SCM SECURITY. Seoul National University, Manufacturing Automation and Integrations Laboratory, first-year master's student Kang Yun-cheol. Contents. Cyber attacks against SCM systems. Adding security to Logistics. Cyber attacks against supply chain management systems: a short note. International Journal of Physical Distribution & Logistics Management, Vol. 30 No. 7/8, 2000, pp. 710-716
SCM SECURITY
Seoul National University, Manufacturing Automation and Integrations Laboratory, first-year master's student Kang Yun-cheol
Contents
• Cyber attacks against SCM systems
• Adding security to Logistics
Manufacturing Automation and Integrations Laboratory
Cyber attacks against supply chain management systems: a short note
International Journal of Physical Distribution & Logistics Management, Vol. 30 No. 7/8, 2000, pp. 710-716
Matthew Warren, School of Computing and Mathematics, Deakin University, Geelong, Victoria, Australia, and William Hutchinson, School of Management Information Systems, Edith Cowan University, Perth, Western Australia, Australia
Widespread use of computer systems
• A new dependence upon computers and the data they contain
• All this information is at risk of either being misused for fraudulent purposes or modified for malicious reasons
• The true level of UK losses from computer fraud and misuse was around £1.1 billion a year (Robson, 1994)
Electronic commerce and SCM (1/2)
• Managing information about demand
  - Providing on-line information from customer service, sales support, etc. to the required business area or customer
• Managing physical flow of goods
  - Provide on-line information to aid production planning, procurement, inventory management, etc.
Electronic commerce and SCM (2/2)
• Managing financial flows
  - The ability of financial organizations to supply suppliers and customers with detailed financial information on-line
• Order management
  - By offering on-line cost estimation and pricing, on-line order planning and order generation, on-line order billing and account/payment management, etc.
The security risks
• Security is usually not as tight as in secured military systems, and these systems tend to be always on-line via the Internet
• Many organizations do not consider the security risks when developing on-line services
Password sniffing/cracking software
• One of the simplest and most common attack methods, using software packages such as Brute (PC based), Passfinder (Mac based), Crack V4.1 (Unix based)
• Unauthorized access could allow the hacker to:
  - Delete or change data relating to orders, pricing, or product descriptions
  - Copy data for use by a competitor or for fraudulent purposes
Spoofing attacks
• IP spoofing
  - It works by forging the "from" address so that the message appears to have originated from somewhere other than its actual source
• Web spoofing
  - An attacker sets up a fake Web site to lure users in the hope of stealing their credit card numbers or other information
  - e.g. www.MICROS0FT.com
To protect against bogus Web sites
• The Secure Sockets Layer tool cannot determine a fake Web site
• Add authentication software between the client and server
• Use of "digital signatures": electronic IDs that include a public key, name, address of the user, all digitally signed and encrypted with a private key
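The look-alike address on the spoofing slide (a zero in place of the letter "o") can be caught by comparing hostnames after collapsing visually confusable characters. The sketch below is an added example, not part of the original slides; the `TRUSTED` allowlist and the `CONFUSABLE` table are assumptions chosen for illustration.

```python
TRUSTED = {"microsoft.com", "bolero.net"}  # assumed allowlist for illustration

# Constructed table of visually confusable substitutions (not exhaustive).
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(host):
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def skeleton(host):
    """Collapse confusable characters so look-alike names compare equal."""
    for src, dst in CONFUSABLE:
        host = host.replace(src, dst)
    return host


def classify(host):
    """Return (verdict, imitated_domain) for a hostname seen in a link or log."""
    name = normalize(host)
    if name in TRUSTED:
        return ("trusted", name)
    # Punycode or non-ASCII labels can hide homoglyphs; send to manual review.
    if not name.isascii() or any(l.startswith("xn--") for l in name.split(".")):
        return ("idn-review", None)
    for good in sorted(TRUSTED):
        if skeleton(name) == skeleton(good):
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hostnames, including the one from the slide.
    for h in ("www.MICROS0FT.com", "www.microsoft.com", "rnicrosoft.com", "example.org"):
        print(h, classify(h))
```
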
Denial of service attacks
• Access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user
  - e.g. e-mail bomb attacks, Ping O'Death
  - Hackers with a low level of expertise
Direct attack
• By hacking Web sites they will gain a global audience for their actions and they will also be able to discredit the security of the companies using the on-line services
• Attacking computer files and destroying, modifying or extracting data
To reduce computer security risks
• Implement protective security measures such as passwords, access control and encryption in accordance with a defined security standard such as AS/NZS (information security management)
• Accredit themselves against security standards such as AS/NZS
• Raise awareness of security issues such as Y2K and electronic commerce risks among their staff
Conclusion
• Australian IT companies in a recent survey had no policy regarding hackers
• Organizations conducting electronic commerce (including SCM) via the Internet should be aware of the risks involved and some of the impacts if they became victims of hackers
Adding security to digital
American Shipper, Vol. 44 No. 1, January 2002
Philip Damas
SURF Bolero.net
• The London-based information technology company
• Electronic messaging system that provides security
• A "title registry" system
• Trade facilitation system that checks document content against other documents to establish automatically
SURF
• Settlement Utility for managing Risk and Finance
• A new value added service that fully automates the documentary settlement process
SURF process
• SURF manages the workflow between all parties involved in the transactions
1. Buyer and seller enter into a SURF Agreement
2. Banks provide guarantees of payment or performance on request
3. The seller presents trade documents
4. SURF checks compliance and issues a discrepancy report if needed
5. When documents are compliant, SURF requests completion of payment conditions
6. When conditions are met, documents are released to the buyer
Making SURF proposal process
[Diagram. Parties: Buyer, Seller, SURF, Bolero Core Messaging Platform. Labels: lodging SURF proposal, SURF proposal, request for acceptance.]
• About: parties to the agreement, the goods being traded, trade documents required, the form and timing of payment
Establishing the SURF agreement
[Diagram. Parties: Buyer, Seller, SURF, Bolero Core Messaging Platform. Labels: acceptance of proposal, notification of acceptance.]
• The Buyer is notified of the Seller's acceptance
Benefits
• SURF can enable an exporter working on open account with a customer to reconcile the purchase order, the invoice and other fulfillment documents
• Can be used by forwarders or other logistics providers to release documents against freight payments
• Can be used for documentary letters of credit
• Encryption
My Conclusions (1/2)
• First article
  - It explains the various forms of hacker attack and their repercussions well, but the content is mostly superficial and common-sense, and these forms of attack are general types even when the target is not an SCM network. It is regrettable that there is no explanation of security methods specific to SCM networks.
My Conclusions (2/2)
• The case of APL's e-B/L
• Very large multinational companies and transport providers
• It appears to be one of the security-system solutions that can be considered in logistics.