Background

Modern production systems are highly dependent on well-functioning supply chains. However, the complexity of such supply chains is increasing. There are different reasons for this. The trend towards tailor-made products, for instance, the just-in production to minimize storage costs, and the segmentation of product and service providers into many companies are a challenge for logistics and management. Measures need to be taken on many levels to enable lean production processes while simultaneously protecting the systems against attacks and malfunctioning. These measures encompass the general adaptability of production facilities to new tasks, the adjustment of the supply chains to the customer requests on the one hand and the delivery capacities of the providers on the other, as well as the establishment of resilient systems that keep up performing tasks even when affected by disruptions.

Project Content

The size and the structure of companies working together result in different degrees of organisation and depending on this different security risks have to be considered. For instance, the supply chains need to be flexible among partners who are on equal terms and who serve many different costumers. Hence, it can be difficult to create a common platform and this makes such structures vulnerable to social engineering (i.e., trick staff members into breaking standard security procedures). Large companies, on the other hand, usually spend a great a deal of money on security issues and set up their own platforms, which are to be used by all members for communication and different types of transactions. However, their suppliers are sometimes small companies, which do not have the resources to invest in large-scale security measures. They are often the back-door, which intruders use to start their attacks.

The scenarios outlined above make clear that different factors need to considered when dealing with security risks. This is done in the current project. By widening the scope of investigation, a more holistic view on security issues is adopted. Technical aspects are not examined in isolation without taking into account factors such as social engineering and organisational structures. Moreover, the project team moves out of the laboratory and tests the usefulness of their methods by applying them to “real world” security problems. Another distinguishing feature is that the team puts great effort in establishing the concept of resilience as a new standard in IT-Security.    

Goals & Methods

The main aim of the current project is to examine the ways in which supply chains are vulnerable to cyber-attacks. During this process different degrees of organisation and different lines of business and industry are taken into consideration. Methods that help to identify cyber-attacks and methods that increase the resilience and robustness of the systems in operation are developed. Also, the outcomes are applied  to “real world” use cases.

The project team aims

• to determine what it needs to build secure and resilient systems with regard to supply chains. This requires a taxonomy to bridge communication gabs between different fields.
• to develop practical solutions with the help of partners coming from different businesses. Taking into account the degree of organisation plays a prominent role here.
• to move beyond technical solutions by paying special attention to the overall system. This includes – apart from measures to handle direct and indirect attacks (via suppliers e.g.) on the software architecture – measures to prevent social engineering (i.e., manipulating staff members).
• to publish findings and methods and to integrate the insights gained into educational programs. Not only this includes new and existing programs but also courses outside academia.  

Results

One of the long-term goals of the current project is to replace the traditional and often one-sided concepts of IT-Security with a more holistic view that also puts greater emphasis on resilience and adaptability. Systems with a high degree of organization such as modern supply chains are far more complex than the average web-service and for this reason they cannot be defended against attacks on all levels. By contrast, resilience is more than a defensive line. It is aimed at creating an architecture that reacts and adapts to malfunctions, attacks, and disruptions in a way that does not compromise the overall functionality of the system. This also means to reject a reductionist view where the focus is on single aspects only. Resilience is a wider concept which takes organizational and management structures as well as the communication within and between companies into consideration. To sum up, resilience is not a concept that is only of interest for technicians; it is about the “big picture”.