Cyber Security for Aviation

British Airways (BA) has appeared in the news recently because data of around 500,000 customers has been stolen from their website and mobile app, and this has led to the Information Commissioner’s Office (ICO) in the UK handing them a potential fine of £183.4million (GBP) under the General Data Protection Regulation (GDPR). This is a fine of approximately 1.5% of their worldwide annual turnover, with the maximum fine being 4% of annual turnover (or around £18million, whichever is greater).

NIS Directive within Aviation

At the same time as GDPR came into force across the EU, the NIS Directive also came into force (somewhat drowned out by the GDPR noise, unsurprisingly). The NIS Directive requires organisations within Critical National Infrastructure, including transportation networks such as aviation, to embed a particular level of cyber security and incident response planning throughout the entire organisation, from engineering operations and IT through to board level.

In the UK, the National Cyber Security Centre (NCSC), which is the public-facing cyber security division of GCHQ, released the Cyber Assessment Framework (CAF) to address the minimal requirements critical national infrastructure must adhere to in order to be compliant with the regulation. The CAF was the initial framework of our Profile software. Audits against the CAF are then checked by the regulators for the different sectors.

For the aviation sector in the UK, the NIS Directive regulation still applies, and the Civil Aviation Authority (CAA) is the organisation charged with ensuring that aviation organisations within the UK are complying with that regulation. They, however, are currently not using the NCSC CAF but are using their own framework entitled “CAP 1574: 26 security controls for regulation.”

It is with pleasure that we announce full support of CAP 1574 in the Profile product by Awen Collective, meaning that we make the whole process of helping aviation organisations within the UK comply with the NIS Directive easier, while also enabling them to track their scores over time and assisting them with making improvements.

Within the aviation sector, the regulation and the framework should apply to all organisations that own or operate aircraft, airlines, airports, airspace management and aviation security. The NIS Directive also states that suppliers to these organisations should have the same or greater levels of cyber security.

Building Automation and Control within Aviation

Aviation sector organisations have to consider the cyber security of their facilities, including their buildings - both private and public-facing, including airports. These buildings are increasingly being fitted with digital networks and internet-connected devices. These devices are often sensors but in some cases they are controllers and actuators (something that makes a physical change). Examples include Heating, Ventilation, Air Conditioning (HVAC); elevators, escalators and travelators; physical access systems (such as key cards or biometric scanners); bag checking systems; fire alarms and so on.

These systems generally come under the category of Building Automation & Control (BAC), and it is with pleasure that we announce that our product Dot supports protocols for BAC, including BACnet. With our software, organisations within the aviation sector will be able to perform automated asset and vulnerability discovery, leading to a greater understanding of risk and the mitigation of that risk. Dot will not only help to improve safety and security within an aviation organisation, but will also help to save money as budget can be correctly allocated to any security concerns before an incident happens. Dot will also help aviation organisations to achieve various components of the CAP 1574 and the Cyber Assessment Framework, in particular those compliance points related to Asset Management, Risk Management, Secure Configuration, Network Segregation, Security by Design, Vulnerability Monitoring and Knowledge Sharing.

Profile and Dot are available now to the aviation industry. Contact us today to book a demonstration and to discuss next steps by emailing hello@awencollective.com

This is the first in a series of blog posts about the cyber security of Building Automation and Control (BAC) and Building Management Systems (BMS).

The Role of Security in Automation

Prompted by a LinkedIn article written by our good friend James Chappell at Digital Shadows, entitled “The Role of Automation in Security”, we thought that it would be a great idea to explore the converse of the concept and write about “The Role of Security in Automation”, as this is exactly what we at Awen Collective are addressing.

Automation has almost always been for simplifying repetitive or dangerous tasks (or captivating imagination). This has been the case since the ancient Greek legends of automatons through to the contemporary physical robotics and digital assistants.

Homes, office buildings, factories, airports, national infrastructure, even entire cities are now being connected with systems providing advanced analytics to be able to enhance the efficiency of business and society, and to improve human-safety. However, with the inter-connectivity of physical systems comes the ever increasing ability to attack them. These systems are, for the most part, not IT-based technology (at least not entirely), they are Operational Technologies made with specific control and/or sensory processes in mind. Quite often there is a blend of legacy and contemporary technologies, often with no or limited embedded cyber-security out-of-the-box.

