OT Supply Chain Security: Prioritizing and Quantifying Third-Party Cyber Risk
Author
Santinhos Borges, Pedro Manuel
Term
4th semester
Education
Publication year
2026
Pages
82
Abstract
About 30% of reported security breaches involve third parties, and the EU’s NIS2 Directive, focused on essential and important entities, requires management of supplier-related cyber risk. This risk is especially acute for operators of Operational Technology (OT), because devices remain in use for many years, availability and integrity often take priority over confidentiality, and failures can affect physical processes and human safety. This thesis reviews current practice and proposes a five-layer framework, Supply Chain OT Risk Assessment (SCORA), that guides an OT asset owner from third-party vulnerability data to prioritization, financial impact, and a vendor overview. The layers: ingest SBOM (a software bill of materials), SCA (software composition analysis), and VEX (statements on whether known vulnerabilities are exploitable); adjust CVSS (Common Vulnerability Scoring System) into an OT-Adjusted Severity Score (OASS) using modifiers for human safety, the AIC triad (availability, integrity, confidentiality), and legacy systems; add an EPSS-based breach probability (Exploit Prediction Scoring System) and triage the results; convert remaining risk into annualized expected loss using the FAIR model (Factor Analysis of Information Risk); and aggregate by vendor while considering transparency and supply-chain depth. The framework is demonstrated in a water-treatment scenario, and the findings are discussed.
About 30% of all reported security breaches now involve third parties, and the NIS2 Directive, focused on essential and important entities, requires management of suppliers' cyber risk. The risk is especially high for operators of Operational Technology (OT), because equipment is used for many years, availability and integrity are often weighted above confidentiality, and failures can affect physical processes and human safety. This thesis reviews current practices and proposes a five-layer framework, Supply Chain OT Risk Assessment (SCORA), which guides an OT owner from third-party vulnerability data to prioritization, financial assessment and a vendor overview. The layers: ingest SBOM (a software bill of materials), SCA (software composition analysis) and VEX (statements on whether known vulnerabilities are exploitable); adjust CVSS (Common Vulnerability Scoring System) to an OT-adjusted severity score (OASS) with modifiers for human safety, the AIC triad (availability, integrity, confidentiality) and legacy systems; add an EPSS-based breach probability (Exploit Prediction Scoring System) and prioritize the results; convert remaining risks to annual expected loss using the FAIR model (Factor Analysis of Information Risk); and aggregate per supplier with regard to transparency and supply-chain depth. The framework is demonstrated in a water-treatment scenario, and the results are discussed.
[This abstract has been rewritten with the help of AI based on the project's original abstract]
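The abstract describes the five SCORA layers only in outline. The following Python sketch is an added illustration of how such a pipeline fits together and is not code from the thesis: it ingests a constructed SBOM, SCA findings and a VEX statement, scales CVSS into an OT-adjusted score, annualizes an EPSS probability, computes a FAIR-style annualized loss (loss event frequency times loss magnitude), and rolls the result up per vendor. Every weight (the safety, AIC and legacy multipliers, the triage thresholds, the transparency and depth uplifts), the 12-window annualization of EPSS, the loss magnitudes, the vendor metadata and the placeholder CVE ids (CVE-0000-000N) are assumptions chosen for demonstration; the thesis's actual parameters are not on this page.

```python
"""Illustrative SCORA-style pipeline: SBOM/SCA/VEX -> OT-adjusted severity
-> EPSS breach probability and triage -> FAIR expected loss -> vendor view.

Added example, not the thesis's code. All weights, sample data and CVE ids
below are constructed assumptions for demonstration only.
"""
from collections import defaultdict

# --- Layer 1: ingest. Constructed SBOM, SCA findings and VEX statements. ---
SBOM = {
    "plc-firmware": {"vendor": "AcmePLC", "legacy": True, "safety_related": True},
    "hmi-webui": {"vendor": "VisuCorp", "legacy": False, "safety_related": False},
}
# SCA output per component: CVSS base score, EPSS 30-day probability and the
# dominant AIC impact. CVE ids are placeholders (CVE-0000-000N), not real advisories.
FINDINGS = [
    {"component": "plc-firmware", "cve": "CVE-0000-0001", "cvss": 6.5, "epss": 0.05, "impact": "availability"},
    {"component": "plc-firmware", "cve": "CVE-0000-0002", "cvss": 9.8, "epss": 0.60, "impact": "confidentiality"},
    {"component": "hmi-webui", "cve": "CVE-0000-0003", "cvss": 6.5, "epss": 0.30, "impact": "integrity"},
]
# VEX: the vendor states the vulnerable code path is not reachable in this product.
VEX = {"CVE-0000-0002": "not_affected"}
# Vendor metadata for layer 5 (constructed): does the vendor ship SBOM/VEX,
# and how many supply-chain tiers away is it (1 = direct supplier).
VENDORS = {
    "AcmePLC": {"provides_sbom_vex": True, "depth": 1},
    "VisuCorp": {"provides_sbom_vex": False, "depth": 2},  # reached via an integrator
}
# FAIR loss magnitude per component, currency units per loss event (constructed).
LOSS_MAGNITUDE = {"plc-firmware": 250_000.0, "hmi-webui": 40_000.0}

# --- Layer 2: OT-Adjusted Severity Score. Multipliers are assumed values. ---
SAFETY_MOD = 1.2
AIC_MOD = {"availability": 1.15, "integrity": 1.1, "confidentiality": 0.8}
LEGACY_MOD = 1.1

def oass(cvss, impact, safety_related, legacy):
    """Scale CVSS by the OT modifiers and clamp to the 0-10 CVSS range."""
    score = cvss * AIC_MOD[impact]
    if safety_related:
        score *= SAFETY_MOD
    if legacy:
        score *= LEGACY_MOD
    return min(score, 10.0)

# --- Layer 3: EPSS breach probability and triage. ---
def annualize(epss_30d):
    """Assumption: treat the year as 12 independent 30-day EPSS windows."""
    return 1.0 - (1.0 - epss_30d) ** 12

def triage_tier(score, p_year):
    """Assumed thresholds: severity and likelihood both high -> critical."""
    if score >= 7.0 and p_year >= 0.5:
        return "critical"
    if score >= 7.0 or p_year >= 0.5:
        return "high"
    return "medium"

# --- Layer 4: FAIR annualized expected loss = loss event frequency x magnitude. ---
def annualized_loss(p_year, loss_magnitude):
    return p_year * loss_magnitude

def assess(findings=FINDINGS, sbom=SBOM, vex=VEX, losses=LOSS_MAGNITUDE):
    """Run layers 1-4 over the findings; VEX 'not_affected' entries are dropped."""
    rows = []
    for f in findings:
        if vex.get(f["cve"]) == "not_affected":
            continue
        comp = sbom[f["component"]]
        score = oass(f["cvss"], f["impact"], comp["safety_related"], comp["legacy"])
        p_year = annualize(f["epss"])
        rows.append({
            "cve": f["cve"], "component": f["component"], "vendor": comp["vendor"],
            "cvss": f["cvss"], "oass": score, "p_year": p_year,
            "tier": triage_tier(score, p_year),
            "ale": annualized_loss(p_year, losses[f["component"]]),
        })
    # Rank by annualized loss so the triage list opens with the costliest exposure.
    return sorted(rows, key=lambda r: r["ale"], reverse=True)

# --- Layer 5: vendor overview weighted by transparency and supply-chain depth. ---
def vendor_overview(rows, vendors=VENDORS):
    """Sum ALE per vendor; uplift opaque vendors and deeper tiers (assumed factors)."""
    out = defaultdict(lambda: {"findings": 0, "ale": 0.0, "max_oass": 0.0})
    for r in rows:
        v = out[r["vendor"]]
        v["findings"] += 1
        v["ale"] += r["ale"]
        v["max_oass"] = max(v["max_oass"], r["oass"])
    for name, v in out.items():
        meta = vendors[name]
        uplift = 1.0 if meta["provides_sbom_vex"] else 1.25   # no SBOM/VEX: less visibility
        uplift *= 1.0 + 0.1 * (meta["depth"] - 1)             # each extra tier adds 10%
        v["weighted_ale"] = v["ale"] * uplift
    return dict(out)

if __name__ == "__main__":
    rows = assess()
    for r in rows:
        print(f'{r["cve"]} {r["component"]:<13} CVSS {r["cvss"]:.1f} OASS {r["oass"]:.2f} '
              f'p/yr {r["p_year"]:.2f} {r["tier"]:<8} ALE {r["ale"]:,.0f}')
    for name, v in vendor_overview(rows).items():
        print(f'{name}: {v["findings"]} finding(s), ALE {v["ale"]:,.0f}, weighted {v["weighted_ale"]:,.0f}')
```

With the constructed inputs the two surviving findings share a CVSS base score of 6.5, yet the safety-related legacy PLC component scores 9.87 on the OT-adjusted scale against 7.15 for the HMI, while the CVSS 9.8 confidentiality issue is removed by the VEX statement before any scoring. The HMI finding still triages as critical because its annualized EPSS probability is near 1, and the opaque second-tier vendor ends up with a weighted loss figure well above its raw ALE, which is the kind of vendor-level signal the fifth layer is meant to surface.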
Keywords
Supply Chain Security ; OT security ; SBOM ; SCA ; VEX ; CVSS ; EPSS ; FAIR model ; CISA KEV Catalogue ; ICS Advisory Project
