A new Scottish Government cyber assessment tool has been launched to help public sector organisations improve resilience across their supply chains.
The guidance, published by the Safer Communities Directorate, is intended to ensure a “consistent approach” is taken to cyber security across the public sector in Scotland, including non-departmental public bodies (NDPBs), Non-Ministerial Departments, local authorities, health boards, universities and colleges.
Named the Scottish Cyber Assessment Service, the service is a response to concerns raised by the UK Government’s National Cyber Security Service (NCSC) that a “vulnerable supply chain can cause significant damage and disruption to organisations”. Previously observed attack vectors include compromised third party software providers, website builders, third party data stores and watering hole attacks. A high-profile example of a third party software provider attack is the campaign run since 2011 by the cyber-espionage group Dragonfly (also known as Energetic Bear, Havex, and Crouching Yeti), which has allegedly targeted companies across Europe and North America, mainly in the energy sector.
The Shylock banking trojan was an example of an attack which compromised legitimate websites through website builders used by creative and digital agencies; they employed a redirect script, which sent victims to a malicious domain owned by the Shylock authors. The threat was reduced after a coordinated law enforcement operation in 2014.
The Scottish Government guidance states: “A series of high profile, very damaging attacks has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. There is a clear need for Scottish public sector organisations to understand the cyber threat to supply chain security and to take appropriate, proportionate action to mitigate it.”
Through Scottish Enterprise, the Scottish Government is supporting a voucher scheme up to the value of £1,000 for SMEs and businesses to achieve Cyber Essentials certification, a scheme run by NCSC.
The guidance outlines 12 principles of supply chain security according to four themes – understanding the risks, establishing control, checking arrangements and continuous improvement – and it is recommended that organisations read the guidance in full before carrying out a risk profile assessment, then a supplier assurance questionnaire. It also carries advice about the appropriate wording to be used in procurement processes in order to ensure compliant tendering.