Following high-profile supply chain attacks, including the SolarWinds compromise of 2020, a newly released joint advisory sets out practical steps for managed service providers and their customers to protect themselves.
The joint advisory from the National Cyber Security Centre (NCSC), a part of the UK’s GCHQ, and its international partners sets out a series of practical steps for managed service providers (MSPs) and their customers.
According to NCSC CEO Lindy Cameron, a vital part of the UK’s commitment to further strengthening the country’s cyber resilience involves working with international partners.
“Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk,” Cameron said.
Organisations are being encouraged to consider the advisory, Protecting Against Cyber Threats to Managed Service Providers and their Customers, in conjunction with guidance from the NCSC and others in relation to the heightened tensions as a result of events in Ukraine.
The UK and its international partners have issued advice to IT service providers and their customers this week as part of wider efforts to protect organisations in the wake of Russia’s invasion of Ukraine.
The advisory has been issued alongside the US’ Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI).
CISA Director Jen Easterly added that malicious cyber actors continue to target managed service providers, which is why it’s critical that MSPs and their customers take recommended actions to protect their networks.
“I strongly encourage both managed service providers and their customers to follow this and our wider guidance – ultimately this will help protect not only them but organisations globally.
“We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organisations they support. Securing MSPs is critical to our collective cyber defence, and CISA and our inter-agency and international partners are committed to hardening their security and improving the resilience of our global supply chain,” Easterly said.
The new supply chain guidance is set to be released on the second day of the NCSC’s CYBERUK conference in Wales, which a number of these partners are attending.
Canadian Centre for Cyber Security head Sami Khoury further explained that compromises can result in costly mitigation activities and lengthy downtime for clients.
“We strongly encourage organisations to read this advisory and implement these guidelines as appropriate.
“We’ve seen the damage and impact cyber compromises can have on supply chains, managed service providers, and their customers.”
MSPs provide IT support to their customers in various ways, for example through software or cyber security services, and in order to do so they are granted privileged access to customers’ networks.
This creates opportunities for attackers, who can gain access to an organisation’s network by compromising its MSP rather than attacking the organisation directly.
Abigail Bradshaw CSC, head of the Australian Cyber Security Centre, said managed service providers are vital to many businesses and as a result, a major target for malicious cyber actors.
“These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods.
“Effective steps can be taken to harden their own networks and to protect their client information. We encourage all MSPs to review their cyber security practices and implement the mitigation strategies outlined in this advisory.”
According to Lisa Fong, director of the NZ NCSC, supply chain vulnerabilities are among the most significant cyber threats facing organisations today.
“As organisations strengthen their own cyber security, their exposure to cyber threats in their supply chain increasingly becomes their weakest point.
“Organisations need to ensure they are implementing effective controls to mitigate the risk of cyber security vulnerabilities being introduced to their systems via technology suppliers such as managed service providers. They also need to be prepared to respond effectively when issues arise.”
One of the most significant examples of such a supply chain attack was the 2020 compromise of US software company SolarWinds, which affected customers throughout the world.
A range of steps are set out for MSPs and their customers in the latest advisory, including:
Commenting on the supply chain guidance, NSA Director of Cybersecurity Rob Joyce explained that the joint guidance will help MSPs and customers engage in meaningful discussions on the responsibilities of securing networks and data.
“Our recommendations cover actions such as preventing initial compromises and managing account authentication and authorisation.”
As malicious cyber actors continue to target this vector to threaten networks, businesses and organisations globally, Bryan Vorndran, assistant director of the FBI’s Cyber Division, said that through the joint advisory the FBI, together with federal and international partners, aims to encourage action.
“These measures and controls should be implemented to ensure hardening of security and minimise potential harm to victims,” Vorndran said.