UK defence industry to fast-track supply chain security

The UK’s Defence Cyber Protection Partnership seeks to implement controls to quickly increase supply chain security

The UK’s newly established Defence Cyber Protection Partnership (DCPP) has adopted an ambitious schedule as it seeks to implement controls to increase supply chain security as quickly as possible.

The Ministry of Defence (MoD) is working with nine defence firms and telecoms providers, which will define and apply new standards that will eventually apply to the whole defence industry and beyond.

In addition to the MoD, the DCPP is made up of the Centre for the Protection of National Infrastructure (CPNI), government intelligence agency GCHQ, BAE Systems, BT, Cassidian, CGI, Hewlett-Packard, Lockheed Martin, Rolls-Royce, Selex ES and Thales UK.

Members of the DCPP are aiming to get the controls defined, agreed and implemented in their own organisations by the end of the year.

Once that is achieved, the DCPP members will begin work on extending the controls throughout their supply chains down to small and medium-sized enterprises (SMEs) and widen membership through 2014.

The output of the DCPP will be simple assessment frameworks for defence suppliers that are based on the type of organisation, the work it does, and the maturity of the organisation in terms of security.

The frameworks will help suppliers assess their current security levels to identify what they need to do to get to where they need to be.

The aim is to have the assessment frameworks endorsed by GCHQ by September 2013.

Committed to closing supply chain security gaps

Although this is an aggressive timetable, there is a lot of commitment to getting the job done as quickly as possible, according to Peter Armstrong, Thales UK director of cyber security and DCPP representative.

The DCPP is not trying to reinvent the wheel, but augment, refine and accelerate controls, security frameworks and initiatives that already exist to close any gaps highlighted by the new supply chain security standards, he told Computer Weekly.

Most large defence industry organisations already comply with standards such as ISO 27001, which means these organisations will have to do relatively little work to meet the new supply chain security standards.

In this way, the DCPP standards aim to preserve the investments that organisations have already made in security, allowing them to focus on priorities to close any gaps that exist.

While existing security frameworks typically focus on individual risks, the new standards will aim to eliminate the effect of aggregated low-level risk that DCPP members believe is currently overlooked.

Increasing security standards in firms large and small

In particular, the DCPP will look at ways of eliminating the effects of aggregated low-level risk to intellectual property (IP).

“Each member will work with their suppliers to take them on the same security improvement journey that they have been on themselves,” said Armstrong.

The DCPP members will help establish and implement higher security standards for smaller companies, with the aim of improving supply chain security in the defence industry as well as other sectors.

Raising awareness will be a key element. “Businesses need to understand that any company of any size can be in an attack chain,” said Armstrong.

He cites an example of how the IP of a lens manufacturer was compromised by the lax security practices of a sandpaper firm in its supply chain. State-sponsored attackers were able to compromise the email systems of the sandpaper supplier and gradually work their way into the systems of the lens manufacturer to steal company IP.

Business benefits of better security

The MoD believes that by acting collectively, top defence suppliers can exert much more influence on the defence and other sectors than if they attempted to act individually.

For Thales, doing the “right thing” is very much part of corporate culture, but supply chain security also makes good business sense, said Armstrong.

Adherence to high levels of security not only provides competitive advantage, but can put cash back in the business by reducing the required levels of contingency reserves.

By mitigating risks, the amount of money that companies put aside to offset those risks will be significantly lower, meaning more cash is available to the business for things like innovation, said Armstrong.

“In my view, security initiatives should be articulated in terms of money into the business instead of money out,” he said.

However, Armstrong admits this is easier to do with big suppliers to the nuclear industry, for example, where contingency reserves can be £600m, than with an SME.

For SMEs broadly, he said there is still the incentive of meeting the required standards to do business in the defence industry, but there is no clear answer when it comes to micro SMEs.

But the DCPP is starting its journey on the assumption that adopting better practices in the defence supply chain will have a positive knock-on effect to related industries, and eventually all other industries.

The aim is to improve the way things are done quickly through concerted industry collaboration rather than through any legislative process, said Armstrong.