Awen is Cybersecurity Made in Europe

As of 11th March 2021, Awen Collective has received the “Cybersecurity Made in Europe” mark after meeting the requirements outlined by the European Cyber Security Organisation (ECSO).

 
 

The label is issued across Europe on a broadly geographical basis via ECSO authorised partners. Our issuer was Cyber Wales CIC, of which Awen has been a member since our very earliest days as a business.

 
 


The requirements include ensuring compliance with the “Indispensable baseline security requirements for the secure ICT products and services” by ENISA, which we easily achieved thanks to our existing CyberEssentials+ certification and our in-depth expertise around the NIS Directive, the Cyber Assessment Framework (CAF), ISO 27001 and IEC 62443.

 
 

This ECSO label is very important for us, as we have always considered ourselves as being Made in Wales, Made in Britain and Made in Europe. Every single line of code in our products is developed by us here in Wales, and we are dedicated to making society safer by increasing the cyber resiliency of our critical national infrastructures (and other industrial sectors) in Wales, the United Kingdom, The Netherlands, right across Europe and internationally.

The ECSO label is fast becoming a mark of both quality and trust - and we are honoured and very pleased to be one of the first to have received it.

Profile is a compliance checking and improvement tool which was built specifically with the UK and EU-wide NIS Directive in mind.

Dot is a software system for asset discovery and cyber vulnerability analysis built specifically for Operational Technologies (OT) such as Industrial Automation and Control Systems (IACS), as well as for the specific constraints of industrial engineering processes.

If what we are doing in the UK, Europe and internationally is of interest, then please do contact us today.

Awen Collective secures investment round led by Dutch Security TechFund

Caerphilly (Wales, UK)/ Naarden (NL), 4th March 2021 - Dutch Security TechFund, managed by TIIN Capital, has led the third investment round in Awen Collective Ltd. Other investors are SFC Capital and two strategic angel investors from the UK. It is the joint mission of Awen Collective and Dutch Security TechFund to make society safer. For Awen Collective this means creating software to increase the cyber resiliency of Critical National Infrastructure and Manufacturing. Dutch Security TechFund aims to support and invest in businesses which advance this mission.

Read the full press release in Dutch and English here [PDF]

Read the blog post on the TIIN Capital Website (in Dutch)
(TIIN Capital are the managers of the Dutch Security TechFund)

To summarise, the investors in this round are:

  • The Dutch Security TechFund (managed by TIIN Capital) - lead investor

  • SFC EIS Fund and the SFC BBI Fund (managed by SFC Capital) - follow-on funding from their 2019 SEIS investment in us!

  • Paul Dennis (an experienced executive from the industrial automation industry)

  • Paul Rix (an experienced process engineer from the industrial automation industry)

The press release also includes a quote from the Deputy British Ambassador to The Netherlands, Lucy Ferguson, and a quote from Philip Meijer of InnovationQuarter.

Awen Collective wishes to thank all the investors, the British Embassy in The Hague, InnovationQuarter, Lime Advisory and Acuity Law for all their help during this investment round and going forward.

Cyber doesn't go so swimmingly for Florida water company

What happened?

On Friday 5th February, a hacker tried to poison the water supply of Oldsmar, Florida, after gaining access to the water treatment control system. Through remote desktop software TeamViewer, the hacker took control of an employee’s computer at the water treatment plant and subsequently increased the amount of sodium hydroxide (lye) in the water to dangerous levels.

The consequences

The operator monitoring the system at the time of the cyber attack immediately noticed the increase of lye from 100 parts per million to 11,100 parts per million and reversed the change. This attack could otherwise have had very serious consequences for the population of Oldsmar. The treatment plant supplies water to around 15,000 residents as well as businesses in the area. Under normal circumstances, lye is a substance that is added to water to control the acidity. However, the substance is very corrosive, and can have serious health consequences if ingested. So thanks to the quick response of the keen-eyed operator at the treatment plant, the residents of Oldsmar really did have a lucky escape!

How it happened

At the time of writing, no arrests have been made. Authorities cannot publicly describe whether the attacker accessed TeamViewer using a zero-day vulnerability or a known one. It is not even known where the breach originated or how many people were behind the attack: whether the attacker or attackers operated within the state of Florida, or from across the world.

In the days following the intrusion, the treatment plant has uninstalled the software that enabled the hacker to gain access, and TeamViewer has asserted that there is no indication it was their platform that was compromised. It is suspected that the attacker took advantage of systems still using Windows 7, whose end-of-life date was early last year. That leaves plenty of time for vulnerabilities to be discovered without any patches being officially released for them. Still, whether the intrusion was carried out due to a weakness in TeamViewer, stolen credentials, a Windows 7 zero-day, or a combination of these factors, we must consider what steps to take to ensure all of these potential exposures are managed and reinforced.

