OG86 is Operational Guidance issued by the Health & Safety Executive (the UK government agency tasked with regulating and enforcing health and safety in the workplace) to mitigate the risk of cyber-attacks that could result in health and safety incidents, major accidents and/or the loss of essential services.
The Cyber Assessment Framework - What is it and What Does it Mean for You?
The Cyber Assessment Framework (CAF) is a collection of 14 guidelines produced by the United Kingdom National Cyber Security Centre (UK NCSC) aimed to support organisations in developing their cyber security systems. This is used in conjunction with the UK implementation of the EU Network and Information Systems Directive (NIS-D) to further protect Critical National Infrastructure (CNI); however the framework is designed in such a way that it can be applied to a wider range of organisations.
Why should you care about the NIS Directive?
On our website we have a growing amount of information defining the Network and Information Systems Directive on Security, showing how the NIS Directive relates to what we do, and talking about the various sectors that it applies to - such as energy, water and transportation. In this blog post we go a little deeper, and discuss why you should care about the NIS D, and how might it improve your cyber security levels.
First of all, the NIS Directive is a European Union established directive of 2018, which is applied across the EU member states. As this was 2018, this means that the UK has also ratified the directive into law as the NIS Regulation. Different states have implemented it slightly differently, but the goal is the same, and that goal is to essentially reduce disruption to everyday life by making improvements to the cyber security of critical infrastructure operators of essential services (OES) and other critical digital service providers (DSPs) such as search engines and digital markets.
Non-compliance with the implementation of the directive comes with fairly hefty fines, however the primary actions of each nation state is to essentially help operators and service providers improve prior to enacting the full force of fees. Carrots are being offered before the sticks are “thwacked.”
As we mentioned above, different countries are implementing the directive in different ways. In the UK, the National Cyber Security Centre (NCSC) has developed the Cyber Assessment Framework (CAF) which is a framework of best practices within cyber security. It’s a general framework applicable to all kinds of sectors, but it was developed specifically with critical national infrastructure sectors in mind. The energy, water, transportation and a variety of other critical sectors are therefore recommended to work towards full compliance against the CAF, with the regulators in each sector assisting with initial checks, monitoring progression, suggesting recommendations and auditing - with the eventuality of fines in the cases of non-compliance to those recommendations.
However, it should be noted that there is a lot of marketing spiel from the cyber security community saying that compliance is not equal to cyber security. This is certainly true, but only because compliance is the minimum that we should be doing in order to reduce the very real threat of a cyber attack on critical infrastructure. Unfortunately it is the case that many organisations are not yet compliant with the CAF.
Why do Awen care?
Awen cares because compliance to the regulation, and especially using the CAF, leads to a safer society. Imagine, for a second, that the drinking water supply was contaminated because the filtration systems were switched off by a cyber attack. That filtration system was being monitored by an efficiency & predictive maintenance monitoring system directly connected to the filtration controllers. If that water company had followed the CAF as a baseline, then they would have been prompted to ensure that (for example) appropriate authentication was installed on the IT systems, that OT systems were patched, and that the onsite engineers had cyber awareness. Thereby reducing the cyber risk, and ultimately reducing the chance of the water supply of the community being polluted.
This is the raison d’être for Awen. We exist to make society safer by reducing the cyber risks in critical national infrastructure and manufacturing. Our product Profile helps to ensure that organisations progressively improve their adherence to the Cyber Assessment Framework (CAF), leading to NIS Directive compliance. Our other product Dot, then goes one step further and begins to help organisations reduce the vulnerabilities on their operational technologies. Not through any fancy artificial intelligence system, but through actionable intelligence working in collaboration with engineering and business processes.
p.s. You can now buy Profile through our website using a credit or debit card, with options for monthly or annual agreements! To celebrate we’ve also applied a discount. Plus, don’t forget that if you are a healthcare organisation, or are manufacturing face masks, hand sanitiser, other PPE, ventilators, vaccines or treatment for COVID-19 then you can get Profile from us for no charge for the remainder of 2020.
Cyber Security for Aviation
British Airways (BA) has appeared in the news recently because data of around 500,000 customers has been stolen from their website and mobile app, and this has led to the Information Commissioner’s Office (ICO) in the UK handing them a potential fine of £183.4million (GBP) under the General Data Protection Regulation (GDPR). This is a fine of approximately 1.5% of their worldwide annual turnover, with the maximum fine being 4% of annual turnover (or around £18million, whichever is greater).
nis Directive WITHIN AVIATION
At the same time as GDPR came into force across the EU, The NIS Directive also came into force (somewhat drowned out by the GDPR noise, unsurprisingly). The NIS Directive requires organisations within Critical National Infrastructure, including transportation networks such as aviation, to embed a particular level of cyber security and incident response planning throughout the entire organisation from engineering operations and IT, through to board level.
In the UK, the National Cyber Security Centre (NCSC) which is the public-facing cyber security division of GCHQ, released the Cyber Assessment Framework (CAF) to address the minimal requirements critical national infrastructure must adhere to in order to be compliant enough for the regulation. It was the CAF that was the initial framework of our Profile software. Audits against the CAF are then checked by the regulators for the different sectors.
