Information systems are increasingly “involved” within the Supply Chains (SCs) of Domestic Critical Infrastructures (DCIs), domestic operators of essential services, and national strategic industrial assets. These systems represent extremely appealing targets, due to the disruptive impact attainable by compromising such strategic services. Recent history also shows that they are often affected by vulnerabilities, sometimes even evident ones, that are difficult to fix. An attack on a critical infrastructure often originates from one of the companies belonging to its supply chain, because these companies have special access to the DCI’s information system. As a consequence, the overall level of security of the whole supply chain is determined by that of the company having the weakest cyber defense.
This is why in January 2012, President Obama released the National Strategy for Global Supply Chain Security. International trade has been and continues to be a powerful engine of global economic growth. However, new serious threats are posed by vulnerabilities in the cyber supply chain. Of the many components – including hardware, firmware, and software – that compose a technological product, most contain elements stemming from a broad global market (without considering the specific needs of the target infrastructure), making it difficult to ascertain the complete security of an end product. As the market for technological goods and components continues to grow rapidly every year, the complexity of a supply chain can be gargantuan. As a matter of fact, it often involves diverse interactions among suppliers, integrators, and services. With everything from missiles, energy grids, and watering systems to smartphones relying on these information products, the need for mutual trust in supply chain cyber security has never been more critical.
All of this enormously enlarges the attack surface, as it creates opportunities for adversaries to insert counterfeits, tamper with products, and introduce malicious software and hardware. These malicious cyber-physical activities are difficult to detect, and their impact can be particularly significant when DCIs are involved.
To make the situation even worse, the fast development of new technologies is causing a paradigm shift. New actors are becoming more and more central when dealing with DCIs and their SCs. For instance, the Internet of Things (IoT) is introducing ubiquitous computing into industrial processes (Industry 4.0) and Cyber Physical Systems (CPSs). Similarly, cloud computing provides a new integration with powerful, remote services. More recently, Fog Computing introduced the notion of application adaptation through code mobility for providing guarantees, e.g., responsiveness and low latency, that the cloud alone cannot achieve. These technologies have many, multifaceted security implications.
We claim that the current technologies cannot provide adequate support for the design and maintenance of a secure SC. This technical limitation poses a severe threat to the digital development of countries. Indeed, it is simply unrealistic for modern nations to give up on the creation of DCIs and SCs.
For these reasons, adequate security techniques and countermeasures must be developed in order to support the development process. Such techniques must rely on strongly validated methodologies, providing adequate security guarantees. Moreover, they must be applicable to real systems and scale properly to their actual dimensions.