Most organisations rely upon suppliers to deliver products, systems and services. But supply chains can be large and complex. Effectively securing the supply chain can be hard because vulnerabilities can be inherent in, or introduced and exploited at, any point in the supply chain. A vulnerable supply chain can cause damage and disruption.
Attackers have both the intent and the ability to exploit vulnerabilities in supply chain security, and this trend is growing. Physical, personnel and cyber security risks need to be considered within any risk assessment.
As part of the supply chain, data centre services you procure may be outsourced by your provider (if you are using a managed hosting data centre option, for example). If so, it is important to:
- Understand the impact outsourcing can have on your data centre requirements.
- Undertake a risk assessment identifying critical assets (i.e. your servers, racks and any associated security arrangements that you directly manage) and articulate what risks a supplier poses to those assets.
Data centre software and systems
- Software and software updates downloaded from suppliers’ websites provide opportunities for malware to be installed alongside legitimate products. The malware can include additional remote access functionality that could be used to take control of systems on which it is installed.
- Compromised software is very difficult to detect if it has been altered at the source, since there is no reason for the target company to suspect it was not legitimate. This places great reliance on suppliers, as it is not feasible to inspect every piece of hardware or software in the depth required to discover this type of attack.
- All software and systems supplied throughout a data centre (such as servers, networking systems, building management/automation systems, CCTV networks, enterprise IT, and so on) should be updated throughout their lifecycle with the latest firmware versions and security patches to minimise the risk of cyber-attack.
- The NCSC guidance on patching and vulnerability management provides more detail on this.
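A defender-side illustration of the two checks the points above call for, added here as an example and not part of the NCSC guidance: verifying a downloaded update against a digest obtained out of band (for example from a signed supplier advisory rather than the download page itself), and comparing an inventory of installed firmware versions against a minimum patched baseline. The component names, version numbers and sample update bytes are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: stands in for a firmware image downloaded from a
# supplier's website. Not a real product artefact.
SAMPLE_UPDATE = b"ACME-BMS-FW v3.2.0\x00" + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of an artefact."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Check a downloaded artefact against a digest obtained out of band.

    The expected digest is assumed to come from a channel other than the
    download site (for example a signed supplier advisory), so that a file
    swapped on the website is caught. compare_digest avoids leaking
    information through timing differences in the comparison.
    """
    actual = sha256_hex(data)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def parse_version(version: str) -> tuple:
    """Turn '9.3.10' into (9, 3, 10) so that numeric ordering is used.

    Plain string comparison would wrongly rank '9.3.8' above '9.3.10'.
    """
    return tuple(int(part) for part in version.split("."))


def outdated_components(inventory: dict, baseline: dict) -> list:
    """List components whose installed version is below the baseline.

    inventory: component name -> installed version (from asset records)
    baseline:  component name -> minimum patched version (from supplier
               advisories). Components missing from the inventory are
               reported too, since an unknown version cannot be treated
               as patched. Each finding is (component, installed, minimum).
    """
    findings = []
    for component, minimum in sorted(baseline.items()):
        installed = inventory.get(component)
        if installed is None or parse_version(installed) < parse_version(minimum):
            findings.append((component, installed, minimum))
    return findings


if __name__ == "__main__":
    # Constructed inventory and baseline for a small data centre estate.
    inventory = {
        "bms-controller": "3.1.0",   # building management system
        "cctv-nvr": "2.4.1",         # CCTV recorder
        "switch-core": "9.3.8",      # network switch
    }
    baseline = {
        "bms-controller": "3.2.0",
        "cctv-nvr": "2.4.1",
        "switch-core": "9.3.10",
        "ups-controller": "1.0.4",   # not in the inventory at all
    }
    pinned = sha256_hex(SAMPLE_UPDATE)  # stands in for the out-of-band digest
    print("download verified:", verify_download(SAMPLE_UPDATE, pinned))
    for component, installed, minimum in outdated_components(inventory, baseline):
        print(f"{component}: installed {installed}, minimum {minimum}")
```

The digest check only defends against tampering between the supplier and you; if the software was altered at the supplier's source, the published digest will match the altered file, which is exactly the reliance on suppliers the second point above describes. The version check is therefore paired with it: keeping every component at the supplier's latest patched release limits the window in which a known flaw in any of those systems can be used.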
The NCSC and CPNI have developed 12 principles to help you establish effective control and oversight of your supply chain. Our guidance covers cyber, physical and people security.
An infographic of the principles is also available.