Journal of Information Security Research ›› 2024, Vol. 10 ›› Issue (9): 833-.


Research on Risk Analysis and Countermeasures of Software Supply Chain in Critical Information Infrastructure

Li Zhiqi, Guo Chenmeng, Tang Wenyu, Yang Simin, and Wang Xueyan   

  1. (State Grid Siji Network Security Technology (Beijing) Co., Ltd., Beijing 102200)
  • Online:2024-09-25 Published:2024-09-29

Research on Risk Analysis and Response Methods for the Software Supply Chain of Critical Information Infrastructure (Chinese title)

Li Zhiqi, Guo Chenmeng, Tang Wenyu, Yang Simin, Wang Xueyan

  1. (State Grid Siji Network Security Technology (Beijing) Co., Ltd., Beijing 102200)
  • Corresponding author: Li Zhiqi, master's degree, company director, senior engineer. Main research interests: network security, data security. 20888788@qq.com
  • Author biographies: Li Zhiqi, master's degree, company director, senior engineer. Main research interests: network security, data security. 20888788@qq.com. Guo Chenmeng, master's degree, company project manager. Main research interests: network security, data security. 842988212@qq.com. Tang Wenyu, master's degree, company project manager. Main research interests: network security, data security. tangwenyu_work@126.com. Yang Simin, company project manager. Main research interests: network security, data security. ssiminn@163.com. Wang Xueyan, master's degree, company project manager. Main research interests: network security, data security. 476764414@qq.com

Abstract: Security protection of systems in critical information infrastructure (CII) is essential, and software supply chain risk analysis is an indispensable part of it. In recent years the number of supply chain attack incidents has grown rapidly. This paper first analyses the potential problems of "external" software components, personnel, tools and other factors, which are the main sources of software supply chain threats, and then summarizes current domestic and foreign policy and technology research. On this basis it proposes a software supply chain security framework for power-industry systems covering 15 groups of security measures across 4 aspects: external component governance, supplier management, hardening of development and operation facilities, and a usage mechanism for the software bill of materials (SBOM); all of these can be further extended. The framework is intended as a reference for software supply chain security protection in power-industry information systems.
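The abstract names an SBOM usage mechanism alongside external component governance and supplier management but, being an abstract, gives no detail of how the three interact. The following Python admission check is an added example, not code from the paper or its authors: it shows how all three measures can be driven from a single CycloneDX-shaped SBOM before an external component is admitted into a build. The SBOM, the staged artifact bytes, the vendor names, the supplier allowlist and the advisory identifiers ADV-0001 and ADV-0002 are all constructed for this illustration and refer to no real product or vulnerability.

```python
"""Added example (not from the paper): SBOM-driven admission check for
external components. All inputs below are constructed; the advisory IDs,
package names and vendor names are hypothetical."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: bytes of the artifacts actually staged for deployment.
ARTIFACTS = {
    "pkg:pypi/example-parser@1.4.2": b"example-parser 1.4.2 wheel contents",
    "pkg:pypi/example-crypto@3.0.1": b"example-crypto 3.0.1 wheel contents",
    "pkg:npm/example-ui@0.9.0": b"example-ui 0.9.0 tarball contents",
}

# Constructed CycloneDX-shaped SBOM (specVersion 1.4 field names). The hash
# recorded for example-ui deliberately does NOT match the staged artifact,
# modelling a component swapped out after the SBOM was produced.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-parser", "version": "1.4.2",
         "purl": "pkg:pypi/example-parser@1.4.2",
         "supplier": {"name": "Example Vendor A"},
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(ARTIFACTS["pkg:pypi/example-parser@1.4.2"])}]},
        {"type": "library", "name": "example-crypto", "version": "3.0.1",
         "purl": "pkg:pypi/example-crypto@3.0.1",
         "supplier": {"name": "Unknown Mirror"},
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(ARTIFACTS["pkg:pypi/example-crypto@3.0.1"])}]},
        {"type": "library", "name": "example-ui", "version": "0.9.0",
         "purl": "pkg:npm/example-ui@0.9.0",
         "supplier": {"name": "Example Vendor B"},
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(b"example-ui 0.9.0 AS ORIGINALLY SHIPPED")}]},
    ],
})

# Hypothetical advisory feed: versions below "fixed_in" are affected.
ADVISORIES = [
    {"id": "ADV-0001", "purl_prefix": "pkg:pypi/example-parser@", "fixed_in": "1.5.0"},
    {"id": "ADV-0002", "purl_prefix": "pkg:npm/example-ui@", "fixed_in": "0.9.0"},
]
# Hypothetical supplier allowlist maintained by supplier management.
APPROVED_SUPPLIERS = {"Example Vendor A", "Example Vendor B"}


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; sufficient for the constructed data."""
    return tuple(int(p) for p in v.split("."))


def audit_sbom(sbom_json: str, artifacts: dict, advisories: list, approved: set) -> list:
    """Return (purl, reason) findings; an empty list means the build is admitted."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        purl = comp["purl"]
        # 1. External component governance: reject known-vulnerable versions.
        for adv in advisories:
            if purl.startswith(adv["purl_prefix"]) and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append((purl, f"vulnerable: {adv['id']} fixed in {adv['fixed_in']}"))
        # 2. Supplier management: admit only components from approved suppliers.
        supplier = comp.get("supplier", {}).get("name", "")
        if supplier not in approved:
            findings.append((purl, f"unapproved supplier: {supplier or '<none>'}"))
        # 3. Integrity: the staged artifact must match the SBOM-recorded SHA-256.
        recorded = {h["alg"]: h["content"] for h in comp.get("hashes", [])}.get("SHA-256")
        staged = artifacts.get(purl)
        if staged is None:
            findings.append((purl, "artifact missing"))
        elif recorded is None or sha256_hex(staged) != recorded:
            findings.append((purl, "hash mismatch against SBOM"))
    return findings


if __name__ == "__main__":
    for purl, reason in audit_sbom(SBOM_JSON, ARTIFACTS, ADVISORIES, APPROVED_SUPPLIERS):
        print(f"REJECT {purl}: {reason}")
```

Run as a script, the check rejects all three constructed components for three different reasons: example-parser for a version below the advisory's fix, example-crypto for an unapproved supplier, and example-ui for a hash mismatch even though its version is not affected. In a real pipeline the advisory feed and allowlist would be fetched rather than embedded, and the SBOM itself should be signed so that the hash it records cannot be rewritten alongside the swapped artifact.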

Key words: critical information infrastructure (CII), system security, software supply chain, security framework, power industry

Abstract (translated from Chinese): Security protection of systems in critical information infrastructure is of vital importance, and software supply chain risk analysis is indispensable to it. In recent years supply chain attack incidents have grown rapidly and the situation is serious. Starting from an analysis of the potential problems in the main triggers of software supply chain threats, such as "external" software components, personnel and supporting tools, and combining this with a study of the current state of domestic and foreign policy and technology, this paper proposes a software supply chain security assurance framework for power-industry systems. It covers 15 groups of security methods in 4 areas: external component governance, supplier management, hardening of development and operation facilities, and an application mechanism for the software bill of materials; the framework can be extended continuously and aims to provide a reference for software supply chain security protection of important power-industry information systems.

Key words (translated from Chinese): critical information infrastructure, system security, software supply chain, security assurance framework, power industry
