cyber security

Resiliency: Cyber & Net Zero

This post has been written by Awen Collective CEO & Founder, Daniel Lewis.

I've been thinking a lot about the concept of resiliency, and in particular cyber resiliency and ecological resiliency (by achieving net zero). Can we draw parallels? Can we learn from each other?

What is “cyber resiliency”?

Cyber resiliency, I would say, is ensuring that systems are prepared for a potential cyber attack. This includes thinking about:

  • What do you do if something goes wrong?

  • Do you have mitigations and contingencies to ensure continuous operations?

  • Do you have processes and resources in place to not only react but also be able to best learn from what might have gone wrong?

What is "ecological resiliency"?

There is a lot of talk at the time of writing about humanity's and the Earth's resiliency in regard to the impact of climate change. The goal is to achieve Net Zero (the balance of carbon produced and removed from the atmosphere), which in turn should reduce existential risk caused by human-driven climate change. So the resiliency aspect includes the societal changes required to work towards Net Zero.

Are there similarities? Could we learn from each other?

In order for any resiliency to be most effective it requires efforts from multiple directions:

  • People - ultimately, we are all in this together. Every single one of us needs to know that we (as individuals and as a society/community) are susceptible to cyber attacks, and to the impact of climate change. We therefore need to be doing our bit where we can. For cyber, e.g. having good password hygiene, using two-factor/multi-factor authentication, keeping our systems up to date, using antivirus, looking out for nefarious activity in the physical or cyber world, etc. For climate, e.g. recycling, reducing waste, choosing a renewable energy supply, reducing air travel, considering electric vehicles and public transport.

  • Technological advancements - doing realistic and effective R&D, getting both the quick wins (e.g. updating and upgrading protection such as antivirus or an intrusion detection system; e.g. increasing energy efficiency through hybrid energy sources) and the longer term plans (e.g. carbon scrubbing, developing new alternative energy sources).

  • Government response - the "carrot and stick approach" - but I would say that the "carrot" is going to be much more effective from a widespread perspective than the "stick" (in many situations) because we need governmental support to do realistic research, improve the current state of affairs, and work towards the best possible outcome with good and clear guidance. Subsidies and grants work best if they not only give instant relief, but are then coupled with short and long term hands-on support and guidance. This goes for both cyber security/resilience and Net Zero efforts.

  • Opportunities through standardisation - despite the complaints people have about complying with standards, and other complaints about compliance not being the end goal, having standardisation can be an opportunity. For example, if a tendering & procurement process for an organisation includes the requirement for (or even just favours) suppliers to have a particular standard, then that prompts the supplier market to do better. Standards need to evolve over time, and be feasible not only for large enterprises but for smaller ones too. Examples in cyber security include ISO 27001 and IEC 62443, and examples in the eco-friendly business world are many and varied - ISO have 14001, but there are sector and application specific standards such as LEED and Energy Star.

No doubt that there are other options too. These are just some thoughts about the parallels and what we might be able to do about the resilience of it all. If you have any thoughts on the subject, it would be great to hear from you.

On Friday 5th November 2021, in my capacity as the CEO and a founder of Awen Collective, I pitched Awen Collective (alongside other British and Brazilian businesses) at COP-26 as part of a Connected Places Catapult virtual event where I highlighted that cyber security is important to be included in smart city, industry 4.0 and Net Zero initiatives. Please do go download the Business Portfolio brochure of companies, including Awen Collective, from the CPC UK - Latin America Net Zero Solutions website. We are also now members of the Connected Places Catapult.

Secure Supply Chains

This blog post is written by Awen Collective Founder & CEO, Daniel Lewis.

Let’s talk about “Secure Supply Chains,” or “Supply Chain Security.” Every single organisation, whether that is private or public sector, is very much reliant on the services and products that are supplied and maintained by third parties. It therefore makes sense that there is a direct relationship between the operational resiliency of a business, and the resiliency of the supply chain.


This is particularly clear at the moment. We, as members of society, go to various shops (or get deliveries) for our daily and weekly food needs. However, right now, here in the UK at least, we see patches of empty shelves in supermarkets and random things not available on our favoured online supermarket. This is due to the supply of those products to the shop. Various factors could be causing this in the UK – most likely it is related to the COVID pandemic, or it could be the lingering after-effects of Brexit, or it could be a combination of both. The supply chain for food products to the consumer shops is long, and most likely more like a complex network than a simple series. Think about packaged bread – you’ve got the packaging, and you’ve got the bread itself. In the supply chain, the bread will include all the ingredients: yeast, water and even the flour. These individual ingredients will all have their own chain. All of those elements may be produced, supplied and distributed by different organisations. If one of those points gets disrupted, then the rest of the chain could also get disrupted.

Supply chain security is about doing what we can to decrease the risk of disruption to the supply of products and services along a chain (or in a network). This not only includes the obvious manufactured produce that we think about in shops, but also includes things like energy, water, transportation, our local councils and governments, our defence and police services, and our health care. It also includes the economy built upon finance and digital technologies.

