IoT Supply Chain Security Risk Analysis and Mitigation: Modeling, Computations, and Software Tools PDF

142 Pages·2022·3.403 MB·English
SpringerBriefs in Computer Science

Timothy Kieras · Junaid Farooq · Quanyan Zhu

IoT Supply Chain Security Risk Analysis and Mitigation
Modeling, Computations, and Software Tools

Series Editors
Stan Zdonik, Brown University, Providence, RI, USA
Shashi Shekhar, University of Minnesota, Minneapolis, MN, USA
Xindong Wu, University of Vermont, Burlington, VT, USA
Lakhmi C. Jain, University of South Australia, Adelaide, SA, Australia
David Padua, University of Illinois Urbana-Champaign, Urbana, IL, USA
Xuemin Sherman Shen, University of Waterloo, Waterloo, ON, Canada
Borko Furht, Florida Atlantic University, Boca Raton, FL, USA
V. S. Subrahmanian, University of Maryland, College Park, MD, USA
Martial Hebert, Carnegie Mellon University, Pittsburgh, PA, USA
Katsushi Ikeuchi, University of Tokyo, Tokyo, Japan
Bruno Siciliano, Università di Napoli Federico II, Napoli, Italy
Sushil Jajodia, George Mason University, Fairfax, VA, USA
Newton Lee, Institute for Education, Research and Scholarships, Los Angeles, CA, USA

SpringerBriefs present concise summaries of cutting-edge research and practical applications across a wide spectrum of fields. Featuring compact volumes of 50 to 125 pages, the series covers a range of content from professional to academic. Typical topics might include:

- A timely report of state-of-the-art analytical techniques
- A bridge between new research results, as published in journal articles, and a contextual literature review
- A snapshot of a hot or emerging topic
- An in-depth case study or clinical example
- A presentation of core concepts that students must understand in order to make independent contributions

Briefs allow authors to present their ideas and readers to absorb them with minimal time investment. Briefs will be published as part of Springer's eBook collection, with millions of users worldwide. In addition, Briefs will be available for individual print and electronic purchase.

Briefs are characterized by fast, global electronic dissemination, standard publishing contracts, easy-to-use manuscript preparation and formatting guidelines, and expedited production schedules. We aim for publication 8–12 weeks after acceptance. Both solicited and unsolicited manuscripts are considered for publication in this series.

Indexing: This series is indexed in Scopus, Ei-Compendex, and zbMATH

Timothy Kieras, New York University, Brooklyn, NY, USA
Junaid Farooq, University of Michigan-Dearborn, Dearborn, MI, USA
Quanyan Zhu, New York University, Brooklyn, NY, USA

ISSN 2191-5768, ISSN 2191-5776 (electronic)
SpringerBriefs in Computer Science
ISBN 978-3-031-08479-9, ISBN 978-3-031-08480-5 (eBook)
https://doi.org/10.1007/978-3-031-08480-5

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022

This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

To our families whose support has been instrumental in the completion of this work

Preface

Supply chain risk is a well-studied subject in the business process and logistics management literature. However, its scope is evolving and becoming wider as systems and processes become more complex. Modern information technology (IT), operational technology (OT), and Internet of things (IoT) systems have complex global supply chains. Moreover, there is an intricate blend of software and hardware systems, which are manufactured, controlled, and operated by different entities. It is thus becoming critically important to know and understand which vendors are linked to the system and what risk these vendors bring to the system operation. The cybersecurity of IoT-enabled infrastructure systems overarchingly depends on the confidentiality, integrity, and availability of the software and hardware components, including their supply chain. The complex network of components involves various actors and organizations that design and integrate different sub-components of the larger system. The insecurity of one sub-component in the supply chain can have downstream effects on the security and resiliency of IoT-enabled infrastructure systems.

This book aims to provide the necessary tools for quantitative understanding and assessment of supply chain risk threats to critical infrastructure owners and operators. In a typical IoT-enabled infrastructure system, there is a complex integration of multiple components enabling various IT and OT functions. Each component is supplied by a vendor or a network of vendors, which have different levels of trustworthiness from the perspective of the stakeholders. Certain suppliers may have a long-standing history of successful operation and comply with essential cybersecurity practices. On the other hand, there are many newer and potentially less secure vendors, which can introduce unknown vulnerabilities into the overall system security. The supply chain front adds another dimension to system reliability on top of component reliabilities. Furthermore, a particular component in the system may itself be very reliable but may have been procured from a less trustworthy vendor. Similarly, a component may not be very reliable but may have a highly trustworthy supplier. Therefore, it is critically important to understand the delicate interplay between component reliabilities and the trustworthiness of their suppliers.

