Supply chain security collection Guidance January 2018



The guidance covers cyber, physical and people security

1 The principles of supply chain security
This guidance proposes a series of 12 principles, designed to help you establish effective control and oversight of your supply chain.

2 I. Understand the risks
The first three principles deal with the information gathering stage.

3 II. Establish control
This section’s principles will help you gain and maintain control of your supply chain.

4 III. Check your arrangements
Businesses will need to gain confidence in their approach to establishing control over their supply chain.

5 IV. Continuous improvement
As your supply chain evolves, you’ll need to continue improving and maintaining security.

6 Example supply chain attacks
A selection of illustrative real-world examples of supply chain attacks.

7 Assessing supply chain security
The table below gives you a series of scenarios against which to measure the security of your supply chain.

8 Assessing supply chain management practice
It is expected that you will already be following good procurement and contracting practice. This guidance offers additional factors that you may consider.

9 Supply chain security: 12 Principles
The twelve principles in an abbreviated, easy to digest, printable format.

Proposing a series of 12 principles, designed to help you establish effective control and oversight of your supply chain. For the purposes of this paper a supply chain is ‘a network of entities connected by a series of trading relationships’.


1 The principles of supply chain security

This guidance proposes a series of 12 principles, designed to help you establish effective control and oversight of your supply chain.

Introduction

The guidance will provide organisations with an improved awareness of supply chain security, as well as helping to raise the baseline level of competence in this regard, through the continued adoption of good practice. Whilst beneficial, this guidance has not been written for organisations with national security (high assurance) requirements.

Most organisations rely upon suppliers to deliver products, systems, and services. You probably have a number of suppliers yourself; it’s how we do business.

But supply chains can be large and complex, involving many suppliers doing many different things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent, or introduced and exploited, at any point in the supply chain. A vulnerable supply chain can cause damage and disruption.

Despite these risks, many companies lose sight of their supply chains. In fact, according to the 2016 Security Breaches Survey, very few UK businesses set minimum security standards for their suppliers.

A series of high profile, very damaging attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. So, the need to act is clear.


The principles

This guidance proposes a series of 12 principles, designed to help you establish effective control and oversight of your supply chain. We have divided these principles into four sections, each representing a stage in the process. These are:

I. Understand the risks
Before you can do anything to secure your supply chain you need to understand the risks (and benefits) you are taking on by engaging suppliers.

II. Establish control
How to gain control of your supply chain. This section includes four case studies:
1. Protecting information that you share with suppliers.
2. Specifying security requirements to a supplier who is delivering something to you.
3. Connecting a supplier’s systems to yours.
4. National security case - where a state actor may target you.

III. Check your arrangements
Businesses will need to gain confidence in their approach to establishing control over their supply chain.

IV. Continuous improvement
As your supply chain evolves, you’ll need to continue improving and maintaining security.

Additional content
These example supply chain attacks give further context to the principles.

A note on implementation
Implementing these recommendations will take time, but the investment will be worthwhile. It will improve your overall resilience, and reduce the number of business disruptions you suffer and the damage they cause. It will also help you demonstrate compliance with GDPR and the new Data Protection Act. Ultimately, these measures may help you win new contracts, because of the trust you have sought in the security of your supply chain.

Further reading
The following sources provide information on managing supply chain security threats and risks:

DCPP (MoD) - DCPP is a joint Ministry of Defence (MOD)/industry initiative to improve the protection of the defence supply chain from the cyber threat.

Government supplier framework - This framework helps the government to manage supplier risk.

ISO 28000 - Specification for security management systems for the supply chain.


2 I. Understanding the risks

The first three principles deal with the information gathering stage.

Until you have a clear picture of your supply chain, it will be very hard to establish any meaningful control over it. You will need to invest an appropriate amount of effort and resource to achieve this.

1. Understand what needs to be protected and why

You should know:

• The sensitivity of the contracts you let or will be letting.

• The value of your information or assets which suppliers hold, will hold, have access to, or handle, as part of the contract.

Think about the level of protection you need suppliers to give to your assets and information, as well as the products or services they will deliver to you as part of the contract.

2. Know who your suppliers are and build an understanding of what their security looks like

You should know:

• Who your suppliers are. You will need to think about how far down your supply chain you need to go to gain understanding and confidence in your suppliers. You may have to rely on your immediate suppliers to provide information about sub-contractors, and it may take some time to ascertain the full extent of your supply chain.


Descriptions of four known cyber attacks on supply chains (third party software providers, website builders, third party data stores and watering hole attacks) are also provided here. You should also watch out for routine threat advisories published by NCSC and CPNI.

• The maturity and effectiveness of your suppliers’ current security arrangements. For example, you could use the CPNI Protective Security Management Checklist to assess the maturity of your suppliers’ people security arrangements.

• What security protections you have asked your immediate suppliers to provide, and what they, in turn, have asked any sub-contractors to do:

  • Determine whether or not your suppliers and their sub-contractors have provided the security requirements asked of them.

  • Understand what access (physical and logical) your suppliers have to your systems, premises and information, and how you will control it.

  • Understand how your immediate suppliers control access to, and use of, your information and/or assets - including systems and premises - by any sub-contractors they employ.

You should focus your efforts in this area on those parts of your suppliers’ business or systems that are used to handle your contract information, or to deliver the contracted product or service.

3. Understand the security risk posed by your supply chain

Assess the risks these arrangements pose to your information or assets, to the products or services to be delivered, and to the wider supply chain.

Sources of risk
Risks to and from the supply chain can take many forms. For example, a supplier may fail to adequately secure their systems, may have a malicious insider, or a supplier’s members of staff may fail to properly handle or manage your information.

It could be that you have poorly communicated your security needs so the supplier does the wrong things, or the supplier may deliberately seek to undermine your systems through malicious action (this may be under state influence for national security applications).

Use the best information you can to understand these security risks. For example:

• Common cyber attacks - reducing the impact
• Insider data collection report
• Insider risk assessment
• CPNI Holistic Management of Employee Risk (HoMER)


Getting mitigation right
Understanding the risk associated with your supply chain is key to ensuring security measures and mitigations are proportionate, effective and responsive. Further information can be found at Risk Guidance - First Drop and CPNI Operational Requirements.

Use this understanding to decide the appropriate levels of protection you will expect suppliers across your supply chain to provide for any contract information, and contracted products or services.

Plan of action
It may be useful to group different lines of work, contracts or suppliers into different risk profiles, based on considerations such as: the impact on your operations of any loss, damage or disruption; the capability of likely threats; the nature of the service they are providing; the type and sensitivity of information they are processing; etc. Each profile will require slightly different treatment and handling to reflect your view of the associated risks. This may make things easier to manage and control.

You should document these decisions and share them with suppliers. For example, you may decide that contracts which provide basic commodities such as stationery, or cleaning services, require very different approaches to management from those that provide critical services or products.


3 II. Establish control

This section’s principles will help you gain and maintain control of your supply chain. Once you gain better control of your supply chain you will be able to analyse strategic risks to it. For example, to:

• Identify any suppliers who continually fail to meet your security and performance expectations.

• Identify critical assets and any over-reliance on single suppliers. This will help you to build further diversity and redundancy into your planning.

4. Communicate your view of security needs to your suppliers

Ensure that your suppliers understand their responsibility to provide appropriate protection for your contract information and contracted products and services, and the implications of failing to do so.

Ensure your suppliers adhere to their security responsibilities and include any associated security requirements in any subcontracts they let.

You should decide whether you are willing to permit your suppliers to sub-contract, and delegate authority to do so appropriately.

Give your suppliers clear guidance on the criteria to use for such decisions (e.g. the types of contract that they can let with little/no recourse to you, and those where your prior approval and sign-off must always be sought).


5. Set and communicate minimum security requirements for your suppliers

You should set minimum security requirements for suppliers which are justified, proportionate and achievable.

Ensure these requirements reflect your assessment of security risks, but also take account of the maturity of your suppliers’ security arrangements and their ability to deliver the requirements you intend to set.

It may also be sensible to identify circumstances where it would be disproportionate to expect suppliers to meet the minimum security requirements. For example, this may only be relevant for those suppliers who only need ad hoc, or occasional, access to limited and specific data, and/or access to your premises.

You should document these considerations and provide guidance on the steps you intend to take to manage these engagements. This approach could help reduce your workload and avoid creating additional, unnecessary work for these parties.

Case by case
Consider setting different protection requirements for different types of contracts, based on the risk associated with them - avoid situations where you force all your suppliers to deliver the same set of security requirements when it may not be proportionate or justified to do so.

Explain the rationale for these requirements to your suppliers, so they understand what is required from them.

Include your minimum security requirements in the contracts you have with suppliers and, in addition, require that your suppliers pass these down to any sub-contractors they might have.

Setting the minimum - four use case studies
Based on your view and understanding of security risk in the context of your supply chain, what minimum security requirements could you set?

Minimum security requirements will vary on a case by case basis. To help clarify how you would go about setting minimum requirements, we present four case studies to illustrate the different approaches that can be taken.

These requirements are not necessarily cumulative, but the measures you can implement to address one use case can be re-used for others. The case studies also present different approaches to assurance that can be used to gain confidence in the management of a range of different risks.


Where information is held in a common data environment, whether or not this is cloud-based, it is recommended that this is reviewed using the ‘Common Data Environments’ guidance available on the CPNI website at:

cpni.gov.uk/digital-built-assets-and-environments

Case A. Protecting information that you share with suppliers.

You must protect the information you share with your suppliers from any unauthorised access, modification or deletion, which could cause disruption to your organisation and its business.

Example
An IT contractor sold computers stolen from an aviation company, which contained details of commercial and military flight plans, to pay off debts.

A supplier has a legacy application that wasn’t fully patched, yet hosted some sensitive information from the customer.

You should:

• Consider asking suppliers to use Cyber Essentials as the baseline level of protection. It significantly reduces vulnerabilities to the most common internet based threats (hacking and phishing)[1]. Suppliers to government are required, for certain contracts, to demonstrate how they will achieve its five technical controls. Where this level of commitment is not realistic, the new Cyber Security Small Business Guide may provide a more achievable way for suppliers to begin to improve their resilience.

• Where greater assurance is required and you want suppliers to be able to identify with confidence any potential attacker presence on their systems, require suppliers to understand their systems, implement security monitoring and develop an incident response capability.

• To protect against a wider range of attacks, require suppliers to implement a holistic approach to security, following 10 Steps to Cyber Security, ISO 27001 (or similar).

• Where appropriate, require personnel, physical and procedural controls to protect against fraud, theft, and insider threats. All staff working on a contract should be screened, following the principles outlined by the Cabinet Office Baseline Personnel Security Standard (BPSS), with additional checks (eg financial checks) added as required for the role.

• Require the implementation of ICO guidance for protecting and off-shoring personal information, where personal information is stored, processed or handled as part of a contract.

• Where suppliers use cloud-based services, you should understand that it is not possible to transfer complete responsibility or accountability for protecting information to the provider of that service. This is true in every case. Security requirements to protect information, systems and services should be reflected in the contracts and service agreements you have in place with suppliers, and should inform the choices they make about how the cloud service is deployed and delivered. For HMG, the G-Cloud digital marketplace provides a range of service offerings that can be matched against your organisation’s needs. As a minimum, it is recommended that suppliers follow NCSC’s cloud security principles to frame their security needs.

[1] Note that the NCSC has launched a number of new services under the Active Cyber Defence programme to improve basic cyber security. For example, Mail Check encourages the adoption of secure email protocols for the public sector. Anyone can register their DMARC/SPF records and they should. It may be worthwhile recommending these to your key suppliers too.
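The footnote above recommends that suppliers publish DMARC and SPF records, but a record that exists is not the same as a record that protects. The following is an added example written for this page, not NCSC tooling: it grades DMARC and SPF TXT records for the weaknesses a supplier assessment should look for (a monitoring-only `p=none`, a partial `pct`, a missing reporting address, an SPF `+all` that authorises everyone, or more than ten DNS-querying terms, which makes receivers return a permerror). The records it runs on are constructed strings of the kind a DNS TXT lookup returns; the domain names are hypothetical and no network access is made.

```python
"""Added example for this page (not NCSC/CPNI code): grade DMARC and SPF
TXT records for the weaknesses a supplier assessment should look for.

The records below are constructed strings of the form a DNS TXT lookup
returns; the check runs offline on those strings."""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("no policy (p=) tag")
    return tags


def grade_dmarc(record: str) -> list:
    """Return findings; an empty list means the record actually enforces."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy {policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will reach you")
    return findings


def grade_spf(record: str) -> list:
    """Flag SPF records that authorise everyone, decide nothing, or break."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["invalid: not an spf1 record"]
    findings = []
    # Strip the optional qualifier (+ - ~ ?) to get the mechanism name.
    mechanisms = [t.lstrip("+-~?").lower() for t in terms[1:]]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unknown senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral and offers no protection")
    # RFC 7208 caps DNS-querying terms at 10; more yields a permerror.
    querying = {"include", "a", "mx", "ptr", "exists", "redirect"}
    lookups = sum(1 for m in mechanisms if m.split(":")[0].split("=")[0] in querying)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    if any(m.split(":")[0] == "ptr" for m in mechanisms):
        findings.append("'ptr' mechanism is deprecated and unreliable")
    return findings


if __name__ == "__main__":
    # Constructed records for two hypothetical supplier domains.
    for name, rec in [("good.example DMARC", "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
                      ("weak.example DMARC", "v=DMARC1; p=none"),
                      ("good.example SPF", "v=spf1 include:_spf.good.example -all"),
                      ("weak.example SPF", "v=spf1 a mx +all")]:
        print(name, "->", grade_dmarc(rec) if "DMARC" in name else grade_spf(rec))
```

In practice you would feed `grade_dmarc` the TXT record at `_dmarc.<supplier-domain>` and `grade_spf` the `v=spf1` TXT record at the domain itself; the checker deliberately does not follow `include:` chains, so the lookup count is a lower bound.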


In cases where a supply chain is delivering a project, or asset/facilities management, using collaborative digital engineering systems, such mitigation methods would not be effective; further guidance is available at:

cpni.gov.uk/digital-built-assets-and-environments

Case B. Specifying security requirements to a supplier who is delivering something to you.

You must ensure that the security properties or requirements needed to protect a product or service have been effectively specified to the supplier.

Example
A supplier is building a digital service for you that will handle very sensitive information. You have poorly described your security needs and therefore the supplier has delivered something which doesn’t deliver the security you need.

You need absolute clarity about your security and functional needs. These must be described clearly and unambiguously to the supplier. If the supplier is delivering an IT system, then it must meet the security requirements that have been specified - for example, Cyber Essentials or any other needs you have set.

In addition, you should consider:

• Being aware of any known gaps in coverage of schemes like Cyber Essentials.

• Requiring additional controls to provide assurance about the product or service to be delivered. If, for example, the contract relates to the development of new software tools, or the manufacturing of components, you will need to specify that the supplier follows best practice in these areas.

• Where a cloud service is being delivered, following the guidance detailed under Case A above.


Case C. Connecting a supplier’s systems to yours.

You must ensure that any network connections or data-sharing with third parties do not introduce unmanaged vulnerabilities that have the potential to affect the security of your business systems.

This is a critical consideration for all contracts that include connections to a supplier’s system. You will need to decide how you want the supplier to perform the work on your behalf. Will they work at your premises or theirs? How much access and connectivity will they need to carry this out?

Example
Cyber criminals attacked a large commercial company, exploiting unprotected supplier connections that were used to manage the customer’s environmental control systems. This led to significant loss of data, disruption to business and significant damage to the company’s reputation.

Where a supplier’s systems are connected to yours you should:

• Ensure that the accesses you provide to your systems, services, information and premises are limited, controlled and monitored. This is true for both your supplier’s people and their systems. These accesses should be reviewed periodically, and removed when no longer required.

• Limit access to contract-related information, contracted products or services on a ‘least privilege’ basis.

• If you intend that the supplier will perform the contracted work on your systems and premises, ensure these are appropriately segregated from the rest of your network. 10 Steps to Cyber Security, Network Security shows you how to do this.

• Have a secure means to exchange hard and soft copy information with your supplier. For guidance on hard copy exchanges see the Cabinet Office Government Classification Scheme, and for guidance on data in transit/exchanges see 10 Steps to Cyber Security, Home and Mobile Working and the Walled Gardens Architectural Pattern.

• Where organisations use operational technology as part of a system or to deliver services, like other technology it should be treated as ‘untrusted’, and managed accordingly.
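The first two bullets above (access limited to what the contract needs, reviewed periodically, removed when no longer required) only hold if someone actually runs the review. The following is an added example for this page, not an NCSC or CPNI tool: a periodic supplier access review over a small access register. The register, its field names (`granted`, `contracted`, `contract_end`, `last_used`, `reviewed_on`) and the supplier names are constructed assumptions for the example; a real run would export the same fields from your directory, VPN and badge systems. It flags four conditions: access granted beyond the contracted scope, a contract that has ended, a credential idle beyond a threshold, and a review that is overdue.

```python
"""Added example for this page (not NCSC/CPNI code): the periodic supplier
access review that Case C calls for, run over a constructed access register.

Field names and the sample rows below are assumptions made for the example."""
from datetime import date

# Constructed sample register: one row per supplier credential or connection.
ACCESS_REGISTER = [
    {"account": "svc-hvac", "supplier": "HVAC Services Ltd",
     "contract_end": date(2018, 3, 31), "last_used": date(2018, 1, 10),
     "reviewed_on": date(2018, 2, 1),
     "granted": {"bms-vlan"}, "contracted": {"bms-vlan"}},
    {"account": "svc-payroll", "supplier": "Payroll Bureau plc",
     "contract_end": date(2019, 12, 31), "last_used": date(2018, 4, 14),
     "reviewed_on": date(2017, 12, 1),
     "granted": {"hr-db", "file-share"}, "contracted": {"hr-db"}},
    {"account": "svc-cleaning", "supplier": "CleanCo",
     "contract_end": date(2018, 12, 31), "last_used": date(2018, 4, 10),
     "reviewed_on": date(2018, 3, 1),
     "granted": {"visitor-portal"}, "contracted": {"visitor-portal"}},
]


def review_access(register, today, max_idle_days=30, review_interval_days=90):
    """Return {account: [actions]} for every entry that needs attention.

    Checks, in the order Case C lists them: access is limited to what the
    contract needs (least privilege), reviewed periodically, and removed
    when no longer required (contract ended or credential idle).
    """
    actions = {}
    for entry in register:
        found = []
        # Least privilege: anything granted that the contract does not need.
        excess = entry["granted"] - entry["contracted"]
        if excess:
            found.append("reduce: granted beyond contract scope: " + ", ".join(sorted(excess)))
        # Removed when no longer required: contract over, or nobody is using it.
        if entry["contract_end"] < today:
            found.append(f"revoke: contract ended {entry['contract_end'].isoformat()}")
        idle = (today - entry["last_used"]).days
        if idle > max_idle_days:
            found.append(f"revoke: unused for {idle} days")
        # Reviewed periodically: the review itself must not lapse.
        since_review = (today - entry["reviewed_on"]).days
        if since_review > review_interval_days:
            found.append(f"review: last reviewed {since_review} days ago")
        if found:
            actions[entry["account"]] = found
    return actions


if __name__ == "__main__":
    for account, todo in review_access(ACCESS_REGISTER, date(2018, 4, 15)).items():
        print(account)
        for item in todo:
            print("  -", item)
```

The `contracted` set is the important input: it has to come from the contract (principle 5), not from whatever the supplier was given on day one, otherwise the review can only ever confirm the status quo.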


Case D. National security case - where a state actor may target you.

You must be confident that your supply chain security can deal with attacks, and attempted subversion, by state actors - but only in those circumstances where your threat model warrants it.

Example
A security guard contracted to a defence company stole, and attempted to sell to a foreign intelligence service, documents that detailed the electronic warfare systems used to protect UK and NATO ships.

In national security cases such as this, you will need to seek professional advice from the NCSC and CPNI, as this is beyond the scope of the guidance provided.

Matters will likely include:

• Adoption of bespoke approaches to security.

• Use of high assurance products, with improved personnel and physical security arrangements.

• Vulnerabilities that might arise in manufacturing or build processes.

• Additional measures to protect the privacy and identity of contracting partners and their procurement activities.


6. Build security considerations into your contracting processes and require that your suppliers do the same

Build security considerations into your normal contracting processes. This will help you to manage security throughout the contract, including termination and the transfer of services to another supplier.

Evidence
Require prospective suppliers to provide evidence of their approach to security and their ability to meet the minimum security requirements you have set, at different stages of the contract competition.

Providing support
Develop appropriate supporting guidance, tools and processes to enable the effective management of the supply chain by you and your suppliers, at all levels.

You should:

• Ensure the security considerations you build into your contracts are proportionate and align with the various stages of the contracting process.

• Require their adoption in contracts and train all parties on their use.

• Check that your supporting guidance, tools and processes are being used throughout the whole of your supply chain.

• Require contracts to be renewed at appropriate intervals, and require reassessment of associated risks at the same time.

• Seek assurance that your suppliers understand and support your approach to security, and only ask them to take action or provide information where it is necessary to support the management of supply chain security risks.

• Ensure that contracts clearly set out specific requirements for the return and deletion of your information and assets by a supplier on termination or transfer of that contract.

7. Meet your own security responsibilities as a supplier and consumer

Ensure that you enforce and meet any requirements on you as a supplier.

Provide upward reporting and pass security requirements down to sub-contractors.

Welcome any audit interventions your customer might make, tell them about any issues you are encountering and work proactively with them to make improvements.

Challenge your customers if guidance covering their security needs is not forthcoming, and seek assurance that they are happy with the measures you are taking.


8. Raise awareness of security within your supply chain

Explain security risks to your suppliers using language they can understand. Encourage them to ensure that key staff (e.g. procurement, security, marketing) are trained on, and understand, these risks, as well as their responsibilities to help manage them.

Set goals
Establish supply chain security awareness and education for appropriate staff. NCSC and CPNI awareness materials may be useful.

Information sharing
Promote and adopt the sharing of security information across your supply chain to enable better understanding and anticipation of emerging security attacks. The Cyber Security Information Sharing Partnership (CiSP) is a great example of a free cyber security information sharing service.

9. Provide support for security incidents

Whilst it is reasonable to expect your suppliers to manage security risks in accordance with the contract, you should be prepared to provide support and assistance if necessary where security incidents have the potential to affect your business or the wider supply chain.

Make requirements clear
You should clearly set out requirements for managing and reporting security incidents in the contract.

These should clarify suppliers’ responsibilities for advising you about such incidents - reporting timescales, who to report to, etc. Suppliers should also be clear about what support they can expect from you if an incident occurs - required ‘clean up’ actions, losses incurred, etc.

GDPR includes fairly short timescales for telling the Information Commissioner about any incidents (a personal data breach must be reported within 72 hours of becoming aware of it, where feasible), so you and your supply chain need to prepare for this. Supplier reporting deadlines in the contract must leave you enough of that window to make your own notification.

Propagate lessons learned
Where lessons have been learnt from security incidents, communicate these to all your suppliers, to help them stop becoming victims of ‘known and manageable’ attacks.


4 III. Check your arrangements

Businesses will need to gain confidence in their approach to establishing control over their supply chain.

10. Build assurance activities into your supply chain management

• Require those suppliers who are key to the security of your supply chain, via contracts, to provide upward reporting of security performance and to adhere to any risk management policies and processes.

• Build the ‘right to audit’ into all contracts and exercise this. Require your suppliers to do the same for any contracts that they have let that relate to your contract and your organisation. (Note that this might not always be possible or desirable, particularly where this relates to a cloud service.)

• Build, where justified, assurance requirements such as Cyber Essentials Plus, penetration tests, external audit or formal security certifications into your security requirements.

• Establish key performance indicators to measure the performance of your supply chain security management practice.

• Review and act on any findings and lessons learned.

• Encourage suppliers to promote good security behaviours.


5 IV. Continuous improvement

As your supply chain evolves, you’ll need to continue improving and maintaining security.

11. Encourage the continuous improvement of security within your supply chain

• Encourage your suppliers to continue improving their security arrangements, emphasising how this might enable them to compete for and win future contracts with you. This will also help you to grow your supply chain and choice of potential suppliers.

• Advise and support your suppliers as they seek to make these improvements.

• Avoid creating unnecessary barriers to such improvements: acknowledge and be prepared to recognise any existing security practices or certifications they might have that could demonstrate how they meet your minimum security requirements.

• Allow time for your suppliers to achieve security improvements, but require them to provide you with timescales and plans that demonstrate how they intend to achieve them.

• Listen to and act on any concerns highlighted through performance monitoring, incidents, or upward reporting from suppliers that may suggest that current approaches are not working as effectively as planned.

12. Build trust with suppliers

• Seek to build strategic partnerships with key suppliers, sharing issues with them, encouraging and valuing their input. Gain their buy-in to your approach to supply chain security, so that it takes account of their needs as well as your own.

• Let them manage sub-contractors for you, but require them to provide you with appropriate reporting to confirm the status of these relationships.

• Maintain continuous and effective communications with your suppliers.

• Look at supply chain management as a shared issue.


6 Example supply chain attacks

A selection of illustrative real-world examples of supply chain attacks. Outlined below are examples of supply chain attacks that illustrate the challenges organisations face. Attacks are constantly evolving and you should ensure you keep up to date with these. Whilst these are primarily cyber attacks, it is important to also consider threats such as fraud, theft and insiders.


Example 1: Third party software providers

Since 2011, the cyber-espionage group known as Dragonfly (also known as Energetic Bear, Havex, and Crouching Yeti) has allegedly been targeting companies across Europe and North America, mainly in the energy sector. This group has a history of targeting companies through their supply chains.

In their latest campaign, Dragonfly successfully “trojanised” legitimate industrial control system (ICS) software. To do so, they first compromised the websites of the ICS software suppliers and replaced legitimate files in their repositories with their own malware-infected versions.

Subsequently, when the ICS software was downloaded from the suppliers’ websites it would install malware alongside the legitimate ICS software. The malware included additional remote access functionality that could be used to take control of the systems on which it was installed.

Compromised software is very difficult to detect if it has been altered at the source, since there is no reason for the target company to suspect it was not legitimate. This places great reliance on the supplier, as it’s not feasible to inspect every piece of hardware or software in the depth required to discover this type of attack.
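Inspecting every download in depth is not feasible, but checking that what you downloaded is what the vendor built is. The following is an added example for this page, not the vendor’s or NCSC’s code: it verifies a downloaded installer against a SHA-256 manifest, and shows the trap in the Dragonfly scenario, namely that a manifest served from the same website as the trojanised file will have been replaced along with it and so passes cleanly. The installer bytes, the file name `setup.exe` and both manifests are constructed for the example; the only check worth relying on is the one against a digest (or better, a signature key) obtained through a channel the website compromise does not reach.

```python
"""Added example for this page (not the vendor's or NCSC's code): check a
downloaded installer against a SHA-256 digest obtained out of band, and show
why a digest fetched from the same (possibly compromised) site proves nothing.

The installer bytes, file name and digests are constructed for the example."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_manifest(files: dict, manifest: dict) -> list:
    """Compare each downloaded file with the digest the manifest promises.

    Returns the names that fail: digest mismatch, or file missing from the
    manifest (an unlisted file should never be trusted by default).
    """
    failures = []
    for name, data in files.items():
        expected = manifest.get(name)
        # compare_digest avoids leaking where the mismatch is via timing
        if expected is None or not hmac.compare_digest(sha256_hex(data), expected.lower()):
            failures.append(name)
    return failures


# Constructed artefacts: the genuine ICS tool installer and a trojanised copy
# that carries an extra payload, as in the Dragonfly example above.
GENUINE_INSTALLER = b"ICS-CONFIG-TOOL 2.1 setup\n" + bytes(range(64))
TROJANISED_INSTALLER = GENUINE_INSTALLER + b"<remote access payload>"

# A digest pinned through a channel the attacker does not control
# (signed contract documentation, a vendor contact read back over the phone, etc.).
PINNED_MANIFEST = {"setup.exe": sha256_hex(GENUINE_INSTALLER)}


def verify_with_pinned_digest(download: bytes) -> bool:
    """True only if the download matches the out-of-band digest."""
    return check_manifest({"setup.exe": download}, PINNED_MANIFEST) == []


def verify_with_site_manifest(download: bytes, site_manifest: dict) -> bool:
    """Same check, but trusting a manifest served from the vendor website.
    If the attacker replaced the file, they replaced this manifest too."""
    return check_manifest({"setup.exe": download}, site_manifest) == []


if __name__ == "__main__":
    compromised_site_manifest = {"setup.exe": sha256_hex(TROJANISED_INSTALLER)}
    print("genuine vs pinned:    ", verify_with_pinned_digest(GENUINE_INSTALLER))
    print("trojanised vs pinned: ", verify_with_pinned_digest(TROJANISED_INSTALLER))
    print("trojanised vs site:   ", verify_with_site_manifest(TROJANISED_INSTALLER, compromised_site_manifest))
```

The third call returning true is the point: a digest is only as trustworthy as the path it arrived by, which is why the contract with the supplier (principle 6) should specify how release integrity information reaches you.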

[Figure: a cyber-attacker compromises a third party software vendor; the vendor’s trojanised software carries malware into the customer’s industrial control system.]


Example 2: Website builders

Cyber-criminals also target supply chains as a means of reaching the broadest possible audience with their malware. Identifying and compromising one strategically important element is an efficient use of resources and may result in a significant number of infections.

The Shylock banking trojan is a good example of this. Focused on e-banking in the UK, Italy and the USA, the threat from the group behind this virus was reduced by a joint operation between law enforcement agencies and the cyber-security community, in July 2014.

The Shylock attackers compromised legitimate websites through website builders used by creative and digital agencies. They employed a redirect script, which sent victims to a malicious domain owned by the Shylock authors. From there, the Shylock malware was downloaded and installed onto the systems of those browsing legitimate websites.

The economy of effort makes this a very successful endeavour. By integrating a multitude of different features adopted from other malware, Shylock was capable of performing customisable ‘man-in-the-browser’ attacks, avoiding detection and protecting itself from analysis.

Rather than compromising a number of legitimate sites individually, the attack targeted the core script of a website template designed by a UK-based creative, digital agency.

[Diagram: the Cyber-Attacker plants a redirect script in the Creative & Digital Agency's website template; the Legitimate Business Websites built from it serve the redirect script to visitors.]



Example 3: Third party data stores

Many modern businesses outsource their data to third party companies which aggregate, store, process, and broker the information, sometimes on behalf of clients in direct competition with one another.

Such sensitive data is not necessarily just about customers, but could also cover business structure, financial health, strategy, and exposure to risk. In the past, firms dealing with high profile mergers and acquisitions have been targeted. In September 2013, a number of networks belonging to large data aggregators were reported as having been compromised.

A small botnet was observed exfiltrating information from the internal systems of numerous data stores, through an encrypted channel, to a botnet controller on the public Internet. The most high profile victim was a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management. While the attackers may have been after consumer and business data, fraud experts suggested that information on consumer and business habits and practices was the most valuable.

The victim was a credit bureau for numerous businesses, providing “knowledge-based authentication” for financial transaction requests. This supply chain compromise enabled attackers to access valuable information stored via a third party and potentially commit large scale fraud.

[Diagram: the Cyber-Attacker has backdoor access to the Third Party Software Vendor, sitting on the Client Data Flow.]



Example 4: Watering hole attacks

A watering hole attack works by identifying a website that’s frequented by users within a targeted organisation, or even an entire sector, such as defence, government or healthcare. That website is then compromised to enable the distribution of malware.

The attacker identifies weaknesses in the main target’s cyber-security, then manipulates the watering hole site to deliver malware that will exploit these weaknesses.

The malware may be delivered and installed without the target realising (called a ‘drive by’ attack), but given the trust the target is likely to have in the watering hole site, it can also be a file that a user will consciously download without realising what it really contains. Typically, the malware will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.

Attackers are increasingly exploiting ‘watering hole’ sites to conduct espionage attacks against a host of targets, across a variety of industries. The VOHO campaign is a good example of this.

References

• Pharmaceuticals, Not Energy, May Have Been True Target Of Dragonfly, Energetic Bear
• ‘Shylock’ malware hit by authorities
• Intro to watering holes
• Hacking The Street? Fin4 Likely Playing The Market
• Data Broker Giants Hacked by ID Theft Service
• Espionage Hackers Target ‘Watering Hole’

[Diagram: the Cyber-Attacker plants a redirect script on the Compromised Website, which sends visitors to a Compromised server.]


7 Assessing supply chain security

The table below gives you a series of scenarios against which to measure the security of your supply chain. The idea is to give you some concrete examples of good and bad supply chain security, to help you begin the process of understanding your own situation.


Good: You understand the risks suppliers may pose to you, your wider supply chain and the products and services you offer. Know the sensitivity of information your suppliers hold and the value of projects they are supporting.
Bad: You have a poor understanding of the risks that suppliers may pose to you, your wider supply chain and the products and services you offer. You do not know what data they hold, nor the value of projects they are supporting.

Good: Know the full extent of your supply chain, including sub-contractors.
Bad: Only know your immediate suppliers, but have limited/no knowledge of any sub-contractors.

Good: Know the security arrangements of your suppliers and routinely engage with them to confirm they are continuing to manage risks to your contract effectively.
Bad: Have no real idea about the security status of your supply chain, but think they might be okay. Fail to review this status.

Good: Exercise control over your supply chain, exercise your right to audit and/or require upward reporting by your suppliers to provide security assurance that all is working well. An audit request would not be your first interaction with the supplier.
Bad: Exercise weak control over your supply chain, lose sight of sub-contracting, fail to exercise audit rights, do not seek upward reporting. Often, the first engagement of your security team with the supplier will be for an audit following an incident.

Good: Based on your assessment of risks and the protections you deem are necessary, set minimum security requirements for suppliers, telling them what is expected in contracts.
Bad: Fail to set minimum security requirements, leaving it up to suppliers to do their own thing, even though they might not have the security awareness to understand what is needed, or know how to do this effectively. Or set minimum security requirements, but fail to match these to your assessment of the risk, potentially making security unachievable for many of your suppliers.

Good: Differentiate the levels of protection required to match the assessed risks to the specific contract. Ensure these protections are justified, proportionate and achievable.
Bad: Set a disproportionate ‘one size fits all’ approach for all suppliers, regardless of the contract and assessed risks. Fail to ensure these controls are justified and achievable, potentially causing suppliers not to compete for contracts with you.

Good: Require that the protections you have deemed necessary in each case are passed down throughout your supply chain. Check to ensure it is happening.
Bad: Leave security to immediate suppliers to manage, but fail to mandate and/or check it is happening.

Good: Meet your own responsibilities as a supplier (and challenge your customers for guidance where it is lacking). Pass your customer’s requirements down and provide upward reporting.
Bad: Neglect your responsibilities as a supplier, or ignore any absence of customer guidance. Fail to pass requirements down, and/or fail to provide upward reporting.

Good: Provide some guidance and support to suppliers responding to incidents. Communicate lessons learned so others in your supply chain avoid ‘known problems’.
Bad: Offer no incident support to your suppliers. Fail to act on or spot where ‘known issues’ might impact others in your supply chain, or to warn others about these issues, potentially leading to greater disruption, with known issues hitting many suppliers.


Good: Promote improvements to the cyber awareness of your suppliers. Actively share best practice to raise standards. Encourage suppliers to subscribe to the free CISP threat intelligence service so they can better understand potential threats.
Bad: Expect suppliers to anticipate developing cyber attacks, offering little or no support or advice, regardless of their security awareness and capabilities.

Good: Build assurance measures into your minimum security requirements (such as Cyber Essentials Plus, audits and penetration tests). These provide an independent view of the effectiveness of your suppliers’ security.
Bad: Fail to include assurance measures in your security requirements, trusting that your suppliers will do the right thing, regardless of whether they have enough knowledge or experience to know what is expected of them.

Good: Monitor the effectiveness of the security measures that are in place. Based on lessons learned from incidents, feedback from assurance activities, or from suppliers about issues, be prepared to revise or remove controls that are proving ineffective.
Bad: Fail to monitor the effectiveness of security measures. Fail to listen to feedback. Be unwilling to make changes, even when the evidence in favour of doing so is overwhelming.


8 Assessing supply chain management practice

It is expected that you will already be following good procurement and contracting practice. This guidance offers additional factors that you may consider.


Good: Develop partnerships with your suppliers. If your suppliers adopt your approach to supply chain security as their own, there's much greater potential for success than if you simply mandate compliance.
Bad: Dictate requirements without consultation.

Good: Get suppliers thinking about security from the outset by starting the discussion about security earlier than you would during traditional product assurance engagements.
Bad: Just consider security to be a product assurance issue.

Good: Explain the benefits of achieving the required security improvements to suppliers: i.e. that these will meet compliance requirements, or offer the potential for the supplier to win other contracts.
Bad: Just tell your suppliers what to do, but offer no explanation of benefits: some suppliers may consequently be reluctant to bid for contracts.

Good: Consider how you will enable suppliers who may require legitimate but ad hoc/occasional and/or limited access to your business to do so without having to comply with your minimum security requirements for suppliers. Document the procedures for these engagements and train all parties on their use.
Bad: Make no provisions for such circumstances, and either require them to meet your security requirements (even though there is little justification for this), or ignore it and let people make their own arrangements (hoping it will be okay).

Good: Where required, develop common contract artefacts (i.e. risk assessment and self-assessment security questionnaire) to support the contracting process and to enable your suppliers to pass these down to sub-contractors. Share these with your suppliers and train all staff on their use.
Bad: Offer little/no advice on the contracting process, allowing suppliers to do their own thing, and fail to understand the implications of this in terms of assurances about overall supply chain security.

Good: Require these artefacts to be reviewed at appropriate intervals, such as at contract renewal, when there are significant changes, or in response to major incidents.
Bad: Worry about the initial contract, but take little/no interest in subsequent contract renewals: fail to spot changes/problems that may have arisen.

Good: Ensure that security considerations are an integral part of the contract competition process and that they influence the choice of supplier.
Bad: Only worry about security at the end of the contracting process: these considerations have little influence on your choice of supplier.

Good: Require suppliers to provide appropriate evidence of their security status and ability to meet your minimum security requirements throughout the various stages of the contract competition: perhaps seeking basic assurances of your supplier's ability to meet legal and regulatory requirements, as a first gate, at initial contract advertisement, but requiring greater detail as the competition narrows to a choice of a few preferred bidders.
Bad: Ask for more information than you need, can handle, or will use: potentially creating unnecessary workloads on potential suppliers when they have little chance of winning the contract. Be surprised when suppliers do not compete for contracts on these grounds.


Good: Ensure these do not impose unnecessary workloads on prospective suppliers, particularly in the early stages of contracting when there are many applicants for the contract.
Bad: Just dust off an existing ISO 27001 based questionnaire that you think might do and get suppliers to complete that: even if this has no resemblance to the minimum security controls you have used (i.e. Cyber Essentials or 10 Steps to Cyber Security).

Good: When using a self-assessment security questionnaire to aid the contracting process, ensure this matches the minimum security requirements you have set, and reduces workloads on suppliers to a necessary minimum. Only require more detailed information when the supplier has progressed to the later contracting stages and is one of a very small number being considered for the contract.
Bad: Fail to take account of the workloads this will create for suppliers, nor seek to match your requirements to the stage of the contract competition.

Good: Allow suppliers time to achieve desired security improvements: develop risk criteria to manage this transition (i.e. require suppliers to provide a security improvement plan setting out how progress will be made) and stipulate when checks on progress should be performed.
Bad: Set unrealistic deadlines, or have no clear or consistent risk criteria to inform decisions about suppliers who are unable to make these improvements within agreed timeframes. This may mean you are unable to work with such suppliers, potentially leading to a damaging fall in capability and reduced choice of suppliers.

Good: Acknowledge any existing security certifications or prior/existing contract approvals that suppliers may have, and allow them to re-use such evidence to demonstrate how this might meet some of your minimum security requirements. But probe appropriately to confirm this is the case.
Bad: Ignore any existing security certifications, or contract approvals, requiring suppliers to achieve compliance with your minimum security requirements regardless. This could create unnecessary work and cost for suppliers, harming these relationships.

Good: Expect all suppliers to achieve Cyber Essentials. But understand that some suppliers, even those who have existing security certifications like ISO 27001, may find it difficult to meet the letter of the scheme. However, where the letter of the scheme cannot be met for whatever reason, you should seek to understand what steps the supplier is taking to manage these risks through, for example, alternative business processes or compensating security controls. You should check to confirm these are suitable.
Bad: Expect all suppliers to achieve Cyber Essentials, but adopt a black and white approach taking no account of special circumstances. Do not acknowledge any difficulties and refuse to award contracts to suppliers who find Cyber Essentials certification difficult to achieve, further undermining your own capability and choice of suppliers.

Good: Provide some mapping of the minimum security requirements you have chosen to common commercial security schemes to help suppliers re-use evidence, and other customers to assess equivalences. This will also help suppliers demonstrate how they align with international schemes.
Bad: Provide no support, expect suppliers to do this mapping themselves: potentially increasing workloads and leading to inconsistencies, potentially undermining customers’ trust in the evidence they provide.

Good: Monitor and continually improve the process, discontinuing or refining processes that are disproportionate, ineffective or unjustified.
Bad: Allow disproportionate, ineffective or unjustified processes to remain unchanged. Fail to listen to consistent, justified calls for refinement.


9 Supply chain security: 12 principles

Principles of supply chain security

How to gain and maintain control of your supply chain. The principles are divided into four stages representing the process of securing your supply chain.

To find out more visit: www.ncss.gov.uk/guidance/supply-chain-security

i. Understand the risks
• Understand what needs to be protected and why
• Know who your suppliers are and build an understanding of what their security looks like
• Understand the security risk posed by your supply chain

ii. Establish control
• Communicate your view of security needs to your suppliers
• Set and communicate minimum security requirements for your suppliers
• Build security considerations into your contracting processes and require that your suppliers do the same
• Meet your own security responsibilities as a supplier and consumer
• Raise awareness of security within your supply chain
• Provide support for security incidents

iii. Check your arrangements
• Build assurance activities into your approach to managing your supply chain

iv. Continuous improvement
• Encourage the continuous improvement of security within your supply chain
• Build trust with suppliers


Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation or favour by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential, and including but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using the information contained in this document or its references. You should make your own judgment as regards use of this document and seek independent professional advice on your particular circumstances.

© Crown Copyright 2018