Säkra leveranskedjor för IT-system (Secure supply chains for IT systems)

Authors:

  • Daniel Eidenskog
  • Caroline Bildsten
  • Bodo Endres

Publish date: 2019-12-19

Report number: FOI-R--4851--SE

Pages: 58

Written in: Swedish

Research areas:

  • Information security (Informationssäkerhet)

Keywords:

  • Cyber supply chain
  • supply chain
  • resilience
  • risk management
  • complexity

Abstract

This study investigates what cyber supply chains are and examines the threat landscape surrounding them. The purpose of the study is to give a better understanding of the risks that can emerge in a cyber supply chain for IT systems and how to mitigate them. The knowledge presented in this report is intended to facilitate discussions about cyber supply chains and their associated risks for IT systems in the Swedish Armed Forces. The report primarily addresses readers working with acquisition, development and maintenance of IT systems at the Swedish Armed Forces. Two case studies were conducted to investigate the complexity of cyber supply chains for both hardware and software. The results of the case studies show that many parties are involved in the cyber supply chains and that they include actors from across the globe. The study shows that there is no simple solution for securing cyber supply chains. Instead, it requires solid risk management that addresses all suppliers, integrators, objects and processes in the supply chain. The goal of the risk management is to achieve resilience against adversarial threats in the supply chain. The study presents fifteen important principles with associated actions, based on publications from NIST, ENISA, MITRE and SAFECode. These principles do not constitute a complete list of all actions needed to secure a supply chain. Instead, they provide a starting point with some actions that are especially worth considering.