Risk assessment for trustworthy data flow across collaborative business networks
In an I4.0 manufacturing environment, typified by large quantities of proprietary data moving rapidly between businesses and their supply chains, effective cybersecurity has become central in providing large manufacturers with the confidence to enter into ad-hoc collaborative production with innovative, high-tech SMEs.
Yet, becoming cybersecure is often seen as a complex and expensive process for innovative SMEs, many of whom may lack the expertise in-house to conduct extensive risk assessments. This can put SMEs at a competitive disadvantage when compared with large suppliers. The System Security Modeller tool in the EFPF platform can help address these challenges. The SSM tool is provided as one of the federated services available to the users of the EFPF platform.
A use-case implementation of the SSM tool is realised in the Circular Economy pilot of the EFPF project. The CE pilot scenario starts from the deployment of waste bin fill-level sensors in the manufacturing (and waste producing) facility of KLEEMANN, a large lift manufacturer in the European and global market. The remote monitoring of the waste bins and open top containers is made available to ELDIA, a waste management company participating in the EFPF project. The real-time distance monitoring is enabled by EFPF platform that interconnects the two companies by creating data flow from KLEEMANN to ELDIA. This data flow involves the interplay of various components such as sensors, routers, gateways, servers, scripts and applications.
EFPF Epic: By modelling these systems using the SSM tool, all parties can be confident that trusted, secure information will flow across the entire supply chain without exposing any collaborative partner, large or small, to undue cybersecurity risks.
As with any data exchange scenario, there is a risk of security breach and in particular information leaking, and the collaborating companies want to be sure that the data management system addresses the risks properly. In a typical risk management approach, the first step to address risks is to identify them. In the SSM tool, this is done through the design of a system model that includes assets, actors and relationship. By leveraging on a knowledgebase of known ICT threats, the SSM tool provides this analysis to the users or designer of the risk model. The SSM covers an extensive list of cybersecurity risks based on the implementation of ISO 27005 standard. It also includes some context specific and user-specific knowledge because the users can specify the impact of the possible problems (technically misbehaviors) on the business. Once the threats are identified through the execution of risk model(s), the SSM tool suggest a control strategy to mitigate the risks. The control strategy can be implemented by the infrastructure owner.
Th actual use-case implementation of the SSM tool in the EFPF project showed that the overhead for designing the risk models is not trivial and it pays off because the tool produces a comprehensive report that, when shared among partners, increases the mutual trust in collaborative business networks.
Access to the tool and documentation is provided through the EFPF Portal: http://portal.efpf.org/