While some organisations are attempting to address this with active monitoring and intrusion detection technologies, they have had limited success due to the requirement of costly network reconfiguration to support these emerging technologies, and a lack of support for the legacy technologies still in use.

Awen Collective takes a different approach. With our experience performing digital forensics on these systems we have developed software (and accompanying techniques) which do not require a significant configuration overhaul. In fact, our software is specifically tailored to work on whichever network topology is in place, even if it is legacy, even if it is serial, even if it is messy and distributed. We give critical infrastructure, advanced manufacturers, smart cities and a whole load of other potential stakeholders the ability to understand the vulnerabilities of their operational networks and their cyber-physical systems. This allows them to better understand their cyber-risk and improve their cyber-security efforts, reducing their cyber-risk in a cost-effective manner and improving their compliance to a plethora of cyber-security related regulations & standards.

If you’re an owner or administrator of operational technologies or cyber-physical systems, ranging from industrial control systems (ICS, such as SCADA or IIoT) and networked robotics to building control systems (including physical security and HVAC systems), then we are certainly able to help you improve your cyber-security, reduce your cyber-risks, and improve your compliance. We’re even able to assist post-incident with the necessary investigation and the reporting of the attack to relevant authorities.

Just get in touch, we’re always up for an exploratory chat. Email to schedule in a call or a face-to-face: hello@awencollective.com

We hope to hear from you soon.

Daniel - CEO & Cofounder, Awen Collective

Collaboration across EU helps cyber-security of society


Awen Collective has produced a Software-as-a-Service product called Profile which makes it much quicker and easier for Critical National Infrastructure, their partners and their regulators to perform audits to ensure regulatory compliance to the NIS Directive. We are also actively working on other projects for some of our continental partners.

The NIS Directive is a European Union directive that has, as of 2018, been implemented in law in all 28 member states of the EU (including the UK). This regulation provides a much needed prompt to European critical infrastructure providers to improve the cyber-security policies, processes and technologies within their whole organisation – from board member to engineer, from IT to Operational Technologies (OT).

However, it is not the only good thing that the European Union has done or is doing with regard to cyber-security in general and industrial cyber-security in particular. We don’t even need to mention GDPR. This blog post outlines some of the other great initiatives.

Europe-wide Cyber-Security Initiatives & Programmes

European Union Agency for Network and Information Security (ENISA) – is a great organisation (or agency) which contributes to the network & information systems security across Europe, with a particular focus on ensuring the security and safety of European society, commerce and government. It is a very holistic organisation, very much worth checking out if you have not heard of them. ENISA has done so well over the years, that the EU decided to enhance the powers of ENISA through the Cybersecurity Act of December 2018.

The Computer Emergency Response Team for the EU institutions, agencies and bodies (CERT-EU) provides threat intelligence and assistance in the prevention, detection, mitigation and response to cyber-attacks by providing a cyber-security information exchange. It works closely with other CERTs in the public & private sectors across Europe.

The European Cyber Crime Centre (EC3) is a division of the EU agency for law enforcement cooperation (EUROPOL). EC3 assists with the law enforcement response to cyber-crime across the EU, with particular focus on strategy, forensics and operations/intelligence. EC3 publishes the Internet Organised Crime Threat Assessment report, which highlights some interesting information.

The European Cybersecurity Industrial, Technology and Research Competence Centre (ECITRCC) is a policy-driven centre focused on the European digital market. It will contribute to the deployment of the latest cyber-security technology, provide financial & technical support to cyber-security start-ups & SMEs, support industrial R&D, push high levels of cyber-security standards and facilitate cooperation between civil & defence spheres with regard to cyber-security. It is too early to say how effective the Centre will be, but it seems to be very promising.

There is also a significant number of funded R&D initiatives across Europe through the Horizon 2020 framework, which require collaboration from different organisations in at least a few member states and typically support a mixture of SMEs, universities, larger organisations and the public sector across Europe.

Plus much much more…

All of the above combine to help everyone living and working in Europe to have a safe and secure society.

What are Awen Collective doing?

Awen Collective have built software to provide solutions to an international problem. One product, Profile, addresses the NIS Directive directly and is naturally a European-focused product. Contact us today to organise a demonstration of Profile. Email: hello@awencollective.com

Meet Awen Collective at InfoSec Europe - 4-6 June 2019


The Awen Collective team will be at Information Security Europe (InfoSec) in London, at the Olympia, from the 4th to the 6th June 2019. You will be able to find out more about us, and talk with us, at the Welsh Government stand at Stand Q75. Tickets for InfoSec 2019 are free prior to the first day of the event, so book in advance. The event buzzes every year with a passion for cyber-security; it is truly a must-see in the UK.

