Design and validation of the Medusa supply chain risk assessment methodology and system

Supply chains (SCs) can be viewed as complex interconnected systems that play a vital role in the transportation and delivery of goods and services. An SC usually involves various critical infrastructures, mainly in the transportation sector, and exhibits intra-sector and cross-border dependencies between various business entities. Although efforts have been made to standardise supply chain risk assessment (SCRA) approaches, targeted methodologies are still lacking. In our previous work (Polemi and Kotzanikolaou, 2015) we proposed a preliminary version of the Medusa SCRA methodology, compliant with ISO 28001. The primary goal of Medusa is to assess the risks of an SC arising from the interconnections and interdependencies between the entities within it. In this paper we significantly extend that work in order to define all the specific details of the Medusa SCRA: estimation of threat levels, consequences, risk scales and cascading risks; generation of a baseline SC security policy; and identification of security controls. Furthermore, we validate the methodology on real case scenarios derived from the pilot operations of the Medusa project, and we provide implementation details of the Medusa collaborative system, which hosts the methodology and offers SCRA services to the involved BPs.

[1] Stefano Panzieri et al. A Holistic-Reductionistic Approach for Modeling Interdependencies, 2009, Critical Infrastructure Protection.

[2] Nineta Polemi et al. Open Issues and Proposals in the IT Security Management of Commercial Ports: The S-PORT National Case, 2012, SEC.

[3] Matthew Henry et al. Risk Analysis in Interdependent Infrastructures, 2007, Critical Infrastructure Protection.

[4] Nineta Polemi et al. Collaborative Security Management Services for Port Information Systems, 2012, DCNET/ICE-B/OPTICS.

[5] Thomas Peltier et al. Information Security Risk Analysis: A Pedagogic Model Based on a Teaching Hospital, 2006.

[6] Kenji Watanabe et al. A Framework for Modeling Interdependencies in Japan's Critical Infrastructures, 2009, Critical Infrastructure Protection.

[7] Georgios Giannopoulos et al. Risk assessment methodologies for critical infrastructure protection. Part II: A new approach, 2015.

[8] Per Hokstad et al. Risk and interdependencies in critical infrastructures: a guideline for analysis, 2012.

[9] Panayiotis Kotzanikolaou et al. Assessing n-order dependencies between critical infrastructures, 2013, Int. J. Crit. Infrastructures.

[10] Enrico Zio et al. Modeling Interdependent Network Systems for Identifying Cascade-Safe Operating Margins, 2011, IEEE Transactions on Reliability.

[11] Panayiotis Kotzanikolaou et al. Risk assessment methodology for interdependent critical infrastructures, 2011.

[12] Nineta Polemi et al. Medusa: A Supply Chain Risk Assessment Methodology, 2015, CSP Forum.

[13] James P. Peerenboom et al. Identifying, understanding, and analyzing critical infrastructure interdependencies, 2001.