ICT-based SCs can be represented as being composed by four circles of consideration. The first inner circle, our starting point, includes all the ICT systems, equipment and devices (e.g., IoT systems, cyber physical systems, SCADA systems, Communication network assets, local hubs, switches, gateways, servers) used by the business partners and support the operation of the SCs. The second circle encapsulates the previous one and incorporates the individual Critical Information Infrastructures (CIIs) operated by the individual Business Partners involved in the SCs. The third circle encloses the two previous ones and represents the Interdependent CIIs composing the ICT-empowered SCs services. Finally, the fourth and outer circle contains all the above circles complemented with the Business Perspective of the SCs such as processes information exchange, business logic, etc. The above mentioned four circles have been identified and distinguished based on the homogeneity of characteristics (safety, technical requirements, architectures etc.) identified in each one of them.

Despite the fact that these areas have their own unique characteristics, they are not independent from each other. Inner circles can be seen as the building blocks of the external ones (“onion structure”), meaning that the security of the external circles is directly affected by the inner ones. Thus, the security and the resilience of the interdependent CIIs and the SCs’ Services (SCSs), is directly affected by the security of the individual CIIs (individual Business Partners) that compose it. However, it should be noted that the overall system is not secured by simply securing its “building blocks”. There are interdependences between the different layers that have their own specificities and require cross layer coordination. Conversely, exploring the development of a secure system out of potentially insecure components is also of interest. This can be accomplished through adopting specific measures (soft and hard security controls) like the following:

Organisational measures: Put in place and implement an effective security policy; Carry out security a risk assessment regularly; Ensure appropriate business continuity and disaster recovery plans; Establish a secure development life cycle’ Develop a full end-of-life strategy; Offer effective and secure patch management; Use proven solutions, i.e., well known communications protocols and cryptographic algorithms; Establish procedures for security incident handling; Participate in information sharing and coordinated vulnerability disclosure; Ensure the personnel is trained in privacy and security; Cybersecurity roles and responsibilities are established; Develop policy for processing of data by a third-party; Adopt cyber supply chain risk management policies; Make broad use of recognised solutions to known issues, even when it is not mandated by legislation;

Technical measures: Meet baseline security requirements for IoT; Carry out a risk assessment regarding the specific application area and complete it with suitable mitigation measures; The use of recognised solutions to known issues, even when it is not mandated by legislation; Ensure appropriate configuration of ICT systems and their segregation; Deploy cybersecurity measures to protect data at rest, in use and in motion; Apply appropriate traffic filtering; Use state-of-the-art cryptography and key storage methods; Put in place effective identity and access management; Ensure correct IT security maintenance; Develop policies for physical and environmental security.