Article
Peer-Review Record

Collaboration Practices for the Cybersecurity of Supply Chains to Critical Infrastructure

Appl. Sci. 2024, 14(13), 5805; https://doi.org/10.3390/app14135805
by Tania Wallis 1,* and Paul Dorey 2
Reviewer 1:
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Reviewer 4: Anonymous
Submission received: 29 April 2024 / Revised: 23 June 2024 / Accepted: 25 June 2024 / Published: 3 July 2024
(This article belongs to the Special Issue Sustainability and Green Supply Chain Management in Industrial Fields)

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The title of the paper "Collaboration practices for the cybersecurity of supply chains to critical infrastructure" seemed quite interesting and the research claimed to enable cross-fertilisation across critical infrastructures; however, the paper failed to demonstrate the statements made. The paper gives an overview of different standards, regulations and risk assessment but does not deep-dive into any of the OT-specific or critical infrastructure domains.

The paper briefly talks about what the supply chain expert groups and the NCSC do, but does not shed light on the best practices to mitigate supply chain risks, or provide any examples of mitigating OT-based cyber attacks using the NCSC guidance. Very theoretical concepts are provided without evidence.

The authors mention ENISAs supply chain cybersecurity document and have recreated the value chain provided in the document. This lacks originality and novelty. It would have been great to see a working example of a Critical Infrastructure Supply Chain Cybersecurity example.

The paper discusses pre-existing cybersecurity certifications, ISO 27001 and the UK Cyber Essentials, that are not sufficient for cybersecuring the IT/OT landscape, nor would they enable cyber resilience. There are a wide range of standards that need to be aligned and mapped for building cyber resilience. New regulations/directives that are a critical part of securing network and information systems need to be included for securing the supply chain.

The paper needs to cover basic concepts about cyber resilience.
Figure 2 briefly mentions the standard. NIST SP 800-82r2 is outdated and is no longer employed.
Table 3 is adapted from a book chapter "Cyber Resilience, Principles and Practices" and not referenced. 
The paper talks about IT and OT but misses out on discussing the standards for alignment, mitigating threat and risks in the critical infrastructure.

Overall, a weak paper - all sections need to be revised and should be able to demonstrate the statements that the authors have made. Suggest including examples, deep-diving into standards and regulations and pay attention to citing referred work. 

Author Response

Thank you for your feedback and the opportunity to improve our paper. We have re-worked all sections of the manuscript to provide the necessary improvements. Clarification and demonstration of statements made have been improved throughout the paper.

The paper covers a niche area of collective responsibility between organisations in securing CNI and defines the foundation of collaboration practices in supply chain cybersecurity. Basic concepts about cybersecurity of supply chains and best practices to mitigate risks are referred to in related works. The collaboration's outputs were produced from an OT specific context and reviewed by OT experts.

Future work will research practice experience of applying the NCSC’s new supply chain guidance to OT environments and provide an admin corp style paper to present a working example of how this works in practice.

This work is not a re-creation of ENISA’s Good Practices For Supply Chain Cybersecurity (June 2023). ENISA expects organisations to define rules and requirements for suppliers, products and services, and to manage this through contractual arrangements, defined rules and processes, including rules for subcontracting to cascade requirements along the supply chain. Our paper is highlighting the challenges of managing the supply chain through contracts which are described in 3.1.2 including the following:

‘Contractual clauses can be used for the transfer of risk management responsibilities to suppliers, but such commitments are potentially ineffective in actual implementation if not supported by an exchange of technical information and clarifications relevant to the service provision. High level contract clauses do not provide the necessary level of detail that ensures implementation to the required security level.’

Our research proposes that a collaborative discovery process of emerging security risks should be facilitated.

Standards and regulations relevant for securing supply chains are now provided in Section 2.1 including guidance from NIST, NIS2, ENISA, and the UK NCSC. ENISA already provides good practices for suppliers, integrators and service providers linked to relevant standards, so we have not reproduced that here.  

Our work is highlighting that standards are not sufficient in themselves and provides a framework for working more directly with external providers to mitigate risks that is suggested as a potentially more effective approach by NIST guidance, which is also now referred to in Section 2.4.

Figure 2 is now updated to include the Third revision of NIST SP 800-82r3 which supersedes r2.

