How to begin Digital Transformation

What is a cyber security company doing talking about digital transformation? Our proposition is that the first step for effective cyber security is to know what assets you have, ideally in as much detail as possible. The same is true of digital transformation: the first step is to know what you have got.

AICS 2022 - Bahrain

After receiving an unexpected invite from the Bahraini Government to attend this prestigious event, we at Awen were honoured to accept, and we attended alongside other notable cyber security companies within the UK community in collaboration with the UK Department of International Trade. 

OT in Your Food and Drink? It's More Likely Than You Think

Annually, the American Centre for Disease Control and Prevention (CDC) reports that a sixth of Americans suffer from foodborne illnesses, causing 3000 deaths a year. To reduce the number of incidents, the US established legislation to limit risk by setting a standard methodology in production. The legislation requires well-maintained records to be kept throughout the manufacturing process, allowing a product's manufacture to be traced from farm to table, identifying areas of concern and informing decisions when mitigating problem areas. Similarly, the EU produced the General Food Law Regulation in 2002, requiring that standards be met by keeping records of food supplied and received. Digitalisation aids these obligations by recording product data, and increases productivity by automating highly specialised manufacturing processes.

Awen's Adventures in Miniature Wonderland

One of many recent additions to Awen Collective's asset discovery tool, Dot, is the ability to parse and analyse network traffic of the Z21 protocol. Chances are you know a thing or two about model trains if "Z21" sounds familiar. Indeed, Z21 is a German organisation that maintains proprietary technologies to monitor and control miniature locomotives.

Purdue Model: Intelligently Segregating Your OT Networks

The modern OT threat landscape is growing due to the significant rise of interconnected network devices. OT is particularly vulnerable given the need for high availability and integrity, at the expense of confidentiality (which is at odds with the priorities in an IT environment). Following the Purdue model helps mitigate the risk of compromise by not allowing different types of devices to operate on the same subnet (e.g. manufacturing devices and databases). Consequently, it is referenced in key compliance standards such as IEC 62443 and OG86 as a practice to be implemented.
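A check of this segregation rule against an asset inventory, added here as an illustration (it is not Awen's or Dot's code): it groups assets by subnet and flags any subnet that hosts more than one Purdue level. The inventory, the device-type names and the device-type-to-level mapping are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed mapping of device types to Purdue levels (illustrative, not from the page).
PURDUE_LEVEL = {
    "sensor": 0, "actuator": 0,       # physical process
    "plc": 1, "rtu": 1,               # basic control
    "hmi": 2, "scada_server": 2,      # area supervisory control
    "historian_db": 3,                # site operations
    "erp_db": 4,                      # enterprise IT
}

# Constructed sample inventory: (IP address, prefix length, device type).
INVENTORY = [
    ("10.10.1.11", 24, "plc"),
    ("10.10.1.12", 24, "rtu"),
    ("10.10.2.20", 24, "hmi"),
    ("10.10.2.21", 24, "scada_server"),
    ("10.10.3.5", 24, "historian_db"),
    ("10.10.3.6", 24, "plc"),          # manufacturing device sharing the database subnet
    ("10.20.0.8", 24, "erp_db"),
    ("10.10.1.40", 24, "ip_camera"),   # device type with no assigned level
]


def audit_segmentation(inventory, levels=PURDUE_LEVEL):
    """Return (violations, unclassified): subnets hosting more than one Purdue
    level as {subnet: {level: [ips]}}, and IPs whose type has no level."""
    by_subnet = defaultdict(lambda: defaultdict(list))
    unclassified = []
    for ip, prefix, dev_type in inventory:
        if dev_type not in levels:
            unclassified.append(ip)    # cannot be placed, needs manual review
            continue
        # strict=False derives the containing network from a host address.
        subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_subnet[str(subnet)][levels[dev_type]].append(ip)
    violations = {
        net: {lvl: sorted(ips) for lvl, ips in sorted(by_level.items())}
        for net, by_level in by_subnet.items()
        if len(by_level) > 1
    }
    return violations, sorted(unclassified)

if __name__ == "__main__":
    print(audit_segmentation(INVENTORY))
```

Devices of the same level (the HMI and SCADA server here) may share a subnet without being flagged; only the PLC placed next to the historian database is reported.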

OG86 - The Health and Safety Executive's Guidance for Industrial Network Security

OG86 is Operational Guidance issued by the Health & Safety Executive (the UK government agency tasked with regulating and enforcing health and safety in the workplace) to mitigate the risk of cyber-attacks that could result in health and safety incidents, major accidents and/or the loss of essential services.

Awen accelerate NIS Directive compliance using the Cyber Assessment Framework (CAF)

Many people within the European Critical National Infrastructure (CNI) sectors (electricity, oil & gas, water, rail, aviation, highways etc) will know of the NIS Directive, or to give its full title the “Network and Information Systems Directive on Security”, which was implemented across EU member states (including the UK) in 2018. Some inside, and the vast majority outside of CNI, have probably never heard of the NIS Directive, especially as it was somewhat overshadowed by the General Data Protection Regulation (GDPR), which was released across the EU at about the same time.

The NIS Directive essentially highlights that across Europe the CNI organisations, labelled as Operators of Essential Services (OES), should have a much higher level of cyber security policies and procedures than they have currently. If those CNI/OES organisations don’t do something about it, then they should suffer the same level of fines that they would face if they were at odds with GDPR laws.

In response to its implementation across Europe, the UK’s National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework (CAF) to provide a method for analysing a CNI organisation (and their suppliers), in order to check and improve cyber security policies & procedures for the NIS Regulation. The CAF was provided to UK Regulators, some of which have interpreted it in their own way based on the sectors which they serve, but generally the idea is the same: the CAF can be used to check and improve CNI cyber security.

At Awen, we often discuss how our Profile software helps critical infrastructure organisations to adhere to the NIS Directive by providing them with an easy-to-use, efficient and collaborative way to assess and monitor their compliance to the CAF, and submit their audits to their regulators. It’s pretty much a given that Profile is an appropriate tool for the Cyber Assessment Framework and the NIS Directive, not only in the UK but perhaps across Europe too as the CAF can be mapped to other standards and frameworks also. Unlike some other standards/frameworks, the CAF does explicitly apply to both Information Technology (IT) and Operational Technology (OT).

However, perhaps even more importantly, our Dot software not only increases situational awareness within an OT environment, but can also help organisations in several areas of the CAF.

Dot’s Asset Discovery and Management within OT has particular applicability with several sections within the NCSC CAF:

✅ A3.a - Asset Management

✅ B4.a - Secure by Design

B4.b - Secure Configuration

B4.d - Vulnerability Management

C1.c - Generating Alerts

Dot’s Vulnerability Discovery and Management within OT has particular applicability with a couple more sections within the NCSC CAF:

A2.a - Risk Management Process

D2.a - Incident Root Cause Analysis

One key thing to note is that Dot is not an Industrial Intrusion Detection System (IDS). Dot can be used to prepare for the deployment of an IDS, and to cover areas of a network (and the legacy equipment) that an IDS cannot reach. In particular we see it providing a lot of value as part of cyber risk assessments, compliance processes, change management processes and incident response planning. An IDS would typically be more useful for Objective C of the CAF, which is all about detecting cyber security events.

Here is a visualisation of where Dot, Profile and Intrusion Detection Systems fall within the CAF:

[Figure: where Dot, Profile and Intrusion Detection Systems fit within the CAF for the NIS Directive]

If Dot, as an Asset and Vulnerability Discovery software product built for Operational Technology, sounds interesting and you would like to learn more, then please do get in contact today.

Likewise, if Profile, as a Cyber Assessment Framework (CAF) assessment and improvement system, sounds like it could help you out, then also do get in touch. We would love to hear from you.

This post was written by Daniel Lewis, CEO & Cofounder of Awen Collective.