cyber resilience

The Cyber Assessment Framework - What is it and What Does it Mean for You?

The Cyber Assessment Framework (CAF) is a collection of 14 guidelines produced by the United Kingdom National Cyber Security Centre (UK NCSC) aimed to support organisations in developing their cyber security systems. This is used in conjunction with the UK implementation of the EU Network and Information Systems Directive (NIS-D) to further protect Critical National Infrastructure (CNI); however the framework is designed in such a way that it can be applied to a wider range of organisations.

Secure Supply Chains

This blog post is written by Awen Collective Founder & CEO, Daniel Lewis.

Let’s talk about “Secure Supply Chains,” or “Supply Chain Security.” Every single organisation, whether that is private or public sector, is very much reliant on the services and products that are supplied and maintained by third parties. It therefore makes sense that there is a direct relationship between the operational resiliency of a business, and the resiliency of the supply chain.


This is particularly clear at the moment. We, as members of society, go to various shops (or get deliveries) for our daily and weekly food needs. However, right now, here in the UK at least, we see patches of empty shelves in supermarkets and random things unavailable on our favoured online supermarket. This is due to the supply of those products to the shop. Various factors could be causing this in the UK – most likely it is related to the COVID pandemic, or it could be the lingering after-effects of Brexit, or it could be a combination of both. The supply chain for food products to the consumer shops is long, and most likely more like a complex network than a simple series. Think about packaged bread – you’ve got the packaging, and you’ve got the bread itself. In the supply chain, the bread will include all the ingredients: yeast, water and even the flour. These individual ingredients will all have their own chain. All of those elements may be produced, supplied and distributed by different organisations. If one of those points gets disrupted, then the rest of the chain could also get disrupted.

Supply chain security is about doing what we can to decrease the risk of disruption to the supply of products and services along a chain (or in a network). This not only includes the obvious manufactured produce that we think about in shops, but also includes things like energy, water, transportation, our local councils and governments, our defence and police services, and our health care. It also includes the economy built upon finance and digital technologies.

It's very true that the world has been through quite significant transformation over the last 30, 50 and 100 years. Digital transformation is increasingly a part of that. Digital technologies now make the supply of goods and services a lot quicker, cheaper and more varied. However, they also open up the supply chain to new vulnerabilities - cyber vulnerabilities. Cyber security within supply chains is now crucial. So much so that many governments, including the UK, have held open calls for views on supply chain cyber security (e.g. Call for views on cyber security in supply chains and managed service providers, published 17 May 2021).

So the question stands, what can an organisation do to ensure the cyber resiliency of the supply chain? Here are some thoughts on how we can collectively do our bit to increase the resiliency of the network, in some kind of order:

Cyber Essentials

Here in the UK we have something called CyberEssentials. This is a very good and not particularly expensive checklist of simple cyber security things for an organisation to have in place. It is worth spending a little more to be independently audited, after which you will be awarded a CyberEssentials+ certificate. This will give some assurance that you have achieved at least a baseline of cyber security, and should give some assurance to the people or organisations you supply.

Standards for partners

Next, promote and perhaps even require that your suppliers have at least CyberEssentials+. This could be incorporated into procurement processes as part of other required criteria.

International standard ISO 27001

Next, we would recommend that organisations look at an international standard called ISO 27001. An organisation which is audited against this standard has, in place, an “Information Security Management System.” It is, once again, a baseline and we should never confuse compliance-driven cyber security with real ongoing cyber security management and maintenance! Please note that ISO 27001 is not simple to put together, and it is a real achievement to establish it and keep it going. Once achieved, I would then promote ISO 27001 to my suppliers, and perhaps favour those who have it.

Cyber Assessment Framework (CAF)

Next, those in the UK industrial sectors (and perhaps also worldwide) should look at the Cyber Assessment Framework (CAF), which was created by the UK National Cyber Security Centre (NCSC). This is a framework of good practice that every critical national infrastructure organisation (and their suppliers!) should be checking themselves against, and improving upon. It was made specifically in response to the implementation of the UK and EU-wide NIS Directive.

