Many people within the European Critical National Infrastructure (CNI) sectors (electricity, oil & gas, water, rail, aviation, highways etc.) will know of the NIS Directive, or to give its full title the “Network and Information Systems Directive on Security”, which was implemented across EU member states (including the UK) in 2018. Some inside CNI, and the vast majority outside it, have probably never heard of the NIS Directive, especially as it was somewhat overshadowed by the General Data Protection Regulation (GDPR), which was released across the EU at about the same time.
The NIS Directive essentially highlights that across Europe the CNI organisations, labelled as Operators of Essential Services (OES), should have a much higher level of cyber security policies and procedures than they have currently. If those CNI/OES organisations don’t do something about it, then they should suffer the same level of fines that they would face if they were at odds with GDPR laws.
In response to its implementation across Europe, the UK’s National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework (CAF) to provide a method for analysing a CNI organisation (and its suppliers), in order to check and improve cyber security policies & procedures for the NIS Regulation. The CAF was provided to UK Regulators, some of which have interpreted it in their own way based on the sectors they serve, but generally the idea is the same: the CAF can be used to check and improve CNI cyber security.
At Awen, we often discuss how our Profile software helps critical infrastructure organisations to adhere to the NIS Directive by providing them with an easy-to-use, efficient and collaborative way to assess and monitor their compliance with the CAF, and submit their audits to their regulators. It’s pretty much a given that Profile is an appropriate tool for the Cyber Assessment Framework and the NIS Directive, not only in the UK but perhaps across Europe too, as the CAF can also be mapped to other standards and frameworks. Unlike some other standards/frameworks, the CAF explicitly applies to both Information Technology (IT) and Operational Technology (OT).
However, perhaps even more importantly, our Dot software leads not only to an increase in situational awareness within an OT environment, but can also help organisations in several areas of the CAF.
Dot’s Asset Discovery and Management within OT is particularly applicable to several sections of the NCSC CAF:
✅ A3.a - Asset Management
✅ B4.a - Secure by Design
✅ B4.b - Secure Configuration
✅ B4.d - Vulnerability Management
✅ C1.c - Generating Alerts
Dot’s Vulnerability Discovery and Management within OT is particularly applicable to a couple more sections of the NCSC CAF:
✅ A2.a - Risk Management Process
✅ D2.a - Incident Root Cause Analysis
One key thing to note is that Dot is not an Industrial Intrusion Detection System (IDS). Dot can be used to prepare for the deployment of an IDS, and to cover areas of a network (and the legacy equipment) that an IDS cannot reach. In particular, we see it providing a lot of value as part of cyber risk assessments, compliance processes, change management processes and incident response planning. An IDS would typically be more useful for Objective C of the CAF, which is all about detecting cyber security events.
Here is a visualisation of where Dot, Profile and Intrusion Detection Systems fall within the CAF:
If Dot, as an Asset and Vulnerability Discovery software product built for Operational Technology, sounds interesting and you would like to learn more, then please do get in contact today.
Likewise, if Profile, as a Cyber Assessment Framework (CAF) assessment and improvement system, sounds like it could help you out, then also do get in touch. We would love to hear from you.
This post was written by Daniel Lewis, CEO & Cofounder of Awen Collective.