Five Eyes Nations Issue New Supply Chain Security Advisory

Organizations have been urged to take action to secure their supply chains following Russia’s invasion of Ukraine in a joint advisory by the Five Eyes nations.

The document, ‘Protecting Against Cyber Threats to Managed Service Providers and their Customers,’ has been issued jointly by relevant government agencies from the Five Eyes security alliance. These are the UK’s National Cyber Security Centre (NCSC), the US’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS) and the New Zealand National Cyber Security Centre (NZ NCSC).

The advisory sets out practical steps managed service providers (MSPs) and their customers can take to avoid falling victim to a cyber intrusion. This is designed to enable transparent discussions between MSPs and their customers on securing sensitive data; for example, encouraging customers to ensure their contractual arrangement specifies that their MSP implements these measures and controls. Among the practical measures outlined are:

  • Implementing tools to prevent initial access methods such as phishing
  • Enabling/improving monitoring and logging processes
  • Enforcing multi-factor authentication (MFA)
  • Managing internal architecture and segregating internal networks
  • Applying the principle of least privilege

The new advisory comes amid growing concerns that cyber threat actors are increasingly targeting MSPs to gain access to the networks of multiple organizations. One high-profile example was the SolarWinds incident in 2020, which impacted customers worldwide. This is believed to have been conducted by Russian state-backed operatives for espionage purposes.

Organizations are being encouraged to consider the advisory in conjunction with other guidance from organizations like the NCSC and CISA in relation to heightened geopolitical tensions resulting from the Russia-Ukraine conflict.

NCSC CEO Lindy Cameron commented: “We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that.

“Our joint advisory with international partners is aimed at raising organizations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk.”

CISA Director Jen Easterly added: “I strongly encourage both MSPs and their customers to follow this and our wider guidance – ultimately, this will help protect not only them but organizations globally.

“As this advisory makes clear, malicious cyber actors continue to target MSPs, which is why it’s critical that MSPs and their customers take recommended actions to protect their networks.

“We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organizations they support. Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

The announcement was made on Day 2 of the CYBERUK conference 2022, taking place in Wales, UK.

In March, Ian Levy, technical director of the NCSC, urged the public sector, critical national infrastructure (CNI) operators and other organizations to reconsider the potential risks associated with any “Russian-controlled” parts of their supply chain.
