The UK’s newly established Defence Cyber Protection Partnership (DCPP) has adopted an ambitious schedule as it seeks to implement controls to increase supply chain security as quickly as possible.
The Ministry of Defence (MoD) is working with nine defence firms and telecoms providers, which will define and apply new standards that will eventually apply to the whole defence industry and beyond.
In addition to the MoD, the DCPP is made up of the Centre for the Protection of National Infrastructure (CPNI), government intelligence agency GCHQ, BAE Systems, BT, Cassidian, CGI, Hewlett-Packard, Lockheed Martin, Rolls-Royce, Selex ES and Thales UK.
Members of the DCPP are aiming to get the controls defined, agreed and implemented in their own organisations by the end of the year.
Once that is achieved, the DCPP members will begin work on extending the controls throughout their supply chains down to small and medium-sized enterprises (SMEs) and widening membership through 2014.
The output of the DCPP will be simple assessment frameworks for defence suppliers that are based on the type of organisation, the work it does, and the maturity of the organisation in terms of security.
The frameworks will help suppliers assess their current security levels and identify what they need to do to reach the required level.
The aim is to have the assessment frameworks endorsed by GCHQ by September 2013.
Committed to closing supply chain security gaps
Although this is an aggressive timetable, there is a lot of commitment to getting the job done as quickly as possible, according to Peter Armstrong, Thales UK director of cyber security and DCPP representative.
The DCPP is not trying to reinvent the wheel, but augment, refine and accelerate controls, security frameworks and initiatives that already exist to close any gaps highlighted by the new supply chain security standards, he told Computer Weekly.
Most large defence industry organisations already comply with standards such as ISO27001, which means these organisations will have to do relatively little work to meet the new supply chain security standards.
In this way, the DCPP standards aim to preserve the investments that organisations have already made in security, allowing them to focus on priorities to close any gaps that exist.
While existing security frameworks typically focus on individual risks, the new standards will aim to eliminate the effect of aggregated low-level risk that DCPP members believe is currently overlooked.
Increasing security standards in firms large and small
In particular, the DCPP will look at ways of eliminating the effects of aggregated low-level risk to intellectual property (IP).
“Each member will work with their suppliers to take them on the same security improvement journey that they have been on themselves,” said Armstrong.
The DCPP members will help establish and implement higher security standards for smaller companies, with the aim of improving supply chain security in the defence industry as well as other sectors.
Raising awareness will be a key element. “Businesses need to understand that any company of any size can be in an attack chain,” said Armstrong.
He cites an example of how the IP of a lens manufacturer was compromised by the lax security practices of a sandpaper firm in its supply chain. State-sponsored attackers were able to compromise the email systems of the sandpaper supplier and gradually work their way into the systems of the lens manufacturer to steal company IP.
Business benefits of better security
The MoD believes that by acting collectively, top defence suppliers can exert much more influence on the defence and other sectors than if they attempted to act individually.
For Thales, doing the “right thing” is very much part of corporate culture, but supply chain security also makes good business sense, said Armstrong.
Adherence to high levels of security not only provides competitive advantage, but can put cash back in the business by reducing the required levels of contingency reserves.
By mitigating risks, the amount of money that companies put aside to offset those risks will be significantly lower, meaning more cash is available to the business for things like innovation, said Armstrong.
“In my view, security initiatives should be articulated in terms of money into the business instead of money out,” he said.
However, Armstrong admits this is easier to do with big suppliers to the nuclear industry, for example, where contingency reserves can be £600m, than with an SME.
For SMEs broadly, he said there is still the incentive of meeting the required standards to do business in the defence industry, but there is no clear answer when it comes to micro SMEs.
But the DCPP is starting its journey on the assumption that adopting better practices in the defence supply chain will have a positive knock-on effect to related industries, and eventually all other industries.
The aim is to improve the way things are done quickly through concerted industry collaboration rather than through any legislative process, said Armstrong.