The Importance of OT Threat Intelligence Within the Cyber Assessment Framework (CAF)

The Cyber Assessment Framework (CAF) was developed by the United Kingdom’s National Cyber Security Centre (NCSC) as part of a new programme aimed at improving government cybersecurity in the UK. The CAF cybersecurity principles define a set of top-level outcomes that, collectively, describes good cybersecurity for organisations performing essential functions. The CAF is intended to apply to UK Critical National Infrastructure (CNI), Operators of Essential Services (OES) and organisations subject to Network and Information Systems (NIS) regulations. However, the principles and guidance can be used by any organisation of any size to improve their cybersecurity, in the UK, as well as globally. 

OT Threat Intelligence in CAF 

Threat intelligence is directly referenced several times in the CAF Principles and Guidance. There are also several CAF Principles that allude to the importance of intelligence, without directly mentioning it. Broadly speaking, to fully achieve all the requirements of the CAF, threat intelligence must be operationalised across tactical, operational, and strategic use cases, creating a more proactive security practice. Furthermore, the CAF specifically calls out the requirement for the use of “threat intelligence feeds based on your business needs and sector.” 

The following table highlights several CAF principles and how OT and industrial control systems (ICS) threat intelligence can support these principles. 

CAF PRINCIPLE	REQUIREMENT	OT INTELLIGENCE FUFILLMENT
B5.a Resilience Preparation	“Use your security awareness and threat intelligence sources, to make immediate and potentially temporary security changes in response to new threats.”	Measure security controls based on emergent & active industrial cyber threats Use Indicators of Compromise (IOCs) to spot early-stage adversary activity Prioritise ICS vulnerabilities with refactored CVSS scores & alternative mitigations for OT
C1.d Identifying Security Incidents	“You have selected threat intelligence feeds using risk-based and threat-informed decisions based on your business needs and sector.”	Use industry-specific threat landscapes for cybersecurity planning & budgeting Employ analyst services for tailored cyber threat intelligence applied to your business needs
C2.a System Abnormalities for Attack Detection	“System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity.”	Know how to spot threats with detailed technical analysis of ICS exploits & attacks Detections are codified in the Dragos Platform for visibility & monitoring of ICS assets
C2.b Proactive Attack Discovery	“You have justified confidence in the effectiveness of your searches for system abnormalities indicative of malicious activity.”	Use OT adversary tactics, techniques, and procedures (TTPs) to conduct hypothesis-based hunts Contextualised IOCs assist with investigating compromises across your networks
D1.c Testing and Exercising	“Exercise scenarios are based on incidents experienced by your and other organisations or are composed using experience or threat intelligence.”	Model your threats using knowledge of at-risk assets, exploited vulnerabilities, & OT impact Plan readiness exercises based on OT threat group activity intent, capabilities, & infrastructure

Best Practices for OT Threat Intelligence

Following are best practices needed for assessing the quality of OT threat intelligence and strategies for operationalising that threat intelligence.

CART: Complete, Accurate, Relevant, Timely 

Firstly, OT threat intelligence should have the four following qualities to be effective: 

• C – Complete: Threat intelligence must be sufficiently complete to provide effective detection and prevention and guide the organisation’s decision-making. 
• A – Accurate: Faulty intelligence leads to bad decisions. It should originate from a trusted source and be vetted by the receiving organisation. 
• R – Relevant: Threat intelligence must address a threat facing the organisation, in a method that allows for effective action. 
• T – Timely: Intelligence should be timely enough for the decision to make an impact when actioned. 

Operationalisation

Secondly, OT threat intelligence should be operationalised across all major use cases to fulfill the requirements of the CAF. 

Tactical Use Cases

SOC Analysts

Leverage reports to build and deploy use cases across defensive platforms Integrate use cases and IOCs into SIEM/XDR and TIP

Operational Use Cases 

Threat Hunters	Leverage threat intelligence to engage in hunting across OT network Leverage reports to reconstruct probable attacks against environment
Vulnerability Managers	Leverage reports and actor profiles to inform vulnerability remediation prioritisation. Vulnerability advisories written in context for ICS/OT asset owners, containing tailored mitigation/remediation guidance
Incident Responders	Leverage reports and indicators with context to assist in incident response engagements.
OT Network Architects	Leverage reports to better understand adversary capabilities, victimology, infrastructure and TTPs to construct a more defensible OT network.

Strategic Use Cases

CISOs	Leverage reports to inform cyber security decision making around policy, strategy and budget requests.
CIOs/CTOs	Leverage reports to inform ICS/OT investments, architecture and implementation decisions.

In Conclusion 

Threat intelligence is an integral and requisite part of a mature security practice, and it is essential to meeting the requirements of the CAF. ICS/OT threat intelligence allows your organisation to acquire the industry-specific intelligence you need to achieve the outcomes set out within the CAF. Operators of Essential Services should use the CAF to identify shortcomings in their current practices, understand the impact and associated risks of these shortcomings, and identify clear opportunities to use OT threat intelligence to close these gaps. 

How Dragos Can Help

Dragos Threat Intelligence is available through Dragos WorldView, an annual subscription service that delivers actionable analyst-driven cyber research and reports on adversary threats, malware, and vulnerabilities impacting industrial sectors. With a primary focus on adversary activity and capabilities used in operational technology networks and industrial control systems environments, Dragos WorldView also provides threat intelligence on early-stage adversary activities to help bridge the visibility gap between OT and IT teams. The outcome – finished threat intelligence that is packaged and delivered for use across multiple settings and audiences. Dragos Threat Intelligence indicators, vulnerabilities, and detections are codified for operational technology facilities leveraging the Dragos Platform. 

Get free sample reports of Dragos WorldView to see the types of intelligence we provide.