The cyber threat to UK business 2017-2018 report – NCSC

Supply chain cyber attacks are somewhat below the radar, rarely get publicity, and can be very damaging.

Interesting observations in the above report on the supply chain:

2017 saw some significant examples of supply chain attacks, including the compromise of a large number of managed service providers (MSPs), enabling access to commercially sensitive data from them and their clients. At least two software companies had their products (MeDoc and CCleaner) compromised at source, resulting in their customers being infected with malware when downloading the software/update (NCSC, 2018)

Cyber security of the supply chain is of course not a new concept, and has been an integral part of information assurance (IA) theory and practice for decades. However, in recent years the nature of the supply chain has changed, and continues to change. With the rise of a variety of third-party services complementing self-hosted and self-maintained solutions, the risk picture from relying on third-party vendors has changed considerably.

This requires new approaches to managing the risk posed by the supply chain. There is a whole slew of relevant topics here; some that come to mind include:

  • Security practices and plans of the supplier: for instance, are they ISO/IEC 27001 compliant, and if so, what is the scope of that compliance?
  • Asset management within the supply base, and the usual security controls, including access control
  • Information security management at a practical level: incident management, patch management, assurance maintenance plans, and so on
  • Cyber Essentials certification (including Cyber Essentials Plus)
  • Policies used by suppliers to manage their information security processes
  • How the supplier organises information security, including roles and responsibilities
  • Supplier HR processes, including confidentiality clauses in contracts of employment, and so on
  • How suppliers themselves manage their own supply chain, recognising that a cyber attack can occur at any level of the supply chain (attackers will probe and target the weakest link in the chain where that offers a clear advantage)
  • How the supplier acquires systems and develops solutions using them
  • Physical, communications and operations security
  • Management of cryptographic technology

All of the above can be encompassed in a good implementation of the ISO standards, and before reaching the stage of formalising a relationship with a service provider, certification under standards such as ISO/IEC 27001 should be at the forefront of technology leaders' minds.

Of course, that is a sensible process for a B2B situation, for a long-lived contract over several years, and where both sides have the capability to adapt and respond to the shared goals of a supply chain contract.

However, in many cases, particularly for software products as opposed to services or hybrid supply, it is often not practical to require adherence to an industry standard. Suppliers may hold some relevant certifications, but their scope may be limited, and extending that coverage may not be feasible.

In other cases, the supply chain cannot offer standards compliance and does not attempt to do so. Examples include the use of free and open source software (FOSS) in software systems, and tools and technologies developed by relatively small startups or groups of individuals. This part of the supply chain is growing considerably, and its potential impact on organisational IT infrastructure is substantial.

Managing the security risk of IT supply chains is an increasingly complex picture. Whatever the type of supply chain and the products or services concerned, the requirement to assess and treat supply chain cyber security risk is substantial in every case.

It’s a bit of a cliché, but risk cannot be transferred away from the risk owner, and it’s a mistake to view supply chains as a means of transferring risk.