It's very true that the world has been through quite significant transformation over the last 30, 50 and 100 years. Digital transformation is increasingly a part of that. Digital technologies now make the supply of goods and services a lot quicker, cheaper and more varied. However, it also opens up the supply chain to new vulnerabilities - cyber vulnerabilities. Cyber security within supply chains is now crucial. So much so that many governments, including the UK, have issued open calls for views on supply chain cyber security (e.g. Call for views on cyber security in supply chains and managed service providers, published 17 May 2021).

So the question stands, what can an organisation do to ensure the cyber resiliency of the supply chain? Here are some thoughts on how we can collectively do our bit to increase the resiliency of the network, in some kind of order:

Cyber Essentials

Here in the UK we have something called CyberEssentials. This is a very good and not particularly expensive checklist of simple cyber security things for an organisation to have in place. It is worth spending a little more to be independently audited, and you will be awarded with a CyberEssentials+ certificate. This will give some assurance that you have achieved at least a baseline of cyber security, and should give some assurance to the people or organisations you supply.

Standards for partners

Next, promote and perhaps even require that your suppliers have at least CyberEssentials+. This could be incorporated into procurement processes as part of other required criteria.

International standard ISO 27001

Next, we would recommend that organisations look at an international standard called ISO 27001. An organisation which is audited against this standard has, in place, an “Information Security Management System.” It is, once again, a baseline and we should never confuse compliance-driven cyber security with real ongoing cyber security management and maintenance! Please note that ISO 27001 is not simple to put together, and it is a real achievement to establish it and keep it going. Once achieved, I would then promote ISO 27001 to my suppliers, and perhaps favour those who have it.

Cyber Assessment Framework (CAF)

Next, those in the UK industrial sectors, and perhaps also worldwide, should look at the Cyber Assessment Framework (CAF) which was created by the UK National Cyber Security Centre (NCSC). This is a framework of good practice that every critical national infrastructure organisation (and their suppliers!) should be checking themselves against, and improving upon. It was made specifically in response to the implementation of the UK & EU wide NIS Directive.

Operational Technologies and IEC 62443

Next, for those in the industrial sectors, worldwide, I would thoroughly recommend turning your attention to your Operational Technologies (OT). This includes Industrial Automation & Control Systems (ICS/IACS), SCADA and Industrial IoT (IIoT) systems. An up-and-coming cyber security standard for this is called IEC 62443. Once again, it’s a fairly big standard with different options for different types of organisation. Once achieved, I would then promote IEC 62443 to my suppliers, and favour those who have it.


Each standard and framework should nudge an organisation in the right direction. The trick will then be to maintain it, so regular independent auditing will be required. There is no hiding the fact that this will take time, and money, and effort but the Return on Investment is much more than just decreasing the risk and increasing the resilience. Gaining these certifications gives an organisation competitive advantage, as those with these certifications or frameworks in place will be chosen above others as they will be seen as the less risky option. Organisations with these certifications, in theory, should also require less general maintenance as they recommend using particular network structures and monitoring processes.

Where does Awen fit in?

We make it easier across the whole industrial cyber security process, and can be employed as the first step. With Profile you ensure that you’re working to best cyber security practice as outlined in the Cyber Assessment Framework (CAF). With Dot you will discover all of the devices on your industrial Operational Technology (OT) systems, and you will get actionable intelligence on how to improve your cyber resiliency and decrease your cyber risks. Both products, Profile and Dot, will help in the journey towards getting accreditation in CyberEssentials+, the CAF, ISO 27001 and IEC 62443. Both products will also help to reduce the risk.

It's up to every single one of us to ensure resiliency. Contact us if you need some guidance!

Event: Factory of the Future - Big Data and Automation


Last Tuesday (10th September 2019) Awen attended the Factory of the Future (Big Data & Automation) event organised by ESTnet, supported by Barclays and hosted by the Newport Wafer Fab.

We heard from three keynote speakers:

  • Mike Lakoju from Cardiff University, who spoke about the Chatty Factories project which attempts to apply cutting-edge data science techniques for a variety of factory-floor applications.

  • Emily Bristow from BluePrism, who spoke about their software bot system RPA used to automate IT & business processes.

  • Gareth Jones from the industrial automation division of Omron Electronics in the UK.

We also had a great tour around the wonderful Newport Wafer Fab.

We were invited by the organisers to come along to exhibit our software & services as part of a local showcase of solution providers within Factory of the Future / Industry 4.0 / Smart Factories. We spoke to delegates about Dot, our asset & vulnerability discovery system for OT; Profile, our NIS Directive compliance system; and the past-present-future of Awen Collective in general.

Awen develops software which provides practical solutions to cyber security problems in industrial environments, and we do so through local and global lenses. We will continue the dialogue with all partners involved in this event, and invite others reading this to contact us today to get involved in that dialogue.
