Mapping the Risks: NCSC’s Guidance on Supply Chain Security
Cyber attacks affecting an organisation’s supply chain – rather than the organisation directly – are becoming increasingly commonplace.
If a supplier is breached, its customers' assets are at risk. Mindful of this, attackers have adopted the tactic of reaching their targets through the software supply chain. As previously reported, this form of attack first came to prominence with the NotPetya attack of 2017, which reached victims through a poisoned update of the Ukrainian accounting package M.E.Doc, and the SolarWinds breach of 2020, in which a backdoor was shipped inside signed Orion builds. It has since become a scourge of corporate security.
The exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer to steal data from users of the product, and then attempt to extort them, shows that supply chain attacks are a vector for cybercriminals as well as nation-states. Strictly, MOVEit was a flaw in a widely deployed third-party product rather than a tampered update, but the effect on victims was the same: data held in a supplier-provided system was exposed through no action of their own.
Commercial software packages, open-source components and elements of cloud technology are all at risk from supply chain attacks.
The objectives of supply chain attacks range from sabotage and malware distribution to ransomware and cyber espionage. A chain is only as strong as its weakest component, and problems can arise from the providers that serve an organisation's suppliers (so-called fourth parties) as readily as from vendors with which it has a direct business relationship, which further complicates the picture.
Supply Chain Dependencies
The UK National Cyber Security Centre (NCSC)'s 2022 Annual Review singled out supply chain security as a key “future threat challenge”. The NCSC followed that warning earlier this year with guidance on how organisations can map their supply chain risks.
The guidance, aimed at medium to large organisations, provides practical steps to better assess cyber security in supply chains. This is a challenging task, as the NCSC acknowledges.
“Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it,” explains the NCSC, the UK's national technical authority for cyber security.
The daunting task of mapping supply chain dependencies can be handled by breaking it down into manageable parts, including:
- What product or service is being provided, by whom, and the importance of that asset to an organisation
- An inventory of suppliers and their subcontractors, showing how they are connected
Assurance experts have welcomed the NCSC’s mapping guidance.
Piers Wilson, director of the Chartered Institute of Information Security (CIISec), told ISMS.online: “The NCSC guidance highlights the need to identify and understand suppliers and their individual risks at all levels of the chain. Some suppliers you might share data with, while others won’t touch your data while providing critical support. Regardless, all of these increase the potential attack surface.”
Wilson continued: “Then there are systemic risks from the likes of cloud or managed service providers that might underpin not just your business but other organisations you rely on.”
Part of the work is mapping dependencies, which is akin to taking an asset inventory. Wilson explained: “The assessment and audit processes used to map the supply chain need to be fit for purpose, repeatable, and cope with business needs. They also need to provide the necessary information on risks, the status of cyber hygiene and the wider attack surface. NCSC’s guidance is a step towards achieving this.”
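The NCSC breakdown above (who provides what, how important it is, and how suppliers and subcontractors connect) and Wilson's point about shared providers creating systemic risk both reduce to questions over a dependency graph. The following is an added example, not code from the NCSC or ISMS.online, that models a small supply chain as such a graph and answers three of those questions: which tier each provider sits at, which upstream providers are shared by several direct suppliers (concentration risk), and which of the organisation's services are exposed if a given provider is breached. All supplier names, services and criticality ratings are constructed for illustration.

```python
"""Supply chain dependency mapping as a graph: a worked example.

Added example, not NCSC or ISMS.online code. Supplier names, services and
profiles below are constructed; only the graph shape matters.
"""
from collections import deque

# Constructed sample data. Each supplier maps to the providers it depends on
# and the service each provider delivers to it. "org" is the organisation
# doing the mapping; its direct (tier 1) suppliers are its outgoing edges.
SUPPLY_CHAIN = {
    "org": {"payroll-saas": "payroll", "mssp": "SOC monitoring",
            "dev-shop": "app development"},
    "payroll-saas": {"cloud-a": "hosting", "email-relay": "notifications"},
    "mssp": {"cloud-a": "log storage", "siem-vendor": "SIEM software"},
    "dev-shop": {"git-host": "source hosting", "cloud-a": "CI runners"},
    "cloud-a": {},
    "email-relay": {"cloud-b": "hosting"},
    "siem-vendor": {},
    "git-host": {"cloud-b": "hosting"},
    "cloud-b": {},
}

# Constructed per-supplier attributes: importance of the service to "org" and
# whether the supplier handles org data (a supplier can be critical without
# ever touching data, e.g. a managed service provider).
SUPPLIER_PROFILE = {
    "payroll-saas": {"criticality": "high", "handles_data": True},
    "mssp": {"criticality": "high", "handles_data": True},
    "dev-shop": {"criticality": "medium", "handles_data": False},
}


def tiers(chain, root="org"):
    """Breadth-first walk from the organisation. Returns {supplier: tier},
    tier 1 being a direct supplier; a provider reachable by several paths
    gets its shortest distance."""
    seen = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in chain.get(node, {}):
            if dep not in seen:
                seen[dep] = seen[node] + 1
                queue.append(dep)
    seen.pop(root)
    return seen


def reachable(chain, start):
    """Every provider transitively upstream of `start` (start excluded)."""
    out, stack = set(), list(chain.get(start, {}))
    while stack:
        node = stack.pop()
        if node not in out:
            out.add(node)
            stack.extend(chain.get(node, {}))
    return out


def concentration(chain, root="org"):
    """Providers that sit beneath more than one tier-1 supplier. A single
    compromise there hits several of the organisation's services at once,
    which is the systemic risk a flat supplier list does not reveal."""
    under = {}
    for tier1 in chain.get(root, {}):
        for dep in reachable(chain, tier1) | {tier1}:
            under.setdefault(dep, set()).add(tier1)
    return {dep: sorted(t1s) for dep, t1s in under.items() if len(t1s) > 1}


def blast_radius(chain, compromised, root="org"):
    """Services exposed if `compromised` is breached: each tier-1 supplier
    that is the compromised party or has it somewhere upstream."""
    return {t1: svc for t1, svc in chain.get(root, {}).items()
            if t1 == compromised or compromised in reachable(chain, t1)}


def exposure_report(chain, profiles, compromised, root="org"):
    """Blast radius enriched with data exposure and criticality, ordered so
    that suppliers holding org data come first."""
    report = []
    for t1, svc in blast_radius(chain, compromised, root).items():
        prof = profiles.get(t1, {"criticality": "unknown", "handles_data": False})
        report.append({"supplier": t1, "service": svc,
                       "data_at_risk": prof["handles_data"],
                       "criticality": prof["criticality"]})
    return sorted(report, key=lambda r: (not r["data_at_risk"], r["supplier"]))


if __name__ == "__main__":
    print("tiers:", tiers(SUPPLY_CHAIN))
    print("shared providers:", concentration(SUPPLY_CHAIN))
    for provider in ("cloud-a", "cloud-b", "siem-vendor"):
        print(f"if {provider} is breached:",
              exposure_report(SUPPLY_CHAIN, SUPPLIER_PROFILE, provider))
```

In the constructed data, cloud-a appears under all three direct suppliers even though the organisation has no contract with it, and cloud-b only shows up at tier 3; neither would be visible in a contract-based vendor list, which is the practical reason the guidance asks for subcontractors and their connections rather than a list of signed suppliers. Real mapping replaces the hard-coded dictionary with data collected from supplier questionnaires and assurance evidence, but the questions asked of it stay the same.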
Supply chain risks emerged as a critical challenge in ISMS.online’s recent State of Information Security report. In a survey of 500 senior information security professionals, 30% of respondents cited managing vendor and third-party risk as a “top information security challenge”. Over half (57%) of organisations surveyed experienced a breach due to a supply chain compromise.
Overload
CIISec warned that supply chain mapping would likely put increased strain on already hard-pressed security teams.
CIISec’s Wilson commented: “Following NCSC and ISO guidelines will help security teams identify the most efficient and effective way to map and protect their supply chains. But in addition, the industry needs to keep investing in training and attracting fresh blood, so teams are given the skills and support they need and don’t burn out.”
Establishing a Framework
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It sets out the requirements for establishing, operating and continually improving an ISMS that protects the confidentiality, integrity and availability of corporate information; its companion standard, ISO/IEC 27002, provides implementation guidance for the controls.
The standard's best-practice approach helps organisations manage information security through controls that cover people, processes and technology. Its Annex A includes a group of supplier-relationship controls (5.19 to 5.23 in the 2022 edition) that address supplier agreements, the ICT supply chain, monitoring of supplier services and the use of cloud services.
The NCSC’s mapping advice cites its own Cyber Essentials scheme, ISO certification and product certifications as evidence that can feed a supply chain map.
Luke Dash, ISMS.online’s chief exec, said that organisations need to work with their suppliers in a joint effort to map supply chain risks, using ISO 27001 as a guide. “ISO 27001, renowned for its comprehensive approach to managing information security risks, perfectly complements the NCSC’s supply chain mapping advice by providing a robust framework for organisations seeking to safeguard their digital assets,” Dash explained. “Both entities prioritise the critical risk assessment step, emphasising the need for organisations to identify and evaluate risks associated with their information assets and supply chains.”
Dash added: “By undertaking a joint risk assessment journey, organisations can comprehensively understand potential vulnerabilities, empowering them to implement targeted security measures.”
Part of the risk management process involves gauging suppliers’ security maturity before using this data to inform procurement decisions. ISMS.online’s Dash explained: “The NCSC’s supply chain mapping advice stresses the significance of assessing suppliers’ security practices, including their understanding of emerging threats and incident response capabilities. Harmonising these criteria enables organisations to make informed decisions, selecting suppliers with robust security postures that align with their stringent standards.”
Contractual agreements also play an essential role in creating a cohesive framework. “ISO 27001 highlights the importance of establishing clear agreements defining information security responsibilities and supplier expectations,” said ISMS.online’s Dash. “In perfect alignment, the NCSC’s supply chain mapping advice encourages organisations to incorporate security requirements within contractual arrangements, ensuring adherence to rigorous security standards throughout the supply chain.”
Continuous monitoring and review are vital components of both the NCSC’s supply chain mapping advice and ISO 27001, which allows the two complementary frameworks to be applied in tandem. “ISO 27001’s emphasis on continuous improvement aligns seamlessly with the NCSC’s recommendation for a regular reassessment of supply chain risks and periodic reviews of supplier security practices,” ISMS.online’s Dash concluded.
“By adopting this shared approach, organisations remain agile, proactively addressing emerging threats and ensuring the ongoing security of their supply chains.”