Integrating Risk Management Practices into Compliance Initiatives within CNI

Across the globe, operators, suppliers and maintainers of Critical National Infrastructure (CNI) ensure the delivery of goods and services, without which, our daily lives could grind to a halt – making it no surprise that CNI has become a highly regulated space. Within Europe, and with particular concern to cyber security, regulation and legislation has materialised in the form of the EU Network and Information Systems Directive (NIS D) and the UK’s implementation of NIS D in the Network and Information Systems Regulations (NIS R). 

The NIS Regulations, which came into force within the UK in May 2018, are aimed at raising the levels of cyber security and resilience of the key systems depended upon by operators of CNI and have become increasingly pertinent in today’s world where operators have seen a significant uptick in the number of security incidents and perceived threat from malicious actors.

With this context in mind, the NIS Regulations sets out two core security duties for Operators of Essential Services, or those organisations within vital sectors that rely upon information networks, requiring operators to take appropriate and proportionate security measures to manage risks to their network and information systems and to prevent and minimise the potential impact of any incidents that may occur. 

Concerning compliance with the regulations and associated requirements, the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF),  and its accompanying ‘collection’, has emerged as the tool of choice when it comes to measuring resilience and steering organisations towards compliance. Within the UK in particular, its utility has seen the framework adopted by Competent Authorities (CAs), or those bodies that establish oversight and enforce the NIS Regulations across the UK, such as the Department for Transport (DfT). These authorities utilise the CAF to set the bar and assess organisations against the expected levels of security across the CAF’s 39 contributing outcomes and supporting Indicators of Good Practice (IGPs). 

Whilst the CAF is an established framework and holds great value in gaining an understanding of organisation’s cyber resilience, internal compliance initiatives aimed at achieving alignment with the established benchmarks or profiles have tendencies to be conducted incommunicado - or siloed from existing internal functions such as risk management.

Within these isolated practices, initiatives often approach CAF compliance assessments from the perspective of a binary ‘have or have not’ gap analysis, against the aforementioned outcomes and IGPs, to identify areas of non-compliance. Whilst such an approach provides value as a first pass, conducting assessments in this manner can lead to compliance activities being based upon initial findings that have been misconstrued as definitive areas of non-compliance or risks that must be addressed – rather than utilising findings within existing risk identification processes to provide a clearer picture.

The results of such practices could take the form of false positive or negative achievement statuses and can lead to the initiation of security improvement activities that are not appropriately prioritised or informed. Ultimately, in the long term, this may harm compliance initiatives and overall organisational resilience with ‘tick box’ approaches leading to investment of resources into the development and operationalisation of Corrective Action Plans that are ill-informed, misaligned and fail to take into account the surrounding context or nature of an organisation’s systems, threat landscape, mitigating controls and established priorities or criticalities.

This critique is something that CAs themselves acknowledge, stating that the four broad objectives “should not be used as a checklist” and that whilst the CAF IGPs should be used to support assessment, they “cannot replace the use of expert judgment when making such assessments”.

To address these concerns, Bridewell has routinely adopted the approach of integrating expert judgment into the process of CAF assessment and the development of compliance initiatives by drawing upon existing risk management practices to support CAF submission statements – permitting the production of reflective CAF submissions and effective Corrective Action Plans.

Most recently, Consultant Jack Sullivan noted that “Utilising CAF gap analysis findings within existing risk management frameworks has played an integral role in our approach to the CAF audit process. Deficiencies that we ran through the risk analysis and evaluation processes have informed our use of alternative method statements, which allowed us to communicate and demonstrate the spirit of IGPs being achieved, despite at first glance the justification suggesting non-compliance.

"This approach has been consistently met with understanding and agreement from the auditors in our recent submission of assessments for a number of critical and complex systems. With the auditors onside, the use of risk analysis and evaluation has also permitted us to assist in the development of Corrective Action Plans that are appropriately prioritised and target the addressment of real world risks faced by the organisations we work with”. 

The intention here is not to gloss over any potential malpractices with risk analysis and evaluation, but to incorporate system and organisational context and the threat landscape into compliance initiatives to demonstrate compliance where, at first glance, outcomes may have previously been assigned with inaccurate achievement statuses.

Furthermore, when it comes to the production of resultant corrective action plans, the benefit of such an integrated approach is two fold – preventing plans being developed as part of ‘tick box’ exercises but instead producing plans that are informed by the results of risk evaluation and promote the introduction of efficient, effective and targeted security solutions that are reflective of system context and the organisation’s own risk profile whilst still supporting compliance initiatives. 

This is something that is aligned to the latest approach adopted by CAs within the UK, with Operators of Essential Services (OES) submission’s to Ofgem requiring not only a CAF assessment, but a detailed overview of the organisation’s approach to risk management, both of which support the development of resultant improvement plans with activity “prioritised based on minimising risks above tolerable levels or rectifying CAF target profile deficiencies”. 

Such an approach, which leaves room for a balanced and rationalised CAF assessment submission and targeted remediation, could not be more timely with 47% of respondents to Bridewell’s latest CNI report noting that they expected a reduction in cyber security budgets over the next 12 months despite 79% of respondents noting a heightened sense of concern to a wide range of security threats.