Currently, there is a severe dearth of supply chain risk assessment tools, which prevents system operators from analyzing the risk to their infrastructure from a supply chain standpoint. Moreover, there is a lack of tools that can assist with supplier selection from alternatives and provide insights about supply chain decisions. This book is aimed at unfolding the emerging supply chain risk analysis ecosystem and providing a peek into a practical software tool to help analyze the risk. The described software tool, referred to as I-SCRAM, will enable critical infrastructure owners to make risk-informed decisions relating to the supply chain while deploying their IT and OT systems. Providing such information to decision-makers will reduce the possibility of being affected by supply chain attacks from malicious IT and OT vendors. We hope that this book will provide a broad understanding of the emerging cyber supply chain security in the context of IoT systems to academics, industry professionals, and government officials.

Brooklyn, NY, USA — Timothy Kieras
Dearborn, MI, USA — Junaid Farooq
Brooklyn, NY, USA — Quanyan Zhu
March 2022

Acknowledgments

We would like to acknowledge the support of our respective institutions, New York University (NYU) and the University of Michigan-Dearborn, that have enabled us to pursue this work. We appreciate all past and current members of the Laboratory for Agile and Resilient Complex Systems (LARX) at NYU who have provided us invaluable feedback and created an environment that allows intellectually engaging work. Specific thanks go to Yunfei Ge from LARX, who has helped finish Chapter 4 with case studies and numerical examples. Without her assistance, this book would not have been completed on time. We are also thankful to members of the Center of Cyber Security at NYU, in particular, Prof. Nasir Memon and Dr. Ed Amoroso, who have supported this work from the very beginning. This work is also a result of many unforgettable discussions with our colleagues and friends, to whom we are eternally thankful.

We also acknowledge the instrumental funding support from the Critical Infrastructure Resilience Institute (CIRI), a Department of Homeland Security Center of Excellence at the University of Illinois at Urbana-Champaign. We are thankful for research inputs from Randy Sandone and David Nicol and administrative support from Elaina Buhs and Andrea Whitesell at CIRI. Their continued support has made possible the development of I-SCRAM, a software tool for supply chain risk analysis and mitigation for IT, OT, and IoT systems. We are also grateful for constructive reviews from many anonymous reviewers of this work and insightful comments from many participants who attended our tutorials, workshops, and conference presentations.

Contents

1 IoT and Supply Chain Security ... 1
  1.1 Vendor Landscape of IoT Systems ... 1
  1.2 Brief Taxonomy of Supply Chain Security ... 3
  1.3 IoT Supply Chain Risk: Hard to Observe and Hard to Control ... 5
    1.3.1 Dissecting Supply Chain Links in IoT ... 6
  1.4 IoT Risk Implications and Consequences ... 7
    1.4.1 Key Features of IoT Security ... 8
  1.5 Challenges in Cyber Supply Chain Risk Analysis of IoT ... 9
  1.6 Supply Chain Resilience ... 10
    1.6.1 Top-Down Approach to Managing Risk ... 11
    1.6.2 Bottom-Up Approach to Managing Risk ... 12
  1.7 Overview of the Book ... 13
  References ... 13
2 Risk Modeling and Analysis ... 15
  2.1 Risk Scoring in Component Graphs ... 15
    2.1.1 Introduction ... 15
    2.1.2 Related Work ... 16
    2.1.3 Contributions ... 18
  2.2 System Model for Risk Assessment ... 19
    2.2.1 Model Definitions ... 19
    2.2.2 Supplier Trust ... 23
    2.2.3 Systemic Risk Graph ... 25
  2.3 Risk Analysis Metrics ... 25
    2.3.1 Systemic Risk Function ... 26
    2.3.2 Supplier Involvement Measure ... 27
  2.4 Uncertainties in Model Development ... 28
    2.4.1 Parametric Uncertainties in Probability Estimates ... 28
    2.4.2 Structural Modeling Uncertainties ... 28
  2.5 Uncertainty Case Studies ... 29
    2.5.1 Case 0: Ground Truth ... 29