  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Cyber Risk Management in Supply Chains: Three Essays on Cyber Resilience, Business Continuity, and Information Security

Sadeghi, J. Kiarash 08 1900
This dissertation provides empirical and theoretical support for the antecedents and consequences of cyber resilience via three essays on cyber resilience. Essay 1 comprises 2 studies using a multi-method empirical research effort to determine whether emphasizing suppliers' implementation and use of business continuity management (S-BCM) is actually beneficial to buyers. In Study 1, data from 150 managers was collected via a survey-based questionnaire to determine whether buyers' adoption of monitoring supplier operational performance (MS-OP) and monitoring S-BCM (MS-BCM) enhances S-BCM implementation and use. Evidence from Study 1 suggests that MS-BCM is more effective than MS-OP. Moreover, the results suggest that while buyer power positively augments the effectiveness of MS-BCM, it actually has a diminishing effect on the effectiveness of MS-OP. Study 2 uses the data of 114 managers from a vignette-based experiment to determine whether S-BCM leads to improved buyer operational and financial performance. Study 2 offers evidence that confirms the positive link between S-BCM and buyer operational and financial performance. The results also suggest that the use of reward power further enhances the association between S-BCM and buyer performance. Using two studies, Essay 2 examines how supply chain power and learning can be related to cyber resilience capability. Study 1 indicated that powerful buyers and supply chain learning from new knowledge contribute to visibility to build cyber resilience while dominant suppliers are reluctant to share information. The results of Study 2 show that supply chain and operations managers believe that companies and their suppliers would have better operational performance if they invest in the accuracy of visibility. Moreover, supply chains can properly avoid, maintain, and recover from cyber disruption when real-time information is available.
Essay 3 focuses on the role of downstream complexity along with enterprise resource planning (ERP) in building cyber resilience in supply chains. The results reveal that ERP systems help supply chains to mitigate the negative effect of downstream complexity on the impact of information sharing in a secure system needed to build cyber resilience in times of data breaches and cyber-attacks. Although the use of information technology increases cyber risk, supply chain managers should take advantage of ERP systems to mitigate the negative effect of complexity in supply chain cyber resilience.
2

Cyber resilience for critical infrastructure : A systematic review

Naserinia, Vahid January 2021
Critical infrastructure is a term to define the network of crucial assets for the functioning of a society and modern economies. The complexity of critical infrastructures and the ability to connect smart devices to these networks make them more vulnerable to cyberattacks. One of the cutting events pointing out gaps and importance of the cyber resilience in the nation's infrastructure systems, including Industrial Control Systems (ICS), was the discovery of Stuxnet in 2010, a malicious computer worm attacking Iranian nuclear facilities. The vulnerability of cyber systems was further revealed by a cyberattack on the SCADA system in Ukraine in 2015. This paper uses both a systematic literature strategy based on the Preferred Reporting Items for Systematic reviews and Meta-Analyses (PRISMA) statement and co-occurrence analysis by VOSviewer, a tool for visualization of similarities, to explore the specific research domains of cyber resilience for critical infrastructures and to understand the current trend of development and future research orientation. Despite the literature's emphasis on essential industries, the results show that, of all exposure parameters, the organization's sector is most consistently connected with the emergence of cyber resilience traits. The sector is also important in terms of the kind of attack and its effect on data. The attacked entities in the sample have a low level of cyber resilience, as evidenced by the surprisingly low intensity of devoted Cyber Security (CS) operational setting, use of CS structures, the resilience of Prevention, Detection, and Recovery controls (PDR), and organizations' reactions to their stakeholders following cyber attacks. The studied countries do not consistently adopt cyber resilience features. The prevalence of resilience traits, on the other hand, seems to have a beneficial influence on the frequency of litigation and sanctions.
Furthermore, improved protection, detection, and recovery measures increase the frequency of responsibilities and expectations to stakeholders following cyber assaults.
3

Who hacked my toaster? : A study about security management of the Internet of Things. / Vem har hackat min brödrost? : En studie om säkerhetshantering av Internet of Things

