ENISA Report - Good Practices for Supply Chain Cybersecurity

Directive (EU) 2022/2555 (the NIS2 directive) requires Member States to ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems which those entities use in the provision of their services. Supply chain cybersecurity is considered an integral part of the cybersecurity risk management measures under Article 21(2) of the NIS2 directive.

This new ENISA report provides an overview of the current supply chain cybersecurity practices followed by essential and important entities in the EU, based on the results of a 2022 ENISA study which focused on investments of cybersecurity budgets among organisations in the EU.

Among the findings the following points are observed:
• 86 % of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies.
• 47 % allocate budget for ICT/OT supply chain cybersecurity.
• 76 % do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
• 61 % require security certification from suppliers, 43 % use security rating services and 37 % demonstrate due diligence or risk assessments. Only 9 % of the surveyed organisations indicate that they do not evaluate their supply chain security risks in any way.
• 52 % have a rigid patching policy, in which only 0 to 20 % of their assets are not covered. On the other hand, 13.5 % have no visibility over the patching of 50 % or more of their information assets.
• 46 % patch critical vulnerabilities within less than 1 month, while another 46 % patch critical vulnerabilities within 6 months or less.

The report also gathers good practices on supply chain cybersecurity derived from European and international standards. It focuses primarily on the supply chains of ICT or OT. Good practices are provided and can be implemented by customers (such as organisations identified as essential and important entities under the NIS2 directive) or their respective suppliers and providers. The good practices cover five areas, namely:
• strategic corporate approach;
• supply chain risk management;
• supplier relationship management;
• vulnerability handling;
• quality of products and practices for suppliers and service providers.

Finally, the report concludes the following.
• There is confusion with respect to terminology around the ICT/OT supply chain.
• Organisations should establish a corporate-wide supply chain management system based on third party risk management (TRM) and covering risk assessment, supplier relationship management, vulnerability management and quality of products.
• Good practices should cover all the various entities which play a role in the supply chain of ICT/OT products and services, from production to consumption.
• Not all sectors demonstrate the same capabilities concerning ICT/OT supply chain management.
• The interplay between the NIS2 directive and the proposal for a cyber resilience act or other legislation, sectorial or not, which provides cybersecurity requirements for products and services, should be further examined.

CISA Urges Organizations to Incorporate the FCC Covered List Into Risk Management Plans

The Federal Communications Commission (FCC) maintains a Covered List of communications equipment and services that have been determined by the U.S. government to pose an unacceptable risk to the national security of the United States or to the security and safety of United States persons, pursuant to the Secure and Trusted Communications Networks Act of 2019.

As the 6th annual National Supply Chain Integrity Month concludes, CISA reminds all critical infrastructure owners and operators to take necessary steps in securing the nation’s most critical supply chains. CISA urges organizations to incorporate the Covered List into their supply chain risk management efforts, in addition to adopting recommendations listed in Defending Against Software Supply Chain Attacks—a joint CISA and NIST resource that provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework to identify, assess, and mitigate risks. All critical infrastructure organizations are also urged to enroll in CISA’s free Vulnerability Scanning service for assistance in identifying vulnerable or otherwise high-risk devices such as those on FCC’s Covered List.

To learn more about CISA’s supply chain efforts and to view resources, visit CISA.gov/supply-chain-integrity-month.

UK joins international cyber agency partners to release supply chain guidance

The UK and its international partners have today (Wednesday) issued advice to IT service providers and their customers as part of wider efforts to protect organisations in the wake of Russia’s invasion of Ukraine.

The joint advisory from the National Cyber Security Centre (NCSC) – a part of GCHQ – and its partners sets out a series of practical steps for managed service providers (MSPs) and their customers.

The advisory has been issued alongside the US’s Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI).

It is being released on the second day of the NCSC’s CYBERUK conference in Wales, which a number of these partners are attending.

MSPs provide IT support to their customers in various ways, for example through software or cyber security services, and in order to do so they are granted privileged access to a customer’s network.

This can create opportunities for attackers, who can gain access to an organisation’s network by compromising their MSPs.

One of the most significant examples of these supply chain attacks was that carried out in 2020 against US software company SolarWinds, which impacted customers throughout the world.

Organisations are being encouraged to consider the advisory, Protecting Against Cyber Threats to Managed Service Providers and their Customers, in conjunction with guidance from the NCSC and others in relation to the heightened tensions as a result of events in Ukraine.

NCSC CEO Lindy Cameron said:

“We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that.

“Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk.”

CISA Director Jen Easterly said:

“I strongly encourage both managed service providers and their customers to follow this and our wider guidance – ultimately this will help protect not only them but organisations globally.

“As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it’s critical that MSPs and their customers take recommended actions to protect their networks.

“We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organisations they support. Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre, said:

“Managed Service Providers are vital to many businesses and as a result, a major target for malicious cyber actors.

“These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods. Effective steps can be taken to harden their own networks and to protect their client information. We encourage all MSPs to review their cyber security practices and implement the mitigation strategies outlined in this Advisory.”

Sami Khoury, Head, Canadian Centre for Cyber Security, said:

“We’ve seen the damage and impact cyber compromises can have on supply chains, managed service providers, and their customers.

“These compromises can result in costly mitigation activities and lengthy downtime for clients. We strongly encourage organizations to read this advisory and implement these guidelines as appropriate.”

Lisa Fong, Director of NZ NCSC, said:

“Supply chain vulnerabilities are amongst the most significant cyber threats facing organisations today.

“As organisations strengthen their own cyber security, their exposure to cyber threats in their supply chain increasingly becomes their weakest point. Organisations need to ensure they are implementing effective controls to mitigate the risk of cyber security vulnerabilities being introduced to their systems via technology suppliers such as managed service providers. They also need to be prepared to respond effectively when issues arise.”