How to prevent the incident from happening again, or happening to you

What prevented this intrusion from becoming life-threatening was the watchful eye and quick action of the operator. If the attacker had gotten their hands on the proper credentials, it's possible that the attack could have been carried out in the middle of the night. The use of remote software was already common in industrial plants before lockdowns to monitor performance, but with so many professionals working from home these days, it's especially imperative to (just one more time today) inspect what technology you use to enable remote work. Are your organisation's VPN servers hardened? Is multi-factor authentication enabled where possible? Is it really necessary to utilise screen-monitoring capabilities where you’re doing so? Are you and your colleagues running the latest versions of your communication platforms? What about the devices on your physical site? Do you even know what remote-access software is running on your systems, right now?

Asking such questions and being thorough in finding the answers is absolutely worth the cost, as any organisation that has been hit will tell you. Preventing yourself from being the next target and appearing on the news for all the wrong reasons is less painful and cheaper than cleaning up the aftermath of an attack. Even then, it's not a one-time endeavour; no matter what sector you operate in, it is necessary to regularly perform audits, scan your network and hosts for any suspicious behaviour or vulnerabilities (provided that you know what would constitute suspicious vs. normal in the first place), and so on and so forth. And if it turns out you need to, say, uninstall some remote desktop software, your pre-incident preparation will likely involve another round of security auditing if you have a rigorous change management plan. This is no small task.

The Industrial Cyber Security Ecosystem

There is no silver bullet for the problems related to the cyber security of Operational Technology (OT). There are some great solutions out there, and some which could be better. There are some amazing service providers out there who truly specialise in industrial cyber security, and others who are striving to become better in this emerging field.

We have an opportunity here to increase not only awareness but knowledge and skill. Cyber security experts, in general, have traditionally focused on IT-based cyber security. OT engineers, in general, have traditionally focused more on human safety, and not really touched cyber security.

Awen exists to reduce cyber risk and increase cyber resilience within the industrial sectors, giving value to both traditional IT-based cyber experts who are turning their attention to OT, and to OT engineers who are becoming concerned about their cyber security. Our two software products, Profile and Dot, are both about increasing awareness. Profile increases awareness about industry-focused cyber security policies and procedures. Dot increases awareness about the landscape of OT assets, and can deduce the vulnerabilities of those assets. This, in turn, gives the organisation intelligence which is truly actionable. Both products are focused on the pre-incident space, and are useful in cyber risk assessments, cyber security audits, embedding security in the OT systems design and deployment stages, and more general OT change management. This is where our solutions fit in with the industrial cyber security ecosystem.

If this sounds great, and you would like to talk with us (guaranteed radical honesty, and no hard selling) then please contact us today.

This blog post was written by Awen industrial cyber software development specialists - Seren Corbett and Paige Pesigan.

Awen accelerate NIS Directive compliance using the Cyber Assessment Framework (CAF)

Many people within the European Critical National Infrastructure (CNI) sectors (electricity, oil & gas, water, rail, aviation, highways etc) will know of the NIS Directive, or to give its full title the “Network and Information Systems Directive on Security”, which was implemented across EU member states (including the UK) in 2018. Some inside, and the vast majority outside of CNI, have probably never heard of the NIS Directive, especially as it was somewhat overshadowed by the General Data Protection Regulation (GDPR), which was released across the EU at about the same time.

The NIS Directive essentially highlights that across Europe the CNI organisations, labelled as Operators of Essential Services (OES), should have a much higher level of cyber security policies and procedures than they have currently. If those CNI/OES organisations don’t do something about it, then they should suffer the same level of fines that they would face if they were at odds with GDPR laws.

In response to its implementation across Europe, the UK’s National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework (CAF) to provide a method for analysing a CNI organisation (and their suppliers), in order to check and improve cyber security policies & procedures for the NIS Regulation. The CAF was provided to UK Regulators, some of which have interpreted it in their own way based on the sectors which they serve, but generally the idea is the same: the CAF can be used to check and improve CNI cyber security.

At Awen, we often discuss how our Profile software helps critical infrastructure organisations to adhere to the NIS Directive by providing them with an easy-to-use, efficient and collaborative way to assess and monitor their compliance with the CAF, and submit their audits to their regulators. It’s pretty much a given that Profile is an appropriate tool for the Cyber Assessment Framework and the NIS Directive, not only in the UK but perhaps across Europe too, as the CAF can also be mapped to other standards and frameworks. Unlike some other standards/frameworks, the CAF does explicitly apply to both Information Technology (IT) and Operational Technology (OT).

