cyber assessment framework

Awen accelerate NIS Directive compliance using the Cyber Assessment Framework (CAF)

Many people within the European Critical National Infrastructure (CNI) sectors (electricity, oil & gas, water, rail, aviation, highways, etc.) will know of the NIS Directive, or to give its full title the “Network and Information Systems Directive on Security”, which was implemented across EU member states (including the UK) in 2018. Some inside, and the vast majority outside, of CNI have probably never heard of the NIS Directive, especially as it was somewhat overshadowed by the General Data Protection Regulation (GDPR), which was released across the EU at about the same time.

The NIS Directive essentially highlights that across Europe the CNI organisations, labelled as Operators of Essential Services (OES), should have a much higher level of cyber security policies and procedures than they have currently. If those CNI/OES organisations don’t do something about it, then they should suffer the same level of fines that they would face if they were at odds with GDPR laws.

In response to its implementation across Europe, the UK’s National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework (CAF) to provide a method for analysing a CNI organisation (and its suppliers), in order to check and improve cyber security policies and procedures for the NIS Regulation. The CAF was provided to UK Regulators, some of which have interpreted it in their own way based on the sectors they serve, but generally the idea is the same: the CAF can be used to check and improve CNI cyber security.

At Awen, we often discuss how our Profile software helps critical infrastructure organisations to adhere to the NIS Directive by providing them with an easy-to-use, efficient and collaborative way to assess and monitor their compliance with the CAF, and to submit their audits to their regulators. It’s pretty much a given that Profile is an appropriate tool for the Cyber Assessment Framework and the NIS Directive, not only in the UK but perhaps across Europe too, as the CAF can be mapped to other standards and frameworks. Unlike some other standards and frameworks, the CAF explicitly applies to both Information Technology (IT) and Operational Technology (OT).

However, perhaps even more importantly, our Dot software leads not only to an increase in situational awareness within an OT environment, but can also help organisations in several areas of the CAF.

Dot’s Asset Discovery and Management within OT has particular applicability with several sections within the NCSC CAF:

  • A3.a - Asset Management

  • B4.a - Secure by Design

  • B4.b - Secure Configuration

  • B4.d - Vulnerability Management

  • C1.c - Generating Alerts

Dot’s Vulnerability Discovery and Management within OT has particular applicability with a couple more sections within the NCSC CAF:

  • A2.a - Risk Management Process

  • D2.a - Incident Root Cause Analysis

One key thing to note is that Dot is not an Industrial Intrusion Detection System (IDS). Dot can be used to prepare for the deployment of an IDS, and to cover areas of a network (and the legacy equipment) that an IDS cannot reach. In particular, we see it providing a lot of value as part of cyber risk assessments, compliance processes, change management processes and incident response planning. An IDS would typically be more useful for Objective C of the CAF, which is all about detecting cyber security events.

Here is a visualisation of where Dot, Profile and Intrusion Detection Systems fall within the CAF:

[Figure: where Dot and Profile fit with the CAF / NIS Directive]

If Dot, as an Asset and Vulnerability Discovery software product built for Operational Technology, sounds interesting and you would like to learn more, then please do get in contact today.

Likewise, if Profile, as a Cyber Assessment Framework (CAF) assessment and improvement system, sounds like it could help you out, then also do get in touch. We would love to hear from you.

This post was written by Daniel Lewis, CEO & Cofounder of Awen Collective.

Cyber resilience is NOT futile

What is cyber resilience? What does it even mean?

The coronavirus outbreak got every business executive thinking about the resilience of their operations and their business continuity planning, as we saw challenges coming from every direction: lockdown affecting the routes into offices, temporary closing of office spaces, the virus making staff members sick, schools being closed meaning that staff needed to look after children, clients and suppliers being affected, and investors focusing solely on their existing portfolio and not making new investments.

The disruptions caused to the operations of manufacturing and critical infrastructure have been significant. The resilience of businesses, and critical infrastructure in particular, has only become more important due to the pandemic.

We like to see resilience as essentially being able to deliver a service or fulfil a need, despite an event occurring or, as in the case of the pandemic, a significant change in ecosystem. Cyber resilience is specifically being able to deliver operations in the event of a cyber security related incident occurring.

How can my business achieve cyber resilience? How might I be able to build a cyber resilience strategy?

Cyber resilience differs from, but is obviously strongly related to, cyber security.

Cyber security is essentially the policies, processes, procedures and technologies which are the armour for a person or organisation.

Cyber resilience is more about:

  • knowing the environment that you’re in,

  • knowing the risks and threats,

  • knowing how you might be able to mitigate those risks and/or follow contingency plans.

