Improving Critical Infrastructure Protection by Enhancing Software Acquisition Process Through Blockchain

Proliferating supply chain attacks indicate that today's practices are insufficient for ensuring security and increasingly represent the weakest link in cybersecurity of software-based operational technologies. By tracking every action of integrating procured software components into an existing system, from analyzing vendors’ security to auditing purchaser's supply chain, a more secure software supply chain can be provided. Hyperledger Fabric, as a permissioned blockchain network, provides immutable i.e. tamper-proof solution for tracking the information stored on the ledger, while allowing only preauthorized actors to participate in the network. An approach that is taken in this paper is to track the software components that are introduced in the system, whether they are commercial-off-the-shelf components or tailor-made components and track their security analysis by utilizing blockchain technology. By defining Organization in blockchain network which can participate in the supply chain management process, this paper demonstrates the benefits of utilizing Hyperledger Fabric for managing acquired software components that are introduced in critical infrastructure. Given the analyzed use cases and proposed architecture, it can be concluded that Hyperledger Fabric blockchain provides necessary trust in a multi-party environment which is the basis for more efficient auditing of the whole process. The trustworthy logs and easier auditing are the key enablers for a supply chain management process that can address the described needs.