infrastructure across Ukraine. Subsequent sections explain how malware can be distributed within firmware updates. Even when attackers cannot reverse engineer the code necessary to disguise their attack, they can undermine a device by forcing it into a constant upload cycle in which the firmware installation never terminates. In this paper, we present means of mitigating the risks of firmware attack on safety-critical systems as part of wider initiatives to secure national critical infrastructures. Technical solutions, including firmware hashing, must be augmented by organizational measures to secure the supply chain within individual plants, across companies and throughout safety-related industries.
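    The abstract names two attack paths (a malicious image delivered as an update, and a device forced into an install loop that never terminates) and one technical control, firmware hashing. The following Python is an added example of an update gate that covers both; it is not code from the paper. It assumes the device holds a pre-provisioned symmetric key (`KEY`) used to authenticate a JSON manifest with HMAC-SHA256; a real deployment would prefer an asymmetric signature so the key on the device cannot forge manifests. The image bytes, manifests and the `MAX_ATTEMPTS` limit are constructed.

```python
"""Firmware update gate for a PLC-class device (added example, not the paper's).

Assumptions: manifest authenticated with HMAC-SHA256 under a key provisioned
at manufacture; image integrity via SHA-256 digest named in the manifest;
monotonic version numbers; a retry budget per image so a stalled install
cannot loop forever. All images and manifests below are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict

KEY = b"example-device-provisioned-key"  # assumption: provisioned at manufacture
MAX_ATTEMPTS = 3  # installs of one image that may fail before the device stops


@dataclass
class DeviceState:
    installed_version: int
    # image digest -> number of installs of that image that did not complete
    failed_attempts: Dict[str, int] = field(default_factory=dict)


def _canonical(manifest: dict) -> bytes:
    """Deterministic encoding so vendor and device MAC the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image: bytes, version: int) -> dict:
    return {"version": version, "sha256": hashlib.sha256(image).hexdigest()}


def sign_manifest(manifest: dict, key: bytes = KEY) -> dict:
    """Vendor side: attach a MAC over the canonical manifest."""
    mac = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "mac": mac}


def check_update(image: bytes, signed: dict, state: DeviceState, key: bytes = KEY) -> str:
    """Device side: decide whether an offered image may be installed.

    Order matters: the manifest is authenticated first, so the digest and
    version fields are trusted before they are used for any decision.
    """
    manifest = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("mac", "")):
        return "reject: manifest authentication failed"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return "reject: image digest mismatch"
    if manifest["version"] <= state.installed_version:
        return "reject: rollback or replay"
    if state.failed_attempts.get(digest, 0) >= MAX_ATTEMPTS:
        # Breaks the never-terminating install cycle: stop retrying, escalate.
        return "quarantine: repeated install failure"
    return "accept"


def record_install_result(state: DeviceState, image: bytes, version: int, completed: bool) -> None:
    """Persist the outcome so a stalled install counts against that image."""
    digest = hashlib.sha256(image).hexdigest()
    if completed:
        state.installed_version = version
        state.failed_attempts.pop(digest, None)
    else:
        state.failed_attempts[digest] = state.failed_attempts.get(digest, 0) + 1


if __name__ == "__main__":
    img = b"\x7fPLC-FW" + bytes(range(64))  # constructed firmware image
    good = sign_manifest(build_manifest(img, 2))
    dev = DeviceState(installed_version=1)
    print(check_update(img, good, dev))            # accept
    print(check_update(img + b"\x00", good, dev))  # reject: image digest mismatch
```

    The retry counter is the part a hashing-only design lacks: an authentic, correctly hashed image that nevertheless never finishes installing (the loop the abstract describes) is refused after `MAX_ATTEMPTS` and surfaced to operators instead of being retried indefinitely. The counter and installed version must live in storage that survives the interrupted install, or the guard is lost on every reboot.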

    Rapid Mission Assurance Assessment via Sociotechnical Modeling and Simulation

    How do organizations rapidly assess command-level effects of cyber attacks? Leaders need a way of assuring themselves that their organization, people, and information technology can continue their missions in a contested cyber environment. To do this, leaders should: 1) require that assessments be more than analogical, anecdotal or simplistic snapshots in time; 2) demand the ability to rapidly model their organizations; 3) identify their organization's structural vulnerabilities; and 4) have the ability to forecast mission assurance scenarios. Using text mining to build agent-based dynamic network models of information processing organizations, I examine the impacts of contested cyber environments on three common focus areas of information assurance: confidentiality, integrity, and availability. I find that assessing the impacts of cyber attacks is a nuanced affair dependent on the nature of the attack, the nature of the organization and its missions, and the nature of the measurements. For well-manned information processing organizations, many attacks are in the nuisance range, and only multipronged or severe attacks cause meaningful failure. I also find that such organizations can design for resiliency, and I provide guidelines on how to do so.

    Cyber Security in Procurement of Third-Party Suppliers: A Case Study of the Norwegian Power Sector

    The Norwegian power sector is currently experiencing an increasingly complex supply chain, affected by digitalization. This case study examines how digitalization has changed the procurement of third-party suppliers of Information Technology (IT) and Operational Technology (OT), focusing on cyber security, in the Norwegian power sector. The thesis investigates why cyber security in current procurements of third-party suppliers is challenging, and how better decisions can be made in the procurement of third-party suppliers. Literature findings from our Systematic Literature Review (SLR) identify the need to explore procurement challenges related to cyber security in the Norwegian power sector. Qualitative research using Semi-Structured Interviews (SSI) was applied to acquire an in-depth understanding of participants' experiences of procurement. Our study includes a total of ten interviewees, divided into four segments of the Norwegian power sector: Production, Support System, Distribution System Operator (DSO) and Transmission System Operator (TSO). By analyzing our empirical findings and literature findings we demonstrate that there is a variety of cyber security challenges in the procurement of third-party suppliers. Most centrally, there is a lack of cyber security competence and low capacity of in-house expertise within the Norwegian power sector. Additionally, there is a lack of standardized requirements regarding cyber security in procurements of third-party suppliers. Certain Norwegian power companies are too small to make demands of larger third-party suppliers, making it challenging to apply the desired cyber security requirements. On this basis, it is recommended that the Norwegian power sector apply competence- and capacity-enhancing measures.

    Risk Assessment Framework for Evaluation of Cybersecurity Threats and Vulnerabilities in Medical Devices

    Medical devices are vulnerable to cybersecurity exploitation and, while they can provide improvements to clinical care, they can put healthcare organizations and their patients at risk of adverse impacts. Evidence has shown that the proliferation of devices on medical networks presents cybersecurity challenges for healthcare organizations because of the devices' lack of built-in cybersecurity controls and the inability of organizations to implement security controls on them. The negative impacts of cybersecurity exploitation in healthcare can include the loss of patient confidentiality, risk to patient safety, negative financial consequences for the organization, and loss of business reputation. Assessing the risk of vulnerabilities and threats to medical devices can inform healthcare organizations in prioritizing resources to reduce risk most effectively. In this research, we build upon a database-driven approach to risk assessment that is based on the elements of threat, vulnerability, asset, and control (TVA-C). We contribute a novel framework for the cybersecurity risk assessment of medical devices. Using a series of papers, we answer questions related to the risk assessment of networked medical devices. We first conducted a case study empirical analysis that determined the scope of security vulnerabilities in a typical computerized medical environment. We then created a cybersecurity risk framework to identify threats and vulnerabilities to medical devices and produce a quantified risk assessment. These results supported actionable decision making at the managerial and operational levels of a typical healthcare organization. Finally, we applied the framework using a data set of medical devices received from a partnering healthcare organization. We compare the assessment results of our framework to those of a commercial risk assessment vulnerability management system used to analyze the same assets.
    The study also compares our framework results to the NIST Common Vulnerability Scoring System (CVSS) scores related to identified vulnerabilities reported through the Common Vulnerabilities and Exposures (CVE) program. As a result of these studies, we recognize several contributions to the area of healthcare cybersecurity. To begin with, we provide the first comprehensive vulnerability assessment of a robotic surgical environment, using a da Vinci surgical robot along with its supporting computing assets. This assessment supports the assertion that networked computer environments are at risk of being compromised in healthcare facilities. Next, our framework, known as MedDevRisk, provides a novel method for risk quantification. In addition, our assessment approach uniquely considers the assets that are of value to a medical organization, going beyond the medical device itself. Finally, our incorporation of risk scenarios into the framework represents a novel approach to medical device risk assessment, synthesized from other well-known standards. To our knowledge, our research is the first to apply a quantified assessment framework to the problem area of healthcare cybersecurity and networked medical devices. We conclude that a reduction in the uncertainty about the riskiness of the cybersecurity status of medical devices can be achieved using this framework.

    Cybersecurity for Manufacturers: Securing the Digitized and Connected Factory

    As manufacturing becomes increasingly digitized and data-driven, manufacturers will find themselves at serious risk. Although there has yet to be a major successful cyberattack on a U.S. manufacturing operation, threats continue to rise. The complexities of multi-organizational dependencies and data management in modern supply chains mean that vulnerabilities are multiplying. There is widespread agreement among manufacturers, government agencies, cybersecurity firms, and leading academic computer science departments that U.S. industrial firms are doing too little to address these looming challenges. Unfortunately, manufacturers in general do not see themselves as being at particular risk. This lack of recognition of the threat may represent the greatest risk of cybersecurity failure for manufacturers. Public and private stakeholders must act before a significant attack on U.S. manufacturers provides a wake-up call. Cybersecurity for the manufacturing supply chain is a particularly serious need. Manufacturing supply chains are connected, integrated, and interdependent; security of the entire supply chain depends on security at the local factory level. Increasing digitization in manufacturing, especially with the rise of Digital Manufacturing, Smart Manufacturing, the Smart Factory, and Industry 4.0, combined with broader market trends such as the Internet of Things (IoT), exponentially increases connectedness. At the same time, the diversity of manufacturers, from large, sophisticated corporations to small job shops, creates weakest-link vulnerabilities that can be addressed most effectively by public-private partnerships. Experts consulted in the development of this report called for more holistic thinking in industrial cybersecurity: improvements to technologies, management practices, workforce training, and learning processes that span units and supply chains.
    Solving the emerging security challenges will require commitment to continuous improvement, as well as investments in research and development (R&D) and threat-awareness initiatives. This holistic thinking should be applied across interoperating units and supply chains.

    National Science Foundation, Grant No. 1552534
    https://deepblue.lib.umich.edu/bitstream/2027.42/145442/1/MForesight_CybersecurityReport_Web.pd

    Cyber warfare: threats and opportunities

    Report submitted to Universidade Fernando Pessoa as part of the requirements of the Post-Doctoral programme in Information Science.

    Cybersecurity has gone through several changes that have presented new challenges in recent years, complicated by the rise of cybercrime and digital warfare. With the militarization of the space domain, it has become apparent that we must consider multidomain concepts. Thus, the threat landscape has again shifted, and defenders must become knowledgeable about how the cyber domain crosses into maritime, land, air, and space. The traditional thinking of protecting enterprise systems locked away in a building no longer holds. Thus, we have the emergence of cyber warfare and of cyber as a fifth domain that brings together maritime, land, space, and air. These domains are not just for the military but for the civilian sector as well. Understanding the role of cyber and how it can be used to take advantage of or secure the remaining domains will give entities the upper hand in strategy. The technological advancements that pave the way to the mass implementation of the Internet of Things (IoT) and Internet connectivity for everyday devices have led to an explosion in cyberattacks, such as breaches resulting in millions of accounts being compromised (Dawson, Eltayeb, & Omar, 2016). Bad actors, such as those focused on criminal activities involving human trafficking and espionage, navigate these domains to circumvent law enforcement agencies globally. We must understand how exploitation, circumvention, and defense need to occur in a multidomain concept. However, knowing that the cyber domain runs through land, maritime, space, and air, it can serve as a central point for realizing assured security. Executive Orders (EO), laws, policies, doctrine, and other directives have shaped the landscape of cybersecurity.
    New EOs have been released that allow a cyber-attack to be met with responsive measures, including ones that involve military force. Laws have been created that impose rights for Personal Identifiable Information (PII) that is breached, leaving millions of individuals unprotected. One of the most well-known of these is the General Data Protection Regulation (GDPR), as it relates to the European Union (EU) and the evolving threats of hyperconnectivity (Martínez, 2019a; Martínez, 2019b). Understanding the role of cybercrime and digital warfare, and how they continue to shape the technological landscape, is critical. These various actions change the spectrum for combating nefarious actors or design errors that leave systems susceptible. As attacks from bad actors such as nation-states, terrorists, and other entities continue to rise, it is essential to understand the threat landscape and select cybersecurity methodologies that can be put in place to provide adequate measures. This document presents the work from a post-doctoral project that provides a perspective on cybersecurity from an information science viewpoint. This six-month project made it possible to stress the broad importance of information and its management (not just within the information security context), and the urgent need to deal with cybersecurity as a societal challenge. The document is organized in four main chapters presenting different but complementary issues, going from a high level to a more operational level: National Cybersecurity Education: Bridging Defense to Offense, stressing the importance of societal awareness and education; Emerging Technologies in the Fourth Industrial Revolution, stressing the importance of treating cybersecurity issues as core ones, even in economic and production areas; and Nefarious Activities within the Deep Layers of the Internet, stressing the need to be present in the digital places where information is traded, shared and, sometimes, even created.
    The fourth chapter, Software Security Considerations, provides a few hints and issues related to software development and testing. A final section, Final Thoughts, presents several remarks closing the work and pointing out some of the current challenges that we are facing.

    Zero Trust and Advanced Persistent Threats: Who Will Win the War?

    Advanced Persistent Threats (APTs) are state-sponsored actors who break into computer networks for political or industrial espionage. Because of the nature of cyberspace and ever-changing, sophisticated attack techniques, it is challenging to prevent and detect APT attacks. The 2020 United States Federal Government data breach once again showed how difficult it is to protect networks from targeted attacks. Among many other solutions and techniques, zero trust is a promising security architecture that might effectively prevent the intrusion attempts of APT actors. In the zero trust model, no process inside or outside the network is trusted by default. Zero trust is also called perimeterless security to indicate that it shifts the focus from network devices to assets. All processes are required to verify themselves to access resources. In this paper, we focus on APT prevention. We sought an answer to the question: could the 2020 United States Federal Government data breach have been prevented if the attacked networks had used a zero trust architecture? To answer this question, we used MITRE's ATT&CK® framework to extract how the APT29 threat group's techniques could be mitigated to prevent initial access to federal networks. Secondly, we listed the basic constructs of the zero trust model using NIST Special Publication 800-207 and several other academic and industry resources. Finally, we analyzed how zero trust can prevent malicious APT activities. We found that zero trust has strong potential to prevent APT attacks or mitigate them significantly. We also suggest that vulnerability scanning, application developer guidance, and training should not be neglected in zero trust implementations, as they are not explicitly or strongly mentioned in NIST SP 800-207 and are among the most frequently referenced controls in academic and industry publications.
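    As an added illustration of the per-request verification the abstract describes (not code from the paper or from NIST SP 800-207), the following Python contrasts a legacy perimeter rule with a zero trust decision. The subjects, device posture flags, resources and grants are constructed; in a real deployment the token and posture checks would call an identity provider and a device inventory rather than read booleans off the request.

```python
"""Per-request access decision: perimeter rule versus zero trust (added example).

Assumptions: identity is re-verified per request (token_valid), device
posture is attested by device management (device_compliant), and access is
granted only through explicit (subject, resource) -> actions entries.
Network location is carried on the request only to show that the zero
trust decision ignores it. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Request:
    subject: str
    token_valid: bool        # identity verified for this specific request
    device_compliant: bool   # posture attested (patched, managed, not jailbroken)
    source_network: str      # "corp-lan" or "internet"
    resource: str
    action: str


# Explicit, resource-scoped grants; anything absent here is denied.
GRANTS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "hr-db"): {"read"},
    ("svc-build", "artifact-repo"): {"read", "write"},
}


def perimeter_decide(req: Request) -> Tuple[bool, str]:
    """Legacy rule: whatever is already on the internal network is trusted."""
    if req.source_network == "corp-lan":
        return True, "allow: inside perimeter"
    return False, "deny: outside perimeter"


def zero_trust_decide(req: Request) -> Tuple[bool, str]:
    """Every request is verified on its own; network location carries no weight."""
    if not req.token_valid:
        return False, "deny: identity not verified"
    if not req.device_compliant:
        return False, "deny: device posture failed"
    allowed = GRANTS.get((req.subject, req.resource), set())
    if req.action not in allowed:
        return False, "deny: no explicit grant for this action on this resource"
    return True, "allow: verified subject, compliant device, scoped grant"


def compare(req: Request) -> Dict[str, bool]:
    """Side-by-side outcome of both models for one request."""
    return {"perimeter": perimeter_decide(req)[0],
            "zero_trust": zero_trust_decide(req)[0]}


if __name__ == "__main__":
    # An implant on a compromised workstation moving laterally inside the LAN:
    # no fresh identity proof, device out of compliance, but "inside".
    lateral = Request("alice", False, False, "corp-lan", "hr-db", "read")
    print(compare(lateral))   # {'perimeter': True, 'zero_trust': False}
    # A legitimate user on a managed laptop working from outside.
    remote = Request("alice", True, True, "internet", "hr-db", "read")
    print(compare(remote))    # {'perimeter': False, 'zero_trust': True}
```

    The two sample requests are the point of the contrast: the perimeter rule lets the lateral-movement request through because it arrives from the LAN, while the zero trust decision denies it for lack of per-request identity proof and device posture, and conversely admits the verified remote user the perimeter rule would block. The grant table also enforces least privilege: a verified `alice` on a compliant device still cannot write to `hr-db`.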

    Connected vehicles:organizational cybersecurity processes and their evaluation

    Abstract. Vehicles have become increasingly network-connected cyber-physical systems, and they are vulnerable to cyberattacks. In the wake of multiple vehicle hacks, the automotive industry and governments have recognized the critical need for cybersecurity to be integrated into the vehicle development framework and for manufacturers to be involved in managing the whole vehicle lifecycle. The United Nations Economic Commission for Europe (UNECE) WP.29 (World Forum for Harmonization of Vehicle Regulations) committee published in 2021 two new regulations for road vehicle type approval: R155 for cybersecurity and R156 for software updates. The latter also affects agricultural vehicle manufacturers, which is the empirical context of this study. A new cybersecurity engineering standard from the International Standardization Organization (ISO) and Society of Automotive Engineers (SAE) organizations also changes organizations' risk management frameworks. Vehicle manufacturers must think about security from an entirely new standpoint: how to reduce the vehicle cybersecurity risk to other road users. This thesis investigates automotive regulations and standards related to cybersecurity, and cybersecurity management processes. The methodology of the empirical part is design science, which is a suitable method for the development of new artifacts and solutions. This study developed an organization status evaluation tool in the form of a questionnaire. Stakeholders can use the tool to collect information about organizational capabilities for a comprehensive vehicle cybersecurity management process. As its main result, this thesis provides basic information on cybersecurity principles and processes for cybersecurity management, and an overview of current automotive regulation and automotive cybersecurity related standards.

    Finnish title: Verkotetut ajoneuvot: organisaation kyberturvallisuusprosessit ja niiden arviointi. Abstract (translated from Finnish).
    Vehicles have become cyber-physical systems connected to data networks and exposed to cyberattacks. Vehicle hacks made governments and the vehicle industry realize that cybersecurity must be integrated into the vehicle development environment and that manufacturers must be brought in to manage the vehicle's whole lifecycle. In 2021, the members of the United Nations Economic Commission for Europe (UNECE) WP.29 (World Forum for Harmonization of Vehicle Regulations) committee published two new type-approval regulations for road vehicles: R155 on cybersecurity and R156 on software updates, of which the latter also affects manufacturers of agricultural vehicles. A new cybersecurity engineering standard prepared jointly by the International Standardization Organization (ISO) and the Society of Automotive Engineers (SAE) also changes organizations' risk management. Vehicle manufacturers must consider security from an entirely new standpoint: how to reduce the cybersecurity risk that vehicles pose to other road users. This thesis studies automotive regulations and standards related to cybersecurity, as well as cybersecurity management processes. The empirical part of the work concerns a company specializing in agricultural vehicles. The methodology of the empirical part is design science, which is suited to developing new artifacts and solutions. In the empirical part, a new evaluation tool was developed with which stakeholders can collect information about an organization's readiness to manage vehicle cybersecurity. This thesis provides background on cybersecurity principles and cybersecurity management processes, as well as an overview of current automotive regulation and cybersecurity-related vehicle standards.