
A Systematic Method for Constructing ICT Supply Chain Security Requirements

  • Conference paper
  • Emerging Information Security and Applications (EISA 2023)

Abstract

This paper studies how to construct Information and Communication Technology (ICT) supply chain security requirements from the perspective of ICT supply chain security assurance. First, the security environment of the ICT supply chain is established in terms of ICT supply chain relationships, product life cycle stages, security driving factors and security properties. Next, the paper proposes deriving ICT supply chain security requirements from regulatory requirements and security best practices; each requirement is validated through the Asset-Threat-Objective-Requirement (ATOR) methodology, and in this way 10 categories comprising 100 items of ICT supply chain security requirements are established. Finally, the application scenarios and usage of the ICT supply chain security requirements are described.




Corresponding author: Yinxing Wei.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Wei, Y., Zheng, J., Zhong, H. (2024). A Systematic Method for Constructing ICT Supply Chain Security Requirements. In: Shao, J., Katsikas, S.K., Meng, W. (eds) Emerging Information Security and Applications. EISA 2023. Communications in Computer and Information Science, vol 2004. Springer, Singapore. https://doi.org/10.1007/978-981-99-9614-8_4


  • DOI: https://doi.org/10.1007/978-981-99-9614-8_4


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-9613-1

  • Online ISBN: 978-981-99-9614-8

  • eBook Packages: Computer Science (R0)
