Beware suppliers bearing gifts! Analysing coverage of supply chain cyber security in critical national infrastructure sectorial and cross-sectorial frameworks

Colin Topping*, Andrew Dwyer, Ola Michalec, Barnaby Craggs, Awais Rashid

*Corresponding author for this work

Research output: Contribution to journal, Article (Academic Journal), peer-review

15 Citations (Scopus)

Abstract

Threat actors are increasingly targeting extended supply chains and abusing client-supplier trust to conduct third-party compromise. Governments are concerned about targeted attacks against critical national infrastructures, where compromise can have significant adverse national consequences. In this paper we identify and review advice and guidance offered by authorities in the UK, US, and the EU regarding Cyber Supply Chain Risk Management (C-SCRM). We then conduct a review of sector-specific guidance in the three regions for the chemical, energy, and water sectors, and assess the suitability for C-SCRM of the frameworks that each region's sector offers organisations. Our results found a range of interpretations of "Supply Chain", which resulted in a diversity in the quantity and quality of advice offered by regional authorities, sectors, and their frameworks. This is exacerbated by the lack of a common taxonomy to support supply chain procurement and risk management, which has led to limited coverage in most C-SCRM programs. Our results highlight the need for a taxonomy regarding C-SCRM and systematic guidance (both general and sector-specific) to enable controls to be deployed to mitigate supply chain risk. We provide an outline taxonomy based on our data analysis to promote further discussion and research.
Original language: English
Article number: 102324
Journal: Computers and Security
Volume: 108
DOIs
Publication status: Published - 7 Sept 2021

Bibliographical note

Funding Information:
Colin Topping is the cyber incident director at Rolls-Royce PLC. He is also undertaking a part-time Ph.D. at the Bristol Cyber Security Research Group, University of Bristol, United Kingdom. This is funded by the National Cyber Security Centre. His principal research interest is focused on cyber security within the supply chain in an ever increasing global, technical, and interdependent environment.

Publisher Copyright:
© 2021 Elsevier Ltd

Keywords

  • Common taxonomy
  • Critical national infrastructure
  • Cyber security
  • Risk management
  • Supply chain
