Kieras, Timothy, Farooq, Muhammad Junaid, Zhu, Quanyan.
2020.
RIoTS: Risk Analysis of IoT Supply Chain Threats. 2020 IEEE 6th World Forum on Internet of Things (WF-IoT). :1—6.
Securing the supply chain of information and communications technology (ICT) has recently emerged as a critical concern for national security and integrity. With the proliferation of Internet of Things (IoT) devices and their increasing role in controlling real world infrastructure, there is a need to analyze risks in networked systems beyond established security analyses. Existing methods in literature typically leverage attack and fault trees to analyze malicious activity and its impact. In this paper, we develop RIoTS, a security risk assessment framework borrowing from system reliability theory to incorporate the supply chain. We also analyze the impact of grouping within suppliers that may pose hidden risks to the systems from malicious supply chain actors. The results show that the proposed analysis is able to reveal hidden threats posed to the IoT ecosystem from potential supplier collusion.
Kieras, Timothy, Farooq, Muhammad Junaid, Zhu, Quanyan.
2020.
Modeling and Assessment of IoT Supply Chain Security Risks: The Role of Structural and Parametric Uncertainties. 2020 IEEE Security and Privacy Workshops (SPW). :163—170.
Supply chain security threats pose new challenges to security risk modeling techniques for complex ICT systems such as the IoT. With established techniques drawn from attack trees and reliability analysis providing needed points of reference, graph-based analysis can provide a framework for considering the role of suppliers in such systems. We present such a framework here while highlighting the need for a component-centered model. Given resource limitations when applying this model to existing systems, we study various classes of uncertainties in model development, including structural uncertainties and uncertainties in the magnitude of estimated event probabilities. Using case studies, we find that structural uncertainties constitute a greater challenge to model utility and as such should receive particular attention. Best practices in the face of these uncertainties are proposed.