Traditionally, advice to industry on cyber risk has been provided from disparate sources. This is changing rapidly with cyber initiatives such as the Defence Science and Technology Laboratory’s Cyber Vulnerabilities Investigation project, which aims to provide a focal point for industry guidance, as well as help government manage cyber risk.
There are many enterprise risks in any business, whether that business is defending the realm or providing essential services through Critical National Infrastructure (CNI). This is particularly important for a number of government departments as they have responsibilities to work with selected CNI industry areas.
Although there are cyber systems in all businesses, cyber protection and resilience are not always prioritised. This increasingly becomes a concern as businesses adopt a more automated approach with technology upgrades, efficiency savings and regulatory requirements. The cyber domain is fast moving, evolving and refreshing its technology capability on a regular basis. Visibility of its operation is largely hidden within computing devices and cables (or over the air, e.g. Wi-Fi) and it often cares little about geography. Hence how to protect the electronic borders or gateways within CNI, as well as the devices and software within it, are all key considerations.
Both information technology networks (IT) and operational technology networks (OT) are areas of cyber risk and should be considered and sponsored appropriately and regularly. The work that Dstl has been carrying out has identified, at a very high level, that there are two elements to mitigating cyber risk. The first of these is the traditional consideration of appropriate technical solutions and assurance. Operating systems such as Windows XP are no longer supported, so any new vulnerability is unlikely to be patched. These types of issue exist for computing hosts, servers and industrial computing solutions such as programmable logic controllers.
The second element is governance, with many organisations not funded for even the most basic situational awareness tools such as network monitoring. Working with other commercial suppliers, Dstl has developed the capability to co-ordinate advice to customers in this area. As one of a number of organisations in government working together, we offer a collaborative approach, supporting the National Cyber Security Programme.
And the extensive work on cyber continues. Read more here on how MOD is seeking innovative ways to help commanders understand cyber.