So, what is a Cyber Risk Review?


2T Security has been conducting Cyber Risk Reviews for over a decade now. These are typically performed for organisations operating in the Critical National Infrastructure (CNI) space, especially in sectors that rely heavily on Operational Technology (OT).

OT, which includes Industrial Control Systems, is a specialist field and has a number of differences from the IT that we traditionally work with. It is the interface between computers and the physical world, and in many cases uses software that is embedded into the hardware modules linked to systems such as pumps, valves, and switches.

These differences include:

  • Software that is difficult to upgrade because it is stored as part of the hardware
  • Systems that need to be operational 24×7, and so can’t be taken off-line for an upgrade
  • Safety-critical systems that operators don’t like changing once they’re up and running
  • Technology which stays in place for decades because it’s built into the system


A lot of OT has weaker security than IT for a number of reasons, but especially the last point. Some of this is old, legacy equipment designed in an age before everything was networked together and accessible over the internet, and where the security models haven’t moved on since deployment. The trouble is, some of this equipment has now been put onto modern networks, running its proprietary protocols over TCP/IP with the assumption that they are too obscure to be attacked.

In a Cyber Risk Review we take a detailed look at the systems necessary for keeping the critical processes up and running. As the name implies, we’re looking at cyber risks – not at the fencing, or other physical and personnel controls (although it can be useful to know about these where relevant).

We focus on areas such as where the OT and IT networks interconnect. It’s all very well to avoid putting an internet connection into the OT network, but if an attacker can reach it via the IT network then it’s effectively out there.

The approach that we follow is built around the National Cyber Security Centre’s Cyber Assessment Framework (CAF). The operators of these sites are usually familiar with the CAF as in many cases they are being required to assess themselves against it by their regulators. This gives us a structured process to follow that they are familiar with, and which can contribute to completion of their next CAF return.

Experience shows that running the workshops as a conversation about the system being evaluated – from both a business process and technical perspective – leads to a good understanding of the system security. It can also let us find out about loopholes and workarounds that might not have seemed important when introduced, but which provide unexpected vulnerabilities. We don’t use the CAF as a checklist, which was never its intention. As a result, some areas of the CAF might get a very detailed look – for example, the site where we spent a couple of hours dissecting firewall rules – whilst others might not get a mention.

The aim is to combine our breadth of security expertise with the detailed knowledge that the operator’s staff have of their systems to cover ground rapidly and build a picture of the cyber security landscape. We timebox the reviews to two days, which gives us time to get an overview of the system architecture before drilling into the CAF. Overnight, between the two days, all sorts of interesting thoughts arise that can be explored on day two.

Our team has a wide range of backgrounds that all add to the value that we bring to these reviews. This includes staff who have worked as regulators for CNI sectors, security architects, and AI specialists, as well as risk experts.

Once we leave site, we write the report collaboratively. We share a draft with the client in advance of returning to present our findings. We inevitably have a list of recommendations for improvements – usually for security, but sometimes just other observations that have arisen. These are given priorities based on how severe the risks are.

To date, we have delivered Cyber Risk Reviews to clients across most of the thirteen CNI sectors. Every sector and system is different, but our experience means that we can rise to the challenge. Learning on the job about the latest client is part of the excitement of running one of these fast-paced workshops, followed by the satisfaction of knowing that we will have improved the security of another system that is critical to the UK.

Independent. Tested. Assured. That’s 2T Security—and that’s how we’ll continue making the improbable possible.

Contact our team to discuss a tailored security strategy that always puts your organisation first.
