James Steidl - Fotolia
Ensuring that all suppliers to the Ministry of Defence (MoD) meet the appropriate cyber security standards is a key requirement of the National Cyber Security Strategy, which shows it has top-level buy-in, said Phil Blunden, who is part of the MoD’s Defence Cyber Protection Partnership (DCPP), which was set up in 2013.
“The MoD’s supply chain includes a wide range of organisations such as materials manufacturers, infrastructure providers and product manufacturers, but the cyber threats to the supply chain are real and the National Cyber Security Strategy recognises that,” he told the 2018 Public Sector ICT Summit.
DCPP members include top defence suppliers; the ADS trade organisation that represents small to medium-sized enterprises (SMEs) in defence; the National Cyber Security Centre (NCSC); the Department of Culture, Media and Sport (DCMS); and MoD’s commercial and defence equipment and support organisations.
The importance of supply chain cyber security has been underlined a number of times, said Blunden, through breaches at high-profile organisations, such as the US retail chain Target.
During the 2013 Target breach, attackers compromised a heating, ventilation and air conditioning (HVAC) contractor in Pittsburgh that was connected to Target’s systems to provide electronic billing services, contract submissions and project management services.
As part of the partnership with industry, the MoD has identified a number of cyber security standards that have to be met to contract with MoD, which are outlined in the Cyber Security Model (CSM) of risk-based controls aimed at protecting the supply chain.
The CSM is built on the government’s Cyber Essentials Scheme that is aimed at ensuring basic cyber hygiene through firewalls, malware protection, patch management, user access control and secure configuration.
This means that any organisation bidding for MoD contracts that complies with Cyber Essentials or other industry standards such as ISO27001 will have to do relatively little work to meet the CSM supply chain security standards.
Read more about supply chain security
- Business is increasingly recognising the importance of information security, but security within supply chains is still widely overlooked.
- A comprehensive security strategy must include the supply chain.
- The UK government will require IT suppliers to comply with the five security controls laid out in its Cyber Essentials Scheme.
- A new mobile Trojan dubbed DeathRing is being pre-loaded onto smartphones somewhere in the supply chain, warn researchers.
“What we are asking for is equivalent controls to avoid defence contractors having to comply with 30 different standards that are effectively doing the same thing,” said Blunden.
The aim is to ensure that all suppliers understand their cyber risks, implement appropriate cyber defences, meet minimum cyber security standards without hindering business, and share best practice.
While suppliers assessed to have no or very low risk are required to comply with the basic Cyber Essentials requirements, low-risk suppliers must comply with Cyber Essentials Plus and some additional controls, while moderate and high-risk organisations must comply with even more additional controls.
More than half of MoD contracts fall into the no or very low risk category, 33% are assessed as low risk, while only 7% are assessed as moderate risk and 4% high risk.
“The CSM essentially outlines to suppliers how the MoD wants them to look after any MoD-identifying information, and we offer a supplier assurance questionnaire to enable suppliers to assess whether they meet the requirements and identify any potential gaps,” said Blunden, adding that organisations are free to go through the process even if they are not bidding for an MoD contract.
The requirements were initially introduced for MoD suppliers from 1 October 2014, but the requirement was widened in October 2017 to include all other organisations in the supply chain, including all sub-contractors and their sub-contractors, regardless of location or nationality.
“For the first time we are able to map the supply chain and see where the different levels of risk are and what risks have been accepted in relation to that,” said Blunden.
Read more about Cyber Essentials
To ensure transparency in the process and to bring up the level of cyber security across the defence industry, he said the MoD publishes online the risk profile of all contracts that suppliers can bid for, along with all the cyber controls and supporting documentation required, to help companies – especially SMEs – to identify and fill in any potential gaps.
Looking ahead, Blunden said the DCPP plans to increase its engagement with SMEs, but he said this is challenging because of the sheer number of SMEs that are potential suppliers to the MoD, right down to the “widget makers”.
“At the very least, I am trying to get SME buy-in by demonstrating that good cyber hygiene helps keep them competitive so that no-one has access to their bids, helps protect their intellectual property, and helps ensure that their critical suppliers are not disrupted by cyber criminal activity,” he said.
To achieve ever-greater engagement with SMEs, Bluden said he is working to deepen relationships with the ADS trade organisation and special interest group, technology industry association TechUK, the Defense Information Systems Agency (Disa) in the US, the Institute of Directors (IoD), the Federation of Small Businesses (FSB), and various non-profit organisations.