For the aviation sector in the UK, the NIS Directive regulation still applies, and the Civil Aviation Authority (CAA) is the organisation charged with ensuring that aviation organisations within the UK are complying with that regulation. They, however, are currently not using the NCSC CAF but are using their own framework entitled “CAP 1574: 26 security controls for regulation.”
It is with pleasure that we announce full support of CAP 1574 in the Profile product by Awen Collective, meaning that we make the whole process of helping aviation organisations within the UK comply with the NIS Directive, enabling them also to track their scores over time and assist them with making improvements.
Within the aviation sector, the regulation and the framework should apply to all organisations that own or operate: aircraft, airlines, airports, airspace management and aviation security. The NIS Directive also states that suppliers to these organisations should also have the same or greater levels of cyber security.
Building Automation and Control within Aviation
Aviation sector organisations have to consider the cyber security of their facilities, including their buildings - both private and public-facing, including airports. These buildings are increasingly being fitted with digital networks and internet-connected devices. These devices are often sensors but in some cases they are controllers and actuators (something that makes a physical change). Examples include Heating, Ventilation, Air Conditioning (HVAC); elevators, escalators and travelators; physical access systems (such as key cards or biometric scanners); bag checking systems; fire alarms and so on.
These systems generally come under the category of Building Automation & Control (BAC), and it is with pleasure that we announce that our product Dot supports protocols for BAC, including BACnet. With our software, organisations within the aviation sector will be able to perform automated asset and vulnerability discovery, leading to a greater understanding of risk and the mitigation of that risk. Dot will not only help to improve safety and security within an aviation organisation, but will also help to save money as budget can be correctly allocated to any security concerns before an incident happens. Dot will also help aviation organisations to achieve various components of the CAP 1574 and the Cyber Assessment Framework, in particular those compliance points related to Asset Management, Risk Management, Secure Configuration, Network Segregation, Security by Design, Vulnerability Monitoring and Knowledge Sharing.
Profile and Dot are available now to the aviation industry, contact us today to book a demonstration and to discuss next steps, by emailing hello@awencollective.com
—
This is the first in a series of a series of blog posts about the cyber security of Building Automation and Control (BAC) and Building Management Systems (BMS).
Collaboration across EU helps cyber-security of society
Awen Collective has produced a Software-as-a-Service product called Profile which makes it much quicker and easier for Critical National Infrastructure, their partners and their regulators to perform audits to ensure regulatory compliance to the NIS Directive. We are also actively working on other projects for some of our continental partners.
The NIS Directive is a European Union directive that has, as of 2018, been implemented in law in all 28 member states of the EU (including the UK). This regulation provides a much needed prompt to European critical infrastructure providers to improve the cyber-security policies, processes and technologies within their whole organisation – from board member to engineer, from IT to Operational Technologies (OT).
However, it is not the only good thing that the European Union has done or is doing in regard to cyber-security in general and industrial cyber-security in specific. We don’t even need to mention GDPR. This blog post outlines some of the other great initiatives.
Europe-wide Cyber-Security Initiatives & Programmes
European Union Agency for Network and Information Security (ENISA) – is a great organisation (or agency) which contributes to the network & information systems security across Europe, with a particular focus on ensuring the security and safety of European society, commerce and government. It is a very holistic organisation, very much worth checking out if you have not heard of them. ENISA has done so well over the years, that the EU decided to enhance the powers of ENISA through the Cybersecurity Act of December 2018.
The Computer Emergency Response Teams for the EU institutions, agencies and bodies (CERT-EU). It provides threat intelligence and assistance in the prevention, detection, mitigation and response to cyber-attacks by providing a cyber-security information exchange. It works closely with other CERTs in the public & private sectors across Europe.
The European Cyber Crime Centre (EC3) is a division of the EU agency for law enforcement cooperation (EUROPOL). EC3 assists with the law enforcement response to cyber-crime across the EU, with particular focus on strategy, forensics and operations/intelligence. EC3 publishes the Internet Organised Crime Threat Assessment report, which highlights some interesting information.
The European Cybersecurity Industrial, Technology and Research Competence Centre (ECITRCC) is a policy-driven centre focused on the European digital market. It will contribute to the deployment of the latest cyber-security technology, provide financial & technical support to cyber-security start-ups & SMEs, it will support industrial R&D, push high-levels of cyber-security standards and facilitate cooperation between civil & defence spheres in regard to cyber-security. It is too early to say how effective the Centre will be, but it seems to be very promising.
There is also a significant number of funded R&D initiatives across Europe through the Horizon 2020 framework, which require collaboration from different organisations in at least a few member states and typically support a mixture of SMEs, universities, larger organisations and the public sector across Europe.
Plus much more…
All of the above combine to help everyone to live and work in Europe safely and securely.
What are Awen doing?
Awen have built software to provide solutions to an international problem. One product, Profile, addresses the NIS Directive directly and is naturally a European-focused product. Contact us today to organise a demonstration of Profile. Email: hello@awencollective.com