Bento Cyber Security Framework
Bento Cyber Security Framework (BCSF) is an applied framework for small business cyber security. It is developed to help companies protect data, retain employees, and build trust with customers and vendors.
BCSF recognizes the diversity among organizations. Each business will have different needs and requirements based on a number of factors. BCSF is meant to apply to any organization looking to build a cybersecurity program.
BCSF draws extensively on CIS, NIST SP800-17, NIST 800-53, and ISO/IEC 27001 for developing BCSF and associated guidance.
As an applied framework, BCSF provides the general structure and specific guidance through supporting content. BCSF is designed to meet three key criteria:
Adoptable: developed with business owners in mind, the framework is written for boards, owners, and managers. No technical knowledge is necessary to understand the principles.
Actionable: extended by BENTO:GUIDES, BCSF allows companies to easily access the framework and supporting materials for implementation.
Affordable: cyber security is an investment of time, resources, and energy. BCSF focuses on resiliency mechanisms that are high value and can be efficiently implemented at the small business level.
To enable companies to develop their information security governance from one comprehensive resource.
To give our clients actionable and relevant cybersecurity information.
To reduce chaos and spotlight the information critical to cybersecurity success.
To align information security practices with realistic needs and best practices.
To deliver attestation of information security practices to clients, insurance companies, vendors, and oversight organizations.
To weave customer information governance into the daily practices of managed service providers.
To disrupt the IT industry by making cyber security management services transparent and accessible.
When developing your information technology program based on our framework, you should embrace these values:
Be Mindful: Consider the action you are doing and whether or not that action is in a chain of events that can lead to a customer, employee, or vendor having a bad moment, a bad experience, or worse.
Be Methodical: When a process exists, follow it every time. Don’t let the pressures of time and noise distract you from process and methods.
Be Curious: Take time to educate yourself, access documentation, and become familiar with the policy, process, and security documents your organization has made available.
Putting in place the policies and processes which govern your organization’s approach to the security of network and information systems.
The organization has appropriate management policies and processes in place to govern its approach to the security of network and information systems.
Effective security of network and information systems should be driven by organizational management and corresponding policies and practices. There should be clear governance structures in place with well-defined lines of responsibility and accountability for the security of network and information systems.
Senior management should clearly articulate unacceptable impacts to the business (often called risk appetite), which should take into account the organization’s role in the operation of essential functions, so decision makers at all levels can make informed decisions about risk without constantly referring decisions up the governance chain.
There should be an individual(s) who holds overall responsibility and is accountable for security. This individual is empowered and accountable for decisions regarding how essential functions are protected. For small organizations, the governance structure can be very simple.
Your organization’s approach to security governance needs to be an appropriate fit for your organization. Good security governance is integrated with your business’s usual decision making structures and processes.
Decisions about risk can be made at all levels of your organization when delegated effectively to people with the right security, business and technical knowledge, skills and experience. Clear lines of communication are also necessary.
Following a standardized risk management approach can help in achieving good cyber security governance. There are many such standards to choose from. Some of the most well-known are:
| Standard | Summary |
|---|---|
| NIST Special Publication (SP) 800-37 | Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy |
| | This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; security and privacy control selection, implementation, and assessment; system and control authorizations; and continuous monitoring. |
| | It also includes enterprise-level activities to help better prepare organizations to execute the RMF at the system level. The RMF promotes the concept of near real-time risk management and ongoing system authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy controls into the system development life cycle. |
| | Applying the RMF tasks enterprise-wide helps to link essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the security and privacy controls deployed within organizational systems and inherited by those systems. |
| | The RMF incorporates concepts from the Framework for Improving Critical Infrastructure Cybersecurity that complement the currently established risk management processes mandated by the Office of Management and Budget and the Federal Information Security Modernization Act. |
| Standard | Summary |
|---|---|
| ISO 27001 | ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and then revised in 2013. |
| | An Information Security Management System (ISMS) is a set of policies, procedures, and roles designed to ensure cyber security risks are identified and managed. Traditionally an ISMS is considered to be an information risk management system; however, it can be used to manage cyber security risks to essential functions. |
| | A properly scoped and implemented ISMS can help your organization to meet requirements your organization might have to protect essential functions by putting in place policies, procedures, and roles which govern the organizational approach to managing cyber security risks to those functions… |
| | ISO 27001 is one of many standards you can use to implement an ISMS. If your organization is intending to use ISO 27001, you should consider which elements will help achieve your organizational objectives; full compliance and certification may be unnecessary. |
| | Your organization must incorporate into the ISMS any relevant external requirements, for example direction from a regulator. You should also set appropriate cyber security requirements for your supply chain to ensure their support in achieving your cyber security and resilience objectives (see A4 Supply Chain Security). |
Section References
Identification, assessment and understanding of security risks, and the establishment of an overall organizational approach to risk management.
