Topping, Colin and Dwyer, Andrew and Michalec, Ola and Craggs, Barney and Rashid, Awais (2021) 'Beware Suppliers Bearing Gifts!: Analysing coverage of supply chain cyber security in critical national infrastructure sectorial and cross-sectorial frameworks.', Computers & Security, 108, p. 102324.
Threat actors are increasingly targeting extended supply chains and abusing client-supplier trust to conduct third-party compromise. Governments are concerned about targeted attacks against critical national infrastructure, where a compromise can have significant adverse national consequences. In this paper we identify and review the advice and guidance offered by authorities in the UK, the US, and the EU on Cyber Supply Chain Risk Management (C-SCRM). We then review the sector-specific guidance in the three regions for the chemical, energy, and water sectors, and assess the frameworks that each region's sectors offer to organisations for their suitability for C-SCRM. Our results show a range of interpretations of "supply chain", which produces a wide variation in the quantity and quality of advice offered by regional authorities, sectors, and their frameworks. This is exacerbated by the lack of a common taxonomy to support supply chain procurement and risk management, which has led to limited coverage in most C-SCRM programmes. Our results highlight the need for a C-SCRM taxonomy and for systematic guidance (both general and sector-specific) that enables controls to be deployed to mitigate supply chain risk. We provide an outline taxonomy based on our data analysis to promote further discussion and research.
Full text: Publisher-imposed embargo until 23 May 2022. Accepted Manuscript (AM), available under a Creative Commons Attribution Non-commercial No Derivatives 4.0 licence. File format: PDF (2584 KB).
Publisher web site: https://doi.org/10.1016/j.cose.2021.102324
Publisher statement: © 2021 This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/
Date accepted: 12 May 2021
Date deposited: 20 May 2021
Date of first online publication: 23 May 2021
Date first made open access: 23 May 2022