Research on Risk Analysis and Countermeasures of Software Supply Chain in Critical Information Infrastructure (original title: 关键信息基础设施软件供应链风险分析及应对方法研究)
Indexing: OA (open access); 北大核心 (Peking University core journal list); CSTPCD
Abstract: Security protection of systems in critical information infrastructure (CII) is crucial, and software supply chain risk analysis is an indispensable part of it. In recent years, supply chain attack incidents have increased rapidly and the situation is severe. Starting from an analysis of the potential problems in the main causes of software supply chain threats, namely "external" elements such as software components, personnel and supporting tools, and combining this with a survey of the current state of domestic and foreign policies and technologies, this paper proposes a software supply chain security framework for power industry systems. The framework covers 15 groups of security measures across 4 aspects: external component governance, supplier management, hardening of development and operation facilities, and the usage mechanism of the software bill of materials (SBOM); it can be extended further. It is intended to serve as a reference for software supply chain security protection of important information systems in the power industry.
Authors: 李祉岐; 郭晨萌; 汤文玉; 杨思敏; 王雪岩
Affiliation: 国网思极网安科技(北京)有限公司, Beijing 102200, China
Subject category: Computer Science and Automation
Keywords: critical information infrastructure (CII); system security; software supply chain; security framework; power industry
Journal: 《信息安全研究》 (Journal of Information Security Research), 2024, Issue 9
Pages: 833-839 (7 pages)