2018
Kongens Lyngby, Denmark
Daniel Sepulveda, PhD.
• Researcher in Management Engineering Department at DTU.
• Mechanical engineering undergraduate
• MSc. in Industrial Engineering from Universidad Catolica de Chile
• MSc. in Management Science, esp. System Dynamics, Quantitative Analysis and Real options, from MIT, USA.
• PhD in Management Science, DTU
PhD Thesis: Managing cyber-risk and security in the global supply chain: Jan 8th, 2019
A systems approach to risk, structure and behavior.
Outline
Introduction
Thesis description
Methodology
Results
Cyber-attack
= IT
The dawn of the Stuxnet (2010)
Symptoms:
What Went wrong
[Diagram: Control System (SCADA), Velocity Sensor, Control, Cyber attacker, Centrifuge Rotation Speed]
Cyber-Physical Interaction
Accident
Hacker
Increasing problem
Rozados, I.V. and Tjahjono, B., 2014. Big data analytics in supply chain management: Trends and
related research. In 6th International Conference on Operations and Supply Chain Management.
Research question
Before Cyber-event
Research Questions
Research Questions
Literature Review
Proposed Methodology:
1. Use a Structured Literature Review
2. Combined search of three domains
3. Framework of Systems thinking
4. Identification of Gaps
[Diagram: three overlapping domains, Supply Chain (SCM), Risk & Resilience (R&RM) and Information Technology (ITM), with Supply chain cyber Risk & Resilience at their intersection]
Literature Review
Descriptive Analysis
Answer to RSQ 1
RSQ1: What are the supply chain cyber resilience frameworks published in literature?
Resilient architecture
Robust and resilient control
Four domains of cyber resilience
Structure Normative
Quantitative 72%
12% Patterns
Time to compromise
Resource exhaustion
Epidemiological System Dynamics
Papers in Sample:
SCM – Descriptive: 50%
IT – Quantitative: 60%
Gaps from SLR
Research Questions
RSQ3: Sequence of Enquiry
1. Exploratory: What cyber-events with operational disruption have been recorded
2. Descriptive: How have these cyber-events resulted in Operational Disruption
3. Evaluative: How do these cyber-events differ from other SC risks?
Proposed Methodology:
1. Literature Review
2. Search beyond Scientific Literature
3. Identify structures that lead to behavior
4. Compare to other SC risks
RSQ3: Results
RSQ3.2: Analysis
Operational disruption group | Disruption type | Hacker protagonism | Approach | SC influence
Group 1 | Theft of assets/resources | Active | Targeted | Downstream
Group 2 | Theft of assets/resources | Passive | Non-targeted | Upstream
Group 3 | Theft of Product | Active | Targeted | Downstream
Group 4 | Interruption of operations | Active | Targeted | Downstream
Group 5 | Interruption of operations | Passive | Non-targeted | Upstream
Disruption from:
Example 1:
Active Theft of Resources
[Diagram: Hacker, Customer, Tesco Bank and Supplier, linked by flows labelled Payment Instruction, Balance Information, Payment, and Product or service delivery]
Example 2:
Passive Theft of Resources
Leoni AG
[Diagram: Hacker, CEO, CFO, Warehouse, Bank and Supplier, linked by flows labelled Payment Instruction, Payment Order, Payment Confirmation, Payment, and Product Delivery]
Cyber vs. Non cyber risks
Dimensions | Cyber-risks to operations | Non-cyber-related operational risks
Component versus Interaction | Interaction risks | Component risk (e.g., supplier, infrastructure, cargo)
Latency
Perpetuity
Replication risks
Research Questions
RSQ4: Systemic dynamics analysis of cyber risk
SLR Gaps
RSQ4: How can a systems approach be used to mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks and resilience in the supply chain?
Risks: RSQ4.1a
Resilience: RSQ4.2
Comparison to an established risk analysis method
RSQ4.1: Methodology
RSQ4.1a: How can a systemic risk analysis approach mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks in the supply chain?
Proposed Methodology:
1. Case 1 Study
2. Based on STPA Systemic Risk Analysis Method
3. Identify Unsafe Control Actions
4. Identify Requirements
5. Compare to traditional Risk Analysis Method
RSQ4.1: Methodology
RSQ4.1a: How can a systemic risk analysis approach mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks in the supply chain?
[Diagram: Define the System, Identify Accidents, Identify Hazards, Identify Control Actions, Identify Unsafe Control Actions, Identify Requirements; labelled Cyber-Risks]
RQ4.1: Methodology
RSQ4.1a: How can a systemic risk analysis approach mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks in the supply chain?
Accidents
A1 Erroneous arrival of product
A2 Erroneous payment to supplier
A3 Product loss
A4 Product integrity compromised
A5 Payment Loss
A6 Reputational Loss
RQ4.1: Results
RSQ4.1a: How can a systemic risk analysis approach mitigate compartmentalization, static frameworks and historical dependence for managing cyber risks in the supply chain?
CASE 2
STUDY DESCRIPTION
Scenario description
Scenario description
• Potential Implications
  – Discovery and exploitation of Design flaws
  – Implant of malicious code into new products
30 days after breach
• IT Blogger indicates the reverse-engineering of the products.
• Alternatives could reach the market before the intended product launch
RQ4.2: Results
RQ4.2: Results
Reference Mode
Slide 34 PhD Defense / PhD Thesis: Managing cyber-risk and security in the global supply chain: Jan 8th, 2018 / Feb 20, 2019
A systems approach to risk, structure and behavior.
RQ4.2: SD Model
RQ4.2: Results
Reference Mode
Research Questions
Contributions to Theory
Contributions to Industry
Strategic
Prepare your organization for response
Cyber-risks are fundamentally different from other SC risks
System Dynamics method for resilient design
Systemic risk analysis method for endogenous exposure identification
and measurement
Consider
Flexibility Options
Redundancy Options
Response times
Current work
Thank you