Norwegian cyber command warning against supply chain exploitation for F35 project

The Norwegian general Inge Kampenes (chief of the Norwegian CYFOR, the cyber branch of the Norwegian armed forces) gave a speech on the evening of Monday 20.02.2017 to Oslo militære samfund, where he warned against supply chain threats to large investments in the military. He brought the F35 program forward, and stressed that threat actors may choose to target civillian and military organizations further back in the supply chain in order to threaten the integrity and confidentiality of the project. The military must therefore keep the entire value chain in mind as it is assessing the cyber threats related to procurement.


Aerial refueling of F-35 Lightning II Joint Strike Fighters at Eglin AFB, Fla.
F35 figher jets require a large number of systems on the ground, ranging from military equipment in the field to administrative IT systems. Breaches in the supply chains to these supporting systems may degrade the performance of the organizations and system supporting F35 operations. Photo by Mstr. Sgt. Donald R. Allen, US Air Force (public domain).


This follows several recent media accounts of poor sourcing decisions leading to significantly reduced security for important functions in Norway. One was the Statoil case from 2014 where Indian consultants had access to the production IT systems of a refinery and managed to shut down the production of the refinery by an error. Another story that recently broke in media was that the administration of the Norwegian emergency communications network for emergency response units (police, fire departments, ambulances and the authorities) had been contracted to another Indian IT operator – with no form of background checks or security clearance checks – in breach of Norwegian security laws.

The general is obviously right to be worried about supply chain risks. The suppliers are outside of your direct management control, and this is in particular true for large and complex value chains; the deeper you go in the web of suppliers and subsuppliers, the less influence and control you have over their practices. This has to be handled through contract requirements, auditing and a common understanding of priorities. Understanding the risk context is key to prioritizing the right controls – and this is at the core of supply chain threat management.

Key points the general should preach to his colleagues:

  • The project needs a procurement policy covering all purchases, and also how suppliers again shall handle their own suppliers, and this policy should be made mandatory for the entire project organization: the project owner must be the one calling the shots.
  • The project needs a competence management plan for information security – that covers both internal and external interfaces
  • The project needs a risk and vulnerability study that covers supply chain effects: the suppliers may be targeted due to activity in other risk contexts, thereby damaging the project’s security by collateral damage
  • The project should plan for coordinated security monitoring in the operations phase where applicable, and plan response accordingly. Patch management should be part of the delivery plan.

2 thoughts on “Norwegian cyber command warning against supply chain exploitation for F35 project

  1. The United States is in the process of implementing these types of regulations for defense and government subcontractors. If you’re interested; the cybersecurity standard written for it is called NIST SP800-171.

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s