Skip to main content
Disciplines
Automotive Business IT + Informatics Construction + Real Estate Electrical Engineering + Electronics Energy + Sustainability Insurance + Risk Finance + Banking Management + Leadership Marketing + Sales Mechanical Engineering + Materials
Events
DE
EN
Books
Journals
Topic Page
Marketing
Start single access now
Access for companies
EXTENDED SEARCH
Log in
Top
Published in:
IoT and Supply Chain Security Read chapter Read first chapter

2022 | OriginalPaper | Chapter

2. Risk Modeling and Analysis

Authors : Tim Kieras, Junaid Farooq, Quanyan Zhu

Published in: IoT Supply Chain Security Risk Analysis and Mitigation

Publisher: Springer International Publishing

Log in

Activate our intelligent search to find suitable subject content or patents.

search-config
loading …

Abstract

Securing the supply chain of information and communications technology (ICT) has recently emerged as a critical concern for national security and integrity. With the proliferation of Internet of Things (IoT) devices and their increasing role in controlling real world infrastructure, there is a need to analyze risks in networked systems beyond established security analyses. Existing methods in literature typically leverage attack and fault trees to analyze malicious activity and its impact. In this chapter, we develop a security risk assessment framework borrowing from system reliability theory to incorporate the supply chain. We also analyze the impact of grouping within suppliers that may pose hidden risks to the systems from malicious supply chain actors. The results show that the proposed analysis is able to reveal hidden threats posed to the IoT ecosystem from potential supplier collusion.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

inform now
previous chapter IoT and Supply Chain Security
next chapter Risk Mitigation Decisions
Footnotes
1
Hierarchical decomposition refers to a process that takes a component in a system and considers it as a system in itself, returning subsystems and additional components.
 
2
In other words, given two dependencies a, b ∈ D, there may be some node x such that x ∈ Da and x ∈ Db. In such a case it would be invalid to compute (D) simply from the suppliers of a and b, denoted by sa and sb respectively, because sa and sb are not independent.
 
3
The precise legal relationships that may constitute a supplier group are left unspecified here, but may include ownership, partnership, or membership in joint ventures or cartels whether legally recognized or not.
 