Rob Joyce, Director NSA, said:

“This joint guidance will help MSPs and customers engage in meaningful discussions on the responsibilities of securing networks and data.

“Our recommendations cover actions such as preventing initial compromises and managing account authentication and authorization.”

Bryan Vorndran, Cyber Division Assistant Director FBI, said:

“Through this joint advisory, the FBI, together with our federal and international partners, aims to encourage action by MSPs and their customers, as malicious cyber actors continue to target this vector for entry to threaten networks, businesses, and organisations globally.

“These measures and controls should be implemented to ensure hardening of security and minimise potential harm to victims.”

A range of steps are set out for MSPs and their customers in the latest advisory, including:
• Organisations should store their most important logs for at least six months, given that incidents can take months to detect.
• MSPs should recommend the adoption of multi-factor authentication (MFA) across all customer services and products, while customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive.
• Organisations should update software, including operating systems, applications, and firmware, and prioritise the patching of known exploited vulnerabilities.

The advisory makes clear that organisations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations.

Understanding the increase in Supply Chain Security Attacks

The European Union Agency for Cybersecurity mapping on emerging supply chain attacks finds 66% of attacks focus on the supplier’s code.
Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers. Malware is the attack technique that attackers resort to in 62% of attacks.
According to the new ENISA report - Threat Landscape for Supply Chain Attacks, which analysed 24 recent attacks, strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers.
This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss and reputational damage.
Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year. This new trend stresses the need for policymakers and the cybersecurity community to act now. This is why novel protective measures to prevent and respond to potential supply chain attacks in the future, while mitigating their impact, need to be introduced urgently.
Why is a good level of cybersecurity not good enough?
Composed of an attack on one or more suppliers followed by a later attack on the final target, namely the customer, supply chain attacks may take months to succeed. In many instances, such an attack may even go undetected for a long time. Similarly to Advanced Persistent Threat (APT) attacks, supply chain attacks are usually targeted, quite complex and costly, with attackers probably planning them well in advance. All such aspects reveal the degree of sophistication of the adversaries and their persistence in seeking to succeed.
The report reveals that an organisation could be vulnerable to a supply chain attack even when its own defences are quite good. The attackers explore new potential highways to infiltrate organisations by targeting their suppliers. Moreover, with the almost limitless potential of the impact of supply chain attacks on numerous customers, these types of attacks are becoming increasingly common.
In order to compromise the targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents. This shows that organisations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated.
For about 58% of the supply chain incidents analysed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) data and intellectual property.
For 66% of the supply chain attacks analysed, suppliers did not know, or failed to report on how they were compromised. However, less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users.

CISA Releases ICT Supply Chain Risk Management Task Force Year 2 Report

The Cybersecurity and Infrastructure Security Agency (CISA) and government and industry members of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force released an annual report on its progress to advance meaningful partnerships and analysis around supply chain security and resilience.
The ICT SCRM Task Force Year 2 Report builds upon previous work completed in year one of the ICT SCRM Task Force. It showcases the collective ongoing efforts of four working groups within the Task Force to address challenges to information sharing, threat analysis, qualified bidder and qualified manufacturer lists, and vendor assurance. It also reflects a new working group, Working Group 5, which recently released an analysis report on the impacts of the COVID-19 pandemic on ICT supply chains.
Developed through the expertise and contributions of government and industry, the ICT SCRM Task Force Year 2 Report addresses the lifecycle of supply chain risk management, including how stakeholders identify and understand risk, communicate about and work together to address risk, grow their structural operations for addressing risks, and improve their understanding and self-assessment of their risk posture.
“Government can’t act in a silo,” said Bob Kolasky, CISA Assistant Director and ICT SCRM Task Force Co-Chair. “We must work in partnership with public and private industry. The Task Force has and will continue to serve as a model of excellence in helping to improve the Nation’s collective ability to assess and mitigate threats to the ICT supply chain.”
“As we were reminded this week, supply chain security is a matter of urgency and consequence, and the best way to increase our defenses is through substantial coordination and cooperation between government and industry,” said Robert Mayer, Senior Vice President of Cybersecurity and Innovation at USTelecom and ICT SCRM Task Force Co-Chair. “That is the mission of our task force. Through this partnership with DHS and more than a dozen agencies, the Information Technology and Communications sectors have tackled tough issues like information sharing, threat assessment, qualified bidders and manufacturer lists, and security issues presented by the pandemic. This is a partnership that will expand in 2021 and further strengthen the security and resiliency of our supply chain.”
“For the past two years, the Information Technology and Communications sectors have worked hand-in-glove with CISA and other federal government partners to establish the Task Force as the preeminent public-private partnership tackling the critical issue of global ICT supply chain security,” said John Miller, Senior Vice President of Policy and Senior Counsel at Information Technology Industry Council (ITI) and ICT SCRM Task Force Co-Chair. “The Year 2 Report represents a significant milestone, delivering actionable recommendations to help public and private sector organizations better assess and manage supply chain risks, including by creating tools to address supply chain threat information sharing, threat analysis, and vendor assurance and trust. The Task Force looks forward to working with our federal partners in 2021 and beyond to operationalize the policy recommendations in this report to better manage today’s all-too-real supply chain threats and to develop future work products that will address other dimensions of this important national security issue.”
The Task Force plans to release working group reports described in the Year 2 Report in the coming weeks. Members will continue to explore means for building partnerships with international partners, new sectors, and stakeholders who can help grow the applicability and utilization of Task Force products.