However, perhaps even more importantly, our Dot software leads not only to an increase in situational awareness within an OT environment, but can also help organisations in several areas of the CAF.

Dot’s Asset Discovery and Management within OT has particular applicability with several sections within the NCSC CAF:

✅ A3.a - Asset Management

✅ B4.a - Secure by Design

B4.b - Secure Configuration

B4.d - Vulnerability Management

C1.c - Generating Alerts

Dot’s Vulnerability Discovery and Management within OT has particular applicability with a couple more sections within the NCSC CAF:

A2.a - Risk Management Process

D2.a - Incident Root Cause Analysis

One key thing to note is that Dot is not an Industrial Intrusion Detection System (IDS). Dot can be used to prepare for the deployment of an IDS, and to cover areas of a network (and the legacy equipment) that an IDS cannot reach. In particular we see it providing a lot of value as part of cyber risk assessments, compliance processes, change management processes and incident response planning. An IDS would typically be more useful for Objective C of the CAF, which is all about detecting cyber security events.

Here is a visualisation of where Dot, Profile and Intrusion Detection Systems fall within the CAF:

[Figure: where Dot, Profile and Intrusion Detection Systems fall within the CAF]

If Dot, as an Asset and Vulnerability Discovery software product built for Operational Technology, sounds interesting and you would like to learn more, then please do get in contact today.

Likewise, if Profile, as a Cyber Assessment Framework (CAF) assessment and improvement system, sounds like it could help you out, then also do get in touch. We would love to hear from you.

This post was written by Daniel Lewis, CEO & Cofounder of Awen Collective.

What the UK Government is doing to protect our cities from future cyber threats

The UK National Cyber Security Centre (NCSC) have chosen Awen Collective for their Smart Cities innovation acceleration programme.

The UK National Cyber Security Centre (NCSC), which is part of the GCHQ intelligence and security organisation, announced on 2nd February 2021 that they have chosen three British businesses, including Awen Collective, to work on some of the toughest security problems within the Smart Cities domain as part of a two and a half month virtual programme.

WatchKeeper and the Cyber Defence Service are the two other businesses in the cohort. The programme is the 7th cohort in a series of NCSC Cyber Accelerators and is the first to have been dedicated to Smart Cities Security. The programme is in collaboration with Wayra, the innovation division of telecoms company Telefónica, and has partnerships with the Digital Catapult, Microsoft and others.

Cyber-attacks on energy, water, transportation, or manufacturing organisations are causing economic damage to these sectors and could cause significant disruption to society if the attack were large enough. It is the mission of Awen Collective to increase resilience and reduce the impact of cyber-attacks on society's critical infrastructures. Awen Collective does this by creating software to improve cyber security policies and procedures, and to enhance visibility in operational technology environments before attackers have opportunities.

Smart cities are a frequently discussed and increasingly popular concept. There are many flavours of smart city, but essentially, they involve taking advantage of digital technology for services such as traffic, electricity, heating, waste collection and other community services. The concept is popular and budgets for the implementation of such technology are increasing.

Smart city technology will bring efficiencies, cost savings, and better service to its end-users. However, the employment of smart city technology when it is overlaid on top of the legacy equipment found in the traditional infrastructure sectors has led to an increase in cyber vulnerabilities. Therefore, there is an increase in attention to industrial cyber security initiatives, products, and services by both the public and private sectors.

This cohort of the NCSC Accelerator is not the only initiative or programme that Awen Collective is involved in related to Smart Cities cyber security. Awen Collective was also announced in September 2020 by the UK Government Department for International Trade (DIT), as one of 30 British tech companies to be chosen as the first participants in their Tech Export Academy, which is a 9 month programme aimed at showcasing the best smart cities technologies across the Asia Pacific region. The CEO of Awen Collective, Daniel Lewis, was also announced by techUK (the British technology trade association) in November 2020 as being on the steering board of the techUK Smart City group.

As our civil society continues to move toward a more efficient and sustainable future powered by data in schemes such as Smart Cities and Industry 4.0, we are doing our best to look out for the security, safety and privacy of everyone.

If this article is of interest to you or your business, and you would like to discuss more about what we are doing at Awen Collective, including our products Profile and Dot, then please contact us today for a chat.

Awen Collective is Cyber Essentials Plus Certified

 

As of 26th January 2021 Awen Collective is officially Cyber Essentials Plus certified!

After completing the initial Cyber Essentials certification on 13th January 2021, the wonderful team at Wolfberry Cyber Security completed an audit of our systems to confirm we comply with the requirements of the Cyber Essentials Plus scheme. Wolfberry are an IASME Cyber Essentials Certification body.

