The critical national infrastructure (CNI) consists of assets that are essential for the functioning of our society and economy, including transport, telecommunications, energy, finance and a range of public services. Many of the networks used to operate the CNI are increasingly diffuse, some with connections established via the internet for ease of operation. At the same time, the CNI is considered a key target for those who want to disrupt the state and society: it is often far easier and less risky to remotely install disruptive malware than to undertake physical disruption.
Despite these risks, the level of cyber defence maturity across much of the CNI has been inadequate. The tools and techniques of bad actors within the cybercriminal community are becoming more sophisticated, and much of the focus of industry commentators is driven by the latest "zero day" revelation. Yet the CNI, like other sectors, still needs to get the basics right: ensuring it does not fall victim to the majority of attacks, which continue to rely on basic failures of process, be that patching or passwords.
The EU-driven NIS is a solution to poor self-regulation of CNI
When a sector as important as the CNI does not self-regulate to sufficient standards, government will of course intervene. This is what has happened within the EU with the Network and Information Security (NIS) Directive. The purpose of the NIS Directive is to enhance cybersecurity for operators of essential services across the EU. It was implemented in UK law as the NIS Regulations in May 2018, and there is already clear evidence that it has increased focus and cyber security-related investment across the CNI.
NIS is outcomes-based: it expresses desired outcomes through a set of recommended security principles that reflect the practices organisations should have in place. These principles are defined at a high level and expanded through guidance describing the specific outcomes organisations should seek. Organisations across the CNI are incredibly diverse in terms of the technology they depend on, the threats they face and the potential impact of disruption. A principles-based approach gives organisations flexibility in how outcomes are achieved, and avoids the formulaic tick-box exercise that a more prescriptive approach may produce.
The NCSC has published the CAF
The National Cyber Security Centre (NCSC) has published a Cyber Assessment Framework (CAF). It helps organisations consider how best to achieve their goals and outcomes in order to meet the NIS Regulations. The framework uses concepts such as indicators of good practice to describe the typical attributes of compliant environments. Following the framework allows organisations to plan and implement a comprehensive through-life risk management process relevant to their needs. It is arguably one of the most effective mechanisms available to organisations of any description for improving cyber resilience.
The combination of the framework's applicability throughout the risk management life-cycle with its outcomes-based principles gives the CAF clear relevance outside the CNI. It gives organisations from any sector the ability to map security outcomes to their own circumstances. Smaller organisations will find the NCSC's Ten Steps to Cyber Security an easier starting point.
The breadth of scope and relevance of the CAF is, however, no accident. The NIS Regulations explicitly reference the need for the supply chains of operators of essential services to also demonstrate alignment with the NIS security principles. For an organisation to assure the cyber security not just of its own networks but of those of its many and varied suppliers is not a simple undertaking. Today it is performed in large part through self-reporting and auditing.
New technologies and best practices need wider adoption
Over the last three years, however, government has been influencing and part-funding technologies that address many of the challenges of maintaining confidence in disparate interconnected networks. Relevant technologies include device identity management and automated device health measurement (also known as Zero Trust Networks), novel cross-domain solutions for network segmentation and service protection, and various forms of secure mobile and secure messaging.
Having moved as far as possible away from building bespoke government technology, even for classified environments, government's strategy today is far more about influencing best-of-breed commercially available technology. The outputs of the government-industry collaboration of the last three years are largely available as affordable commercial products that go a long way towards simplifying, and in some cases automating, the process of aligning IT infrastructure with the CAF principles.
The technology therefore gives government and the CNI an opportunity to extend best practice more easily throughout a diverse and often less well-resourced supply chain. A major challenge currently faced by government, however, is how best to communicate and encourage the wider adoption of the tools and technologies it has helped mature, without resorting to further regulation.
While it is still relatively early days, the NIS Directive has set CNI organisations on a journey, blazing a trail that many others will ultimately follow, one way or another, as our technology dependencies and collective liabilities continue to increase.
With a heritage of creating UK National Cyber Security Centre (NCSC) certified products, Becrypt is a trusted provider of endpoint cybersecurity software solutions. Becrypt helps the most security-conscious organisations to protect their customer, employee and intellectual property data. It has an established global client base that includes governments (central and defence), the wider public sector, critical national infrastructure organisations and SMEs.
From being one of the early pioneers in disk encryption software to today being first to market with a unique desktop operating system, Becrypt continues to bring innovation to endpoint cyber security technology. A recognised cyber security supplier to governments around the world, Becrypt's software also meets other internationally accredited security standards. Through its extensive domain and technical expertise, Becrypt helps organisations optimise their use of new cyber security technologies, and its flagship security solution, Paradox, delivers a highly secure platform for the modern age.