Secure Supply Chains

This blog post is written by Awen Collective Founder & CEO, Daniel Lewis.

Let’s talk about “Secure Supply Chains,” or “Supply Chain Security.” Every single organisation, whether that is private or public sector, is very much reliant on the services and products that are supplied and maintained by third parties. It therefore makes sense that there is a direct relationship between the operational resiliency of a business, and the resiliency of the supply chain.

This is particularly clear at the moment. We, as members of society, go to various shops (or get deliveries) for our daily and weekly food needs. However, right now, here in the UK at least, we see patches of empty shelves in supermarkets and random items unavailable on our favoured online supermarket. This is due to disruption in the supply of those products to the shop. Various factors could be causing this in the UK – most likely it is related to the COVID pandemic, or it could be the lingering after-effects of Brexit, or it could be a combination of both. The supply chain for food products to the consumer shops is long, and most likely more like a complex network than a simple series. Think about packaged bread – you’ve got the packaging, and you’ve got the bread itself. In the supply chain, the bread will include all the ingredients: yeast, water and even the flour. These individual ingredients will all have their own chain. All of those elements may be produced, supplied and distributed by different organisations. If one of those points gets disrupted, then the rest of the chain could also get disrupted.

Supply chain security is about doing what we can to decrease the risk of disruption to the supply of products and services along a chain (or in a network). This not only includes the obvious manufactured produce that we think about in shops, but also includes things like energy, water, transportation, our local councils and governments, our defence and police services, and our health care. It also includes the economy built upon finance and digital technologies.

It's very true that the world has been through quite significant transformation over the last 30, 50 and 100 years. Digital transformation is increasingly a part of that. Digital technologies now make the supply of goods and services a lot quicker, cheaper and more varied. However, digital transformation also opens up the supply chain to new vulnerabilities - cyber vulnerabilities. Cyber security within supply chains is now crucial. So much so that many governments, including the UK, have run open calls for views on supply chain cyber security (e.g. Call for views on cyber security in supply chains and managed service providers, published 17 May 2021).

So the question stands: what can an organisation do to ensure the cyber resiliency of its supply chain? Here are some thoughts on how we can collectively do our bit to increase the resiliency of the network, in a rough order:

Cyber Essentials

Here in the UK we have something called CyberEssentials. This is a very good and not particularly expensive checklist of simple cyber security things for an organisation to have in place. It is worth spending a little more to be independently audited, and you will be awarded a CyberEssentials+ certificate. This will give some assurance that you have achieved at least a baseline of cyber security, and should give some assurance to the people or organisations to which you supply.

Standards for partners

Next, promote and perhaps even require that your suppliers have at least CyberEssentials+. This could be incorporated into procurement processes as part of other required criteria.

International standard ISO 27001

Next, we would recommend that organisations look at an international standard called ISO 27001. An organisation which is audited against this standard has an “Information Security Management System” in place. It is, once again, a baseline, and we should never confuse compliance-driven cyber security with real ongoing cyber security management and maintenance! Please note that ISO 27001 is not simple to put together, and it is a real achievement to establish it and keep it going. Once achieved, I would then promote ISO 27001 to my suppliers, and perhaps favour those who have it.

Cyber Assessment Framework (CAF)

Next, those in the UK industrial sectors (and perhaps also worldwide) should look at the Cyber Assessment Framework (CAF), which was created by the UK National Cyber Security Centre (NCSC). This is a framework of good practice that every critical national infrastructure organisation (and their suppliers!) should be checking themselves against, and improving upon. It was made specifically in response to the implementation of the UK & EU wide NIS Directive.

Operational Technologies and IEC 62443

Next, for those in the industrial sectors, worldwide, I would thoroughly recommend turning your attention to your Operational Technologies (OT). This includes Industrial Automation & Control Systems (ICS/IACS), SCADA and Industrial IoT (IIoT) systems. An up-and-coming cyber security standard for this is called IEC 62443. Once again, it’s a fairly big standard with different options for different types of organisation. Once achieved, I would then promote IEC 62443 to my suppliers, and favour those who have it.

Each standard and framework should nudge an organisation in the right direction. The trick will then be to maintain it, so regular independent auditing will be required. There is no hiding the fact that this will take time, money and effort, but the Return on Investment is much more than just decreasing the risk and increasing the resilience. Gaining these certifications gives an organisation a competitive advantage: those with these certifications or frameworks in place will be chosen above others, because they will be seen as the less risky option. Organisations with these certifications should also, in theory, require less general maintenance, as the standards recommend particular network structures and monitoring processes.

Where does Awen fit in?

We make it easier across the whole industrial cyber security process, and can be employed as the first step. With Profile you ensure that you’re working to best cyber security practice as outlined in the Cyber Assessment Framework (CAF). With Dot you will discover all of the devices on your industrial Operational Technology (OT) systems, and you will get actionable intelligence on how to improve your cyber resiliency and decrease your cyber risks. Both products, Profile and Dot, will help in the journey towards getting accreditation in CyberEssentials+, the CAF, ISO 27001 and IEC 62443. Both products will also help to reduce the risk.

It's up to every single one of us to ensure resiliency. Contact us if you need some guidance!

Why should you care about the NIS Directive?

On our website we have a growing amount of information defining the Network and Information Systems Directive on Security, showing how the NIS Directive relates to what we do, and talking about the various sectors that it applies to - such as energy, water and transportation. In this blog post we go a little deeper, and discuss why you should care about the NIS D, and how it might improve your cyber security levels.

First of all, the NIS Directive is a European Union directive of 2018, which is applied across the EU member states. As this was 2018, the UK has also ratified the directive into law as the NIS Regulation. Different states have implemented it slightly differently, but the goal is the same, and that goal is essentially to reduce disruption to everyday life by making improvements to the cyber security of critical infrastructure operators of essential services (OES) and other critical digital service providers (DSPs) such as search engines and digital markets.

