Supply chains can be massive. The US Department of Defense (DoD) supply chain, for example, has a value of over $93 billion and includes over 300,000 contractors. Supply chain vendors connect across multi-cloud infrastructures and communicate using disparate and often uncontrolled endpoints. This complex matrix has not been lost on industry bodies, which offer guidance on protecting the supply chain. One such body is the British Security Industry Association (BSIA), which recently released a new code of practice for installers responsible for safety and security systems.

What is the BSIA CySPAG code of practice?

BSIA’s Cybersecurity Product Assurance Group (CySPAG) has developed a Code of Practice (CoP) to offer guidance on security as supply chains become increasingly connected. This hyper-connectivity has increased the level of cyber-threats against supply chains, which makes the guidance a useful document for any organization that is a supply chain vendor or runs a supply chain. The remit of the CySPAG CoP is to deliver best practice guidance for any entity that installs systems and equipment in any part of a supply chain. The CoP covers the following aspects of installed devices, applications and systems that could be compromised in a cyber-attack:

Design
Planning
Operation
Installation
Commissioning
Maintenance

However, it is worth noting that the CySPAG code of practice does not prescribe specific cybersecurity countermeasures. Rather, the CoP looks to develop appropriate contingency planning measures. Ultimately, this helps ensure that clients are offered assurance that connected systems have been designed, installed and maintained to best practice cybersecurity guidelines.

Core parts of the CySPAG code of practice

The core moving parts of the code of practice are:

Confidentiality

Any documentation that has specifics of the design and implementation of systems should be securely stored.

Competence

Any persons responsible for installation and maintenance should be of a required competence and appropriately trained.

Security policy

An installation organization should have documented security policies. The CySPAG code of practice recognizes that responsibility is a shared endeavor between the manufacturer, the installing organization and the client. The guidelines also refer readers to the UK’s Cyber Essentials guidance from the National Cyber Security Centre.

Important documentation requirements

Documentation is a key component of the code of practice. It must be produced and maintained across the entire life cycle of installation and maintenance. Documentation that is seen as a “must have” is:

System cybersecurity policy: The baseline document that outlines the security strategy
Roles and responsibilities register: The persons responsible for the ongoing security of the installed system
Back-ups: Details of backup and restore processes
Passwords: Policies based on the guidance from UK Cyber Essentials
Updates: Update and patching policies
Communications plan: Event notification process
Training record: Documented training records for security roles
Nominated person acceptance: Record of acceptance of the installed system
Maintenance schedule: Record of maintenance events
Design survey for cybersecurity: Survey of design decisions
System design: Full documentation of the system design, including network topology, encryption, protocols and so on
As fitted records: Detailed documentation of components and configuration settings

Why place any cybersecurity responsibility on installers?

Misconfiguration of security systems is a serious problem that opens doors for cybercriminal activity. McAfee found that, on average, an enterprise has 14 misconfigured IaaS instances, resulting in an average of 2,269 misconfiguration incidents per month. Some of the world’s largest data breaches, including the 2019 Capital One breach, were caused by a misconfiguration (in Capital One’s case, a misconfigured web application firewall) that was then exploited by an attacker. The serious outcomes from, and almost ubiquitous nature of, system and service misconfiguration are why OWASP lists Security Misconfiguration in its Top Ten web application security risks (A6 in the 2017 edition).

Conclusion

Security is a cross-party responsibility. Each stakeholder in the functioning of a supply chain needs to take a role in ensuring secure operations. The BSIA CySPAG code of practice outlines how installers fit into this 360-degree view of securing systems across a supply chain. Many of the requirements of the code of practice involve policy and documentation. However, these act as a cross-reference and check to ensure that good security is practiced and maintained throughout the supply chain against a standardized set of requirements. It is also worth noting that while this is a UK initiative, the guidelines are applicable on a global scale, just as cybercrime has a global reach.

Sources

ISTR 2019: Cyber Criminals Ramp Up Attacks on Trusted Software and Supply Chains, Symantec Enterprise Blogs
Installation of safety and security systems: Cybersecurity code of practice, BSIA
McAfee Cloud Adoption and Risk Report, McAfee
Defense Industrial Base Sector, Cybersecurity & Infrastructure Security Agency