25 Jan 2024
by David Holman

Nine tips for keeping communications secure within the supply chain

Guest blog by David Holman, Director at Armour Communications #NatSec2024

As cyber-espionage, state-sponsored hacking and identity-based attacks powered by AI and deepfake technology become mainstream, details of sensitive communications among supply chain partners are at particular risk of compromise.

Any organisation that collaborates with others and shares commercially sensitive information needs to take robust action to secure its internal and supply chain communications, to avoid becoming a victim of malicious attacks that can damage reputation and cause financial loss to commercial and brand value.

Keeping your supply chain secure

The NCSC reports that supply chain attacks are on the rise, as increasingly complex technology ecosystems present more opportunities to be exploited. Where an organisation cannot be compromised directly, an adversary may target its digital supply chain. In just one of many recent examples, Swiss Air Force documents were published on the dark web after an attack on one of its suppliers.

Organisations that need to collaborate with others, perhaps because they are working together on major projects, need to be able to communicate securely.

Mass-adoption applications are NOT secure enough

While popular mass-adoption communication applications offer convenience and claim to be secure, they have not been designed for sharing sensitive commercial information. Using products not specifically designed to address the needs of high assurance organisations introduces unnecessary risk to all organisations within the supply chain.

Advanced Mobile Solutions – 9 Top Tips

The UK’s National Cyber Security Centre (NCSC) has defined a range of cyber security principles which a secure communications system should meet with the aim of delivering more secure devices that are as easy and convenient to use as commercial/consumer devices. With this in mind, here are 9 top tips for setting up secure communications systems that protect sensitive conversations, enabling secure collaboration with trusted partners.

  1. Provide reasonable protections against device compromise

Data should be encrypted at rest, time limited (i.e. automatically deleted after a set amount of time) and remotely wipeable if, for example, the device or the user is compromised. The communications app should not start if the platform or operating system has been rooted or jailbroken.

  2. Prevent bulk interception of sensitive data

Data should be encrypted in transit, including push notifications, and it should be agnostic to being further protected by multiple layers of secondary encryption (for example, VPNs).

  3. Prevent devices being compromised in bulk

Each user is separately Activated, Keyed, and Authenticated throughout use and is instantly Revocable, including the remote wipe of all data held within the app.

  4. Keep sensitive data encrypted in the mobile infrastructure

Apply a ‘walled garden’ approach to network zoning of infrastructure. User management and key generation are held within the inner zone, securely segregated from external-facing services. Sensitive data passed from inner to outer zones is encrypted and can only be decrypted by the recipient user app.

  5. Monitor the mobile infrastructure to detect attacks

Service providers should deliver logging and data ‘pinch points’ to assist in monitoring.

  6. Make it easy to destroy and recreate the mobile infrastructure

Infrastructure should be containerised for fast refresh or updates.

  7. Protect the core with hardware assured Cross Domain Solution (CDS)

Ensure interoperability with CDS gateways for voice, video, messaging and Inner/Outer infrastructure zone control channels.

  8. Control and monitor the release of data from the core

The infrastructure should only permit the Inner network zone to initiate connections to the Outer zone to prevent external attacks back into the Inner zone.

  9. Engaging and user-friendly

Any solution must balance security with usability.  Apps need to be as engaging and easy to use as consumer-grade apps, but with significantly more robust security, so that users have no need of workarounds to get the job done.
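
The tips on monitoring the infrastructure and on allowing only the Inner zone to initiate connections to the Outer zone can be checked together against connection logs taken at the zone boundary. The following is an added example, not code from the article or from Armour Communications; the zone address ranges, the log format and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed zone addressing, for illustration only.
INNER = ipaddress.ip_network("10.10.0.0/24")   # user management, key generation
OUTER = ipaddress.ip_network("10.20.0.0/24")   # external-facing services

# Constructed connection records from a hypothetical zone-boundary pinch point.
SAMPLE_LOG = """\
2024-01-25T10:00:01Z NEW src=10.10.0.5 dst=10.20.0.8 dport=8443
2024-01-25T10:00:01Z ESTABLISHED src=10.20.0.8 dst=10.10.0.5 dport=51544
2024-01-25T10:03:17Z NEW src=10.20.0.8 dst=10.10.0.5 dport=22
2024-01-25T10:04:40Z NEW src=203.0.113.9 dst=10.20.0.8 dport=443
2024-01-25T10:05:02Z NEW src=203.0.113.9 dst=10.10.0.7 dport=5432
2024-01-25T10:06:00Z NEW src=10.20.0.8 dst=not-an-ip dport=80
"""

RECORD = re.compile(
    r"^(?P<ts>\S+) (?P<state>NEW|ESTABLISHED) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def zone_of(addr):
    # Anything outside both assumed ranges is treated as external.
    return "inner" if addr in INNER else "outer" if addr in OUTER else "external"

def audit(log_text):
    """Return (violations, unparsed) for connections opened into the inner zone."""
    violations, unparsed = [], []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            unparsed.append(line)  # surface it; a dropped record is a monitoring gap
            continue
        # Only connection-opening records matter; replies on inner-initiated flows are expected.
        if m["state"] == "NEW" and zone_of(dst) == "inner" and zone_of(src) != "inner":
            violations.append((m["ts"], zone_of(src), str(src), str(dst), int(m["dport"])))
    return violations, unparsed

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Records that cannot be parsed are returned separately so that they can be reviewed rather than silently ignored.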

For more information about protecting supply chain communications, visit: www.armourcomms.com


techUK’s National Security Week 2024 #NatSec2024

The National Security team are delighted to be hosting our annual National Security Week between Monday, 22 January 2024, and Friday, 26 January 2024.