Operational Technologies and IEC 62443

Next, for those in the industrial sectors, worldwide, I would thoroughly recommend turning your attention to your Operational Technologies (OT). This includes Industrial Automation & Control Systems (ICS/IACS), SCADA and Industrial IoT (IIoT) systems. An up-and-coming cyber security standard for this is called IEC 62443. Once again, it’s a fairly big standard with different options for different types of organisation. Once achieved, I would then promote IEC 62443 to my suppliers, and favour those who have it.


Each standard and framework should nudge an organisation in the right direction. The trick will then be to maintain it, so regular independent auditing will be required. There is no hiding the fact that this will take time, money and effort, but the Return on Investment is much more than just decreasing the risk and increasing the resilience. Gaining these certifications gives an organisation a competitive advantage, as those with these certifications or frameworks in place will be chosen above others because they will be seen as the less risky option. Organisations with these certifications should, in theory, also require less general maintenance, as the standards recommend particular network structures and monitoring processes.

Where does Awen fit in?

We make it easier across the whole industrial cyber security process, and can be employed as the first step. With Profile you ensure that you’re working to best cyber security practice as outlined in the Cyber Assessment Framework (CAF). With Dot you will discover all of the devices on your industrial Operational Technology (OT) systems, and you will get actionable intelligence on how to improve your cyber resiliency and decrease your cyber risks. Both products, Profile and Dot, will help in the journey towards getting accreditation in CyberEssentials+, the CAF, ISO 27001 and IEC 62443. Both products will also help to reduce the risk.

It's up to every single one of us to ensure resiliency. Contact us if you need some guidance!

Cyber resilience is NOT futile

What is cyber resilience? What does it even mean?

The coronavirus outbreak got every business executive thinking about the resilience of their operations and their business continuity planning, as we saw challenges coming from every direction: lockdown affecting the routes into offices, temporary closing of office spaces, the virus making staff members sick, schools being closed meaning that staff needed to look after children, clients and suppliers being affected, and investors focusing solely on their existing portfolio and not making new investments.

The disruptions caused to the operations of manufacturing and critical infrastructure have been significant. The resilience of businesses, and critical infrastructure in particular, has only become more important due to the pandemic.

We like to see resilience as essentially being able to deliver a service or fulfil a need, despite an event occurring or, as in the case of the pandemic, a significant change in ecosystem. Cyber resilience is specifically being able to deliver operations in the event of a cyber security related incident occurring.

How can my business achieve cyber resilience? How might I be able to build a cyber resilience strategy?

Cyber resilience differs from, but is obviously strongly related to, cyber security. 

Cyber security is essentially the policies, processes, procedures and technologies which are the armour for a person or organisation. 

Cyber resilience is more about: 

  • knowing the environment that you’re in, 

  • knowing the risks and threats, 

  • knowing how you might be able to mitigate those risks and/or follow contingency plans

The Cyber Assessment Framework (CAF) addresses the cyber security needs of UK-based Critical National Infrastructure and many other businesses. Principle B5 within the CAF is entirely focused on resilient networks and systems. The overarching questions of Principle B5 ask you:

  1. Are you prepared to restore the operation of your essential function following adverse impact?

  2. Have you designed the network and information systems supporting your essential function to be resilient to cyber security incidents? Are systems appropriately segregated, and are resource limitations mitigated?

  3. Do you hold accessible, secured and up-to-date backups of data and information needed to recover the operation of your essential function?

This is in addition to other parts of the CAF which prompt the framework adopter to produce resilience policies and processes which manage and mitigate the risk of adverse impact on the essential functions of your organisation.

Our Profile software assists you to work on all aspects of the CAF, but is particularly important when considering cyber resilience.

Our Dot software assists you directly with cyber resilience, as it gives a detailed understanding of the assets and vulnerabilities (and risk) of an operational technology environment - whether this is Industrial Control Systems (ICS), SCADA, Industrial IoT or Smart Buildings.

Output from both systems is actionable intelligence which can be used as part of cyber resilience strategies and business continuity plans.

Awen lets you know what you’re facing and simplifies processes. Let us do the heavy lifting.

Our best wishes to everyone in this current climate.
Keep healthy, keep safe, keep social.