Hakkestad, Mårten, Rynningsjö, Simon January 2019
The Internet of Things is a growing area with growing security concerns; new threats emerge almost every day. Keeping up to date, monitoring the network and devices, and responding to compromised devices and networks are hard and complex matters. This bachelor’s thesis aims to discover how an IT company can work with security management within the Internet of Things. This is done by looking into how an IT company can work with updating, monitoring and responding within the Internet of Things, as well as what challenges there are with working with this. A qualitative research approach was used for this case study along with an interpretative perspective, as well as abductive reasoning. Interviews were performed with employees of a large IT company based in Sweden, along with extensive document analysis. Our bachelor’s thesis results in challenges with Security Management within the areas updating, monitoring and responding along with how our Case Company works with these security challenges. Largely these challenges can be summarized that everything is harder with the number of devices there are within the Internet of Things.
4

Cyber Resilience Act och utveckling av produkter med digitala delar : Är svenska mjukvaruföretag redo för lagkraven?

Carlsson, Anton January 2023
The number of products with digital elements in the world is increasing rapidly every year, followed by a rising number of cyberattacks against them. To address the substantial number of products with digital elements that have inadequate cybersecurity measures, the European Commission has proposed the Cyber Resilience Act. The act imposes requirements on the cybersecurity measures of all products with digital elements; this includes all products that have a direct or indirect logical or physical data connection to another device or to a network. This study investigates the awareness of Swedish software companies regarding the Cyber Resilience Act, as well as their current development processes. The research methodology employed in this study includes a literature review and semi-structured interviews with selected software companies. The study concludes that only a small number of companies are aware of the bill, and many will need to modify or entirely revamp their development processes to comply with the legal requirements. Furthermore, there is also some discussion about the Cyber Resilience Act's position in European legislation and the development principles that can assist companies in fulfilling the legal requirements proposed.
5

