Traceability in supply chains: A Cyber security analysis

Digital technologies are increasingly being adopted in modern supply chains for product traceability, enabling data sharing amongst trading partners, quick availability of product data, and end-to-end visibility of products. This adoption increases the system attack-surface and the number of cyber threats capable of harmful business impact, such as leak of business data, disruption of business operations, and loss of reputation, intellectual prop-erty and financial assets. A supply chain network thus needs an effective cyber security and threat management strategy, which requires reaching a thorough understanding of the most important assets and resources in a supply chain traceability system, the cyber threats that may impact them, and potential countermeasures. This article contributes a comprehensive threat modeling report on supply chain traceability systems, where we make explicit more than a hundred relations between assets, threats and countermeasures of relevance to supply chain traceability. Our analysis is reproducible, extensible and falsifiable. Reproducibility is achieved by following a systematic asset-centric threat modeling approach and adopting the STRIDE threat model to present a description of common threats; extensibility by using a layered-architecture for supply chains which the analyst can accommodate to a concrete implementation; and falsifiability by providing the sources used to establish the relation (asset, threat, countermeasure). Albeit the focus of the analysis is on technology, for the sake of completeness, the article briefly analyses secure traceability in supply chains when people and processes are made part of the system. (c) 2021 Elsevier Ltd. All rights reserved.