Cyber updates
09 January 2023

Cyber Assessment Framework National Cyber

What is the Cyber Assessment Framework, and should you consider implementing a cyber security programme?

The digital age is making the world more interconnected than ever before, driving extraordinary opportunity, innovation and progress. Alongside the huge opportunities this offers comes the increased threat of cyber-attacks.

The National Cyber Security Centre (NCSC) says it has encountered a record number of cyber incidents in the UK over the last year and that there has been a 7.5% increase in cases in the year to August 2021, fuelled by the surge of criminal hackers seizing control of corporate data and demanding payment in cryptocurrency for its return.

Julia Lopez MP, minister for media, data and digital infrastructure, says: “Recent high-profile cyber incidents where attackers have targeted organisations through vulnerabilities in their supply chains, such as SolarWinds and Microsoft Exchange, along with the notable increase in ransomware attacks on organisations and critical national infrastructure, such as the Colonial Pipeline in the US, have demonstrated the disruptive potential of these threats and the real world impacts they can realise.”

Cyber incidents can have several different consequences, depending on the nature of the computer systems targeted and the intention of the perpetrators. Circumstances where the possible results of cyber incidents are extremely serious, or even catastrophic, require very robust levels of cyber-security and resilience.

It is for these circumstances that the NCSC has developed the Cyber Assessment Framework (CAF) collection, which is intended to be used by organisations that are responsible for services that play a vital role in society, from ensuring the supply of electricity, water, oil and gas, to the provision of healthcare and the safety of passenger and freight transport.

The CAF defines four top-level objectives consisting of 14 principles with guidance on how to apply them. The objectives are:

1. Managing security risk

2. Protecting against cyber attack

3. Detecting cyber security events

4. Minimising the impact of cyber security incidents.

The 14 principles are designed to help organisations make their digital services cyber resilient and demonstrate the level of resilience achieved.

Julian David, chief executive officer of cyber industry association techUK, said: “The strategy recognises the important role industry already plays in protecting government, and techUK looks forward to engaging with the cabinet office to further unite public and private sectors to ‘defend-as-one’ – both in terms of technological capability and in developing the skills we need to instil cyber resilience across the whole of the UK.”

Outside of government, the organisations likely to find the CAF collection most useful fall into three broad categories:

  • organisations within the UK critical national infrastructure
  • organisations subject to network and information systems regulations
  • organisations managing cyber-related risks to public safety.

    ATTACKS ON RENEWABLES

    Cyber-attacks on three Germany-based wind-energy companies, Deutsche Windtechnik, Nordex and Enercon, have raised alarms that attempts are being made to disrupt efforts to reduce dependence on Russian oil and gas, though the attacks have not been publicly attributed to particular groups.

    Deutsche Windtechnik was hacked in April and remote-control systems for 2,000 of its wind turbines were taken offline for more than a day. Nordex, which discovered a security incident in March, said it was forced to shut its IT systems down. The ransomware group ‘Conti’, which has declared its support for the Russian government, said it was responsible for the attack on Nordex, though this has not been confirmed.

    However, Enercon says it was part of the “collateral damage” from an attack on a satellite company in February which knocked out remote controls for 5,800 of Enercon’s wind turbines at almost the exact time that Russian troops invaded Ukraine.

    “We need high IT security standards because the growing renewable-energy sector will become a bigger target for hackers,” warns Matthias Brandt, director of Deutsche Windtechnik. “The crisis in Russia and Ukraine shows us that renewables are replacing oil and gas in the future.”

    Germany has rejected EU-wide sanctions on Russian fuel. Instead, the country’s government has accelerated plans to reach 100% renewable energy by 2035 and wean itself off Russian oil and coal imports by the end of this year.

    IT AND OT

    In a recent survey conducted by energy technology company DNV, over 80% of professionals working in the power, renewables and oil and gas sectors who responded believe that a cyber-attack on the industry is likely to cause operational shutdowns and damage assets and critical infrastructure. According to the report, 85% foresee operational shutdown and 84% damage to critical infrastructure. Additionally, 74% expect an attack to harm the environment while 57% even anticipate that it will cause loss of life.

    The biggest threat may now come not directly to the IT systems of companies themselves, but to the operational technology (OT) that links and controls an increasingly interconnected energy system. The convergence of previously separate sectors around renewable smart grids is creating an expansive energy value chain with widely divergent cyber security practices and vulnerabilities, eroding organisational control over energy security.

    Trond Solberg, managing director, cyber security at DNV says: “Our research finds the energy industry is waking up to the OT security threat, but swifter action must be taken to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security.”

    DNV recommends that firms identify where critical infrastructure is vulnerable to attack. In particular, better workforce training is needed to ensure improved enforcement of protective measures.

    BOX: PARKER SUFFERS DATA BREACH

    Major US precision aerospace engineering business, Parker-Hannifin Corporation (Parker), has confirmed that it was hit by hackers who exposed current and past employees’ personally identifiable information, including bank account information, passport numbers, Social Security numbers, dates of birth, driver’s license numbers, online account usernames and passwords.

    Parker, which has a revenue of $15.6 billion and employs over 58,000 people, has disclosed that ‘an unauthorised third party’ gained access to its IT systems between 11 and 14 March 2022, although the intrusion was not detected until more than a month later, in May.

    Parker says it conducted ‘basic protocols’ to contain the attack when it was detected and has delivered breach notification letters to those affected. The company said: “Safeguarding the information held within the company’s systems is critically important to Parker, and the company is continuing to take steps to help safeguard its systems and data against the rapidly evolving threats to company information. Parker regrets any inconvenience or concern this incident may cause.”

    While Parker has not disclosed who attacked it, the ‘Conti ransomware gang’, a state-sponsored Russian hacking group known for targeting critical national infrastructure and government systems, claimed responsibility in April when it published 3% of the data that it allegedly stole. Publication of the full 419GB data set followed on 20 April, which most likely means that negotiations for the payment of a ransom failed or may never have happened.

    Tom Austin-Morgan


    This material is protected by MA Business copyright