At the February 2024 Rail Partners Rolling Stock Software and Cyber Security event, the work of the National Cyber Security Centre (NCSC) was mentioned.
Launched in October 2016, the NCSC brings together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure, which became the National Protective Security Authority (NPSA) in March 2023).
The NCSC provides a single point of contact for SMEs, larger organisations, government agencies, the general public, and departments. It works collaboratively with other law enforcement agencies, defence, the UK’s intelligence and security agencies, and international partners.
The high-level principles of the NCSC are:
- Understand what’s important. Organisations, government, regulators, and the NCSC should share an up-to-date understanding of risk. This should be based on the criticality of organisations, assets, systems, networks, and projects; the resilience of critical assets, systems, networks, and projects; and the threat faced by organisations including bad actors, methods, capability, and intent.
- Improve the now. Organisations’ existing assets, systems, networks, and processes should be cyber secure and resilient to a degree commensurate with the level of risk they face. Organisations with the highest potential impact should present a difficult target for even capable cyber adversaries.
- Secure the future. Organisations’ new assets, systems, networks, and processes should be secure by design and cyber resilient to a degree commensurate with the level of risk they will face over their lifecycle. Projects with the highest potential impact should present a difficult target for even capable cyber adversaries.
- There are real threats. In its 2023 review, the NCSC said that the UK’s critical sectors face a threat that is ‘enduring and significant’, and it believes it is essential to understand the risks to the UK’s Critical National Infrastructure (CNI) before our adversaries do. But while the UK’s CNI is subject to ever-increasing threats, its operators also face other, especially commercial, pressures.
Ideal approach
The ideal approach requires a variety of tools appropriate to organisational context and risk appetite. The NCSC indicates that organisations should also manage risk through the supply chain and assess the potential for low frequency, but high impact events. Clearly this approach is similar to any other risk assessment/management system. State-sponsored cyber attackers are capable of using the built-in tools on victims’ systems to camouflage their activity.
It is important to establish a system’s context before embarking on its design, and this should include network zoning and supply chain security. Designers should make it hard to compromise the system, by not trusting external input, enforcing one way flow, reducing the attack surface (minimising entry/exit points), and gaining confidence in security controls.
It is clearly good practice to make detection of an attack or a system compromise easier, as well as reducing the impact of compromise together with controls such as duty separation and protecting documentation.
Flat, unsegmented/unsegregated networks, characterised by devices and hosts being able to communicate with other devices and hosts unhindered where they have no legitimate need to do so, are undesirable. These are commonly built using a switch (or several switches) to connect all the devices on the network, without VLAN technology or routers to enforce segregation. The same effect can be seen where firewalls are used without restrictive rules. Thus, all hosts are routable to all other hosts. The NCSC recommends that designers implement network segregation and identify and control network segregation limitations.
There have been more distributed denial-of-service (DDoS) threats and attacks against western critical national infrastructure since Russia invaded Ukraine. They are not necessarily Russian in origin but are state aligned groups sympathetic to Russia and are ideologically motivated rather than rather being aimed at extortion. Clearly poorly protected systems are more at risk.
The NCSC website includes guidance on actions to be taken when the cyber threat is heightened, advice on asset management and on appropriate logging and monitoring techniques. Scan the QR code to visit the online version of this article which includes links to articles and white papers on NCSC’s website relevant to the issues we’ve discussed.
NCSC references
What follows is largely a series of links to the NCSC’s very full and informative website and covering some highlights, references other useful information including white papers.
- https://www.ncsc.gov.uk/news/ncsc-warns-enduring-significant-threat-to-uks-critical-infrastructure
- https://www.ncsc.gov.uk/collection/risk-management
- https://www.ncsc.gov.uk/news/ncsc-and-partners-issue-warning-about-state-sponsored-cyber-attackers-hiding-on-critical-infrastructure-networks
- https://www.ncsc.gov.uk/collection/cyber-security-design-principles/examples/study-operational-tech
- https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns
- https://www.ncsc.gov.uk/guidance/preventing-lateral-movement#:~:text=6.%20Segregate%20networks%20as%20sets
- https://ritics.org/wp-content/uploads/2023/10/ICS-COI-Resolving-Anti-Patterns.pdf
- https://www.ncsc.gov.uk/news/heightened-threat-of-state-aligned-groups
- https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened
- https://www.ncsc.gov.uk/guidance/asset-management
- https://ritics.org/wp-content/uploads/2023/10/ICS-COI-Asset-Management.pdf
- https://ritics.org/wp-content/uploads/2024/01/Visibility-for-ICS-OT-Environment-Asset-Management-070124.pdf
- https://ritics.org/wp-content/uploads/2023/10/ICS-COI-Logging-and-Monitoring-1.pdf
- https://www.ncsc.gov.uk/files/White-paper-Ransomware-extortion-and-the-cyber-crime-ecosystem.pdf
- https://www.ncsc.gov.uk/collection/supply-chain
- https://www.ncsc.gov.uk/collection/supply-chain/learning
- https://www.reuters.com/technology/danish-train-standstill-saturday-caused-by-cyber-attack-2022-11-03/
Image credit: iStockphoto.com