The Cyber Assessment Framework (CAF) addresses the cyber security needs of UK-based Critical National Infrastructure and many other businesses. Principle B5 within the CAF is entirely focused on resilient networks and systems. The overarching questions for Principle B5 ask you:

  1. Are you prepared to restore the operation of your essential function following adverse impact?

  2. Have you designed the network and information systems supporting your essential function to be resilient to cyber security incidents? Are systems appropriately segregated, and are resource limitations mitigated?

  3. Do you hold accessible, secured and up-to-date backups of data and information needed to recover the operation of your essential function?

This is in addition to other parts of the CAF which prompt the framework adopter to produce resilience policies and processes which manage and mitigate the risk of adverse impact on the essential functions of your organisation.

Our Profile software assists you to work on all aspects of the CAF, but is particularly important when considering cyber resilience.

Our Dot software assists you directly with cyber resilience, as it gives a detailed understanding of the assets and vulnerabilities (and risk) of an operational technology environment - whether this is Industrial Control Systems (ICS), SCADA, Industrial IoT or Smart Buildings.

Output from both systems is actionable intelligence which can be used as part of cyber resilience strategies and business continuity plans.

Awen lets you know what you’re facing and simplifies processes. Let us do the heavy lifting.

Our best wishes to everyone in this current climate.
Keep healthy, keep safe, keep social.

Why should you care about the NIS Directive?

On our website we have a growing amount of information defining the Network and Information Systems Directive on Security, showing how the NIS Directive relates to what we do, and talking about the various sectors that it applies to - such as energy, water and transportation. In this blog post we go a little deeper, and discuss why you should care about the NIS Directive, and how it might improve your cyber security levels.

First of all, the NIS Directive is a European Union directive of 2018, which is applied across the EU member states. As this was 2018, the UK has also ratified the directive into law as the NIS Regulation. Different states have implemented it slightly differently, but the goal is the same: to reduce disruption to everyday life by improving the cyber security of critical infrastructure operators of essential services (OES) and other critical digital service providers (DSPs), such as search engines and digital marketplaces.

Non-compliance with the implementation of the directive comes with fairly hefty fines; however, the primary action of each nation state is to help operators and service providers improve prior to enacting the full force of fees. Carrots are being offered before the sticks are “thwacked.”

As we mentioned above, different countries are implementing the directive in different ways. In the UK, the National Cyber Security Centre (NCSC) has developed the Cyber Assessment Framework (CAF), which is a framework of best practices within cyber security. It’s a general framework applicable to all kinds of sectors, but it was developed specifically with critical national infrastructure sectors in mind. The energy, water, transportation and a variety of other critical sectors are therefore recommended to work towards full compliance with the CAF, with the regulators in each sector assisting with initial checks, monitoring progression, suggesting recommendations and auditing - with the eventuality of fines in cases of non-compliance with those recommendations.

However, it should be noted that there is a lot of marketing spiel from the cyber security community saying that compliance is not equal to cyber security. This is certainly true, but only because compliance is the minimum that we should be doing in order to reduce the very real threat of a cyber attack on critical infrastructure. Unfortunately, many organisations are not yet compliant with the CAF.

Why does Awen care?

Awen cares because compliance with the regulation, and especially using the CAF, leads to a safer society. Imagine, for a second, that the drinking water supply was contaminated because the filtration systems were switched off by a cyber attack. That filtration system was being monitored by an efficiency and predictive maintenance monitoring system directly connected to the filtration controllers. If that water company had followed the CAF as a baseline, then they would have been prompted to ensure that (for example) appropriate authentication was installed on the IT systems, that OT systems were patched, and that the onsite engineers had cyber awareness, thereby reducing the cyber risk and ultimately reducing the chance of the community’s water supply being polluted.

This is the raison d’être for Awen. We exist to make society safer by reducing the cyber risks in critical national infrastructure and manufacturing. Our product Profile helps to ensure that organisations progressively improve their adherence to the Cyber Assessment Framework (CAF), leading to NIS Directive compliance. Our other product, Dot, then goes one step further and begins to help organisations reduce the vulnerabilities in their operational technologies. Not through any fancy artificial intelligence system, but through actionable intelligence working in collaboration with engineering and business processes.

p.s. You can now buy Profile through our website using a credit or debit card, with options for monthly or annual agreements! To celebrate we’ve also applied a discount. Plus, don’t forget that if you are a healthcare organisation, or are manufacturing face masks, hand sanitiser, other PPE, ventilators, vaccines or treatment for COVID-19 then you can get Profile from us for no charge for the remainder of 2020.