Non-compliance with the implementation of the directive comes with fairly hefty fines; however, the primary actions of each nation state are essentially to help operators and service providers improve prior to enacting the full force of fees. Carrots are being offered before the sticks are “thwacked.”

As we mentioned above, different countries are implementing the directive in different ways. In the UK, the National Cyber Security Centre (NCSC) has developed the Cyber Assessment Framework (CAF) which is a framework of best practices within cyber security. It’s a general framework applicable to all kinds of sectors, but it was developed specifically with critical national infrastructure sectors in mind. The energy, water, transportation and a variety of other critical sectors are therefore recommended to work towards full compliance against the CAF, with the regulators in each sector assisting with initial checks, monitoring progression, suggesting recommendations and auditing - with the eventuality of fines in the cases of non-compliance to those recommendations.

However, it should be noted that there is a lot of marketing spiel from the cyber security community saying that compliance is not equal to cyber security. This is certainly true, but only because compliance is the minimum that we should be doing in order to reduce the very real threat of a cyber attack on critical infrastructure. Unfortunately it is the case that many organisations are not yet compliant with the CAF.

Why do Awen care?

Awen cares because compliance with the regulation, and especially using the CAF, leads to a safer society. Imagine, for a second, that the drinking water supply was contaminated because the filtration systems were switched off by a cyber attack. That filtration system was being monitored by an efficiency & predictive maintenance monitoring system directly connected to the filtration controllers. If that water company had followed the CAF as a baseline, then they would have been prompted to ensure that (for example) appropriate authentication was installed on the IT systems, that OT systems were patched, and that the onsite engineers had cyber awareness, thereby reducing the cyber risk, and ultimately reducing the chance of the community's water supply being polluted.

This is the raison d’être for Awen. We exist to make society safer by reducing the cyber risks in critical national infrastructure and manufacturing. Our product Profile helps to ensure that organisations progressively improve their adherence to the Cyber Assessment Framework (CAF), leading to NIS Directive compliance. Our other product, Dot, then goes one step further and begins to help organisations reduce the vulnerabilities on their operational technologies. Not through any fancy artificial intelligence system, but through actionable intelligence working in collaboration with engineering and business processes.

p.s. You can now buy Profile through our website using a credit or debit card, with options for monthly or annual agreements! To celebrate we’ve also applied a discount. Plus, don’t forget that if you are a healthcare organisation, or are manufacturing face masks, hand sanitiser, other PPE, ventilators, vaccines or treatment for COVID-19 then you can get Profile from us for no charge for the remainder of 2020.

Awen Software Engineering Approach

In this blog post our CEO, Daniel Lewis, discusses his experience of software engineering approaches and the direction of the Awen Software Engineering approach.

Agile but Pragmatic

A well known formal definition of the traditional “Waterfall method” (as it has become known today) of project management / software engineering was established by an academic by the name of Winston Royce in 1970 [1]. Royce described it as a flawed method: risky and failure-inviting. (Note that older and newer definitions are available.)

I, personally, have found the waterfall method to be flawed too. When a software project is started, we do not always know all parameters in advance either because the software exists in a complex, ever evolving system, or because implicit/tacit knowledge was not uncovered upfront.

This is why, I believe, some of the earliest descriptions describe the waterfall method as flawed. It just cannot react to the needs of the project/system as it evolves and is discovered internally and externally. I like to see the waterfall method a little like the original game from which Monopoly was derived (known as The Landlord’s Game). This game was specifically developed to show the negative effects of land grabbing on both the economy and on the human psyche. The waterfall method is similar: it was essentially developed to show the worst of the popular/contemporary ways of working.

With this said, the Agile approach, where projects go through iterations adapting to new information, is not without its faults. The biggest fault that I have seen in agile approaches is that it has become a bit of a soup of buzzwords, where agile project managers tend to run agile projects with so much rigidity (as much as they would with waterfall) that the overheads often become too costly to yield much benefit.

This is why at Awen we approach software engineering with a pragmatic agile method. A kind of soft agile method. Depending on our clients, we often have to work with a sort of waterfall-like method implemented alongside PRINCE2 or ITIL, but for the internal technical work we run our own pragmatic soft agile approach. Do the things which work, don’t do the things which won’t work, minimise overheads and maximise impact. Our approach is always evolving, especially as the business continues to grow and gain new people with new experiences.

Security-by-Design

Even though our software engineering project management might seem flexible, there are some things within software engineering which we do not compromise. One such thing we consider as uncompromisable is developing everything that we do with Security-by-Design.

In particular we follow the Cyber Security Design Principles by the NCSC:

  1. Make compromise difficult

  2. Make disruption difficult

  3. Make compromise detection easier

  4. Reduce the impact of compromise

These principles are underpinned by the various software development testing techniques and cyber security testing techniques that we employ alongside development.

We are also aware that our software is deployed in highly sensitive areas, where equipment is safety-critical (or at least operations-critical). This is why Safety-by-Design is also a consideration in our software development, and is a key component of our innovative Dot product for asset & vulnerability discovery on Operational Technologies (OT).

Conclusion

When Awen software is deployed and used, you can rest assured knowing that the highest levels of pragmatic software development have been employed, everything has been thoroughly tested and the products and services are well thought through with both Security-by-Design and the industry critical Safety-by-Design. Our software can help industrial organisations reach Industry 4.0 and beyond, pragmatically and securely.

  1. Winston W. Royce (1970). "Managing the Development of Large Software Systems" in: Technical Papers of Western Electronic Show and Convention (WesCon) August 25–28, 1970, Los Angeles, USA.