Strengthening Critical Infrastructure with the NCSC CAF


Critical infrastructure organizations bear an enormous responsibility. The assets, systems, and networks they manage are crucial to the functioning of a healthy society. They provide water, energy, transportation, healthcare, telecommunications, and more—should they fail, they would bring entire countries to their knees.

The vast importance of Critical National Infrastructure (CNI) makes it a prime target for cybercriminals. Research from early this year even found that global critical infrastructure suffered 13 cyberattacks every second in 2023.

And things are only likely to get worse: the potentially destabilizing impact of attacks on CNI makes these organizations particularly vulnerable to nation-state attacks, which are on the rise amid an increasingly tense geopolitical landscape. As such, protecting critical infrastructure from cybercrime is a worldwide priority.

The Expanding Critical Infrastructure Regulatory Landscape

In response to these threats, the European Union (EU) and the US have both developed extensive regulatory frameworks to protect critical infrastructure. While these frameworks differ slightly in their approach, they share a common goal: ensuring that critical infrastructure organizations can protect themselves against threats.

EU: NIS2

The EU’s framework, the Network and Information Security Directive 2 (NIS2), will come into force on October 18th, 2024. It builds on the original NIS Directive, expanding its scope to include more sectors and entities while imposing stricter security requirements. While the European Commission has yet to publish comprehensive guidelines for implementing the Directive, it has released two documents to help organizations assess when NIS2 or sector-specific requirements apply and to ensure consistency in registration requirements across the Union.

US: Presidential Policy Directive 21 (PPD-21)

The US’s primary critical infrastructure legislation is Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience, which establishes a national policy to strengthen and secure critical infrastructure against physical and cyber threats. The Cybersecurity and Infrastructure Security Agency (CISA) oversees this directive, providing sector-specific compliance guidance through the National Infrastructure Protection Plan.

NCSC Cyber Assessment Framework (CAF)

In this expanding and complex regulatory landscape, the Cyber Assessment Framework (CAF) developed by the UK’s National Cyber Security Centre (NCSC) can become a formidable ally. The CAF collection provides a systematic method for organizations to assess their cybersecurity posture, and while it was not specifically designed for NIS2 or PPD-21 compliance, its comprehensive approach to assessing cybersecurity makes it a useful framework for organizations looking to align with the requirements of these regulations.

The NCSC CAF Explained

According to the NCSC website, the CAF collection “is aimed at helping an organization achieve and demonstrate an appropriate level of cyber resilience in relation to certain specified essential functions performed by that organization.” The NCSC developed the CAF to meet the following requirements:

  1. Provide a suitable framework to assist in carrying out cyber resilience assessments.
  2. Maintain the outcome-focused approach of the NCSC cyber security and resilience principles and discourage assessments from being carried out as tick-box exercises.
  3. Be compatible with the use of appropriate existing cyber security guidance and standards.
  4. Enable the identification of effective cyber security and resilience improvement activities.
  5. Exist in a common core version, which is sector-agnostic.
  6. Be extensible to accommodate sector-specific elements as may be required.
  7. Enable the setting of meaningful target security levels for organisations to achieve, possibly reflecting a regulator view of appropriate and proportionate security.
  8. Be as straightforward and cost-effective to apply as possible.

It is built around four key objectives, each supported by a set of principles that provide detailed guidance on achieving the desired outcomes.

Objective A – Managing Security Risk

  • Principle: A1 Governance
    • Putting in place the policies, processes, and procedures which govern your organization’s approach to the security of network and information systems.
  • Principle: A2 Risk Management
    • Identification, assessment, and understanding of security risk, including the establishment of an overall organizational approach to risk management.
  • Principle: A3 Asset Management
    • Determining and understanding everything required to deliver, maintain, and/or support essential functions.
  • Principle: A4 Supply Chain
    • Understanding and managing the security risks to networks and information systems that arise from dependencies on external suppliers.

Objective B – Protecting against cyber attacks

  • Principle: B1 Service Protection Policies, Processes and Procedures
    • Defining and communicating appropriate organizational policies, processes, and procedures to secure systems and data that support the operation of your essential function(s).
  • Principle: B2 Identity and Access Control
    • Understanding, documenting, and controlling access to networks and information systems supporting essential functions.
  • Principle: B3 Data Security
    • Protecting stored or electronically transmitted data from actions that may cause an adverse impact on essential functions.
  • Principle: B4 System Security
    • Protecting critical network and information systems and technology from cyber attacks.
  • Principle: B5 Resilient Networks and Systems
    • Building resilience against cyber attacks.
  • Principle: B6 Staff Awareness and Training
    • Appropriately supporting staff to ensure they make a positive contribution to the cyber security of essential functions.

Objective C – Detecting cyber security events

  • Principle: C1 Security Monitoring
    • Monitoring to detect potential security problems and track the effectiveness of existing security measures.
  • Principle: C2 Proactive Security Event Discovery
    • Detecting anomalous events in relevant network and information systems.

Objective D – Minimising the impact of cyber security incidents

  • Principle: D1 Response and Recovery Planning
    • Putting suitable incident management and mitigation processes in place.
  • Principle: D2 Lessons Learned
    • Learning from incidents and implementing these lessons to improve the resilience of essential functions.

The CAF takes this principles-based approach to driving change toward a recognized desirable end-state because it offers adaptability and resilience. The principles serve as general guidelines, allowing flexibility so diverse organizations can apply the framework to their unique circumstances.

Assessors can determine the extent to which an organization meets a specific principle by assessing all the contributing outcomes for that principle. To inform assessments at the level of contributing outcomes:

  • each contributing outcome is associated with a set of indicators of good practice (IGPs), and
  • using the relevant IGPs, the circumstances under which the contributing outcome is judged ‘achieved,’ ‘not achieved,’ or (in some cases) ‘partially achieved’ are described.

The relevant IGPs are arranged in table format for each contributing outcome. The resulting IGP tables constitute the basic building blocks of the CAF. In this way, each principle is associated with several IGP tables, one per contributing outcome.
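As an added illustration (not code from the NCSC or from this article), the following Python models how a contributing outcome is judged from its IGP table and rolls the results up to the principle. The outcome names and indicator statements are constructed placeholders, and the decision rule assumes the column layout of the published CAF IGP tables: any true ‘not achieved’ indicator fails the outcome, otherwise all ‘achieved’ indicators must hold, otherwise all ‘partially achieved’ indicators.

```python
from dataclasses import dataclass, field
from enum import Enum


class Level(str, Enum):
    NOT_ACHIEVED = "not achieved"
    PARTIALLY_ACHIEVED = "partially achieved"
    ACHIEVED = "achieved"


@dataclass
class IGPTable:
    """One contributing outcome's IGP table, one list per column."""
    outcome: str
    not_achieved: list[str]          # any one true -> not achieved
    achieved: list[str]              # all true -> achieved
    partially_achieved: list[str] = field(default_factory=list)  # optional column

    def assess(self, true_statements: set[str]) -> Level:
        # Assumed rule (mirrors the CAF table headings, not NCSC code).
        if any(s in true_statements for s in self.not_achieved):
            return Level.NOT_ACHIEVED
        if self.achieved and all(s in true_statements for s in self.achieved):
            return Level.ACHIEVED
        if self.partially_achieved and all(s in true_statements for s in self.partially_achieved):
            return Level.PARTIALLY_ACHIEVED
        return Level.NOT_ACHIEVED


def assess_principle(tables: list[IGPTable], evidence: dict[str, set[str]]) -> dict[str, Level]:
    """Judge every contributing outcome of a principle from the assessor's evidence."""
    return {t.outcome: t.assess(evidence.get(t.outcome, set())) for t in tables}


# Constructed placeholder table for a hypothetical outcome "B2.x" (not a real CAF IGP table).
IGP_B2_X = IGPTable(
    outcome="B2.x",
    not_achieved=["shared_accounts_in_use", "no_access_review"],
    partially_achieved=["unique_ids", "access_reviewed_annually"],
    achieved=["unique_ids", "access_reviewed_quarterly", "mfa_privileged"],
)


def example_assessment() -> dict[str, Level]:
    # Constructed evidence: unique IDs and quarterly reviews exist, but MFA on
    # privileged accounts does not, so the outcome cannot be fully achieved.
    evidence = {"B2.x": {"unique_ids", "access_reviewed_quarterly", "access_reviewed_annually"}}
    return assess_principle([IGP_B2_X], evidence)
```

The returned levels are the assessor's input to the shortcoming-identification and prioritization steps the article describes later.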

The following table summarizes the key points relating to the purpose and nature of the indicators included in the CAF IGP tables.

Source: https://www.ncsc.gov.uk/collection/cyber-assessment-framework/introduction-to-caf

How Can the NCSC CAF Help Strengthen Cyber Security and Resilience?

The NCSC CAF helps organizations strengthen their cyber security and resilience by providing a systematic and comprehensive approach to assessing the extent to which organizations manage cyber risks to their essential functions. The CAF collection aims to help an organization achieve and demonstrate an appropriate level of cyber resilience in relation to certain specified essential functions performed by that organization.

The NCSC notes that the CAF is not an all-encompassing cybersecurity “to-do” list. Organizations should use the CAF in the following way:

  • Understand the principles and why they are important. Interpret the principles for the organization.
  • Compare the outcomes described in the principles to the organization’s current practices. Use the guidance to inform the comparison.
  • Identify shortcomings. Understand the seriousness of shortcomings using organizational context and prioritize.
  • Implement prioritized remediation. Use the guidance to inform remediation activities.

Conclusion

Fundamentally, the CAF helps organizations understand their ability to manage security risk, protect against cyber attacks, detect cyber security events, and minimize the impact of cybersecurity incidents so they can improve in areas they fall short.

However far along your organization is in demonstrating resilience, Tripwire’s platform of products can help you on your journey. Schedule a demo of Tripwire Enterprise or any of our other products to see how we can add value to your cybersecurity program.
