Abstract
The recently concluded 16th edition of the World Economic Forum's Global Risks Report has ranked Cybersecurity failure as a significant global threat. This awakening is not surprising, and is perhaps even late, as witnessed by the reliance of a large part of critical sectors on the cyber infrastructure during the ongoing pandemic, or as shown by the recent and devastating SolarWinds attacks, whose implications and aftermath are still to be completely understood. In this paper, we provide several contributions towards the provisioning of a comprehensive, robust, and reliable framework for the cybersecurity of critical infrastructures. In particular, we first revise the scope and definition of critical infrastructures. Next, we expand the introduced concept to capture the modern deployment and operations of critical infrastructures, highlighting their interconnectedness and dependency on the software supply chain. Then, we show how the SolarWinds attack has exploited the defined model to perform one of the most devastating black hat operations ever seen. Finally, we also show some research directions to secure the software supply chain, calling for an approach that necessarily requires the interplay of sound theory, viable solutions, and legislative interventions.
| Original language | English |
|---|---|
| Pages (from-to) | 394-405 |
| Number of pages | 12 |
| Journal | CEUR Workshop Proceedings |
| Volume | 2940 |
| Publication status | Published - 2021 |
| Externally published | Yes |
| Event | 5th Italian Conference on Cybersecurity, ITASEC 2021 - Virtual, Online. Duration: 7 Apr 2021 → 9 Apr 2021 |
Keywords
- Critical infrastructures security
- Industrial control systems
- SolarWinds attack
- Supply chain
Fingerprint
Dive into the research topics of 'Beyond SolarWinds: The systemic risks of critical infrastructures, state of play, and future directions'. Together they form a unique fingerprint.