TechUK recently hosted a lively panel session that I was fortunate enough to participate in, exploring cyber security in the UK energy sector. The session followed an illuminating presentation by a National Cyber Security Centre (NCSC) representative, outlining the current and emerging threat landscape relevant to the sector, and to Critical National Infrastructure (CNI) more generally. The talk reinforced a global picture that includes sophisticated adversaries carrying out a range of activities from reconnaissance to disruption. Such a picture is not new for many, but it remains a sobering reminder of the need for greater cyber maturity within the sector. This brief article provides a perspective on the relevance of information sharing in promoting that required maturity.
From security outcomes to security specifics
At NCSC’s flagship event CyberUK this year, an Energy Sector workshop concluded that the NIS directive has stimulated both focus and investment across the sector. However, for many involved, initial comparison of their organisation’s maturity against the desired outcomes defined by the Cyber Assessment Framework (CAF) can make bleak reading.
The diversity of technology and the dynamic threat environment have required the NIS directive to be outcomes-based. Arguably, the degree to which best practice in achieving those outcomes is recognised and shared effectively across the CNI will be a significant factor in determining the rate at which adequate cyber maturity is established.
Government as exemplar?
Of course, government itself is part of the CNI, and has an ever-expanding role in sharing best practice, driven in part by the fact that government IT environments are more relevant to the private sector today than they have ever been. Government “High Assurance” environments now look to make use of commercially available technology, avoiding where possible the bespoke government systems that were historically the norm but that today cannot keep pace with either technological change or increasingly demanding user expectations.
Consequently, exemplar IT projects within government have needed to successfully balance achieving “High Assurance” security outcomes with delivering the agility, flexibility and ease of use required of today’s enterprise environments. This has been achieved in part by influencing the standards and techniques employed by market-leading commercial technology, as well as using the extensive expertise possessed by NCSC to develop novel architectures that balance diverse business needs.
Mapping High Assurance and NIS principles
Unsurprisingly, the security objectives of successful government IT projects can be mapped directly to NIS security principles and desired supporting outcomes. These projects therefore can provide meaningful references for network and security architects within the CNI. One example project that illustrates this is the NCSC CloudClient project, devised initially to promote secure collaboration across the Public Sector. Components of the CloudClient programme include an endpoint architecture that allows device health to be measured and used to support device identity management controlling access to online applications and services – principles now also advocated within the ‘Zero Trust’ network model. For illustration, sample desired outcomes referenced in the CAF that map directly to CloudClient properties and principles include:
Sample CAF Outcomes
For reference, a brief video of the mechanisms CloudClient uses for Device Identity and Health management can be found here
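The CloudClient property described above, device health measured at the endpoint and fed into the access decision, is easiest to see in a small worked example. The following is an added illustration written for this article, not CloudClient's own code or NCSC's design: the claim fields, the HMAC-based signing, the ten-minute freshness window and the patch baseline are all constructed assumptions chosen to show the principle, namely that an access decision is refused unless a fresh, verifiably signed health claim meets every policy check.

```python
"""Illustrative device-health-gated access decision (constructed example, not CloudClient code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Constructed shared secret standing in for the attestation service's key (demo only).
ATTESTATION_KEY = b"constructed-demo-key"
# Claims older than this are treated as stale: health must be re-measured, not cached.
MAX_CLAIM_AGE = timedelta(minutes=10)


@dataclass
class HealthClaim:
    """Hypothetical health measurement reported by an endpoint agent."""
    device_id: str
    os_patch_level: str      # ISO date of the applied patch baseline, e.g. "2019-05-01"
    disk_encrypted: bool
    secure_boot: bool
    issued_at: datetime      # timezone-aware UTC timestamp set when the measurement was taken
    signature: str = ""      # hex HMAC-SHA256 over the fields above


def _canonical(claim: HealthClaim) -> bytes:
    """Fixed field order so the signature covers every attribute the policy relies on."""
    return "|".join([
        claim.device_id,
        claim.os_patch_level,
        str(claim.disk_encrypted),
        str(claim.secure_boot),
        claim.issued_at.isoformat(),
    ]).encode()


def sign_claim(claim: HealthClaim, key: bytes = ATTESTATION_KEY) -> HealthClaim:
    """Stand-in for the measuring service attesting to the claim."""
    claim.signature = hmac.new(key, _canonical(claim), hashlib.sha256).hexdigest()
    return claim


def access_decision(claim: HealthClaim, required_patch_level: str, now: datetime,
                    key: bytes = ATTESTATION_KEY) -> dict:
    """Return {"allowed": bool, "reasons": [...]}; every failing policy check is reported."""
    expected = hmac.new(key, _canonical(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim.signature):
        # An unverifiable claim tells us nothing about the device, so stop here.
        return {"allowed": False, "reasons": ["signature invalid"]}
    reasons = []
    if now - claim.issued_at > MAX_CLAIM_AGE:
        reasons.append("health claim stale")
    if claim.os_patch_level < required_patch_level:   # ISO dates compare correctly as strings
        reasons.append("patch level below baseline")
    if not claim.disk_encrypted:
        reasons.append("disk not encrypted")
    if not claim.secure_boot:
        reasons.append("secure boot disabled")
    return {"allowed": not reasons, "reasons": reasons}


def demo() -> dict:
    """Evaluate four constructed devices against a constructed baseline of 2019-05-01."""
    now = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)
    baseline = "2019-05-01"
    healthy = sign_claim(HealthClaim("laptop-01", "2019-05-01", True, True, now - timedelta(minutes=2)))
    stale = sign_claim(HealthClaim("laptop-02", "2019-05-01", True, True, now - timedelta(hours=3)))
    unpatched = sign_claim(HealthClaim("laptop-03", "2019-01-01", True, False, now - timedelta(minutes=1)))
    # Signed while reporting no disk encryption, then edited in transit: signature no longer matches.
    tampered = sign_claim(HealthClaim("laptop-04", "2019-05-01", False, True, now))
    tampered.disk_encrypted = True
    return {c.device_id: access_decision(c, baseline, now)
            for c in (healthy, stale, unpatched, tampered)}


if __name__ == "__main__":
    for device, verdict in demo().items():
        print(device, "allowed" if verdict["allowed"] else "denied", verdict["reasons"])
```

Two design points carry over to real deployments: the signature is checked before any policy field is read, so a claim that cannot be attributed to the measuring service never influences the decision, and all failing checks are returned together rather than just the first, which gives the operations team the full picture when a device is refused.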
A further example, outlined in some detail by NCSC at CyberUK ’19, includes work done under the NCSC Advance mobility programme, illustrating how CAF requirements relating to network segmentation and network flow are met within sensitive government systems.
Sample CAF Outcomes
A short video expanding on some of the network segmentation concepts in the context of Mobile Device Management can be found here
One perspective on the nature of information sharing within cyber is a division between what good outcomes look like, what to avoid, and how to achieve good outcomes. Within this model, arguably the NIS security principles describe best practice or what to strive for, and the growing practice of threat information sharing plays an important part in highlighting what to avoid.
A better understanding of how organisations successfully achieve good outcomes, whilst balancing business requirements, through a combination of products and architectures that have achieved, or are able to achieve, some form of assurance or independent validation must be a key goal for organisations seeking to mature efficiently by leveraging sector-wide expertise and experience.
Our adversaries within threat actor communities understand the benefits of information sharing well, creating an asymmetry that needs to be counterbalanced as far as possible. Unfortunately, much of the commercial cyber security industry is dominated by marketing narratives that can leave buyers struggling both to identify and to quantify effective investment in cyber defence. Fortunately, the UK at least has expertise within the NCSC that is not only world-leading but is today not inwardly focused, counting the CNI as a key community with whom to share the experiences gained in recent years. In contrast to a somewhat noisy cyber security market, such experiences provide clear examples of how High Assurance systems can be delivered within well-functioning business environments.