NCSC joins international partners to publish new supply chain guidance.
As organisations continue to shore up their own cyber defences, cyber criminals are increasingly looking for other routes into their systems. High-profile supply chain attacks such as the 2020 SolarWinds compromise remind us that key suppliers, in particular IT suppliers with access to their customers' IT estates, are a favoured target. In response, earlier this month the UK's National Cyber Security Centre (NCSC) joined international cyber agency partners from the US, Australia, Canada and New Zealand to release new supply chain guidance. The guidance is aimed at IT service providers and their customers and is part of a wider initiative to protect organisations in light of the heightened cyber threat created by the Russian invasion of Ukraine.
Supply chain guidance
The guidance contains a series of practical steps for managed service providers (MSPs) and their customers to consider, including suggested:
- actions for MSPs to take: these include the usual good-practice technical measures such as identifying and disabling accounts that are no longer in use, network segregation, applying updates, enforcing multi-factor authentication (MFA) on MSP accounts that access the customer environment, and monitoring those accounts for unexplained failed authentication. It also suggests that organisations store their most important logs for at least six months, because it often takes time for an organisation to detect an incident; and
- contractual protections customers should include in their agreements with MSPs: for example, it recommends that the contract clearly identifies ownership of ICT security roles and responsibilities, includes obligations on the supplier to notify the customer of any ‘confirmed or suspected security events/incidents’ and requires MFA on the products/services the customer receives. The contract should also cover back-ups (which should be easily retrievable – e.g. a cloud-based solution or location that is air-gapped from the organisational network) and incident response planning (with these plans being regularly tested).
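Two of the MSP-side actions listed above, spotting unexplained failed authentication on MSP accounts and identifying accounts that are no longer in use, can be checked mechanically against authentication logs. The script below is an added illustration, not part of the guidance or of this post; the account names, event format, thresholds (three failures in five minutes, ninety days idle) and log lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (timestamp, account, result).
# "ok" is a successful login, "fail" a failed one. Values are invented.
SAMPLE_EVENTS = [
    ("2022-05-02T09:00:00", "msp-svc-backup", "ok"),
    ("2022-04-20T11:05:00", "msp-admin-01", "ok"),
    ("2022-05-10T22:14:00", "msp-admin-01", "fail"),
    ("2022-05-10T22:14:20", "msp-admin-01", "fail"),
    ("2022-05-10T22:14:45", "msp-admin-01", "fail"),
    ("2022-05-10T22:15:10", "msp-admin-01", "fail"),
    ("2022-05-11T08:30:00", "msp-admin-02", "ok"),
    ("2022-01-15T10:00:00", "msp-svc-legacy", "ok"),
]
# Assumed inventory of accounts the MSP uses to reach the customer estate.
MSP_ACCOUNTS = {"msp-svc-backup", "msp-admin-01", "msp-admin-02", "msp-svc-legacy"}


def parse(events):
    """Turn the raw tuples into (datetime, account, result) triples."""
    return [(datetime.fromisoformat(ts), acct, res) for ts, acct, res in events]


def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """MSP accounts with at least `threshold` failures inside any `window`."""
    fails = defaultdict(list)
    for ts, acct, res in parse(events):
        if acct in MSP_ACCOUNTS and res == "fail":
            fails[acct].append(ts)
    flagged = set()
    for acct, times in fails.items():
        times.sort()
        # Sliding window: the i-th and (i+threshold-1)-th failure are close enough.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(acct)
                break
    return flagged


def stale_accounts(events, now, max_idle=timedelta(days=90)):
    """MSP accounts with no successful login within `max_idle` (disable candidates)."""
    last_ok = {}
    for ts, acct, res in parse(events):
        if acct in MSP_ACCOUNTS and res == "ok":
            last_ok[acct] = max(last_ok.get(acct, ts), ts)
    return {a for a in MSP_ACCOUNTS if a not in last_ok or now - last_ok[a] > max_idle}
```

Run against the sample data with `now` set to 12 May 2022, the burst check flags `msp-admin-01` and the idle check flags `msp-svc-legacy`; in practice the same logic would read from the retained logs the guidance asks organisations to keep.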
MSPs are defined as ‘entities that deliver, operate, or manage ICT services and functions for their customers via a contractual arrangement, such as a service level agreement.’ However, the guidance does not cover cloud providers. Separately, the NCSC recently refreshed its cloud security guidance to ensure that it reflects current risks and adheres to the NCSC’s newly published principles-based technology assurance approach.
Comment
This is not the first supply chain guidance released by the NCSC; see, for example, its 2018 Supply chain security guidance. It is, however, interesting that it comes at a time when the UK Government is consulting on whether to expand the NIS regime to cover MSPs (see our blog), and it arguably reflects concern across the global security community that organisations are not taking supply chain risk (particularly from IT suppliers) seriously enough. Recent UK Government research (see our blog) shows that, despite supply chain risk having been flagged as a key cyber risk for a number of years now, only 13% of businesses assessed the risks posed by their immediate suppliers, with even fewer (7%) looking at their wider supply chain. The same research suggests, however, that it may not be an easy problem to solve. A perceived lack of time, money and skills, not knowing which suppliers to check, and a lack of information from suppliers were all highlighted as barriers to addressing and managing supply chain risk, and it is not clear how successfully this guidance will be able to address all of those concerns.