NIS Breakfast Briefing: Secure Your Supply Chain, Thursday 6th September 2018 (PowerPoint presentation)



SLIDE 1

NIS Breakfast Briefing

Thursday 6th September 2018

Secure Your Supply Chain

SLIDE 2

Agenda

  • Welcome

David Duke, Gemserv

  • An Introduction to NIS

Ian Davis, Gemserv

  • Case Study – National Energy Generator and Distributor

Andy Green, Aprose

  • Introducing NIS into ABP

Ewan Duncan, Associated British Ports

Gemserv 2

SLIDE 4

NIS Regulation

Ian Davis – Head of Information Security

NIS Regulation Breakfast Meeting

SLIDE 5

Agenda

  • Introduction to NIS
  • Essential Service Scoping
  • Extent and complexity of the supply chain
  • Question and answer session

SLIDE 6

Network and Information Systems (NIS) Regulations

Introduction

SLIDE 7

Attacks on the Increase

  • 92% increase in new downloader variants
  • 600% increase in IoT attacks
  • 54% increase in mobile malware variants
  • 13% overall increase in reported vulnerabilities
  • 29% increase in industrial control system (ICS) related vulnerabilities

Source: Symantec 2018 Internet Security Threat Report

SLIDE 8

Attacks on the Increase

Figure: attack chain against an operator: initial compromise → intelligence gathering → stolen credentials → modify systems → future attack on OT.

SLIDE 9

Attacks on the Increase

State and state-sponsored threats

  • Motivation
    • Political, diplomatic, technological, commercial and strategic advantage
    • To cause disruption
  • Skill
    • Offensive and destructive cyber capabilities
    • Highly funded
    • Covert operations and attacks
  • Opportunity
    • 24/7 internet connected
    • Inadequate defences
    • Social engineering

SLIDE 10

Network and Information Systems (NIS) Regulations

  • Raise UK Cybersecurity levels
  • Protect Critical National Infrastructure

SLIDE 11

NIS Timeline

Figure: NIS timeline across 2018 and 2019 (month markers Apr, May, Jul, Aug, Sep, Nov, Jan, May) with milestones labelled OES thresholds, CAF, NIS, incidents (72-hour reporting), CAF findings, Ofcom and critical systems.

SLIDE 12

Cyber Assessment Framework

Indicators of Good Practice tables in the CAF are not:

  • A checklist to be used in an inflexible assessment process
  • An exhaustive list covering everything an assessor needs to consider
  • Guaranteed to apply verbatim to all organisations

Indicators of Good Practice in the CAF are:

  • Intended to help inform expert judgement
  • Examples of what an assessor will normally need to consider
  • Likely to need supplementing in some cases
  • Designed to be widely applicable across organisations
  • Subject to their applicability being established

SLIDE 13

Cyber Assessment Framework

  • OESs will benefit from a mature ISMS
  • Audit team to complete self-assessment
  • Expected to take months
  • Continual improvement

SLIDE 14

Essential Service Scope

SLIDE 15

Operator of Essential Service Thresholds

Figure: OES threshold values by sector (values shown: 250,000 consumers; 200,000 consumers; 10M+ passengers; providers of healthcare; TLD 2 billion; DNS 2M+; IXP 50%; DNS 250,000).

SLIDE 16

Scope of Essential Service

Figure: the essential service at the centre, surrounded by suppliers, IT and OT, network, physical, people, processes, ICS, transport and thresholds, with dependencies on other CNI sectors (power, water, transport, DSPs).

SLIDE 17

Scope of Essential Service - Threats

Figure: unknown threats (?) facing the essential service and its OT.

SLIDE 18

Scope of Essential Service - Risk

Figure: risk components for the essential service: threat, vulnerability, asset, impact, likelihood, treatment.

SLIDE 19

Business Impact Analysis

Objective: essential service operating within threshold level

  • Criticality, function and processes
  • Tolerable disruption without dependencies
  • Recovery time objective (RTO)
  • Recovery point objective (RPO)
  • Risk assessment
  • Strategy and priority

SLIDE 20

Extent and Complexity of the Supply Chain

SLIDE 21

Extent and Complexity of the Supply Chain

SLIDE 22

Extent and Complexity of the Supply Chain

People

  • Skills shortage
  • Supplier culture
  • Leavers and movers
  • Physical equipment
  • Security awareness training
  • Phishing and ransomware are a serious threat
  • Background checks
  • 24/7 day and night shifts

SLIDE 23

Extent and Complexity of the Supply Chain

Technology, IT and OT

  • Network segmentation or air gap
  • Introduction of IoT
  • OT expertise with limited people
  • Incident response and forensics capabilities for OT and IT
  • Systems and components
  • Secure engineering principles
  • Vulnerabilities

SLIDE 24

Extent and Complexity of the Supply Chain

Cloud Services

  • Information in transit
  • Stored information
  • Physical access
  • Governance
  • Background checks, user management
  • Active monitoring and audit records
  • Remote access, authentication
  • Privileged access
  • External interfaces

SLIDE 25

Extent and Complexity of the Supply Chain

Supplier Security Baseline

  • Certification
    • ISO 27001
    • ISO 22301
    • Cyber Essentials Plus
  • Procurement process
  • Security awareness training
  • BS 7858 background checks
  • Transparency
  • Contractual agreement
  • Notification
  • Incident response

SLIDE 26

In summary

  • The clock is ticking
  • Clear scope is essential
  • How exposed are you to risks from suppliers?

SLIDE 27

Agenda

  • Welcome

David Duke, Gemserv

  • An Introduction to NIS

Ian Davis, Gemserv

  • Case Study – National Energy Generator and Distributor

Andy Green, Aprose

  • Introducing NIS into ABP

Ewan Duncan, Associated British Ports

SLIDE 28

Case Study – National Energy Generator and Distributor

Andy Green - Lead Security Consultant

SLIDE 29

Overview

  • National Energy Company
  • Power Generation
  • Distribution Network Operator
  • Onward connectivity to other EU Power networks
  • Operator of Essential Service (OES) with c450k consumers
  • Need to comply with NIS Directive

SLIDE 30

Organisational Scope

  • Large fibre network covering the entire island
  • Distribution sub-stations
  • Interconnector to mainland EU
  • Head office and remote offices
  • Power stations
  • Large IT network
  • OT infrastructure including SCADA and ICS

SLIDE 31

Cyber Security Risk Assessment

  • Risk assessment followed the ISO 27005 framework
  • Technical risk treatment was based on the CIS Critical Security Controls Top 20 (CSC 20)
  • The CSC 20 has ICS alignment guidelines
  • Further aligned with the NIST Cyber Security Framework for cyber resilience

SLIDE 32

EU Funding

  • In partnership with the Home Office, the risk assessment will be used as evidence for CEF funding
  • The Connecting Europe Facility (CEF) is an EU funding programme
  • Objective 2: capability development of Operators of Essential Services (OES) and Digital Service Providers (DSP) in line with the Security of Network and Information Systems Directive

SLIDE 33

Agenda

  • Welcome

David Duke, Gemserv

  • An Introduction to NIS

Ian Davis, Gemserv

  • Case Study – National Energy Generator and Distributor

Andy Green, Aprose

  • Introducing NIS into ABP

Ewan Duncan, Associated British Ports

SLIDE 34

Ewan Duncan, Group Head of Security, Associated British Ports

“Networked and Information Systems Regulations: Introducing NIS R into ABP”

SLIDE 35

NIS R and cyber security.

25/09/2018 35

  • ABP context:
    • UK’s largest port operator
    • Humber to Silloth
    • Europe’s largest cruise liner operations (Southampton)
    • Reliance upon a variety of networked and information systems
    • Regulated by the DfT
    • Physical security: PFSIs, vetting, annual audit and inspections (ISPS)
    • Data protection
    • www.abports.co.uk


SLIDE 37

  • We should be doing this anyway, but it’s forced upon us….
  • No different to physical security – threat, risk, vulnerabilities.
  • NIS Regulation.
  • Alongside GDPR.
  • Impact upon Risk Management.
  • It came late….
  • DCMS, Guidance, Direction – now ‘live’.
  • Cyber Security Code of Practice – not mandatory.
  • How important is it ?
  • Difficult to secure ‘buy in’ – in a commercial environment..

SLIDE 39

Security of Networked and Information Systems

  • Does this include:
    • Cyber security?
    • Physical security?
    • Data protection?
    • Risk management?
    • Physical processes?

…it does within ABP.

SLIDE 40

ABP’s approach

  • Gemserv consultants
  • Cyber Security Steering Committee
  • NIS R project/implementation
  • Practically:
    • Immingham and Southampton: the sole ports ‘in scope’
    • Criteria?
    • Workshops at each to identify processes and ‘critical systems’
    • CAF: initial benchmark check
    • Identify ‘critical systems’ to DfT
    • Await initial DfT inspections
  • Alongside:
    • GDPR/DPA 18
    • Physical security: organised crime, Islamic terrorism

On track, so far……

SLIDE 41

Have we suffered cyber attacks?

  • Southampton, Oct 18
    • Fraud against a tenant
    • Inside information
    • Emails and invoice exact
    • Correct date/time
    • Change of bank details
    • ‘Human factor’
  • We learned so much:
    • Accounts not closed
    • Shared access
    • Disinterest
    • Security controls
    • Police interest
    • ‘Human factor’
SLIDE 42

Have we suffered cyber attacks?

  • Humber 2018 / Ipswich 2018
    • Personal accounts hacked
    • Phishing attacks
    • Auto-forward on emails
    • Loss of personal data
    • NIS R notification to ICO and DfT/NCSC
    • Similar with our clients/customers
  • We learned so much:
    • Accounts not closed
    • Shared access
    • Disinterest
    • Security controls
    • ‘Human factor’
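The auto-forward pattern in the Humber and Ipswich incidents above (a phished account with a rule silently copying mail out) is also the usual way attackers gather the kind of inside information that invoice fraud of the Southampton type depends on. What follows is an added example, not part of the briefing and not ABP's or Gemserv's tooling: a small Python checker that runs over mailbox audit records and flags any inbox rule or mailbox setting that forwards or redirects to a domain outside the organisation, noting whether the rule also hides the forwarded mail from its owner. The records, the field names (Operation, UserId, CreationTime, Parameters as Name/Value pairs) and the domain example-port.co.uk are constructed assumptions for this example, not any vendor's export format.

```python
"""
Flag mailbox rules and settings that auto-forward mail to external addresses,
a common persistence step after a phished account. Added example, not from the
briefing. Records and field names are constructed assumptions (see lead-in).
"""
from __future__ import annotations

import json
import re
from dataclasses import asdict, dataclass

# Assumed: the organisation's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"example-port.co.uk", "corp.example-port.co.uk"}

# Rule and mailbox parameters that send mail out of the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters attackers pair with forwarding so the owner never sees the copies.
CONCEALMENT_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

# Matches a bare SMTP address inside values such as "[SMTP:a@b.com]" or "smtp:a@b.com".
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample audit export (assumed schema): two malicious changes, one
# benign internal rule and one unrelated login event.
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2018-09-03T07:41:12", "Operation": "New-InboxRule",
     "UserId": "finance.clerk@example-port.co.uk",
     "Parameters": [
         {"Name": "Name", "Value": "Invoices"},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank details"},
         {"Name": "ForwardTo", "Value": "[SMTP:acct.review2018@mail-example.net]"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2018-09-03T08:02:55", "Operation": "Set-Mailbox",
     "UserId": "ops.manager@example-port.co.uk",
     "Parameters": [
         {"Name": "ForwardingSmtpAddress",
          "Value": "smtp:ops.manager.personal@mail-example.net"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2018-09-03T09:15:00", "Operation": "New-InboxRule",
     "UserId": "hr.advisor@example-port.co.uk",
     "Parameters": [
         {"Name": "Name", "Value": "Payroll to shared box"},
         {"Name": "ForwardTo", "Value": "[SMTP:payroll@corp.example-port.co.uk]"}]},
    {"CreationTime": "2018-09-03T09:20:31", "Operation": "MailboxLogin",
     "UserId": "hr.advisor@example-port.co.uk", "Parameters": []},
]


@dataclass
class Finding:
    time: str
    user: str
    operation: str
    parameter: str   # which forwarding parameter was set
    target: str      # external address the mail goes to
    concealed: bool  # True if the rule also deletes, marks read or moves the mail
    rule_name: str   # empty for mailbox-level forwarding


def extract_addresses(value: str) -> list[str]:
    """Return lower-cased SMTP addresses found in a rule parameter value."""
    return [a.lower() for a in ADDR_RE.findall(value)]


def is_external(address: str, internal_domains: set[str] = INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1] not in internal_domains


def find_external_forwarding(records, internal_domains: set[str] = INTERNAL_DOMAINS) -> list[Finding]:
    """Scan audit records and return one Finding per external forwarding target."""
    findings: list[Finding] = []
    for rec in records:
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        concealed = any(name in params for name in CONCEALMENT_PARAMS)
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            for addr in extract_addresses(params[name]):
                if is_external(addr, internal_domains):
                    findings.append(Finding(rec["CreationTime"], rec["UserId"],
                                            rec["Operation"], name, addr,
                                            concealed, params.get("Name", "")))
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print(json.dumps(asdict(finding)))
```

On the sample data this reports the finance clerk's "Invoices" rule (external target, and concealed because it also deletes the message) and the mailbox-level forward on the ops manager's account, while the payroll rule to an internal shared mailbox is left alone. Run against a real audit export, any finding is worth an alert, with concealed rules treated as the higher priority; the same export is a cheap place to confirm that leavers' accounts are actually closed, which the slide lists among the lessons learned.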
SLIDE 43

Ewan Duncan, Group Head of Security, Associated British Ports

“Networked and Information Systems Regulations: Introducing NIS R into the Ports sector of the Maritime Industry”

SLIDE 44

Q&A Session