Abstract
Threat actors are increasingly targeting extended supply chains and abusing client-supplier trust to conduct third-party compromise. Governments are concerned about targeted attacks against critical national infrastructures, where compromise can have significant adverse national consequences. In this paper we identify and review the advice and guidance offered by authorities in the UK, US, and the EU regarding Cyber Supply Chain Risk Management (C-SCRM). We then review the sector-specific guidance in the three regions for the chemical, energy, and water sectors, and assess the frameworks that each region's sectors offer organisations for their suitability for C-SCRM. Our results found a range of interpretations of "Supply Chain", which results in wide variation in the quantity and quality of advice offered by regional authorities, sectors, and their frameworks. This is exacerbated by the lack of a common taxonomy to support supply chain procurement and risk management, which has led to limited coverage in most C-SCRM programs. Our results highlight the need for a C-SCRM taxonomy and for systematic guidance (both general and sector-specific) so that controls can be deployed to mitigate supply chain risk. We provide an outline taxonomy based on our data analysis to promote further discussion and research.
| Field | Value |
|---|---|
| Original language | English |
| Article number | 102324 |
| Journal | Computers and Security |
| Volume | 108 |
| DOIs | |
| Publication status | Published - 7 Sept 2021 |
Bibliographical note
Funding Information: Colin Topping is the cyber incident director at Rolls-Royce PLC. He is also undertaking a part-time Ph.D. at the Bristol Cyber Security Research Group, University of Bristol, United Kingdom. This is funded by the National Cyber Security Centre. His principal research interest is cyber security within the supply chain in an ever-increasing global, technical, and interdependent environment.
Publisher Copyright:
© 2021 Elsevier Ltd
Keywords
- Common taxonomy
- Critical national infrastructure
- Cyber security
- Risk management
- Supply chain