Our CEO & CTO will be around for meetings on the afternoon and evening of the 4th June, and the rest of the team will be able to answer any general questions on the 5th and 6th June. To set up a meeting in advance, please email hello@awencollective.com with the subject line InfoSec 2019 and we will confirm as soon as we can.

Cyber Attacks on OT on the rise, and why we should be concerned

Last week, cyber security experts Fortinet published a report on security trends within Operational Technology, again putting the spotlight on these highly vulnerable and increasingly attacked systems, many of which are responsible for providing critical services to society worldwide.

There was an indication that bespoke OT cyber attacks are on the increase, targeting specific vulnerabilities within SCADA and ICS systems. Whilst this is certainly a serious concern, almost more shocking is that the majority of attacks on OT systems are via IT-based legacy attacks which would no longer be effective on modern IT systems. These OT systems comprise ageing hardware running unpatched software, which leaves them highly vulnerable to even basic IT-based cyber attacks. This allows bad actors to effectively disable an OT environment with no specialist or prior knowledge of the specific systems involved, leaving no specific ICS/SCADA devices secure, regardless of the vendor, software or hardware involved.

There also seems to be continued ongoing neglect of basic cyber-hygiene within ICS and SCADA environments, with almost a third of OT devices directly connected to the internet, and another third accessible from the internet via the IT enterprise. Whilst there is an acknowledgement that there are many benefits from connecting the OT environment to the IT network to increase efficiencies and visibility, leading to optimisations and significant cost savings, these are in direct opposition to the increased security risk. These findings seem to point towards a scenario where potential cost savings are considered above the cyber-risk by the decision makers within these organisations, leading to the highly vulnerable situation that Fortinet are now reporting on.

To add to this, it is reported that more than 8 in 10 respondents to a survey stated that they are unable to identify all the devices connected to their OT and IT networks. How can OT operators begin to mitigate the cyber risk within their environments when they don’t even have the visibility into the devices they need to protect? This is something we are keenly aware of at Awen Collective, and we’re here to help. Our asset and risk discovery software, Dot, exists to provide a deep level of understanding of an OT environment, highlighting key concerns and helping cyber security, OT engineering and corporate compliance teams to manage their responsibilities with the best information available to them.

What the report doesn’t focus upon is the environments where these systems are operating, and the potential effects on the operators and their clients. Whilst many of these systems exist within manufacturing facilities, and naturally there are huge costs associated with attacks within the manufacturing sector, there is more at play here than just monetary loss by large-scale manufacturers. ICS and SCADA systems are a key part of how providers of critical national infrastructure deliver their services to society. This includes the provision of electricity, water, sewerage, transportation and healthcare. If any of these services were interrupted or disabled due to a cyber attack, there’s a strong likelihood of widespread disruption, potentially leading to societal destabilisation and loss of life.

There has been an effort by EU legislators to address this concern, introducing the NIS Directive and ensuring that all EU states bring into law that critical national infrastructure operators are considering their cyber security across their entire IT and OT estates, and embedding good cyber security practice at all levels of their organisations. Based on this report, there should be some significant hurdles for CNI operators to overcome to get themselves entirely compliant with the directive. With fines of £17 million or 4% of annual turnover due to be levied against operators not found to be compliant, it should be a strong wake-up call for business decision-makers across CNI organisations. To help, Awen Collective offers Profile – a compliance checking tool for the NIS Directive, allowing a CNI organisation to easily and quickly determine their current compliance level, identify weaknesses to overcome and get advice on next steps.

We’re thankful to Fortinet for their report, and we’re looking forward to continuing to help ICS and SCADA operators solve the cyber security issues they have. If you’re looking for cyber security solutions for your OT environment, reach out to us at hello@awencollective.com.

Industrial communications at risk of cyber-attacks

There are 3 million companies using the WhatsApp Business app across the globe, and 1.5 billion individuals using the original WhatsApp app for a mixture of business and personal use [1]. Its ease of use, combined with its advertised end-to-end encryption and the fact that it is a subsidiary of Facebook, means that people trust it for their daily communication.

