Abstract
This paper studies how to construct Information and Communication Technology (ICT) supply chain security requirements from the perspective of ICT supply chain security assurance. First, the security environment of the ICT supply chain is established in terms of ICT supply chain relationships, product life cycle stages, security driving factors and security properties. Second, ICT supply chain security requirements are derived from regulatory requirements and security best practices; each requirement is validated through the Asset-Threat-Objective-Requirement (ATOR) methodology, and in this way 10 categories comprising 100 items of ICT supply chain security requirements are established. Finally, the application scenarios and usages of the ICT supply chain security requirements are described.
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Wei, Y., Zheng, J., Zhong, H. (2024). A Systematic Method for Constructing ICT Supply Chain Security Requirements. In: Shao, J., Katsikas, S.K., Meng, W. (eds) Emerging Information Security and Applications. EISA 2023. Communications in Computer and Information Science, vol 2004 . Springer, Singapore. https://doi.org/10.1007/978-981-99-9614-8_4
DOI: https://doi.org/10.1007/978-981-99-9614-8_4
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-9613-1
Online ISBN: 978-981-99-9614-8
eBook Packages: Computer Science (R0)