With the continued changes in the way businesses work, cyber-attack targets are in a constant state of flux among organizations, individuals, and the various parts of the supply chain of interconnected goods and services. As one of the 16 critical infrastructure sectors, the manufacturing sector is known for complex integrated Information Systems (ISs) that are incorporated heavily into production operations. Many of these ISs are procured and supported by third parties, also referred to as interconnected entities in the supply chain. Disruptions to manufacturing companies would not only cause significant financial losses but would also have economic and safety impacts on society. The vulnerabilities of one interconnected company create inherited exposures in the other companies connected to it. Cybersecurity practices need to be further enhanced to understand supply chain cybersecurity posture and to manage the risks from lower-tier interconnected entities up to the top-level dependent organization. This paper provides an overview of the Theory of Cybersecurity Footprint to emphasize the relationship among interconnected entities and the cybersecurity effects one organization can have on another regardless of size. The paper also provides a literature review on the manufacturing industry, with a recommendation for future developmental research using the Delphi method with a panel of experts to develop an index that measures cybersecurity posture based on interconnected entities from lower tiers and to establish index weights specifically for the manufacturing industry.
This content will become publicly available on January 1, 2026
Mapping Cyber Threats in the 5G Supply Chain: Landscape, Vulnerabilities, and Risk Management
Modern 5G systems are not standalone systems that come from a single vendor or supplier. Instead, they comprise an integration of complex software, hardware, and cloud services developed by specialist entities. Moreover, these components have a supply chain that may involve linkages and relationships between different vendors. A mobile network operator relies on the functionality and integrity of all the constituent components and their suppliers to ensure the communication network's confidentiality, integrity, and availability. While the operator can employ cybersecurity best practices itself, it does not have control over the cybersecurity practices of its immediate vendors and the wider supply chain. Recently, attackers have exploited cyber vulnerabilities in the supplier network to launch large-scale breaches and attacks. Hence, the supply chain becomes a weak link in the overall cybersecurity of the 5G system, and it is becoming crucial for operators to understand the cyber risk to their infrastructure, with a particular emphasis on supply chain risk. In this paper, we systematically break down and analyze the 5G network architecture and its complex supply chains. We present an overview of the key challenges in the cybersecurity of 5G supply chains and propose a systemic cyber risk assessment methodology that helps illuminate the risk sources and can be used to manage and mitigate the risk. It will guide stakeholders in establishing a secure and resilient 5G network ecosystem, safeguarding the backbone of modern digital infrastructure against potential cybersecurity threats.
- Award ID(s):
- 2226232
- PAR ID:
- 10628442
- Publisher / Repository:
- IEEE
- Date Published:
- Journal Name:
- IEEE Network
- Volume:
- 39
- Issue:
- 1
- ISSN:
- 0890-8044
- Page Range / eLocation ID:
- 251 to 260
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
This report documents the program and the outcomes of Dagstuhl Seminar "EU Cyber Resilience Act: Socio-Technical and Research Challenges" (24112). This timely seminar brought together experts in computer science, tech policy, and economics, as well as industry stakeholders, national agencies, and regulators to identify new research challenges posed by the EU Cyber Resilience Act (CRA), a new EU regulation that aims to set essential cybersecurity requirements for digital products to be permissible in the EU market. The seminar focused on analyzing the proposed text and standards for identifying obstacles in standardization, developer practices, user awareness, and software analysis methods for easing adoption, certification, and enforcement. Seminar participants noted the complexity of designing meaningful cybersecurity regulations and of aligning regulatory requirements with technological advancements, market trends, and vendor incentives, referencing past challenges with GDPR and COPPA adoption and compliance. The seminar also emphasized the importance of regulators, marketplaces, and both mobile and IoT platforms in eliminating malicious and deceptive actors from the market, and promoting transparent security practices from vendors and their software supply chain. The seminar showed the need for multi-disciplinary and collaborative efforts to support the CRA's successful implementation and enhance cybersecurity across the EU.
Purpose: In the buyer-supplier relationship of a high-technology enterprise, the concepts of trust and risk are closely intertwined. Entering into a buyer-supplier relationship inherently involves a degree of risk, since there is always an opportunity for one of the parties to act opportunistically. Purchasing and supply managers play an important role in reducing the firm's risk profile, and must make decisions about whether or not to enter into, or remain in, a relationship with a supplier based on a subjective assessment of trust and risk.

Design/methodology/approach: In this paper, the authors seek to explore how trust in the buyer-supplier relationship can be quantitatively modeled in the presence of risk. The authors develop a model of trust between a buyer and supplier as a risk-based decision, in which a buyer decides to place trust in a supplier, who may either act cooperatively or opportunistically. The authors use a case study of intellectual property (IP) piracy in the electronics industry to illustrate the conceptual discussion and model development.

Findings: The authors produce a generalizable model that can be used to aid in decision-making and risk analysis for potential supply-chain partnerships, and is both a theoretical and practical innovation. However, the model can benefit a variety of high-technology enterprises.

Originality/value: While the topic of trust is widely discussed, few studies have attempted to derive a quantitative model to support trust-based decision making. This paper advanced the field of supply chain management by developing a model which relates risk and trust in the buyer-supplier relationship.
This paper analyses several promising policies in the electronic parts industry for disrupting the flow of counterfeit electronic parts. A socio-technical electronic part supply-chain network model has been developed to facilitate policy analysis. The model is used to understand the technical and social dynamics associated with the insertion of counterfeit electronic components into critical systems (e.g., aerospace, transportation, defense, and infrastructure) and to analyze the impact of various anti-counterfeiting policies and practices. This network model is used to assess the effectiveness of mandatory original component manufacturer buyback programs and the debarment of distributors found to provide counterfeit components. In this agent-based model, each participant in the supply chain is modeled as an independent entity governed by its own motivations and constraints. The entities in the model include the original component manufacturers, distributors, system integrators, operators, and counterfeiters. Each of these entities has dynamic behaviors and connections to the other agents. Since time is an integral factor (lead times and inventory levels can be drivers behind the appearance of counterfeits), the simulation is dynamic. The model allows the prediction of the risk of counterfeits making it into an operator's system and the length of time between relevant supply-chain events/disruptions and the appearance of counterfeits.
Cybersecurity is a concern for organizations in this era. However, strengthening the security of an organization's internal network may not be sufficient since modern organizations depend on third parties, and these dependencies may open new attack paths to cybercriminals. Cyber Third-Party Risk Management (C-TPRM) is a relatively new concept in the business world. All vendors or partners possess a potential security vulnerability and threat. Even if an organization has the best cybersecurity practice, its data, customers, and reputation may be at risk because of a third party. Organizations seek effective and efficient methods to assess their partners' cybersecurity risks. In addition to intrusive methods to assess an organization's cybersecurity risks, such as penetration testing, non-intrusive methods are emerging to conduct C-TPRM more easily by synthesizing the publicly available information without requiring any involvement of the subject organization. In this study, the existing methods for C-TPRM built by different companies are presented and compared to discover the commonly used indicators and criteria for the assessments. Additionally, the results of different methods assessing the cybersecurity risks of a specific organization were compared to examine reliability and consistency. The results showed that even if there is a similarity among the results, the provided security scores do not entirely converge.