What is a cyber security company doing talking about digital transformation? Our proposition is that the first step for effective cyber security is to know what assets you have, ideally in as much detail as possible. The same is true of digital transformation: the first step for effective digital transformation is to know what you have got.
Event: Factory of the Future - Big Data and Automation
Last Tuesday (10th September 2019) Awen attended the Factory of the Future (Big Data & Automation) event organised by ESTnet, supported by Barclays and hosted by the Newport Wafer Fab.
We heard from three keynote speakers:
Mike Lakoju from Cardiff University, who spoke about the Chatty Factories project, which attempts to apply cutting-edge data science techniques for a variety of factory-floor applications.
Emily Bristow from BluePrism, who spoke about their software bot system RPA used to automate IT & business processes.
Gareth Jones from the industrial automation division of Omron Electronics in the UK.
We also had a great tour around the wonderful Newport Wafer Fab.
We were invited by the organisers to come along to exhibit our software & services as part of a local showcase of solution providers within Factory of the Future / Industry 4.0 / Smart Factories. We spoke to delegates about our asset & vulnerability discovery system for OT, Dot; our NIS Directive compliance system, Profile; and the past, present and future of Awen Collective in general.
Awen develops software which provides practical solutions to cyber security problems in industrial environments, and we do so through local and global lenses. We will continue the dialogue with all partners involved in this event, and invite others reading this to contact us today to get involved in that dialogue.
Cyber Security for Aviation
British Airways (BA) has appeared in the news recently because data of around 500,000 customers has been stolen from their website and mobile app, and this has led to the Information Commissioner’s Office (ICO) in the UK handing them a potential fine of £183.4million (GBP) under the General Data Protection Regulation (GDPR). This is a fine of approximately 1.5% of their worldwide annual turnover, with the maximum fine being 4% of annual turnover (or around £18million, whichever is greater).
NIS Directive within Aviation
At the same time as GDPR came into force across the EU, the NIS Directive also came into force (somewhat drowned out by the GDPR noise, unsurprisingly). The NIS Directive requires organisations within Critical National Infrastructure, including transportation networks such as aviation, to embed a particular level of cyber security and incident response planning throughout the entire organisation, from engineering operations and IT through to board level.
In the UK, the National Cyber Security Centre (NCSC), which is the public-facing cyber security division of GCHQ, released the Cyber Assessment Framework (CAF) to address the minimal requirements critical national infrastructure must adhere to in order to be compliant enough for the regulation. The CAF was the initial framework of our Profile software. Audits against the CAF are then checked by the regulators for the different sectors.
For the aviation sector in the UK, the NIS Directive regulation still applies, and the Civil Aviation Authority (CAA) is the organisation charged with ensuring that aviation organisations within the UK are complying with that regulation. They, however, are currently not using the NCSC CAF but are using their own framework entitled “CAP 1574: 26 security controls for regulation.”
It is with pleasure that we announce full support of CAP 1574 in the Profile product by Awen Collective, meaning that we can help aviation organisations within the UK comply with the NIS Directive, track their scores over time and make improvements.
Within the aviation sector, the regulation and the framework should apply to all organisations that own or operate: aircraft, airlines, airports, airspace management and aviation security. The NIS Directive also states that suppliers to these organisations should have the same or greater levels of cyber security.
Building Automation and Control within Aviation
Aviation sector organisations have to consider the cyber security of their facilities, including their buildings - both private and public-facing, including airports. These buildings are increasingly being fitted with digital networks and internet-connected devices. These devices are often sensors but in some cases they are controllers and actuators (something that makes a physical change). Examples include Heating, Ventilation, Air Conditioning (HVAC); elevators, escalators and travelators; physical access systems (such as key cards or biometric scanners); bag checking systems; fire alarms and so on.
These systems generally come under the category of Building Automation & Control (BAC), and it is with pleasure that we announce that our product Dot supports protocols for BAC, including BACnet. With our software, organisations within the aviation sector will be able to perform automated asset and vulnerability discovery, leading to a greater understanding of risk and the mitigation of that risk. Dot will not only help to improve safety and security within an aviation organisation, but will also help to save money, as budget can be correctly allocated to any security concerns before an incident happens. Dot will also help aviation organisations to achieve various components of CAP 1574 and the Cyber Assessment Framework, in particular those compliance points related to Asset Management, Risk Management, Secure Configuration, Network Segregation, Security by Design, Vulnerability Monitoring and Knowledge Sharing.
Profile and Dot are available now to the aviation industry. Contact us today to book a demonstration and to discuss next steps by emailing hello@awencollective.com.
—
This is the first in a series of blog posts about the cyber security of Building Automation and Control (BAC) and Building Management Systems (BMS).