Certifying the Security and Resilience of Supply Chain Services

CYRENE addresses the problem of assessing and certifying security and resilience requirements of Supply Chain Services (SCSs). To this end the project provides services, building blocks and components for an enhanced Risk Assessment (RA) process that can also serve as a Conformity Assessment (CA) process for assessing security threats and vulnerabilities and evaluate the security and resilience of SCS and its security objectives. A major innovation of the project is the dual use of the RCA Methodology as it can be used by individual SCS Providers and Business Partners to assess and manage SCS risks and generate the SCS Protection Profiles (PP, i.e. security claims) but may also be used by third party Auditors and Certification Bodies to access the cybersecurity objectives, requirements and validity of the SCS PP claims. CYRENE's certification scheme is an extension of the ENISA EUCC. Moreover, the project develops a platform and a set of accompanying tools for supporting the certification process. The certification process, the scheme and the toolset will be validated in two trials that pertain to real world scenarios and the feedback from the trials will used as the basis for formulating a set of best practices.

The importance of modern supply chains can not be overstated as they underlie almost any activity of modern societies. Their smooth operation is top requirement, whereas their disruption typically has profound societal, economic and political impact. The certification of supply chain service security and resilience increases the confidence of consumers and contributes to a competitive and trustworthy Digital Single Market.

The objectives of CYRENE are:

- Create tailored and risk-based security and privacy certification schemes for trusted supply chain services powered by ICT systems.

- Develop a novel dynamic cybersecurity risk and conformity assessment process to support different types of conformity assessment.

- Develop a certification scheme for supply chain services.

- Specify model and simulation services to dynamically forecast, detect and prevent supply chain cyber security and privacy risks and define mitigation strategies.

- Validate the CYRENE solution through its application to real SC services.

- Develop Best Practices and Standards Enhancements for supply chain service risk assessment and certification.

- Contribute towards strengthening EU’ cybersecurity capacity and tackle future cybersecurity challenges.

CYRENE started off by collecting security and legal requirements for supply chain services (SCSs). Security requirements were collected from SCS stakeholders (both project partners and external stakeholders through online questionnaires) while legal requirements were collected by the legal partner of the consortium. The requirements were classified, analyzed and reported. The analysis of the requirements led to the specification of the conformity certification assessment scheme and the conformity assessment process, which was defined as a stepwise multi-level evidence-driven assessment process among different actors (auditors, assessors, supply chain services providers, administrators and security officers) with hierarchical access control rights. Moreover, ontological models for infrastructure dependencies and events as well as for hardware and software assets, threats, vulnerabilities, cyber dependencies, actors and interactions among them and algorithms for cascading effects of threats, risks and vulnerabilities have been developed. Moreover, an architecture has been defined for a platform to support the conformity assessment process. The successful completion of the aforementioned outcomes marked the fulfillment of the first three milestones MS1, MS2, MS3 of the project.

Further work focused on the design and implementation of the prerequisites (i.e. assets, vulnerabilities, supply chain services, business processes in a relational database schema compliant with CVSS3.1) to facilitate the horizontal calculation of the risks between interconnected supply chains that involve multiple actors (i.e. supply chain providers, auditors and assessors).

Automatic crawling services were designed and implemented to collect and mine information from the dark web. Similarly, a data pipeline for data processing, curation, storage, graph and text analytics was implemented. Machine Learning has been employed to classify text according to the relevance of its content to cyber-attacks, illegal activities and emerging events detected in dark web forums, marketplaces and sites. The Threat Intelligence Sharing Platform has been used to bind and classify the extracted terms from the dark web into cyber concepts correlated with cyber security incidents and malware.

Appropriate technologies have also been setup to allow successful integration of the aforementioned developed modules. They include a GitLab repository for uploading of relevant module code to the integration system, a number of integration tools such as Kafka broker, Elasticsearch, and keycloak for secure access. Additionally, the Redmine environment has been setup for issue reporting and tracking of project activities. The continuous integration tasks include the aforementioned GitLab environment for code repository for the process that runs the tests and deploys the code for every iteration. Finally, a template for info collection that will lead to the testing scheme of individual modules as well as the integrated system has been circulated. Moreover, WP5 activities include the design of the experimentation methodology with the creation of appropriate templates to lead to the actual design of the experiments to take place in WP6.

The following project results have the progressed the State of the Art:

The Conformity/Certification Assessment Scheme: The proposed scheme extends ENISA's EUCC (Cybersecurity Certification Scheme) and focuses on complex interconnected supply chain services, which are viewed at three abstraction layers, namely, business processes, interconnected infrastructures, and digital assets. The resulting highly diverse ecosystem of actors, processes, and supporting technologies is a Target of Evaluation for which conformity requirements are expressed for ensuring its security and resilience.

The Risk and Conformity Evaluation (RCA) Process & Multi-Level Evidence-Driven Supply Chain Risk Assessment: The methodology has specified the steps of a RCA process and the functions, formulas, computations that are required to perform a collaborative SC risk assessment across different organizations and roles. The steps include the stakeholders involved in the collaborative process, the roles and authorizations of each stakeholder, and the collaboration workflows associated with the assessment and simulation processes. The process is of dual use: it may be used by SCS stakeholders to assess their part of the supply chain and also formulate security claims, but can also be used by third party assessors and certification bodies to certify expressed security claims.

The CYRENE Ontology for Infrastructure Dependencies and Events: the Ontology models relations of SC assets and cyber dependencies among them when they participate in business processes. The business processes compose supply chain services where organizations and people with various roles participate with different and hierarchical access rights.