by Lukas König, Martin Pirker, Simon Tjoa, Peter Kieseberg (St. Pölten University of Applied Sciences)
Information security is becoming increasingly important due to the growing threats in the digital space. In supply chains in particular, it is essential to ensure that all participating companies have achieved an adequate level of protection, as vulnerabilities in one organisation can jeopardise the entire supply chain. We present a concept for blockchain-based, distributed information security audits, where companies can prove their level of protection to each other and increase trust in supply chain security.
Information security audits, especially in the context of globally established standards such as ISO 27001, fulfil the purpose of an independent and objective assessment of a company’s security level and serve as an important part of realising security strategies, especially when considering ICT-critical infrastructures. Still, the current approaches mainly focus on single organisations. As securing supply chains is increasingly becoming a central aspect of modern companies’ overall risk assessment, the security and resilience of the underlying ICT systems of partners, suppliers as well as vendors, are playing an increasingly important role. This has also been recognised by the EU, which has addressed this issue at legislative level with the Cyber Resilience Act, as well as the NIS2 directive.
When it comes to the relationship between safe supply chains and the level of security that an individual organisation possesses, it is possible for vulnerabilities at a single point to put the entire supply chain in jeopardy over the course of time [1]. Consequently, it is not only essential for each single organisation to conduct routine security checks, but it is also essential for all of the organisations that are a part of a supply chain to participate in such checks.
Although securing supply chains is becoming increasingly important, there is still a lack of scientific work on this topic. Previous publications on distributed auditing deal with, for example, metrics for security maturity levels, records of network monitoring, or decentralised risk management. However, an actual decentralised system for securing and communicating information security audits has not yet been described, yet communicating actual threats, vulnerabilities and (successful and unsuccessful) attacks along a supply chain is key for enhancing its resilience.
One major concern is that any exchange of this kind of audit information might reveal sensitive information about an organisation’s security gaps, which means that sharing these results is not in the organisation’s own interest in terms of protection. Sharing information about security incidents, technical and organisational measures with external third parties requires a high level of trust, as such information can reveal obvious weaknesses in an organisation and therefore pose a threat to general information security.
Our basic approach to a distributed audit system [2] thus includes external and internal information security audits, i.e. audits conducted by each organisation itself, as well as audits conducted by external, independent auditors. Security audits can reveal a lot of sensitive information about an organisation. Regardless of whether the outcome of an audit is positive or negative, an audit implicitly reveals important information about company strategies and business processes. For this reason, an approval model ensures separation between organisations. This guarantees that sensitive information can only be viewed by authorised parties. In other words, internally within the company, externally, and a special position for independent inspection bodies. It is therefore a system in which trust between companies is ensured by trust in the technology.
Technologically, in our distributed audit system each participating organisation operates a local/internal version of a blockchain on which the results of information security checks are stored. These local and organisation-internal checks can be carried out both as an internal audit and as an external audit by an independent audit body. Each organisation can carry out any number of checks on the internal blockchain and store the results in a tamper-proof and interlinked manner.
A global blockchain is used to prove the security level of an organisation to other organisations, for example as part of a supply chain (see Figure 1). It is operated by an independent organisation and filled with data blocks and information. Entries for the global blockchain result from validation checks by the independent body of each participating organisation. This involves checking the organisation and its previous local blockchain entries and then attaching a validation block to the local and global blockchain.
![Figure 1: A global blockchain for validating audits across organisations [3].](/images/stories/EN137/kieseberg.png)
Figure 1: A global blockchain for validating audits across organisations [3].
In future work we plan on extending this approach to the realm of threat-information sharing, as for many highly integrated supply chains the topic of providing partners with relevant security information can even be more important than securing less important system parts in their own company. Still, as such chains might be very flexible and a multitude of partners might participate, a blockchain-based structure has a lot of benefits over a centrally provided server-based information-exchange approach. This form of a decentralised ISMS would also need functions for information override and correction, yet providing a full history of all shared security information would lead to enabling security managers to prove their information status at the time of decision-making.
References:
[1] R. Böhme, “Security audits revisited,” in Int. Conf. on Financial Cryptography and Data Security, pp. 129–147, Springer, 2012.
[2] L. König, et al., “DISA-A blockchain-based distributed information security audit,” in Int. Conf. on Information Integration and Web Intelligence, pp. 27–34, Springer Nature, 2023.
[3] L. König, et al., “Management von Informationssicherheitsaudits mithilfe von verteilten Systemen und Blockchains,” 2023.
Please contact:
Peter Kieseberg, St. Pölten UAS, Austria