Unfortunately, an exploit was found in WhatsApp which led to a cyber-attack on a UK-based attorney on the 12th May 2019 [2]. The vulnerability allows malicious code to be deployed on the receiving device, which could lead to further exploitation, in this case spyware which allows read-write access to the device. The vulnerability was patched, and updates released on various mobile operating systems by Monday 14th May 2019. Always ensure that you regularly check updates to your mobile applications.

While WhatsApp is probably not being used for operational communication within Advanced Manufacturing & Critical Infrastructure, the culture of Bring Your Own Device (BYOD) is increasing. These devices may be used for a mixture of personal and business communications, which in some cases may lead to a conflict with GDPR [3]. They may or may not be connected to the business WiFi, which may mean that vulnerabilities and exploitations are present within the corporate networks. We urge organisations, especially those who use highly connected devices, such as automation devices, to look at their cyber-threat risks, and to mitigate them – not necessarily by banning devices, but by ensuring adequate education of staff and contractors.

Another option, of course, may be to avoid the use of WhatsApp within business altogether, perhaps using well-supported secure communications software such as Novastone [4], who are our fellows of the first cohort of the Tech Nation Cyber programme [5], or by promoting the use of an alternative secure communications system such as the open-source Signal [6]. Whichever communication technology is used, risks must always be considered, especially attempting to mitigate unknown-unknown vulnerabilities.

At Awen Collective we have developed our Dot software to specifically look for devices on an operational network within industrial control networks or building control networks. We use specially developed safety-critical techniques to automatically discover devices on the network, and assess their vulnerabilities. Find out more about Dot and contact us today.

Sources & Links – all last accessed 16th May 2019

[1] https://99firms.com/blog/whatsapp-statistics/  

[2] https://www.cityam.com/277567/whatsapp-hack-tech-giant-urges-15bn-users-update-app-after

[3] https://www.thebci.org/news/are-whatsapp-and-gdpr-on-a-collision-course.html

[4] https://www.novastonemedia.com/

[5] https://technation.io/programmes/cyber-security/

[6] https://signal.org/

[7] Official CVE from Facebook/WhatsApp: https://www.facebook.com/security/advisories/cve-2019-3568

Awen Collective wins a place on the Tech Nation Cyber programme

The 1st Cohort for the Tech Nation Cyber programme has been announced and consists of the 20 leading Cyber-Security companies across the United Kingdom. We have the pleasure to announce that Awen Collective is in this wonderful scale-up programme.

We are very excited about this opportunity, which will help us to build on the fantastic work that our team at Awen Collective have done so far, and to assist with scaling and growth, marketing and international expansion. This programme will help us to address Digital Forensics & Incident Response within Critical Infrastructure & Manufacturing, not just within the UK and EU, but across the whole world.

We are looking forward to the launch event in the Cotswolds at the beginning of May, where we will connect and re-connect with the other companies in this inaugural cohort, as well as the cyber-security leaders who will be assisting with the workshops and events.

We are looking forward to working with all of the cohort members, which include our fellow South Wales Cyber Cluster member Fortium Technologies, and the company that won the NCSC/DCMS Cyber Dragons Den the year before we did, iProov.

The announcement has been made on the Tech Nation blog, and has also been published on Information Age. Plus you can follow the news on Twitter with the hashtag #TechNationCyber.

To learn more about the products and services at Awen Collective please visit the rest of our website, or contact us directly by emailing hello@awencollective.com. We would love to hear from you.

“We are delighted to have been chosen for the first cohort of the Tech Nation Cyber programme. We are excited to get started and continue to grow with the support from this wonderful programme and we look forward to establishing new business alongside our fellow cohort members.”
— Daniel Lewis, CEO and Cofounder, Awen Collective
“Cyber security represents an increasingly important part of our daily lives, and Wales already plays a leading role in keeping our data and systems safe while training up the next generation of experts. This programme will initially support two Welsh companies in Caerphilly and Cardiff in developing their potential and I look forward to seeing other companies from across Wales getting involved in the future.”
— Kevin Foster MP, UK Government Minister for Wales
“In recent years the success for a handful of UK Cyber Security innovators is more than could be imagined. They have enhanced the nation’s reputation for producing world-class technology, while also helping to pave the way for many more startups hoping to follow suit. Concurrently the market for cyber security is continuing to grow at a rapid pace and this conspires to make our cohort of scaleups exciting ones to watch.”
— Ollie Bone, Cyber Programme Lead at Tech Nation
Follow the news about the programme on Twitter through #TechNationCyber
