The Cyber Assessment Framework (CAF) was developed by the United Kingdom’s National Cyber Security Centre (NCSC) as part of a new programme aimed at improving government cybersecurity in the UK. The CAF cybersecurity principles define a set of top-level outcomes that, collectively, describe good cybersecurity for organisations performing essential functions. The CAF is intended to apply to UK Critical National Infrastructure (CNI), Operators of Essential Services (OES) and organisations subject to the Network and Information Systems (NIS) regulations. However, the principles and guidance can be used by any organisation of any size to improve its cybersecurity, both in the UK and globally.
OT Threat Intelligence in CAF
Threat intelligence is directly referenced several times in the CAF Principles and Guidance. There are also several CAF Principles that allude to the importance of intelligence, without directly mentioning it. Broadly speaking, to fully achieve all the requirements of the CAF, threat intelligence must be operationalised across tactical, operational, and strategic use cases, creating a more proactive security practice. Furthermore, the CAF specifically calls out the requirement for the use of “threat intelligence feeds based on your business needs and sector.”
The following table highlights several CAF principles and how OT and industrial control systems (ICS) threat intelligence can support them. The OT intelligence fulfillment column was not preserved in this copy of the page.
CAF PRINCIPLE | REQUIREMENT | OT INTELLIGENCE FULFILLMENT |
B5.a Resilience Preparation | “Use your security awareness and threat intelligence sources, to make immediate and potentially temporary security changes in response to new threats.” | |
C1.d Identifying Security Incidents | “You have selected threat intelligence feeds using risk-based and threat-informed decisions based on your business needs and sector.” | |
C2.a System Abnormalities for Attack Detection | “System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity.” | |
C2.b Proactive Attack Discovery | “You have justified confidence in the effectiveness of your searches for system abnormalities indicative of malicious activity.” | |
D1.c Testing and Exercising | “Exercise scenarios are based on incidents experienced by your and other organisations or are composed using experience or threat intelligence.” | |
Best Practices for OT Threat Intelligence
The following are best practices for assessing the quality of OT threat intelligence, together with strategies for operationalising that intelligence.
CART: Complete, Accurate, Relevant, Timely
Firstly, OT threat intelligence should have the following four qualities to be effective:
- C – Complete: Threat intelligence must be sufficiently complete to provide effective detection and prevention and guide the organisation’s decision-making.
- A – Accurate: Faulty intelligence leads to bad decisions. It should originate from a trusted source and be vetted by the receiving organisation.
- R – Relevant: Threat intelligence must address a threat actually facing the organisation, and be delivered in a form that allows for effective action.
- T – Timely: Intelligence should be timely enough for the decision to make an impact when actioned.
Operationalisation
Secondly, OT threat intelligence should be operationalised across all major use cases to fulfill the requirements of the CAF. The roles served by each category of use case are listed below; the descriptions of how intelligence supports each role were not preserved in this copy of the page.
Tactical Use Cases
- SOC Analysts
Operational Use Cases
- Threat Hunters
- Vulnerability Managers
- Incident Responders
- OT Network Architects
Strategic Use Cases
- CISOs
- CIOs/CTOs
In Conclusion
Threat intelligence is an integral and requisite part of a mature security practice, and it is essential to meeting the requirements of the CAF. ICS/OT threat intelligence allows your organisation to acquire the industry-specific intelligence you need to achieve the outcomes set out within the CAF. Operators of Essential Services should use the CAF to identify shortcomings in their current practices, understand the impact and associated risks of these shortcomings, and identify clear opportunities to use OT threat intelligence to close these gaps.
How Dragos Can Help
Dragos Threat Intelligence is available through Dragos WorldView, an annual subscription service that delivers actionable analyst-driven cyber research and reports on adversary threats, malware, and vulnerabilities impacting industrial sectors. With a primary focus on adversary activity and capabilities used in operational technology networks and industrial control systems environments, Dragos WorldView also provides threat intelligence on early-stage adversary activities to help bridge the visibility gap between OT and IT teams. The outcome – finished threat intelligence that is packaged and delivered for use across multiple settings and audiences. Dragos Threat Intelligence indicators, vulnerabilities, and detections are codified for operational technology facilities leveraging the Dragos Platform.
Get free sample reports of Dragos WorldView to see the types of intelligence we provide.