The aim of this document is to detail the requirements of the project together with its Key Performance Indicators (KPIs), setting the basis for the next development steps and allowing the assessment of the results.
The first chapter of this document provides an introduction to the overall contextualisation of the topics within the project BIECO.
The second chapter starts with the definition of the software supply chain and describes the main aspects relevant for trust development.
In the third chapter, the major classes of cyber security risks and threats are described, with a special focus on the most significant scenarios which can be found in the framework of the software supply chain.
Project goals and requirements are then identified in chapter four to respond to the previously mentioned issues in the use cases under the focus of BIECO. Preliminary work to define KPIs for each of the use cases is considered as well. On the basis of the results presented here, a detailed description of the three use cases will be presented in Deliverable 2.2, paving the way to the final definition of the specific goals of the project.
Chapter five presents the beyond-state-of-the-art activities to be developed within BIECO.
In chapter six, problems and gaps are identified. This supports and sets a starting point for Deliverable 2.2 “Use-Case Definition” in further defining the next development steps to be taken within the scope of BIECO.
The whole document is mainly related to Objective 1 and Task 2.1 which are reported here for convenience.
Objective 1 (WP2)
CHALLENGE: ICT supply chains are complex ecosystems in which many actors (systems, components, users, developers and organisations) are involved, pursuing higher productivity and competitiveness. In most cases these actors have no control over, or access to, the components provided by the other parties, so they have to assume that these elements follow best security practices and that their behaviour adheres to what is expected. However, vulnerabilities exist, and a cybersecurity issue in one of the ICT components can affect the integrity of the whole supply chain. Even though there are individual tools that address different security aspects, there is a need for a complete solution that addresses all of them and reinforces trust across the complete supply chain.
PROPOSITION: In BIECO, a holistic security framework for ensuring trust within ICT supply chains will be provided. The framework will comprise a set of tools and methodologies for vulnerability assessment, auditing, risk analysis, determining the best mitigation strategies, ensuring resilience and certifying the security and privacy properties of the ICT components and the complete supply chain. The tools will be deployed on a cloud platform that will follow the guidelines of the designed reference architecture.
The partners will contribute with their unique insights, providing detailed descriptions of relevant scenarios and the cybersecurity risks and threats encountered in a software supply chain, along with a list of expected improvements.
This task is not aimed at finding solutions; it serves only as a means to clearly identify problems and gaps and to better define the set of goals to be reached. Even though initial discussions have already started and a list of requirements was defined as part of the proposal, a further and deeper analysis needs to be performed.
With these requirements acting as the foundation, a list of Key Performance Indicators (KPIs) related to software supply chain cybersecurity will be defined, supporting the development of the remaining tasks during the rest of the project. Following this line of work, a list of adequate indicators for the evaluation of each of the use cases will be elaborated together with T2.2. With this approach, a precise and well-defined foundation can be built, guaranteeing that BIECO’s development is appropriately planned and implemented.