The "4W+1H" of Software Supply Chain Security Checklist for Critical Infrastructure

• URL: http://arxiv.org/abs/2510.26174v1
• Date: Thu, 30 Oct 2025 06:32:11 GMT
• Title: The "4W+1H" of Software Supply Chain Security Checklist for Critical Infrastructure
• Authors: Liming Dong, Sung Une Lee, Zhenchang Xing, Muhammad Ejaz Ahmed, Stefan Avgoustakis,
• Abstract summary: Increasing frequency and sophistication of software supply chain attacks pose severe risks to critical infrastructure sectors.<n>Despite growing awareness, existing security practices remain fragmented and insufficient.<n>Few existing frameworks are explicitly tailored to CI domains.
• Score: 10.196356816275996
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: The increasing frequency and sophistication of software supply chain attacks pose severe risks to critical infrastructure sectors, threatening national security, economic stability, and public safety. Despite growing awareness, existing security practices remain fragmented and insufficient, with most frameworks narrowly focused on isolated life cycle stages or lacking alignment with the specific needs of critical infrastructure (CI) sectors. In this paper, we conducted a multivocal literature review across international frameworks, Australian regulatory sources, and academic studies to identify and analyze security practices across the software supply chain, especially specific CI sector. Our analysis found that few existing frameworks are explicitly tailored to CI domains. We systematically leveraged identified software supply chain security frameworks, using a "4W+1H" analytical approach, we synthesized ten core categories (what) of software supply chain security practices, mapped them across life-cycle phases (when), stakeholder roles (who), and implementation levels (how), and examined their coverage across existing frameworks (where). Building on these insights, the paper culminates in structured, multi-layered checklist of 80 questions designed to relevant stakeholders evaluate and enhance their software supply chain security. Our findings reveal gaps between framework guidance and sector-specific needs, highlight the need for integrated, context-aware approaches to safeguard critical infrastructure from evolving software supply chain risks.

Related papers

• ORCA -- An Automated Threat Analysis Pipeline for O-RAN Continuous Development [57.61878484176942]
  Open-Radio Access Network (O-RAN) integrates numerous software components in a cloud-like deployment, opening the radio access network to previously unconsidered security threats.<n>Current vulnerability assessment practices often rely on manual, labor-intensive, and subjective investigations, leading to inconsistencies in the threat analysis.<n>We propose an automated pipeline that leverages Natural Language Processing (NLP) to minimize human intervention and associated biases.
  arXiv  Detail & Related papers  (2026-01-20T07:31:59Z)
• S3C2 SICP Summit 2025-06: Vulnerability Response Summit [51.90004414779634]
  Researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) and the Software Innovation Campus Paderborn (SICP) conducted a Vulnerability Response Summit.<n>The goal of the Summit is to enable sharing between industry practitioners having practical experiences and challenges with software supply chain security.
  arXiv  Detail & Related papers  (2025-12-02T10:05:41Z)
• Software Security Mapping Framework: Operationalization of Security Requirements [12.04694982718246]
  The Software Security Mapping Framework is a structured solution designed to operationalize security requirements across hierarchical levels.<n>The framework systematically maps 131 refined security requirements to over 400 actionable operational steps spanning the software development lifecycle.<n>It is grounded in four core security goals: Secure Software Environment, Secure Software Development, Software Traceability, and Vulnerability Management.
  arXiv  Detail & Related papers  (2025-05-22T06:34:48Z)
• S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit [50.93790634176803]
  Over the past several years, there has been an exponential increase in cyberattacks targeting software supply chains.<n>The ever-evolving threat of software supply chain attacks has garnered interest from the software industry and the US government.<n>Three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 practitioners from 9 companies.
  arXiv  Detail & Related papers  (2025-05-15T17:48:14Z)
• An Analytics-Driven Approach to Enhancing Supply Chain Visibility with Graph Neural Networks and Federated Learning [52.79646338275159]
  We propose a novel approach that integrates Federated Learning (FL) and Graph Convolutional Neural Networks (GCNs) to enhance supply chain visibility.<n>FL enables collaborative model training across countries by facilitating information sharing without requiring raw data exchange.<n>GCNs empower the framework to capture intricate relational patterns within knowledge graphs, enabling accurate link prediction to uncover hidden connections.
  arXiv  Detail & Related papers  (2025-03-10T12:15:45Z)
• SoK: The Security-Safety Continuum of Multimodal Foundation Models through Information Flow and Game-Theoretic Defenses [58.93030774141753]
  Multimodal foundation models (MFMs) integrate diverse data modalities to support complex and wide-ranging tasks.<n>In this paper, we unify the concepts of safety and security in the context of MFMs by identifying critical threats that arise from both model behavior and system-level interactions.
  arXiv  Detail & Related papers  (2024-11-17T23:06:20Z)
• S3C2 Summit 2023-11: Industry Secure Supply Chain Summit [60.025314516749205]
  This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.
  arXiv  Detail & Related papers  (2024-08-29T13:40:06Z)
• Enhancing Software Supply Chain Resilience: Strategy For Mitigating Software Supply Chain Security Risks And Ensuring Security Continuity In Development Lifecycle [0.0]
  This article delves into the strategic approaches and preventive measures necessary to safeguard the software supply chain against evolving threats. It aims to foster an understanding of the challenges and vulnerabilities inherent in software supply chain resilience. The article contributes to the ongoing effort to strengthen the security posture of software supply chains.
  arXiv  Detail & Related papers  (2024-07-08T18:10:47Z)
• SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties [6.1570934202202725]
  This paper systematizes knowledge about secure software supply chain patterns. It identifies four stages of a software supply chain attack and proposes three security properties crucial for a secured supply chain.
  arXiv  Detail & Related papers  (2024-06-14T15:16:09Z)
• SoK: A Defense-Oriented Evaluation of Software Supply Chain Security [3.165193382160046]
  We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach. This paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships.
  arXiv  Detail & Related papers  (2024-05-23T18:53:48Z)
• Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
  We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
  arXiv  Detail & Related papers  (2024-05-03T07:18:45Z)
• Software supply chain: review of attacks, risk assessment strategies and security controls [0.13812010983144798]
  The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector. We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks. This study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks.
  arXiv  Detail & Related papers  (2023-05-23T15:25:39Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.