UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness

The U.K. National Cyber Security Centre (NCSC) recently published Cyber Assessment Framework (CAF) version 3.2, reflecting the increased threat to critical national infrastructure (CNI). The NCSC's cyber security and resilience objectives and principles form the foundation of the CAF. Rather than being a checklist of things that need to be done, the 14 principles and the four high-level objectives are written in terms of outcomes, or what needs to be achieved. The CAF adds detail beneath the top-level principles in the form of structured sets of Indicators of Good Practice (IGPs); v3.2 revises a number of those sets.

“Following analysis of various cyber attacks affecting CNI organizations across the world, we have made significant changes to sections of the CAF covering remote access, privileged operations, user access levels, and the use of multi-factor authentication,” Jason G, NCSC support to regulation, wrote in a blog post. “We have also improved CAF alignment with Cyber Essentials (CE) and, where appropriate, have mirrored some of the CE requirements while ensuring the existing outcome-focussed approach of the CAF is retained.”

The executive added that the latest revision, CAF v3.2, has again been completed in full consultation with NIS regulators and other interested parties. “All feedback was carefully considered, and it was encouraging to read the number of responses. As a result, we have revised the pages to improve navigation across the CAF collection and consolidated references to both internal NCSC and wider external guidance,” he added.

The common core of the CAF is sector-agnostic in the sense that it is designed to be generally applicable to organizations responsible for essential functions across all key sectors. There may be a need for some sector-specific aspects of the CAF, which could include sector-specific CAF profiles; some target profiles may well be sector-specific.

The agency outlined that, in some cases, a sector-specific interpretation of contributing outcomes and/or IGPs may be necessary to clarify their meaning within that sector. There may also be circumstances in which sector-specific cyber security requirements cannot be adequately covered by interpreting a generic contributing outcome or IGP; in these cases, an additional sector-specific contributing outcome or IGP may need to be defined. The NCSC will continue to work with the full range of CAF stakeholders to determine whether sector-specific aspects of the CAF are required and to assist in introducing changes as necessary.

The CAF has been developed to provide a suitable framework to assist in carrying out cyber resilience assessments; to maintain the outcome-focused approach of the NCSC cyber security and resilience principles and discourage assessments from being carried out as tick-box exercises; to be compatible with the use of appropriate existing cybersecurity guidance and standards; and to enable the identification of effective cyber security and resilience improvement activities.

It was also designed to exist in a common core version that is sector-agnostic; to be extensible to accommodate sector-specific elements as required; to enable the setting of meaningful target security levels for organizations to achieve, possibly reflecting a regulator's view of appropriate and proportionate security; and to be as straightforward and cost-effective to apply as possible.

The four objectives of the CAF v3.2 are unchanged in scope. The first is managing security risk: appropriate organizational structures, policies, processes, and procedures are in place to understand, assess, and systematically manage security risks to the network and information systems supporting essential functions. The second is protecting against cyber attack: proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber attacks.

The third is detecting cyber security events: capabilities exist to ensure security defenses remain effective and to detect cyber security events affecting, or with the potential to affect, essential functions. The fourth is minimizing the impact of cyber security incidents: capabilities exist to limit the adverse effect of incidents on essential functions, including the means to restore those functions where necessary.

Each top-level NCSC security and resilience principle defines a broad cyber security outcome. The precise approach organizations should adopt to achieve each principle is not specified as this will vary according to organizational circumstances. However, each principle can be broken down into a collection of lower-level contributing cyber security and resilience outcomes, all of which will normally need to be achieved to fully satisfy the top-level principle.

An assessment of the extent to which an organization is meeting a particular principle is accomplished by assessing all the contributing outcomes for that principle. In order to inform assessments at the level of contributing outcomes, each contributing outcome is associated with a set of IGPs, and using the relevant IGPs, the circumstances under which the contributing outcome is judged ‘achieved’, ’not achieved’ or (in some cases) ‘partially achieved’ are described. 

For each contributing outcome, the relevant IGPs are arranged into a table; these tables are the basic building blocks of the CAF. In this way, each principle is associated with several tables of IGPs, one table per contributing outcome.
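The rollup the article describes (IGP tables feed a per-outcome judgement of achieved, partially achieved or not achieved, and a principle is assessed through all of its contributing outcomes) is easy to get wrong when tracked in spreadsheets, so here is a small model of it. This is an added example, not code from the NCSC or the CAF collection; the outcome identifiers, indicator text, observations and target profile are constructed for illustration, and the decision rule in `assess_outcome` is an assumption taken from the CAF's own scoring guidance rather than something this article states.

```python
"""Model a CAF-style assessment rollup: IGPs -> contributing outcomes -> principle.

Constructed example. Identifiers such as "X1.a" and the indicator wording are
illustrative placeholders, not real CAF table contents.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ACHIEVED = "achieved"
PARTIAL = "partially achieved"
NOT_ACHIEVED = "not achieved"
RANK = {NOT_ACHIEVED: 0, PARTIAL: 1, ACHIEVED: 2}


@dataclass
class IgpTable:
    """One IGP table for one contributing outcome.

    Each column maps indicator text to whether the assessor observed it to be
    true. The "partially achieved" column may be empty, matching the CAF tables
    that offer only achieved / not achieved.
    """
    outcome_id: str
    not_achieved: Dict[str, bool] = field(default_factory=dict)
    partially_achieved: Dict[str, bool] = field(default_factory=dict)
    achieved: Dict[str, bool] = field(default_factory=dict)


def assess_outcome(table: IgpTable) -> str:
    # Assumption (CAF scoring guidance, not stated in the article above):
    # any true "not achieved" indicator forces not achieved; all "achieved"
    # indicators true gives achieved; otherwise all "partially achieved"
    # indicators true gives partially achieved; anything else is not achieved.
    if any(table.not_achieved.values()):
        return NOT_ACHIEVED
    if table.achieved and all(table.achieved.values()):
        return ACHIEVED
    if table.partially_achieved and all(table.partially_achieved.values()):
        return PARTIAL
    return NOT_ACHIEVED


def assess_principle(tables: List[IgpTable], target: Dict[str, str]) -> dict:
    """Assess every contributing outcome and compare against a target profile.

    The target profile (assumed here to be a mapping from outcome id to the
    level the regulator or oversight body expects) is what turns the
    per-outcome results into a pass/shortfall view for the principle.
    """
    results = {t.outcome_id: assess_outcome(t) for t in tables}
    shortfalls = [
        oid for oid, result in results.items()
        if RANK[result] < RANK[target.get(oid, ACHIEVED)]
    ]
    return {"outcomes": results, "principle_met": not shortfalls, "shortfalls": shortfalls}


# Constructed observations for two contributing outcomes of one principle.
SAMPLE_TABLES = [
    IgpTable(
        "X1.a",
        not_achieved={"Shared accounts are used for privileged operations": False},
        partially_achieved={"Privileged access is reviewed at least annually": True},
        achieved={
            "Privileged access is reviewed on a defined schedule": True,
            "Privileged operations require multi-factor authentication": False,
        },
    ),
    IgpTable(
        "X1.b",
        not_achieved={"Remote access is possible without authentication": False},
        partially_achieved={"Remote access requires a password": True},
        achieved={"Remote access requires multi-factor authentication": True},
    ),
]

# Constructed target profile: the assumed expectation for each outcome.
SAMPLE_TARGET = {"X1.a": ACHIEVED, "X1.b": PARTIAL}


if __name__ == "__main__":
    report = assess_principle(SAMPLE_TABLES, SAMPLE_TARGET)
    for oid, result in report["outcomes"].items():
        print(f"{oid}: {result} (target {SAMPLE_TARGET[oid]})")
    print("principle met:", report["principle_met"], "shortfalls:", report["shortfalls"])
```

In the sample data, X1.a has every partially-achieved indicator true but one achieved indicator false, so it lands on partially achieved and falls short of its target; X1.b exceeds its target. The ordering in `assess_outcome` matters: a single true not-achieved indicator overrides everything else, which is what stops an assessor from netting a strong achieved column against a known gap.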

In his post, Jason added “Even though this version of the CAF is ‘hot off the press’, we continue to plan for future iterations. In particular, we are committed to ensuring that CAF development fully reflects changes to cyber resilience regulation (such as the government’s proposal to expand the scope of NIS regulation to include digital managed service providers).”

“Another development with possible significant implications is the increased use of artificial intelligence (AI) technologies,” Jason noted. “Some limited aspects of AI-related cyber risk are currently reflected in the sections covering ‘automated functions’ and ‘automated decision-making technologies’ and we will be considering the impact of AI in more detail as part of future iterations of the CAF.”

The CAF is now being used more widely, beyond the cyber-regulated sectors. The UK Government Cyber Security Strategy 2022-2030 adopted the NCSC CAF as the assurance framework for government, with specific CAF profiles articulating the outcomes required of government organizations so that they respond proportionately to the varying threats to their most important functions.

Adoption of the CAF provides a common framework for the government to understand and manage cyber risk. This cyber security assurance approach for government, called GovAssure, has replaced the cyber security element of the Departmental Security Health Check (DSHC).

The CAF has also been adopted for the local government sector, with the Department for Levelling Up, Housing and Communities (DLUHC) taking on the role of the responsible cyber oversight body. Adopting the CAF allows a cyber oversight body to assess the cyber resilience posture of its sector consistently and comparably with the other organizations that operate the U.K.'s essential services.

Last month, the NCSC issued security guidance to assist organizations that use operational technology (OT) in assessing whether migrating their supervisory control and data acquisition (SCADA) systems to the cloud is feasible. The guidance encourages OT organizations to make a risk-informed decision on migrating SCADA solutions to the cloud, with cyber security as a key consideration, and sets out some of the key considerations to work through before such a migration.