OG86 is Operational Guidance issued by the Health & Safety Executive (the UK government agency tasked with regulating and enforcing health and safety in the workplace) to mitigate the risk of cyber-attacks that could result in health and safety incidents, major accidents and/or the loss of essential services.
Why should you care about the NIS Directive?
On our website we have a growing amount of information defining the Network and Information Systems Directive on Security, showing how the NIS Directive relates to what we do, and discussing the various sectors that it applies to, such as energy, water and transportation. In this blog post we go a little deeper, and discuss why you should care about the NIS D and how it might improve your cyber security.
First of all, the NIS Directive is a European Union directive established in 2018 and applied across the EU member states. As this was 2018, the UK has also transposed the directive into law as the NIS Regulation. Different states have implemented it slightly differently, but the goal is the same: to reduce disruption to everyday life by improving the cyber security of critical infrastructure operators of essential services (OES) and of other critical digital service providers (DSPs), such as search engines and digital markets.
Non-compliance with the directive comes with fairly hefty fines; however, the primary action of each nation state is to help operators and service providers improve before enacting the full force of those penalties. Carrots are being offered before the sticks are “thwacked.”
As we mentioned above, different countries are implementing the directive in different ways. In the UK, the National Cyber Security Centre (NCSC) has developed the Cyber Assessment Framework (CAF), a framework of cyber security best practices. It is a general framework applicable to all kinds of sectors, but it was developed specifically with critical national infrastructure sectors in mind. Energy, water, transportation and a variety of other critical sectors are therefore recommended to work towards full compliance with the CAF, with the regulators in each sector assisting with initial checks, monitoring progress, making recommendations and auditing, with the eventual possibility of fines in cases of non-compliance with those recommendations.
However, it should be noted that there is a lot of marketing spiel from the cyber security community saying that compliance is not equal to cyber security. This is certainly true, but only because compliance is the minimum we should be doing to reduce the very real threat of a cyber attack on critical infrastructure. Unfortunately, many organisations are not yet compliant with the CAF.
Why do Awen care?
Awen cares because compliance with the regulation, and especially using the CAF, leads to a safer society. Imagine, for a second, that the drinking water supply was contaminated because the filtration systems were switched off by a cyber attack. That filtration system was being monitored by an efficiency and predictive maintenance monitoring system directly connected to the filtration controllers. If that water company had followed the CAF as a baseline, then it would have been prompted to ensure that (for example) appropriate authentication was in place on the IT systems, that the OT systems were patched, and that the on-site engineers had cyber awareness. That would reduce the cyber risk, and ultimately the chance of the community’s water supply being polluted.
This is the raison d’être for Awen. We exist to make society safer by reducing the cyber risks in critical national infrastructure and manufacturing. Our product Profile helps to ensure that organisations progressively improve their adherence to the Cyber Assessment Framework (CAF), leading to NIS Directive compliance. Our other product, Dot, goes one step further and begins to help organisations reduce the vulnerabilities in their operational technology. Not through any fancy artificial intelligence system, but through actionable intelligence working in collaboration with engineering and business processes.
P.S. You can now buy Profile through our website using a credit or debit card, with options for monthly or annual agreements! To celebrate, we’ve also applied a discount. Plus, don’t forget that if you are a healthcare organisation, or are manufacturing face masks, hand sanitiser, other PPE, ventilators, vaccines or treatments for COVID-19, then you can get Profile from us at no charge for the remainder of 2020.
Cyber Attacks on OT on the rise, and why we should be concerned
Last week, cyber security experts Fortinet published a report on security trends within Operational Technology, again putting the spotlight on these highly vulnerable and increasingly attacked systems, many of which are responsible for providing critical services to society worldwide.
The report indicates that bespoke OT cyber attacks are on the increase, targeting specific vulnerabilities within SCADA and ICS systems. Whilst this is certainly a serious concern, almost more shocking is that the majority of attacks on OT systems use legacy IT-based attacks that would no longer be effective against modern IT systems. These OT systems consist of ageing hardware running unpatched software, leaving them highly vulnerable to even basic IT-based cyber attacks. This means that bad actors can effectively disable an OT environment with no specialist or prior knowledge of the specific systems involved, leaving no ICS/SCADA device secure, regardless of the vendor, software or hardware involved.
There also seems to be continued neglect of basic cyber hygiene within ICS and SCADA environments, with almost a third of OT devices directly connected to the internet, and another third accessible from the internet via the IT enterprise network. Whilst it is acknowledged that connecting the OT environment to the IT network brings many benefits, increasing efficiency and visibility and leading to optimisations and significant cost savings, those benefits come at the cost of increased security risk. These findings seem to point towards a scenario in which potential cost savings are prioritised over cyber risk by the decision makers within these organisations, leading to the highly vulnerable situation that Fortinet are now reporting on.
To add to this, it is reported that more than 8 in 10 respondents to a survey stated that they are unable to identify all the devices connected to their OT and IT networks. How can OT operators begin to mitigate the cyber risk within their environments when they don’t even have the visibility into the devices they need to protect? This is something we are keenly aware of at Awen Collective, and we’re here to help. Our asset and risk discovery software, Dot, exists to provide a deep level of understanding of an OT environment, highlighting key concerns and helping cyber security, OT engineering and corporate compliance teams to manage their responsibilities with the best information available to them.
What the report doesn’t focus upon is the environments in which these systems operate, and the potential effects on the operators and their clients. Whilst many of these systems exist within manufacturing facilities, and naturally there are huge costs associated with attacks within the manufacturing sector, there is more at play here than just monetary loss by large-scale manufacturers. ICS and SCADA systems are a key part of how providers of critical national infrastructure deliver their services to society. This includes the provision of electricity, water, sewerage, transportation and healthcare. If any of these services were interrupted or disabled by a cyber attack, there is a strong likelihood of widespread disruption, potentially leading to societal destabilisation and loss of life.
There has been an effort by EU legislators to address this concern by introducing the NIS Directive and ensuring that all EU states bring into law a requirement that critical national infrastructure operators consider their cyber security across their entire IT and OT estates and embed good cyber security practice at all levels of their organisations. Based on this report, there are likely to be some significant hurdles for CNI operators to overcome to become fully compliant with the directive. With fines of £17 million or 4% of annual turnover due to be levied against operators found not to be compliant, it should be a strong wake-up call for business decision-makers across CNI organisations. To help, Awen Collective offers Profile – a compliance checking tool for the NIS Directive, allowing a CNI organisation to easily and quickly determine its current compliance level, identify weaknesses to overcome and get advice on next steps.
We’re thankful to Fortinet for their report, and we’re looking forward to continuing to help ICS and SCADA operators solve the cyber security issues they have. If you’re looking for cyber security solutions for your OT environment, reach out to us at hello@awencollective.com.