CCE Theses and Dissertations

Date of Award

2024

Document Type

Dissertation

Degree Name

Doctor of Philosophy Cybersecurity Management

Department

College of Computing and Engineering

Advisor

Yair Levy

Committee Member

Ling Wang

Committee Member

Ajoy Kumar

Keywords

Cybersecurity footprint, Data breach, Index model, Interconnected entities, Manufacturing threats, Supply chain risks

Abstract

With the continued changes in how businesses work, cyber-attack targets are constantly in flux between organizations, individuals, and various aspects of the supply chain of interconnected companies delivering goods and services. As one of the 16 critical infrastructure sectors, manufacturing is known for complex integrated Information Systems (ISs) incorporated heavily into production operations. Many of these ISs are procured and supported by third parties, also called interconnected entities in the supply chain. Disruptions to manufacturing companies would not only cause significant financial losses but would also have economic and safety impacts on society. Vulnerabilities in one interconnected company create inherited exposure to exploitation in the other interconnected companies. Cybersecurity practices must be enhanced to understand supply chain cybersecurity posture and to manage the risks flowing from lower-tier interconnected entities to the top-level dependent organization. The Theory of Cybersecurity Footprint is at the core of this study, emphasizing the relationship among interconnected entities and the effects one organization can have on another regardless of size.

The goal of this research study was to develop an index to measure the cyber posture of manufacturing organizations based on their interconnected entities. Prior research on CMMC 2.0 Level 1 and its referenced domains and elements was leveraged to establish the constructs of the index. A multi-phase developmental research approach was conducted. In Phase 1, 30 cybersecurity Subject Matter Experts (SMEs) were engaged to establish aspects of the index. A pre-analysis data screening was performed with descriptive statistics to address the first three research questions on the importance of domains, elements, and tiers, as well as the number of tiers, in order to establish weight measures. The level of agreement among the SMEs confirmed that all domains were important, while 18 of 26 elements were considered important and included in the development of the index. Additionally, the SMEs provided input on the questions to determine the response scale options used in a subsequent survey tool called the Cyber Organizational Risk Exposure (CORE) Survey.

In Phase 2, there were significant challenges in recruiting manufacturing companies willing to engage the suppliers and vendors in their supply chain. Repeated outreach through multiple communication methods overcame the lack of interest and commitment and recruited key manufacturing contacts to participate in a pilot group. The pilot group of six manufacturing companies reviewed the CORE Survey questions and provided insightful feedback to refine a final version of the survey. The pilot group's responses to the 18 questions were used to validate the calculation of CORE scores using the weights of the domains and the elements, as well as the Cybersecurity Footprint Index for Manufacturing (CFI-Mfg). A web-based application prototype was developed to verify the resulting CORE scores as an additional testing method. Immediately following submission of the survey in the web-based application, a CORE score was calculated and displayed on a scale of 0 to 100. The CORE scores of the pilot group manufacturing companies were used to calculate three different CFI-Mfg scores based on one, two, and three tiers and a different number of entities in each tier. The calculated CFI-Mfg scores were 66.33, 51.26, and 60.26, respectively.

In Phase 3, several manufacturing associations and the FBI-affiliated InfraGard were contacted in an attempt to recruit manufacturing companies to participate in this phase. This effort was also met with a lack of interest and resistance. The initial communication with key contacts was promising, and they expressed willingness through emails and phone calls; however, once the information was shared with members, there was either no follow-through or no continued interest from the manufacturing associations. To gain participation, companies having Business-to-Business (B2B) relationships supporting manufacturing companies were targeted instead. With the dedicated support of key consulting contacts and their strong relationships with their clients, over 70 B2B companies participated in Phase 3.

The resulting CORE scores were used to calculate 60 CFI-Mfg scores based on different numbers of tiers, as well as different numbers of entities within the tiers. A combination of descriptive statistics and one-way analysis of variance (ANOVA) was used to determine the significance of CFI-Mfg with respect to the number of interconnected entities, the number of tiers of interconnected entities, and a set of attack surface variables. The attack surface variables included (a) number of workstations and laptops, (b) number of network file servers, (c) number of application servers, (d) number of public cloud instances, (e) number of firewalls and switches, (f) number of multi-function printers, (g) number of mobile devices, (h) number of IoT devices, and (i) number of employees. None of these variables appeared to be significant in the determination of a CFI-Mfg score. However, using the CORE Survey to gather data from interconnected entities in the supply chain can determine the CFI-Mfg as a single tier of all entities and assess an organization's cyber posture on a measurable scale. Discussions, implications, and future research recommendations are provided.