Rise in supply chain cyber attacks pushes UK’s NCSC to issue fresh cybersecurity guidance

The U.K.’s National Cyber Security Centre (NCSC) published Wednesday new cybersecurity guidance to help organizations assess and gain confidence in the cybersecurity of their supply chains. The advisory comes in response to growing trends in supply chain attacks and calls upon organizations to work with suppliers to identify weaknesses and boost resilience.

The guidance has been published in conjunction with the Cross Market Operational Resilience Group (CMORG), which supports the improvement of the operational resilience of the financial sector, though the advice is for organizations in any sector. Designed for medium and larger organizations, the advisory helps them assess the cyber risks of working with suppliers and gain assurance that mitigations are in place for the vulnerabilities associated with those supplier relationships.

The NCSC cybersecurity guidance describes typical supplier relationships and the ways organizations are exposed to vulnerabilities and cyber-attacks through the supply chain, and defines expected outcomes and key steps to help assess the supply chain’s approach to cybersecurity. It supplements the NCSC’s Supply Chain Principles (published in 2020), which are referenced throughout.

Supply chain attacks can cause far-reaching and costly disruption, yet the latest U.K. government data shows that just over one in ten businesses (13 percent) review the risks posed by their immediate suppliers, and only about 7 percent review the risks posed by their wider supply chain.

“Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers,” Ian McCormack, deputy director for government cyber resilience at the NCSC, said on Wednesday. “With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place. Our new guidance will help organisations put this into practice so they can assess their supply chain’s security and gain confidence that they are working with suppliers securely.”

“UK organisations of all sizes are increasingly reliant on a range of IT services to run their business, so it’s vital these technologies are secure,” Julia Lopez, cyber minister, said. “I urge businesses to follow this expert guidance from our world-leading National Cyber Security Centre. It will help firms protect themselves and their customers from damaging cyber attacks by strengthening cyber security right across their supply chains.”

The cybersecurity guidance is aimed at procurement specialists, risk managers, and cybersecurity professionals wanting to establish (or improve) an approach for assessing the cyber security of their organization’s supply chain, Ian McCormack, deputy director for government at the NCSC, said. “It can be applied ‘from scratch’, or can build upon any existing risk management techniques and approaches that you may have in use,” he added.

The interconnected and distributed nature of the supply chain can make it difficult to know how suppliers are managing and maintaining their cybersecurity. In recent years, there’s been a significant increase in the number of cyber attacks resulting from vulnerabilities in the supply chain. These attacks can result in devastating, expensive, and long-term ramifications for affected organizations, their supply chains, and their customers.

The NCSC identifies that organizations with limited resources may face challenges such as low recognition or understanding of the risk that poor supply chain cybersecurity can pose, lack of investment to protect against supply chain risks, limited visibility into supply chains, insufficient tools and expertise to evaluate suppliers’ cybersecurity, and not knowing what they should be asking their suppliers to do.

The NCSC cybersecurity guidance is broken into five stages, with key steps in each stage. The first stage enables organizations to gain knowledge about their organization’s approach to cybersecurity risk management. It helps provide a better understanding of the threats to the supply chain based on the nature of the relationship with suppliers, and the access they have to the organization’s systems and services. It will also provide an increased understanding of existing risk appetite and processes within the organization, senior buy-in to implement change to establish or improve supply chain cybersecurity, and a team established to develop a new approach for assessing supply chain cybersecurity.

The next stage works towards developing an approach to assessing supply chain cybersecurity, by understanding and prioritizing what the organization cares about and creating key components for the approach. To determine the critical aspects in the organization that need the most protection, such as the ‘crown jewels’, they must take into consideration potential threats, vulnerabilities, impact, and the organization’s risk appetite. The cybersecurity guidance also calls upon organizations to create key components for their approach by generating a repeatable, consistent approach for assessing the cybersecurity of suppliers.

In the third stage, the NCSC guidance works on embedding new security practices throughout the contract lifecycle of new suppliers, from procurement and supplier selection through to contract closure. The move will likely lead to cybersecurity practices being embedded throughout the acquisition process, supported by a multidisciplinary team of cybersecurity-trained professionals. It will also lead to increased awareness of supply chain threats amongst staff, and to performance being regularly measured against defined metrics that are visible to board members.

The next stage integrates the approach into existing supplier contracts. It also reviews existing contracts either upon renewal, or sooner where critical suppliers are concerned. The initiative will likely lead to a register recording all suppliers, with ‘high priority’ suppliers risk assessed against defined security controls. Suppliers with security shortfalls are identified, and a plan to improve their security is agreed upon. Additionally, the approach is improved based on lessons learned from the activity, and performance is regularly measured against defined metrics that are visible to board members.

The last stage works on periodically refining the organization’s approach as new issues emerge, which will reduce the likelihood of risks being introduced into the organization via the supply chain. This establishes a foundation for continuous improvement.

In addition to the cybersecurity guidance focused on improving supply chain cyber resilience, the NCSC has published a range of advice to help organizations improve their own cybersecurity. These include the 10 Steps to Cyber Security guidance, aimed at larger organizations, and the Small Business Guide for smaller organizations.

Supply chain attacks have been a cause of concern for governments around the world. Last month, the Office of Management and Budget (OMB) in the U.S. published a memorandum that focuses on enhancing the security of the software supply chain through secure software development practices. The OMB memorandum builds on U.S. President Joe Biden’s Executive Order 14028 released last May, which focuses on the security and integrity of the software supply chain, emphasizing the importance of secure software development environments.

Before that, in July, the Cyber Security Agency of Singapore (CSA) released a CII Supply Chain program paper that acts as a blueprint for the CSA, sector leads, CIIOs (critical information infrastructure owners), and vendors to build cybersecurity and resilience into the CII supply chain in response to the evolving threat landscape and increased digitalization.