We see the Cyber Essentials and Cyber Essentials Plus schemes as a vital stepping stone to help UK-based SMEs engage with their cyber security and ensure a reasonable level of thought and attention has been paid to their ongoing protection from cyber attack.

As a cyber security software supplier, we hold ourselves to the highest standards of internal cyber security, both as a company, and within the security-first principles we build our products under. Cyber Essentials Plus certification marks our first steps into officially recognising those efforts, but by no means will be the last. Our products have previously, and will continue to, undergo testing and validation using external partners to ensure their safety and security, and we look forward to being able to bring you news on further cyber security certifications in the future.

Awen Collective would certainly encourage all organisations to consider the Cyber Essentials and Cyber Essentials Plus schemes as a foundation of their cyber security efforts, and we’d like to extend our thanks to Wolfberry Cyber Security, IASME and the NCSC for their support of both Awen Collective and the provision of this scheme.

Those in one of the UK Critical National Infrastructure (CNI) sectors, or servicing the CNI sectors, should not only look at Cyber Essentials but should consider the NCSC Cyber Assessment Framework (CAF) which is made much simpler to check and monitor using the Profile software system by Awen Collective.

Awen Collective is now a Digital Outcomes and Specialists 5 Supplier

 

In October 2019 we announced that we were on the Digital Outcomes and Specialists 4 framework (DOS4) of the UK Government Crown Commercial Service.

Well, in January 2021, we are pleased to say that we’ve been accepted on to the subsequent framework, which is aptly named Digital Outcomes and Specialists 5 (DOS5).

What is DOS5?

DOS5, or the Digital Outcomes and Specialists 5 framework, is a public sector procurement framework by the UK Government Crown Commercial Service.

The precise wording is: “This agreement helps the public sector buy, design, build and provide bespoke digital outcomes by finding appropriate specialists to provide agile software development.”

The UK Government Digital Marketplace provides the ability for the public sector to search for suppliers, and for members of the frameworks to look for opportunities.

What does DOS5 mean for Awen Collective?

DOS5 means that we, as Awen Collective, will continue to be able to look for relevant public sector problems where we can apply our two products:

  • Dot is a software system to help industrial organisations discover devices and vulnerabilities on their Operational Technology (OT) networks, so that those organisations can gain as much actionable intelligence about their cyber risks as possible, thereby enabling them to use budget wisely to reduce risk and increase resilience.

  • Profile is a Software-as-a-Service (SaaS) system enabling critical infrastructure operators and their suppliers to adhere to the EU and UK-wide NIS Directive. It provides an easy-to-use web interface for collaborating, checking and monitoring compliance to the implemented directive.

The range of public sector bodies that use DOS is wide! It includes departments and organisations such as the Cabinet Office, the MOD, the Environment Agency, the Highway Agency and also regulators. So it provides direct access between these public sector organisations and the private sector organisations on the framework, including us, Awen Collective!

What experience does Awen Collective have with government procurement frameworks?

Awen Collective is indeed now on DOS5. We first joined the Digital Outcomes and Specialists framework series in the previous framework DOS4.

As of September 2020 we were also accepted on to G-Cloud 12, which is a UK Government framework aimed at the provision of cloud-based services.



If this sounds interesting and you would like to know more, then please do contact us today.


Extending Profile to be free for healthcare in 2021!

When the coronavirus pandemic began to spread and the first lockdowns came into force around the world, we made the decision to offer our Profile software system for free to all healthcare organisations throughout 2020.

At Awen Collective we have made the decision to extend this offer throughout 2021 too. So if you are in:

  • A public or private hospital, GP surgery, health centre or other centre which offers healthcare services

  • A test centre

  • A vaccine centre

  • A manufacturer of

    • COVID-19 Vaccines

    • Vaccine Paraphernalia, such as vials, syringes and needles

    • COVID-19 Test Materials or Devices

    • Personal Protective Equipment (PPE)

    • Hand sanitisers of at the very least 60% alcohol

    • Surface disinfectants approved for use against COVID-19

Then you can get free accounts on Profile for your organisation, enabling you to do your part to ensure that your organisation is considering the cyber security of operations using the Cyber Assessment Framework (CAF).

The wellbeing of humanity is of the utmost importance. If a cyber attack were to happen to any of the above organisations, it could cause a delay in the supply of healthcare goods or services, which has a direct impact on the welfare of people. This is why we are offering Profile for free to the healthcare sector: it helps these organisations to effectively and efficiently consider their cyber security policies and procedures.

If this sounds interesting, then please contact us today. We will be happy to help.