The U.K.’s Department for Digital, Culture, Media, and Sport (DCMS) on Monday called for views on several measures to enhance the security of digital supply chains and third-party services, building on the government’s latest efforts to help British businesses maintain business continuity and increase their cyber resilience. The ‘Call for Views on Supply Chain Cyber Security’ will remain open until Jul. 11.
The digital supply chain covers the supply of digital products and services, and business-critical information flows across it. Each supplier has a digital connection to the organization, and so does that supplier’s own wider, digitally connected supply chain.
The agency aims to set out a framework of measures that organizations should take, including having policies to protect devices and prevent unauthorized access, ensuring data is protected at rest and in transit, keeping secure and accessible backups of data, training staff, and pursuing a positive cybersecurity culture. It also seeks views on the existing guidance for supply chain cyber risk management and on the suitability of a proposed security framework for firms.
The information collected and analyzed through the government’s call for views will contribute to the development of policy solutions to provide further support to organizations with supplier cyber risk management guidance and assurance. It will also help to highlight what additional support or direction is required from the government to enable organizations of all sizes and sectors to become increasingly secure online.
The measures taken by the U.K. government come close on the heels of the U.S. administration releasing an Executive Order to modernize U.S. critical infrastructure, in the wake of the DarkSide ransomware attack on Colonial Pipeline.
To support organizations with their supplier risk management, the U.K.’s National Cyber Security Centre (NCSC) has developed Supply Chain Security Guidance to help organizations establish effective control and oversight of their supply chain. The principles outlined in the guidance provide advice for organizations to understand the risk, establish control of supply chains, check arrangements to gain confidence in managing supplier risk, and provide continuous improvement to enhance and maintain security.
The NCSC also helps organizations assess the security risks of their suppliers, offering advice on identifying business-wide cybersecurity risks and vulnerabilities (for example through the Cyber Assessment Framework) as well as the specific Supply Chain Security Guidance.
The U.K. defines its critical national infrastructure as those infrastructure components (facilities, systems, sites, property, information, people, networks and processes) whose loss or compromise would have a major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or loss of life.
“It’s essential that organizations take steps to secure their mission-critical supply chains – and remember they cannot outsource risk,” Matt Warman, the U.K.’s digital infrastructure minister, said in a statement. “They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible.”
The U.K.’s Cyber Security Breaches Survey 2021 found that only 12 percent of businesses review risks coming from immediate suppliers, while just one in twenty firms (5 percent) address risks coming from wider supply chains. With organizations increasingly moving their operations online, business continuity and resilience are becoming reliant on managed service providers (MSPs), which play a critical role in the U.K.’s supply chains across all sectors of the economy, including government and critical national infrastructure.
The proposals could require MSPs to meet the current Cyber Assessment Framework, a set of 14 cyber security principles designed for organizations that play a vital role in the day-to-day life of the U.K.
As MSPs play a critical role in the modern global digital economy, and because these suppliers provide critical services at scale, their vulnerabilities may present a threat to the security and stability of key parts of the economy. Such vulnerabilities may be exacerbated by the fact that many MSPs operate internationally and provide services across national borders, which is why the U.K. government has identified MSPs as a priority in addressing supply chain cyber security.
As supply chains become more interconnected, vulnerabilities in suppliers’ products and services correspondingly become more attractive targets for attackers who want to gain access to the organizations those suppliers serve, the agency added.
While the government is in the early stages of understanding the cyber security risks associated with MSPs, it is clear that policy solutions are needed to address the threat. The government will work throughout 2021 to develop and publish a framework for addressing MSP-associated risks.
As companies introduce more touchpoints in their supply chains, diligence is needed to ensure risk is assessed and mitigated, wrote Jim Birmingham in a blog post on the website of cybersecurity firm TDI Technologies. “Each time a company adds a new technology or service provider, a new element of risk is also added. This creates a greater need for a new level of insight into the security and reliability of partners,” he added.
“Supply chain cyber risk is complicated and spans the entire lifecycle of a product – design, manufacturing, distribution, deployment, maintenance, and disposal,” according to Claroty. “The more protracted and complex the life cycle, the more opportunities for threat actors to exploit the product by targeting less secure elements in the chain. And because supply chains are often global and span multiple tiers of suppliers, the responsibility of security doesn’t rest with a single organization,” the post added.