Literature
1.
C.K. Wu, K.F. Tsang, Y. Liu, H. Zhu, Y. Wei, H. Wang, T.T. Yu, Supply chain of things: A connected solution to enhance supply chain productivity. IEEE Communications Magazine 57(8), 78–83 (2019)CrossRef
2.
C. Folk, D.C. Hurley, W.K. Kaplow, J.F.X. Payne, The security implications of the Internet of things, AFCEA International Cyber Committee, Gaithersburg, MD, Tech. Rep. (2015)
3.
A. Levite, ICT supply chain integrity: Principles for governmental and corporate policies (2019)
4.
C.S. Tang, Perspectives in supply chain risk management. Int. J. Prod. Econ. 103(2), 451–488 (2006)CrossRef
5.
T. Omitola, G. Wills, Towards mapping the security challenges of the Internet of things (IoT) supply chain. Procedia Comput. Sci. 126, 441–450 (2018)CrossRef
6.
R.E. Hiromoto, M. Haney, A. Vakanski, A secure architecture for IoT with supply chain risk management, in 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS 2017), vol. 1 (2017), pp. 431–435
7.
C. Nissen, J. Gronager, R. Metzger, H. Rishikof, Deliver uncompromised: A strategy for supply chain security and resilience in response to the changing character of war, Mitre Corporation, Tech. Rep. (2018)
8.
J. Boyens, C. Paulsen, R. Moorthy, N. Bartol, Supply chain risk management practices for federal information systems and organizations, National Institute of Standards and Technology, Gaithersburg, MD, Tech. Rep. (2015)
9.
K. Boeckl, M. Fagan, W. Fisher, N. Lefkovitz, K.N. Megas, E. Nadeau, B. Piccarreta, D.G. O’Rourke, K. Scarfone, Considerations for managing Internet of things (IoT) cybersecurity and privacy risks, National Institute of Standards and Technology, Gaithersburg, MD, Tech. Rep. (2019)
10.
11.
B. Kordy, L. Piètre-Cambacédès, P. Schweitzer, DAG-based attack and defense modeling: Don’t miss the forest for the attack trees. Comput. Sci. Rev. 13, 1–38 (2014)CrossRef
12.
W. Xiong, R. Lagerström, Threat modeling–a systematic literature review. Comput. Secur. 84, 53 (2019)CrossRef
13.
R. Zimmerman, Q. Zhu, F. de Leon, Z. Guo, Conceptual modeling framework to integrate resilient and interdependent infrastructure in extreme weather. J. Infrastructure Syst. 23(4), 04017034 (2017)
14.
R. Zimmerman, Q. Zhu, C. Dimitri, Promoting resilience for food, energy, and water interdependencies. J. Environ. Stud. Sci. 6(1), 50–61 (2016)CrossRef
15.
R. Zimmerman, Q. Zhu, C. Dimitri, A network framework for dynamic models of urban food, energy and water systems (fews). Environ. Prog. Sustain. Energy 37(1), 122–131 (2018)CrossRef
16.
L. Huang, J. Chen, Q. Zhu, A large-scale Markov game approach to dynamic protection of interdependent infrastructure networks, in International Conference on Decision and Game Theory for Security (Springer, 2017), pp. 357–376
17.
L. Huang, J. Chen, Q. Zhu, Distributed and optimal resilient planning of large-scale interdependent critical infrastructures, in 2018 Winter Simulation Conference (WSC) (IEEE, 2018), pp. 1096–1107
18.
L. Huang, J. Chen, Q. Zhu, A factored MDP approach to optimal mechanism design for resilient large-scale interdependent critical infrastructures, in 2017 Workshop on Modeling and Simulation of Cyber-Physical Energy Systems (MSCPES) (IEEE, 2017), pp. 1–6
19.
B. Schneier, Attack trees: A formal, methodical way of describing the security of systems, based on varying attacks. Dr. Dobb’s J. 12, 21 (1999)
20.
E.G. Amoroso, Fundamentals of Computer Security Technology (PTR Prentice Hall, Englewood Cliffs, 1994)
21.
A. Roy, D.S. Kim, and K.S. Trivedi, Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees. Secur. Commun. Netw. 5(8), 929–943 (2012)CrossRef
22.
J. Homer, S. Zhang, X. Ou, D. Schmidt, Y. Du, S.R. Rajagopalan, A. Singhal, Aggregating vulnerability metrics in enterprise networks using attack graphs. J. Comput. Secur. 21(4), 561–597 (2013)CrossRef
23.
L. Wang, T. Islam, T. Long, A. Singhal, S. Jajodia, An attack graph-based probabilistic security metric, in IFIP Annual Conference on Data and Applications Security and Privacy (Springer, 2008), pp. 283–296
24.
M. Gribaudo, M. Iacono, S. Marrone, Exploiting bayesian networks for the analysis of combined attack trees. Electron. Notes Theoret. Comput. Sci. 310, 91–111 (2015)CrossRef
25.
N. Poolsappasit, R. Dewri, I. Ray, Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2011)CrossRef
26.
O. Sheyner, J. Haines, S. Jha, R. Lippmann, J.M. Wing, Automated generation and analysis of attack graphs, in Proceedings IEEE Symposium on Security and Privacy (2002), pp. 273–284
27.
X. Ou, W.F. Boyer, M.A. McQueen, A scalable approach to attack graph generation, in Proceedings of the 13th ACM Conference on Computer and Communications Security (2006), pp. 336–345
28.
Z. Qian, J. Fu, Q. Zhu, A receding-horizon MDP approach for performance evaluation of moving target defense in networks, in 2020 IEEE Conference on Control Technology and Applications (CCTA) (IEEE, 2020), pp. 1–7
29.
L. Huang, Q. Zhu, Farsighted risk mitigation of lateral movement using dynamic cognitive honeypots, in International Conference on Decision and Game Theory for Security (Springer, 2020), pp. 125–146
30.
S. Mauw, M. Oostdijk, Foundations of attack trees, in International Conference on Information Security and Cryptology (Springer, 2005), pp. 186–198
31.
S. Jha, O. Sheyner, J. Wing, Two formal analyses of attack graphs, in Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15 (2002), pp. 49–63
32.
M. Rausand, A. Høyland, System Reliability Theory: Models, Statistical Methods, and Applications, vol. 396 (Wiley, 2003)
33.
S. Contini, V. Matuzas, Analysis of large fault trees based on functional decomposition. Reliab. Eng. Syst. Saf. 96(3), 383–390 (2011)CrossRef
34.
F. Baiardi, C. Telmon, D. Sgandurra, Hierarchical, model-based risk management of critical infrastructures. Reliab. Eng. Syst. Saf. 94(9), 1403–1415 (2009)CrossRef
35.
D.W. Coit, E. Zio, The evolution of system reliability optimization, Reliab. Eng. Syst. Saf. 192, 106259 (2018)CrossRef
36.
M. Todinov, Methods for analysis of complex reliability networks, in Risk-Based Reliability Analysis and Generic Principles for Risk Reduction (Elsevier, 2007), pp. 31–58
37.
N. Leveson, Engineering a Safer World: Systems Thinking Applied to Safety (MIT Press, 2011)
38.
39.
NIST SP 800–30: Guide for conducting risk assessments, National Institute of Standards and Technology, Gaithersburg, MD, Tech. Rep. (2012)
40.
J. Fussell, E. Henry, N. Marshall, MOCUS: A computer program to obtain minimal sets from fault trees, Aerojet Nuclear Co., Idaho Falls, Idaho (USA), Tech. Rep. (1974)
41.
W.S. Lee, D.L. Grosh, F.A. Tillman, C.H. Lie, Fault tree analysis, methods, and applications: A review. IEEE Trans. Reliab. 34(3), 194–203 (1985)CrossRef
42.
A. Rauzy, Toward an efficient implementation of the MOCUS algorithm. IEEE Trans. Reliab. 52(2), 175–180 (2003)CrossRef
Metadata
Title
Risk Modeling and Analysis
Authors
Tim Kieras
Junaid Farooq
Quanyan Zhu
Copyright Year
2022
Book
IoT Supply Chain Security Risk Analysis and Mitigation

Print ISBN: 978-3-031-08479-9

Electronic ISBN: 978-3-031-08480-5

Copyright Year: 2022

DOI
https://doi.org/10.1007/978-3-031-08480-5_2

Premium Partner

    Image Credits