University of Twente Student Theses


Cyber Security in the Supply Chain of Industrial Embedded Devices

Waalewijn, Dennis (2014) Cyber Security in the Supply Chain of Industrial Embedded Devices.

[img] PDF
Abstract:Cyber Security in the Supply Chain of Industrial Devices is vital to security of industries, countries and even the world, because when the energy, oil & gas, dairy, water management, beer and many more sectors are compromised in the supply chain a disaster that is not easy to prevent could be happening. An industrial device might be tampered with during shipment and after installation perform malicious actions in an industrial process. Such attacks are not uncommon at mobile embedded devices, therefore it is also likely industrial embedded devices are targeted too. However, because of the complex chain there is currently too little knowledge where in the supply chain may lie the possible threats. This knowledge is needed to be able to implement countermeasures where necessary in order to reduce the likelihood of attacks happening and to reduce the impact of an attack. To do this, A 'threat model' is derived from a literature study and reported incidents on PLCs/PACs. How these incidents could be translated in the supply chain is then determined by modelling attack trees. The threats have been looked at from an threat actors' point of view and show what a threat actor could achieve by interfering with the supply chain of industrial embedded devices. Next to that, a taxonomy of threat actors is used in order to show who would be able to perform such threat. The result is 35 theoretical threat scenarios that could be occurring in the supply chain of industrial devices. The threat scenario's are categorised generically as hardware counterfeiting, firmware/software tampering, intellectual property theft and the installation of backdoors. The threat model is then tested in reality by interview sessions with three different stakeholders of the supply chain, an OEM, a Systems Integrator and an Asset Owner. The interview consisted of four groups of questions; general production process; supply chain related; incident report; controls and measures in place. By performing three open interviews the supply chain is seen three perspectives, namely the Original Equipment Manufacturer, System Integrator and an Asset Owner. Following from these interviews and the literary research, this thesis gives insight into the state of the supply chain and threats that the devices in the supply chain face.
Item Type:Essay (Master)
KPMG, Amstelveen, The Netherlands
Faculty:BMS: Behavioural, Management and Social Sciences
Subject:54 computer science
Programme:Business Information Technology MSc (60025)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page