Intrusion Detection and Recovery of a Cyber-Power System

Zhu, Ruoxi 06 June 2024
The advent of Information and Communications Technology (ICT) in power systems has revolutionized the monitoring, operation, and control mechanisms through advanced control and communication functions. However, this integration significantly elevates the vulnerability of modern power systems to cyber intrusions, posing severe risks to the integrity and reliability of the power grid. This dissertation presents the results of a comprehensive study into the detection of cyber intrusions and restoration of cyber-power systems post-attack with a focus on IEC 61850 based substations and recovery methodologies in the cyber-physical system framework. The first step of this study is to develop a novel Intrusion Detection System (IDS) specifically designed for deployment in automated substations. The proposed IDS effectively identifies falsified measurements within Manufacturing Messaging Specification (MMS) messages by verifying the consistency of electric circuit laws. This distributed approach helps avoid the transfer of contaminated measurements from substations to the control center, ensuring the integrity of SCADA systems. Utilizing a cyber-physical system testbed and the IEEE 39-bus test system, the IDS demonstrates high detection accuracy and validates its efficacy in real-time operational environments. Building upon the intrusion detection methodology, this dissertation advances into cyber system recovery strategies, which are designed to meet the challenges of restoring a power grid as a cyber-physical system following catastrophic cyberattacks. A novel restoration strategy is proposed, emphasizing the self-recovery of a substation automation system (SAS) within the substation through dynamic network reconfiguration and collaborative efforts among Intelligent Electronic Devices (IEDs). 
This strategy, validated through a cyber-power system testbed incorporating SDN technology and IEC 61850 protocol, highlights the critical role of cyber recovery in maintaining grid resilience. Further, this research extends its methodology to include a cyber-physical system restoration strategy that integrates an optimization-based multi-system restoration approach with cyber-power system simulation for constraint checking. This innovative strategy, developed and validated using a Software Defined Networking (SDN) network for the IEEE 39-bus system, demonstrates the capability to efficiently restore the cyber-power system and maximize restoration capability following a large-scale cyberattack. Overall, this dissertation makes original contributions to the field of power system security by developing and validating effective mechanisms for the detection of and recovery from cyber intrusions in the cyber-power system. Here are the main contributions of this dissertation: 1) This work develops a distributed IDS, specifically designed for the substation automation environment, capable of pinpointing the targets of cyberattacks, including sophisticated attacks involving multiple substations. The effectiveness of this IDS in a real-time operational context is validated to demonstrate its efficiency and potential for widespread deployment. 2) A novel recovery strategy is proposed to restore the critical functions of substations following cyberattacks. This strategy emphasizes local recovery procedures that leverage the collaboration of devices within the substation network, circumventing the need for external control during the initial recovery phase. The implementation and validation of this method through a cyber-physical system testbed—specifically, within an IEC 61850 based Substation Automation System (SAS)—underscores its practicality and effectiveness in real-world scenarios.
3) The dissertation results in a new co-restoration strategy that integrates mixed integer linear programming to sequentially optimize the restoration of generators, power components, and communication nodes. This approach ensures optimal restoration decisions within a limited time horizon, enhancing the recovery capabilities of the cyber-power system. The application of an SDN based network simulator facilitates accurate modeling of cyber-power system interactions, including communication constraints and dynamic restoration scenarios. The strategy's adaptability is further improved by real-time assessment of the feasibility of the restoration sequence incorporating power flow and communication network constraints to ensure an effective recovery process. / Doctor of Philosophy / Electricity is a critical service that supports the society and economy. Today, electric power systems are becoming smarter, using advanced Information and Communications Technology to manage and distribute electricity more efficiently. This new technology creates a smart grid, a network that not only delivers power but also uses computers and other tools to remotely monitor electricity flows and address any issues that may arise. However, these smart systems with high connectivity utilizing information and communication systems can be vulnerable to cyberattacks, which could disrupt the electricity supply. To protect against these threats, this study is focused on creating systems that can detect when an abnormal condition is taking place in the cyber-power grid. These detection systems are designed to detect and identify signs of cyberattacks at key points in the power network, particularly at substations, which play a vital role in the delivery of electricity. 
Substations control the power grid operating conditions to make sure that electricity service is reliable and efficient for the consumers. Just like traffic lights help manage the flow of vehicles, substations manage the flow of electricity to make sure electric energy is delivered to where it is needed. Once a cyberattack is detected, the next step is to stop the attack and mitigate the impact it may have made to ensure that the power grid returns to normal operations as quickly as possible. This dissertation is concerned with the development and validation of analytical and computational methods to quickly identify the cyberattacks and prevent the disruptions to the electricity service. Also, the focus of this work is on a coordinated recovery of both the cyber system (digital controls and monitoring) and power system (physical infrastructure including transformers and transmission and distribution lines). This co-restoration approach is key to sustain the critical electricity service and ensures that the grid is resilient against the cyber threats. By developing strategies that address both the cyber and physical aspects, the proposed methodology aims to minimize downtime and reduce the impact of large-scale cyberattacks on the electrical infrastructure. The impact of the results of this dissertation is the enhancement of security and resilience of the electric energy supply in an era where the risks of cyber threats are increasingly significant. Overall, by developing new methodologies to detect and respond to cyberattacks, the cyber-power system's capability to withstand and recover from cyberattacks is enhanced in the increasingly technology-dependent power grid environment.
6

Mieux vaut prévenir et guérir : la réaction du public envers la posture de cyber-résilience des entreprises après un vol de données

Toma, Traian 08 1900
Research shows that customers take few measures to protect themselves from crimes that may follow data theft at a business. They rather consider that the firm—the host of their personal information—holds exclusive responsibility over the continued confidentiality of their data. Companies that fail to properly secure customer information may, in return, risk experiencing ruinous reputational harm. That said, little explanatory research is done on the resilience of businesses to negative public reaction after data theft. Consequently, a vignette-based experimental study was conducted using the “ideal” victim model. The scenarios feature: (1) a breached business described as having a strong cyber-resilience posture; (2) a breached business described as having a weak cyber-resilience posture. A final sample of 664 participants was randomly assigned to one of the two main experimental conditions. Results reveal that compared to a weak cyber-resilience posture, a good cyber-resilience posture minimizes negative customer attitudes and promotes positive customer behavioural intentions towards the company. Considering these results, cyber-resilience, which has mainly received conceptual attention, gains empirical support. Furthermore, this research project contributes more broadly to the evolution of the victimology of businesses.
