Helping Clients Adhere to Operational Cyber Security Standards
Cyber security is an important part of any smart business plan, but for highly regulated industries, there are additional industry-specific regulations which must be carefully maintained. For two of Alithya’s large clients, major updates to compliance standards were mandated and the organizations tasked Alithya with analyzing the standards and finding and closing gaps to demonstrate compliance.
Identifying Cyber Assets
The first enhancement to compliance standards was an additional criterion for identifying Cyber Assets, or CAs. A CA is an electronic device that has communication ports, programming ports, or wireless capabilities, accepts removable media, or has a human-machine interface. To be considered a CA, the device must also contain a microprocessor or programmable logic item that can feasibly be reprogrammed.
Documented and comprehensive response plan during an incident
The second enhancement was the addition of new requirements formalizing the need for a documented and comprehensive response plan during a cyber security incident. The previous version of the standard considered cyber security incident response and recovery on an individual Cyber Essential Asset (CEA) basis. The new version of the standard takes an organizational viewpoint when considering cyber security incident response and recovery. Specifically, focus has been directed towards four steps:
Strict operating roles and responsibilities have been established to handle disaster situations, ensuring that critical components of the computing infrastructure continue to function or be restored quickly following an incident.
This enhancement indicates an increasing emphasis on cyber security incident response and recovery. This makes sense considering the global increase in cyber-attacks, which is supported by Gartner Inc.’s press release stating that 30% of critical infrastructure organizations will experience a security breach by 2025.
Supply Chain for Cyber Essential Assets
The third enhancement included new requirements to further define the necessary components of the supply chain program when procuring CEAs or services impacting CEAs such as maintenance or software development. Although these new requirements are more applicable to high or moderate significance CEAs, they help ensure that vendors operate under the existing trust model for cyber security. This includes establishing secure development environments, ensuring secure and safe storage and delivery of CEAs, and establishing reporting channels for any current or future security vulnerabilities.
Defensive Cyber Security Architecture
The latest version of the standard also introduced the concept of the Defensive Cyber Security Architecture, or the DCSA. The DCSA is a concept which combines the idea of arranging CEAs into groups, called zones, and applying layers of security controls to implement Defense-in-Depth for each zone. These requirements can be grouped into four main categories:
- Requirements to establish zones
- Requirements on communication between zones
- Requirements applied to a zone based on the significance of its assets
- Requirements around zone documentation
The applicability of these requirements is typically based on the classification of the CEAs a zone encompasses: high, moderate, or low significance of compromise. CEAs with a higher significance of compromise require stricter security controls than those with lower significance classifications. It is important to note that every CEA should be grouped into a zone.
Cyber Essential Assets Zones
A zone is a group of CEAs that have similar cyber security requirements. Two perspectives should be considered when establishing a zone’s security: a zone’s physical security and a zone’s logical security. Each zone should form clear boundaries to distinguish itself from other zones.
A physical security boundary is a physical perimeter around one or more CEAs, including any associated networks and interconnections, where access controls are applied to its physical access points. This could include a building, a room, or a cabinet.
Similarly, a logical security boundary is a logical perimeter around one or more CEAs where access controls are applied to its logical access points. This might be a group of firewalls, data diodes, routers, or any combination of other communication restricting devices.
A physical access point is a physical location that can be used to cross the physical security boundary by personnel or materials. This could mean a locked door on the building, room, or cabinet.
A logical access point is a CEA used at the logical perimeter to allow electronic communications to cross the logical security boundary. This might mean a single firewall or single router, out of the group of communication restricting devices forming the logical security boundary.
Zones for Critical Assets
Before a zone can be created, the operating organization must first identify which of its assets are considered most critical and which are considered less critical. It would also be useful to note their essential functions within the system, their physical location within the facility, any existing physical and logical access points, logical addresses such as IP or MAC addresses, their digital communication pathways and any associated communication equipment, and any functional dependencies with other CEAs or non-CEAs. All this information will help determine which CEAs should be grouped together based on their security needs, and will help reduce the amount of coupling between zones, minimize the size of the physical security boundaries, and reduce the functional complexity of each zone.
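The inventory checks described above can be run mechanically once the asset data is collected. The following is an added example, not code from the original article or from Alithya; the field names, zone IDs, and asset names are constructed assumptions. It flags CEAs that have not been placed in a zone, lists the significance classes present in each zone, and counts functional dependencies that cross a zone boundary as a simple measure of coupling.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class CEA:
    name: str
    significance: str                 # "high", "moderate" or "low"
    zone: Optional[str]               # None = not yet grouped into a zone
    depends_on: list = field(default_factory=list)  # names of other assets

# Constructed sample inventory (hypothetical assets and zone IDs).
INVENTORY = [
    CEA("plc-01", "high", "Z1", ["hmi-01"]),
    CEA("hmi-01", "high", "Z1", ["historian-01"]),
    CEA("historian-01", "moderate", "Z2", ["ntp-01"]),
    CEA("eng-ws-01", "low", "Z2", ["plc-01"]),
    CEA("ntp-01", "low", None),
    CEA("printer-01", "low", "Z3"),
]

def unzoned(inventory):
    """CEAs that violate 'every CEA should be grouped into a zone'."""
    return sorted(a.name for a in inventory if a.zone is None)

def zone_classes(inventory):
    """Significance classes present in each zone, for picking applicable requirements."""
    classes = defaultdict(set)
    for a in inventory:
        if a.zone is not None:
            classes[a.zone].add(a.significance)
    return {z: sorted(c) for z, c in classes.items()}

def cross_zone_coupling(inventory):
    """Count dependencies whose two ends sit in different zones (undirected)."""
    by_name = {a.name: a for a in inventory}
    pairs = Counter()
    for a in inventory:
        for dep in a.depends_on:
            target = by_name.get(dep)   # names not in the inventory are non-CEAs
            if target is None or a.zone is None or target.zone is None:
                continue
            if a.zone != target.zone:
                pairs[tuple(sorted((a.zone, target.zone)))] += 1
    return dict(pairs)

if __name__ == "__main__":
    print("Unzoned CEAs:", unzoned(INVENTORY))
    print("Classes per zone:", zone_classes(INVENTORY))
    print("Cross-zone dependencies:", cross_zone_coupling(INVENTORY))
```

A zone that reports more than one significance class, or a zone pair with a high dependency count, is a candidate for regrouping before the boundaries are finalized.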
While changes in cyber security standards can be overwhelming, there are also inherent opportunities for innovation when applying these new principles. Alithya can help identify these for your organization.