NCSC: Time to Rethink Russian Supply Chain Risks


One of the UK’s top security agencies has urged the public sector, critical national infrastructure (CNI) and other organizations to reconsider the potential risks associated with any “Russian-controlled” parts of their supply chain.

Ian Levy, technical director of the National Cyber Security Centre (NCSC), said there’s no evidence to suggest that the Russian state is about to force commercial providers to damage UK interests. However, that doesn’t mean it isn’t happening or won’t at some point in the future, he added.

“Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed,” Levy argued.

“The war has proven many widely held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them.”

The new NCSC advice applies to: all UK public sector organizations; those providing services to Ukraine; CNI firms; organizations doing work that could be seen as running counter to Russian interests; and high-profile organizations whose compromise would be a PR win for the Kremlin.

Levy argued that organizations more likely to be a target of Russian aggression need to reconsider any reliance on Russian tech or services. Those who use services sourced from inside the country need to think about increased cyber-risk, even if the provider itself is not Russian, he added.

“You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk,” Levy continued.

“Whatever you choose, remember that cybersecurity, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.”

Even companies that aren’t likely to be a target should remember that global sanctions could impact the availability of any Russian technology services.

There was some good news from the NCSC. Levy said individuals using Kaspersky products could continue to do so relatively safely. He claimed that “massive, global cyber-attacks” are unlikely to be launched due to the conflict.
