Before you can do anything to secure your supply chain you need to understand the risks (and benefits) you are taking on by engaging suppliers.
Most organisations rely upon suppliers to deliver products, systems, and services. But supply chains can be large and complex, involving many suppliers doing many things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent or introduced and exploited at any point in the supply chain. A vulnerable supply chain can cause damage and disruption.
Attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. So, the need to act is clear. Physical, personnel and cyber security risks and needs to be considered fully within any risk assessment.
It is important to:
- Protect information you share with suppliers.
- Specify security requirements to a supplier delivering something to you.
- Gain confidence in your approach to establishing control over the supply chain.
- Continue improving and maintaining security.
You should understand the sensitivity of contracts you are awarding, and the value of the information or assets suppliers hold, will hold, have access to, or handle, as part of the contract. Think about the level of protection you need suppliers to give your assets and information, as well as the products or services they will deliver to you as part of the contract.
Data centre software and systems
- Software and software updates downloaded from suppliers’ websites provide opportunities for malware to be installed alongside legitimate products. The malware can include additional remote access functionalities that could be used to take control of the systems on which it was installed.
- Compromised software is very difficult to detect if it has been altered at the source, since there is no reason for the target company to suspect it was not legitimate. This places great reliance on the supplier, as it is not feasible to inspect every piece of hardware or software in the depth required to discover this type of attack.
- All software and systems supplied throughout a data centre (such as servers, networking systems, building management/automation systems, CCTV networks, enterprise IT, and so on) should be updated throughout their lifecycle with the latest firmware versions and security patches to minimise the risk of cyber-attack.
- The NCSC guidance on patching and vulnerability management provides more detail on this area.
NPSA have developed a suite of Protective Procurement guidance to help you defend your organisation from supply chain threats.
An infographic of the principles is also available.