OG86 is Operational Guidance issued by the Health & Safety Executive (the UK government agency tasked with regulating and enforcing health and safety in the workplace) to mitigate the risk of cyber-attacks that could result in health and safety incidents, major accidents and/or the loss of essential services.
The Cyber Assessment Framework - What is it and What Does it Mean for You?
The Cyber Assessment Framework (CAF) is a collection of 14 guidelines produced by the United Kingdom National Cyber Security Centre (UK NCSC) aimed to support organisations in developing their cyber security systems. This is used in conjunction with the UK implementation of the EU Network and Information Systems Directive (NIS-D) to further protect Critical National Infrastructure (CNI); however the framework is designed in such a way that it can be applied to a wider range of organisations.
Secure Supply Chains
This blog post is written by Awen Collective Founder & CEO, Daniel Lewis.
Let’s talk about “Secure Supply Chains,” or “Supply Chain Security.” Every single organisation, whether that is private or public sector, is very much reliant on the services and products that are supplied and maintained by third parties. It therefore makes sense that there is a direct relationship between the operational resiliency of a business, and the resiliency of the supply chain.
This is particularly clear at the moment. We, as members of society, go to various shops (or get deliveries) for our daily and weekly food needs. However, right now, here in the UK at least, we see patches of empty shelves in supermarkets and random things not available on our favoured online supermarket. This is due to the supply of those products to the shop. Various factors could be causing this in the UK – most likely it is related to the COVID pandemic, or it could be as lingering after-effects of Brexit, or it could be a combination of both. The supply chain for food products to the consumer shops is long, and most likely more like a complex network than a simple series. You think about packaged bread – you’ve got the packaging, and you’ve got the bread itself. In the supply chain, the bread will include all the ingredients: yeast, water and even the flour. These individual ingredients will all have their own chain. All of those elements may be produced, supplied and distributed by different organisations. If one of those points gets disrupted, then the rest of the chain could also get disrupted.
Supply chain security is about doing what we can to decrease the risk of disruption to the supply of products and services along a chain (or in a network). This not only includes the obvious manufactured produce that we think about in shops, but also includes things like energy, water, transportation, our local councils and governments, our defence and police services, and our health care. It also includes the economy built upon finance and digital technologies.
It's very true that the world has been through quite significant transformation over the last 30, 50 and 100 years. Digital transformation is increasingly a part of that. Digital technologies now make the supply of goods and services a lot quicker, cheaper and more varied. However, it also opens up the supply chain to new vulnerabilities - cyber vulnerabilities. Cyber security within supply chains is now crucial. So much so that many governments, including the UK, have undergone open calls for views on supply chain cyber security (e.g. Call for views on cyber security in supply chains and managed service providers, published 17 May 2021).
So the question stands, what can an organisation do to ensure the cyber resiliency of the supply chain? Here are some thoughts on how we can collectively do our bit to increase the resiliency of the network, in some kind of order:
Cyber Essentials
Here in the UK we have something called CyberEssentials, this is a very good and not particularly expensive checklist of simple cyber security things for an organisation to have in place. It is worth spending a little more to be independently audited, and you will be awarded with a CyberEssentials+ certificate. This will give some assurance that you have achieved at least a baseline of cyber security, and should give some assurance to the people or organisations to which you provide.
Standards for partners
Next, promote and perhaps even require that your suppliers have at least CyberEssentials+. This could be incorporated into procurement processes as part of other required criteria.
International standard ISO 27001
Next, we would recommend that organisations look at an international standard called ISO 27001. An organisation which is audited against this standard has, in place, an “Information Security Management System.” It is, once again, a baseline and we should never confuse compliance-driven cyber security with real ongoing cyber security management and maintenance! Please note that ISO 27001 is not simple to put together, and it is a real achievement to establish it and keep it going. Once achieved, I would then promote ISO 27001 to my suppliers, and perhaps favour those who have it.
Cyber Assessment Framework (CAF)
Next, for those in the UK industrial sectors and perhaps also worldwide, to look at the Cyber Assessment Framework (CAF) which was created by the UK National Cyber Security Centre (NCSC). This is a framework of good practice that every critical national infrastructure organisation (and their suppliers!) should be checking themselves against, and improving upon. It was made specifically in response to the implementation of the UK & EU wide NIS Directive.
Operational Technologies and IEC 62443
Next, for those in the industrial sectors, worldwide, I would thoroughly recommend turning your attention to your Operational Technologies (OT). This includes Industrial Automation & Control Systems (ICS/IACS), SCADA and Industrial IoT (IIoT) systems. An up-and-coming cyber security standard for this is called IEC 62443. Once again, it’s a fairly big standard with different options for different types of organisation. Once achieved, I would then promote IEC 62443 to my suppliers, and favour those who have it.
Each standard and framework should nudge an organisation in the right direction. The trick will then be to maintain it, so regular independent auditing will be required. There is no hiding the fact that this will take time, and money, and effort but the Return on Investment is much more than just decreasing the risk and increasing the resilience. Gaining these certifications gives an organisation competitive advantage, as those with these certifications or frameworks in place will be chosen above others as they will be seen as the less risky option. Organisations with these certifications, in theory, should also require less general maintenance as they recommend using particular network structures and monitoring processes.
Where does Awen fit in?
We make it easier across the whole industrial cyber security process, and can be employed as the first step. With Profile you ensure that you’re working to best cyber security practice as outlined in the Cyber Assessment Framework (CAF). With Dot you will discover all of the devices on your industrial Operational Technology (OT) systems, and you will get actionable intelligence on how to improve your cyber resiliency and decrease your cyber risks. Both products, Profile and Dot, will help in the journey towards getting accreditation in CyberEssentials+, the CAF, ISO 27001 and IEC 62443. Both products will also help to reduce the risk.
It's up to every single one of us to ensure resiliency. Contact us if you need some guidance!