The recent WannaCry cyber attack has prompted organisations around the world urgently to review their cyber security. It’s also focused more attention on an important initiative by the UK’s Ministry of Defence (MoD) called DEFCON 658. This new procurement protocol on cyber security requires all suppliers bidding on MoD contracts, which necessitate the transfer of MoD-identifiable in-formation, to comply with new additional regulations.
But it’s not just MoD suppliers who need to take action here. Over the next few years, as demands for better cyber security intensify, these requirements will affect those suppliers’ own supply chains as well.
The move follows the establishment in 2013 of the Defence Cyber Protection Partnership (DCPP), a joint defence and supply chain initiative tasked with improving the protection of the defence supply chain from cyber threats. The DCPP have defined both a cyber-security model and a range of cyber-risk profiles that set out the controls and measures suppliers must meet to demonstrate sufficient mitigation of their cyber risks before they are allowed to start work on an MoD contract.
“The MoD has a long history of ensuring good physical security controls, for example checking people entering and leaving buildings, but it now also needs to ensure the same level of controls for cyber security,” says Dr Alex Tarter, head of cyber consulting at Thales, the global technology leader for the aerospace, transport, defence and security markets, which is also a core member of the DCPP.
“These days, it’s not just about asking whether a company has the right cyber-security controls in place, but how well those controls are man-aged and implemented. DCPP assesses a company’s cyber maturity in this regard.”
Thales, whose cyber-security clients include Williams Formula 1, Jaguar Land Rover and the UK nu-clear sector, offers a consultancy service to help companies to get to grips with the new MoD cyber requirements in the most efficient and cost-effective way.
“According to the UK’s National Cyber Security Strategy, every company has to take responsibility for their own cyber security, just as they currently do with finances and HR,” says Dr Tarter. “In the case of DEFCON 658 this means ensuring the cyber security of their entire supply chain, so there is a challenge in raising everyone up to the new UK defence procurement standards. Not every business is mature enough to implement that level of cyber security. So we’re finding that more companies are coming to us as experts for assistance.”
Dr Tarter compares the previous technology emphasis and the current shift to maturity with building a house. “Focusing on the technology, such as bricks in this case, doesn’t guarantee that you’ll build a solid house – it’s how you put it all together that counts. Instead of worrying about which building blocks or technologies, such as firewall or anti-virus, are used, concentrate on employing a skilled architect and influencing the cyber-safe behaviours of those people who live and work in it,” he says.
As WannaCry and Petya attacks have demonstrated many companies are not resilient to a cyber attack. Common vulnerabilities when exploited are shutting down their operations. Which is why businesses unsure that their cyber-security protections are aligned to their business needs are talking to Thales about their Cyber Vulnerability Investigation (CVI) service.
This service is based on Thales’ experience providing CVIs to the MoD and commercial partners, helping them to identify vulnerable areas that if cyber attacked would prove devastating to their business operations, and how to make themselves more resilient and mature.
Thales understands the important role maturity plays in good security. Dr Tarter says: “We secure the trans-actions of 19 of the world’s 20 largest banks, so we appreciate that good security does not inhibit business, but rather ensures it is more resilient.”
For more information please visit www.thalesgroup.com/en/tcc-uk
