NCSC issues guidance on protecting against supply chain cyber risks
- Published: Thursday, 13 October 2022 09:51
The UK National Cyber Security Centre (NCSC) has published new guidance to help organizations effectively assess and gain confidence in the cyber security of their supply chains. The new guidance is designed to help medium and larger organizations effectively assess the cyber risks of working with suppliers and gain assurance that mitigations are in place.
Supply chain attacks can cause far-reaching and costly disruption, yet the latest UK government data shows just over one in ten businesses review the risks posed by their immediate suppliers (13 percent), and the proportion for the wider supply chain is just 7 percent.
Ian McCormack, NCSC Deputy Director for Government Cyber Resilience, said:
“Supply chain attacks are a major cyber threat facing organizations and incidents can have a profound, long-lasting impact on businesses and customers.
“With incidents on the rise, it is vital organizations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.
“Our new guidance will help organizations put this into practice so they can assess their supply chain’s security and gain confidence that they are working with suppliers securely.”
The guidance has been published in conjunction with the Cross Market Operational Resilience Group (CMORG) which supports the improvement of the operational resilience of the financial sector, though the advice is for organizations in any sector.
It aims to help cyber security professionals, risk managers and procurement specialists put into practice the NCSC’s 12 supply chain security principles and follows the government’s response to a call for views last year which highlighted the need for further advice.
Read ‘How to assess and gain confidence in your supply chain cyber security’.
Andy Zollo, Regional Vice President, EMEA at Imperva:
“While a business may have the right security controls in place, it doesn’t mean their vendors across the supply chain do. This is particularly important when a business relies on third-party software or API dependencies. The NCSC’s new guidance will be helpful for organizations that are trying to navigate this complex risk.
The expanding software supply chain - along with the complexity of modern applications - means vulnerabilities will be introduced at a greater velocity. To help address the growing scale of attacks within the software development lifecycle, organizations need to adopt a threat model that includes all parts of the supply chain, including Nth-party code. The approach should focus on protecting the data and all paths to it, recognizing the intractable problem of third-party software applications and libraries that have direct access to sensitive data.
Organizations must also think differently about protection. Modern applications are powered by a complex ecosystem of APIs, microservices, and serverless functions. Defense starts by identifying run-time application behavior and blocking unexpected behaviors that can lead to a novel attack.
Further, having visibility into specific APIs – and the data they’re accessing – is fundamental. API ecosystems are growing rapidly to enable applications and databases to seamlessly work together to exchange data. Without the right protection, an API is a critical part of the software supply chain that can be compromised as a pathway for hackers to access an organization’s sensitive data.
A supply chain attack is more than just a security issue; it’s an operational threat that can impact the physical supply chain and the wider economy. For example, software security issues targeted at an order fulfilment application could cause downstream disruption to the physical supply chain, such as stopping orders from leaving the warehouse and leaving customers without their goods. This represents a complex issue that impacts both businesses and consumers.”
Steve Judd, Senior Solutions Architect at Jetstack, by Venafi:
“The guidance from NCSC on securing software supply chains is a positive step towards raising awareness of the issue in the wake of damaging attacks, such as SolarWinds and the Log4J vulnerability. However, it offers the security industry very little in the way of actionable, technical information as it mainly focusses on issues such as supplier and stakeholder communication and 'identifying your crown jewels'. With this information being aimed at security professionals – among others – it lacks a bit of depth and can only take organizations so far in the journey to securing software supply chains. We must have more sophisticated, technical guidance on issues such as the provenance of open source software if we’re to counter this complex problem.
“The government should be recommending specific tools and guidance from trusted sources that will help organizations to evaluate their software supply chain’s security posture and prioritise critical tasks. This can seem like an overwhelming mission for already stretched teams, but there are tools which help developer and security teams to assess their supply chain security posture. From here they can prioritise how to move forward and identify which aspects are quick wins, and others that are longer term projects. Without this kind of fastidious approach and collaboration between governments and the industry, we will continue to leave supply chains vulnerable.”