Meagher’s book chapter on “Cyber Resilience, Principles and Practices” does not cover our principles and practice statements. Our work is different because it focuses on partnership and integrated processes with suppliers, where responsibilities cannot easily be divided and a shared responsibility emerges, requiring interworking between customer and supplier organisations. Meagher [1] designed a framework for aligning cyber-resilience activities with cybersecurity regulations and standards. This framework is applied to a fictional manufacturing company to demonstrate achieving compliance with relevant cyber laws such as NIS2, GDPR, NIST CSF. This worked example only briefly mentions third-party responsibilities and only in a specific area in relation to a wide area network that links three manufacturing plants in Ireland. Meagher also recommends vetting alternative suppliers of critical materials in business continuity planning. The gaps identified by Meagher’s analysis are very relevant to our paper so have been included in Section 2.2.  Meagher identifies a missing layer of governance for supply chain risks and managing third party vendors. This was highlighted as a ‘high-risk impact’ requiring ‘immediate attention’. Our work is attending to this missing layer. The partnership practice statements are a further development of the author’s previous work which is now explained in Section 3.5.

Thank you for your suggestions giving us the opportunity to improve the quality of this manuscript.

Reviewer 2 Report

Comments and Suggestions for Authors

This manuscript has given the cross-fertilization of cybersecurity experiences between several sectors including energy, rail, aviation, water, health, and food. The authors have analyzed the application of existing supply chain guidance and identified gaps, particularly for OT systems.

The work has great practical value, but there is insufficient theoretical analysis and innovative instruction for application. 

Comments on the Quality of English Language

Minor editing of English language required. Several figures are not clear.

Author Response

Thank you for your feedback and the opportunity to improve our paper. We have re-worked all sections of the manuscript to provide the necessary improvements.

A more extensive literature review is now given in Section 2, with a better explanation of the work's novelty. A more structured research design is presented in Table 1 and additional detail on the method in Section 2 to assist application.

We have also improved the clarity of Figure 2 so it is more readable.

Thank you for your suggestions giving us the opportunity to improve the quality of this manuscript.

Reviewer 3 Report

Comments and Suggestions for Authors

The proposed manuscript focuses on the issues of supply chain cybersecurity based on partnership collaboration. The problem is worth investigating and adheres to the scientific scope of the journal. However, the paper needs major revision before its acceptance for publication. The main reviewer's suggestions include:

1. The Introduction section needs rewriting - the current version does not provide a sufficient literature review on this topic, no research gap is defined, no clear aims and contributions of this text are presented, no scope of the paper is included,

2. The section Materials and Methods - also needs improvement - the authors do not present how the partnership was established (maybe a scheme with the clear presentation of SCEG - according to the text: the group has grown to include 40 active members across operators, suppliers, consultants, academia and NCSC), how the experts developed the presented solutions (maybe a scheme with the main steps and achieved results?)

3. There is no Conclusion section provided - at least one should be added after the discussion section. It should refer to the main aims of this work, provide the limitations of this study, present the future possible research steps, etc. As a result, the Discussion section also needs rewriting - it should be focused on the research and practical insights of the developed reference model

4. The Results section should also include (at the beginning of this section) a broad view of the reference model underlining the model, standards etc....

5. Figure 2 has low quality - it should be improved (hardly readable)

6. The paper has no sufficient literature review on the topic of supply chain cybersecurity


Author Response

Thank you for your feedback and the opportunity to improve our paper. We have re-worked all sections of the manuscript to provide the necessary improvements.

A more extensive literature review is now given in Section 2, with an improved explanation of the work's novelty and the research aims. We have now provided more detail on how the partnership was established and the steps to working together in Section 2 and Table 2.

We have also improved the clarity of Figure 2 so it is more readable.

Additional practical insights and key findings from the reference model analysis are provided in Table 3.

A conclusion and future work section has been added at the end, and better explanations of the work throughout.

Thank you for your suggestions giving us the opportunity to improve the quality of this manuscript.

Reviewer 4 Report

Comments and Suggestions for Authors

The submitted paper is interesting; however, it refers to a small number of papers about similar problems. It clearly shows that the review of the literature is still at an early stage. It requires extension.

The text is more oriented to books, as its content is more theoretical than practical. Is it possible to add more practical issues? I could not find any information about the novelty of your results. Why is it different from others?

Author Response

Thank you for your feedback and the opportunity to improve our paper. We have re-worked all sections of the manuscript to provide the necessary improvements.

A more extensive literature review is now given in Section 2, with an improved explanation of our work's novelty and the research aims. We have now provided more detail on how the partnership was established and the steps to working together in Section 2 and Table 2.

Additional practical insights and key findings from the reference model analysis are provided in Table 3, and better explanations of the work have been inserted throughout.

Thank you for your suggestions giving us the opportunity to improve the quality of this manuscript.

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

Typos and in-text citations need to be corrected.

Lines 171, 186 and 193 


Author Response

Thank you for your comments. The typos have now been corrected and appropriate citations have been inserted into line 172, line 187, and line 195.

Thank you for providing a second review of our paper. 

Reviewer 3 Report

Comments and Suggestions for Authors

The proposed manuscript has been revised according to the reviewer's suggestions. It can be published in its current form.

Author Response

Thank you for accepting our revised version for publication.
