UK NCSC outlines 5 steps to assessing supplier cybersecurity

The UK’s National Cyber Security Centre (NCSC) has published a new five-step guide to help medium- to large-size organisations assess the cybersecurity of their supply chain. The guidance describes typical supplier relationships and ways that organisations are exposed to vulnerabilities and cyberattacks via the supply chain. It also defines expected outcomes and key steps to help businesses evaluate their supply chain’s approach to cybersecurity.

Whilst the NCSC claims its new guidance will help businesses effectively address supply chain security and gain confidence in their partners, security experts question whether it is detailed enough to tackle the complex supply chain security issues organizations face. Meanwhile, new research reveals that most global organisations say they are at increasing risk of ransomware compromise via their supply chain partners.

5 steps to assessing the cybersecurity of your supply chain

The NCSC’s new guidance is broken down into five distinct stages designed to act as a practical guide for organisations to effectively assess the cybersecurity of their supply chains:

Step 1 – Before you start: Understand why your organisation should care about supply chain cybersecurity, identify the key players in your organisation and understand how your organisation evaluates risk. The outputs from this stage should include:

• Better understanding of the threats to your supply chain based on the nature of the relationship you have with your suppliers (and the access they have to your systems and services).
• Establishment of a team to develop a new approach to assessing supply chain cybersecurity and senior buy-in to implement change.
• Increased understanding of existing risk appetites and processes within your organisation.

Step 2 – Develop an approach to assess supply chain cybersecurity: “Once you’ve determined the critical aspects in your organisation that you need to protect the most, create a repeatable, consistent approach for assessing the cybersecurity of your suppliers,” the NCSC wrote. This includes:

• Prioritise your organisation’s “crown jewels.”
• Create a set of security profiles.
• Determine the security profile for each supplier.
• Define the minimum cybersecurity requirements for each security profile.
• Decide how to assess your suppliers.
• Plan for non-compliance.
• Create contractual clauses.

Outputs from this stage include a clear understanding of the most critical aspects of your organisation with criteria for determining what assurances you need from suppliers to be able to protect them, questions for determining the security profile of each supplier and a supplier security management plan to track compliance with cybersecurity requirements.

Step 3 – Apply the approach to new supplier relationships: “Embed new security practices throughout the contract lifecycle of new suppliers, from procurement and supplier selection through to contract closure,” the NCSC advised. This should focus on educating teams to ensure the people involved in assessing suppliers are aware of the threats posed, understand their role in reducing the risk and the process that you have defined for your organisation. It should also involve embedding cybersecurity controls throughout the contract’s duration, from decision to outsource, supplier selection, contract award, supplier delivery to termination, along with regular mentoring of supplier performance and reporting of progress to the board. Expected outputs are:

• Embed cybersecurity practices throughout the acquisition process, supported by a multi-disciplinary team of cybersecurity trained professionals.
• Increase awareness of supply chain threats amongst staff.
• Measure performance against defined metrics visible to board members.

Step 4 – Integrate the framework into existing contracts: “With a new approach in place, review your existing contracts either upon renewal, or sooner where critical suppliers are concerned,” the NCSC wrote. This should include:

• Identify existing contracts.
• Assess risk of contracts.
• Support your suppliers.
• Review contractual clauses.

As with step 3, this stage should involve regular mentoring of supplier performance with reporting of progress to the board. Expected outputs include a register recording all suppliers, identification of suppliers with security shortfalls and an improved approach based on lessons learned.

Step 5 – Strive for continuous improvement: “Periodically refining your approach as new issues emerge will reduce the likelihood of risks being introduced into your organisation via the supply chain,” the NCSC stated. Three key aspects here are to evaluate the framework and its components regularly, maintain awareness of evolving threats and update practices accordingly, and collaboration with suppliers – all with the aim of establishing a foundation for continuous improvement.

NCSC guidance a good start, too vague to address complex supply chain security challenges

Commenting on the new guidance, Ian McCormack, NCSC deputy director for Government Cyber Resilience, said that supply chain attacks are a major cyberthreat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. “It is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place. Our new guidance will help organisations put this into practice so they can assess their supply chain’s security and gain confidence that they are working with suppliers securely.”

Whilst security experts praise the intentions behind the guidance, they question whether it is detailed enough, with some criticising it for being too vague to truly address the intricate supply chain security challenges companies face. “The NCSC’s advice on assessing supply chain security is a positive step in recognition of the issue and prominence of supply chain attacks. However, there is a need to have more hands-on guidance around how to implement the recommendations,” Matt Barker, president, Cloud Native Services at Venafi, tells CSO. “For example, section two offers advice such as defining a security profile for each supplier and some guidance on assessing the impact a supplier breach on your own organisation, yet this skims over the complexity of managing third-party risk, particularly when it comes to the provenance of software components. Essentially, it’s a good guide on what companies need to do to secure supply chains, but it lacks technical advice on how to achieve this and won’t push the needle against attacks like SolarWinds or the Log4j vulnerability.”

Varun Badhwar, CEO and co-founder of Endor Labs, agrees, adding that the NCSC’s guidance doesn’t give the cybersecurity community specific technical standards to follow, with much of the framework left open for interpretation. “The process needs many more steps, and the industry at large needs more standardization, technology innovation and strong enforcement.”

For James Bore, security hygienist and consultant, the main issue is that if an organisation is unaware of, or uncaring, about security, then the guidance will make little difference, while those who already have a mature approach should have these measures already in place. “There will be some that fall into the gap between the two, and the biggest beneficiaries of this I can see would be organisations with limited security expertise but a pre-existing procurement process that this could be coupled into.”

Businesses say supply chain partners increase risk of ransomware attack

According to new research from Trend Micro, most global organisations (76%) think their supply chain partners increase their risk of falling victim to ransomware attacks. The cybersecurity vendor surveyed 2,958 IT decision makers across 26 countries in North and South America, Europe, and APAC, with 52% of those polled revealing that their organization has a supply chain partner that has been hit by ransomware.

Whilst the report noted that supply chain security can be improved by increasing transparency around risk, only 47% of the organisations Trend Micro interviewed said they share knowledge about ransomware attacks with their suppliers, with 25% admitting they do not share potentially useful threat information with partners at all.