
It is no secret that cyber security is a priority for all sectors, as threats evolve in terms of frequency, scale, and sophistication. However, for Operators of Essential Services (OESs), this is just part of a larger, more complex picture. With the ongoing convergence of IT and OT and the resulting drive for an integrated approach to physical and cyber security, combined with increasingly complex compliance obligations, a more considered approach to the design and implementation of security ecosystems is needed.

A ‘secure by design’ approach.

It’s no accident that we at Vysiion describe our delivery process, service and solution portfolio in this way – not just in relation to the cyber components of the delivery, but the systems, controls, and governance used in our delivery of mission-critical infrastructure into the most challenging environments, for the most stringently regulated sectors.

In Vysiion’s view, robust security is not a retrofit – it needs to be inherent in both approach and design, taking process, controls, hardware, and software into consideration, and ensuring stakeholders are aware of their roles and responsibilities.

So, taking a step back and considering how this works in practice, and from the earliest stages of a project…

An established project management methodology will include the creation of a risks and methods document, will ensure that the right security and risk management specialists have been engaged, and will put processes in place that follow best practice throughout each phase of delivery. A ‘secure by design’ approach takes this further by considering the full range of IT and OT security systems and processes that will overlay every element of the project – validated against the relevant frameworks and regulations, with the latest threat intelligence used to pinpoint the areas of greatest risk. Crucially, this includes all elements of the proposed supply chain, as these represent an increasingly common target for cyberattacks as a means of gaining backdoor access to critical data and infrastructure.

A rigorous, standards-based approach is essential, as OESs’ regulatory obligations are rapidly evolving in response to the complexity of IT/OT systems, with regulations like NIS (2018) reflecting the larger attack surface created by this new breed of infrastructure.

As such, the following standards should be considered as the baseline for establishing secure, integrated IT and OT systems:

  • ISO 27001. The globally recognised standard for information security.
  • NIS (2018). Measures to optimise the resilience (both physical and cyber) of network and information systems.
  • Cyber Assessment Framework (CAF). A systematic approach to measuring multiple aspects of cyber risk, maintained by the NCSC.
  • IEC-62443. A framework for mitigating security vulnerabilities in the design and operation of critical infrastructure.
  • Cyber Assurance of Physical Security Systems (CAPSS). Assurance for physical security systems.

Do not make assumptions here. The regulatory environment is increasingly rigorous, with standards and frameworks extending to organisations and market verticals previously exempt. For example, some manufacturers are now regarded as part of the UK’s CNI sector and must be able to demonstrate appropriate and proportionate consideration has been given to the same regulatory and compliance goals.

Once the applicable standards have been identified, their robust principles can be adopted throughout the design and implementation phases and beyond, utilising proven methodologies like the Purdue Model to ensure dataflows and physical assets are identified and documented, and proactive monitoring of the potential attack surface is maintained (and automated, where appropriate). This should be subject to regular review using collated security data and the most up-to-date threat intelligence, and supported by a responsive maintenance capability, 24/7 support and monitoring, and regular auditing.
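To make the Purdue Model point concrete, here is an added example (not Vysiion’s code, and not part of the original article) of how documented assets and data flows can be checked automatically against a simple conduit policy: a flow may only move between adjacent Purdue levels, and any flow that crosses the IT/OT boundary (level 3 to level 4) must pass through the DMZ at level 3.5. The asset names, levels and flows are constructed sample data, and the policy is a deliberately minimal illustration rather than a complete IEC 62443 zone-and-conduit model.

```python
"""Purdue-model data-flow check (added example; constructed sample data).

Assets are assigned a Purdue level (0-5, with 3.5 as the IT/OT DMZ) and the
documented flows between them are checked against a simple conduit policy.
Any flow that breaks the policy is a candidate for the attack-surface review
the article describes.
"""
from dataclasses import dataclass

DMZ = 3.5  # IT/OT demilitarised zone sits between levels 3 and 4


@dataclass(frozen=True)
class Asset:
    name: str
    level: float  # Purdue level; 3.5 = IT/OT DMZ


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


# Constructed inventory with hypothetical asset names
ASSETS = {a.name: a for a in [
    Asset("plc-01", 1),          # field control
    Asset("hmi-01", 2),          # supervisory control
    Asset("historian", 3),       # site operations
    Asset("dmz-replica", DMZ),   # read-only historian copy in the DMZ
    Asset("erp", 4),             # enterprise IT
    Asset("vendor-vpn", 5),      # external / enterprise edge
]}

# Constructed flow documentation; the last two are deliberate policy breaches
FLOWS = [
    Flow("plc-01", "hmi-01", "modbus/tcp"),
    Flow("hmi-01", "historian", "opc-ua"),
    Flow("historian", "dmz-replica", "https"),
    Flow("dmz-replica", "erp", "https"),
    Flow("erp", "historian", "sql"),       # bypasses the DMZ
    Flow("vendor-vpn", "plc-01", "ssh"),   # remote access straight to level 1
]


def check_flow(flow, assets=ASSETS):
    """Return None if the flow satisfies the policy, else a short reason."""
    src_level = assets[flow.src].level
    dst_level = assets[flow.dst].level
    lo, hi = sorted((src_level, dst_level))
    # Crossing from OT (<= 3) to IT (>= 4) without touching the DMZ
    if lo <= 3 and hi >= 4:
        return "crosses IT/OT boundary without DMZ"
    # Jumping more than one level in either direction
    if hi - lo > 1:
        return f"skips levels ({lo} -> {hi})"
    return None


def find_violations(flows=FLOWS, assets=ASSETS):
    """Return a list of (flow, reason) for every flow that breaks the policy."""
    violations = []
    for flow in flows:
        reason = check_flow(flow, assets)
        if reason:
            violations.append((flow, reason))
    return violations


if __name__ == "__main__":
    for flow, reason in find_violations():
        print(f"{flow.src} -> {flow.dst} ({flow.protocol}): {reason}")
```

Run against the sample data, the check flags the ERP-to-historian SQL connection and the vendor VPN session that reaches a level 1 controller directly, while the path through the DMZ replica passes. In practice the inventory and flows would come from the project’s asset register and network documentation, and the check would be re-run whenever either changes, which is the automated, proactive monitoring of the attack surface that the article recommends.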

The actual execution and impact of this approach will naturally vary from project to project and sector to sector, but it is essential that all OESs, their technology partners, and all organisations acting as part of their supply chains are ready and willing to adopt these principles, not only to fulfil their specific compliance obligations, but to ensure their services remain secure and available to citizens across the UK.

In this way, the ‘secure by design’ approach represents a powerful investment in your organisation’s future, ensuring the continued availability and integrity of the critical product or service you provide.

Whatever the nature of your next project, if you are ready to adopt a ‘secure by design’ approach, don’t hesitate to contact us. We will collaborate with you to establish an appropriate and proportionate approach, aligned with industry best practice and regulatory compliance, and drawing on our deep experience as a supplier to the Defence, Energy, and wider CNI sectors.