Developing a Cyber Resilient Supplier Ecosystem
Systems are becoming more sophisticated and complex. Whether they are information systems or operational technology, they rely on interconnected infrastructure and other systems. These may sit inside organisational boundaries, but they are often dependent on a complex mix of service providers. Depending upon the function performed, they may also interact constantly with other systems that are vital to the business.
This sophistication can lead to a higher volume of cyber-attacks with greater potential impact. Challenges to the organisation, such as the surge in remote working caused by COVID-19, mean more opportunities for adversaries to attack mission-critical capabilities. As such, these capabilities need not only a defensive capability but also resilience. They essentially need to be intrusion tolerant: able to continue operating and retain freedom of manoeuvre while under attack, albeit in a potentially degraded state.
At different points in the procurement lifecycle, different stakeholders hold primary responsibility for establishing and maintaining effective cyber security controls. Robust governance is therefore required so that the correct stakeholders are accountable at the right time and best efforts are made to combat cyber threats. To complement this governance, a culture of collaboration is needed to drive continuous improvement.
The lifecycle
A typical procurement lifecycle contains the following phases: Feasibility, Design, Manufacturing, In-Service and Disposal. Responsibility for managing cyber risk shifts between customer and supplier as a programme moves through them.
From a Feasibility perspective, potential cyber risk includes the compromise of initial concepts of operation, supplier details and/or strategic intent. Compromise at this stage may enable adversaries to better position themselves to disrupt, influence or steal intellectual property (IP) as it develops during the late concept phases and into the design phase. During this phase, ownership of the development cyber risks sits with the customer.
In the Design phase, the level of innovation and IP being developed is at its highest. This information is not only vital to the customer; its loss could also significantly damage the supplier. Other risks arise from the introduction of vulnerabilities during software development, which may leave the system open to attack in the In-Service phase. This is a concern for the customer, but given the contractual boundaries in place with the supplier, the customer's direct influence is limited to assurance processes.
During Manufacturing, the supply chain broadens to include manufacturers and service providers that may not have security at the forefront of their minds. These companies may not provide a route to sensitive information processing or mission-critical systems, but they may still hold sensitive environmental or contract information. In this phase, the primary responsibility for addressing cyber supply chain vulnerabilities lies with the prime supplier, while risk assurance and standards setting remain with the customer.
During the In-Service phase, the platform is subjected to cyber-attacks aiming to impair its ability to perform its role, or it may even be used as a 'lily pad' for more extensive attacks on other targets. In this phase, the responsibility for countering cyber risk has moved from the supplier to the user. The supplier may at this point be a service provider for maintenance and training, and still has a part to play in identifying and helping to manage the cyber risks.
Disposal, the final phase of any equipment or system lifecycle, also poses risks. These systems often hold sensitive information, are based on innovative technologies or are subject to export controls. A number of practices and processes need to be adhered to so that information is adequately safeguarded as systems are disposed of. At this phase of the lifecycle, responsibility for managing the cyber risks sits primarily with the customer.
In summary
The supply chain for almost any procurement activity can be the target of cyber-attack, whether by attacking the supply chain itself, the products developed, or the systems once integrated. While many of these attacks prove to be low impact or are thwarted by simple security controls, the more sophisticated attacks often go undetected or unreported, with the potential to do greater damage in the end products. To counter this risk, organisations should drive a 'secure by design' philosophy, by:
Governance and Risk
- Driving governance and reporting through the supply chain and embedding this in contracts.
- Putting security high on the agenda and instilling it early in the lifecycle.
- Understanding and communicating the role all parties play in managing risk.
- Using standards and putting cyber security risks alongside other business risks.
One Team Approach
- Defining security goals and communicating them. Moving from a cascade approach to a whole-team contribution model.
- Mapping the supply chain and understanding how it interacts.
- Defining the target cyber security maturity and regularly assessing it.
Common Standards and Good Practice Design
- Selecting preferred standards and using them as a common language.
- Defining good practice design using openly available approaches such as the NCSC Good Practice Design Guidance.
- Knowing what good looks like – and the opposite.