Cookies

We use cookies to ensure that we give you the best experience on our website. By continuing to browse this repository, you give consent for essential cookies to be used. You can read more about our Privacy and Cookie Policy.


Durham Research Online
You are in:

Beware Suppliers Bearing Gifts!: Analysing coverage of supply chain cyber security in critical national infrastructure sectorial and cross-sectorial frameworks

Topping, Colin and Dwyer, Andrew and Michalec, Ola and Craggs, Barney and Rashid, Awais (2021) 'Beware Suppliers Bearing Gifts!: Analysing coverage of supply chain cyber security in critical national infrastructure sectorial and cross-sectorial frameworks.', Computers & Security, 108 . p. 102324.

Abstract

Threat actors are increasingly targeting extended supply chains and abusing client-supplier trust to conduct third-party compromise. Governments are concerned about targeted attacks against critical national infrastructures, where compromise can have significant adverse national consequences. In this paper we identify and review advice and guidance offered by authorities in the UK, US, and the EU regarding Cyber Supply Chain Risk Management (C-SCRM). We then conduct a review of sector specific guidance in the three regions for the chemical, energy, and water sectors. We assessed frameworks that each region’s sector offered organisations for C-SCRM suitability. Our results found a range of interpretations for “Supply Chain” that resulted in a diversity in the quantity and quality of advice offered by regional authorities, sectors, and their frameworks. This is exacerbated by the lack of a common taxonomy to support supply chain procurement and risk management that has led to limited coverage in most C-SCRM programs. Our results highlight the need for a taxonomy regarding C-SCRM and systematic guidance (both general and sector specific) to enable controls to be deployed to mitigate against supply chain risk. We provide an outline taxonomy based on our data analysis to promote further discussion and research.

Item Type:Article
Full text:Publisher-imposed embargo until 23 May 2022.
(AM) Accepted Manuscript
Available under License - Creative Commons Attribution Non-commercial No Derivatives 4.0.
File format - PDF
(2584Kb)
Status:Peer-reviewed
Publisher Web site:https://doi.org/10.1016/j.cose.2021.102324
Publisher statement:© 2021 This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/
Date accepted:12 May 2021
Date deposited:20 May 2021
Date of first online publication:23 May 2021
Date first made open access:23 May 2022

Save or Share this output

Export:
Export
Look up in GoogleScholar