The organization takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organizational approach to risk management.
There is no single blueprint for cyber security and therefore organizations need to take steps to determine security risks that could affect the operation of essential functions and take measures to appropriately manage those risks.
Threats can come from many sources, in and outside the organization. A good understanding of the threat landscape and the vulnerabilities that may be exploited is essential to effectively identify and manage risks. Such information may come from sources including BCSF, information exchanges relevant to the organization’s sector, and reputable government, commercial, and open sources, all of which can inform the organization’s own risk assessment process. Organizations may contribute to the understanding of threats and vulnerabilities in their sector by participating in relevant information exchanges and liaising with authorities as appropriate.
There should be a systematic process in place to ensure that identified risks are managed and the organization has confidence mitigations are working effectively. Confidence can be gained through, for example, product assurance, monitoring, vulnerability testing, auditing and supply chain security.
Our Risk Management guidance aims to help you to choose an approach that’s right for your organization. Organizations responsible for essential functions are likely to benefit from a combination of a system-based approach, which looks at the interactions between components of the function, and a component-driven analysis, which considers the threats, vulnerabilities, and impacts relevant to particular critical components.
Your organization should choose a method or framework for managing risk that fits with the organization’s business and technology needs.
Whichever approach you choose, the scope of your program must include all systems relevant to the operation of essential functions. Simply following the minimum requirements of a standard or applying blanket controls across the organization is unlikely to adequately manage risks to critical systems.
Where industrial control and automation systems are in scope of the essential function, you should keep in mind that controls suitable for managing risks on the corporate IT network may be inappropriate or damaging in an operational technology environment. These systems will likely require a more tailored approach, and some frameworks and standards address specific concerns relating to such systems.
Section References
Determining and understanding all systems and/or services required to maintain or support essential functions.
Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
In order to manage security risks to the network and information systems supporting essential functions, organizations require a clear understanding of service dependencies. This understanding might include physical assets, software, data, essential staff and utilities. These should all be clearly identified and recorded so that it is possible to understand what things are important to the delivery of the essential function and why.
Whichever risk management method your organization uses, asset management will play a key role as you cannot effectively manage risks without understanding what assets are part of the essential function. Your asset management regime should consider all relevant assets, and dependencies between them. Dependencies may be identified between assets under your organization’s control (including IT and OT domains), elements of the supply chain (including power), and key staff who are critical to operations. Assets in an operational technology environment may need a more tailored approach than the corporate IT assets.
For asset management to be effective, up to date knowledge of your assets must be maintained throughout their lifecycle.
Asset management is part of an ISO 27001 ISMS, but management of critical assets may require a tailored approach.
An Information Security Management System (ISMS) is a set of policies, procedures, and roles designed to ensure cyber security risks are identified and managed. Traditionally an ISMS is considered to be an information risk management system, however it can be used to manage cyber security risks to essential functions.
If your organization is using an ISMS as a tool for compliance with cyber regulation, you must ensure the scope includes all systems relevant to the operation of the essential function covered by the regulation. Asset management is a key part of an ISMS, although critical services may need more attention than the minimum requirements of the standard. Further guidance is detailed in ISO 27002.
This standard aligns with ISO 27001 and can be used in conjunction with it or independent of it. It outlines requirements for a generic asset management system. An organization following this standard as a tool for compliance with cyber regulation must ensure the scope encompasses all the relevant systems. Section 4.2 covers needs and expectations of stakeholders, which must include any requirements from regulators…
ITIL best practice recommends a staged approach to IT asset management. You may find this useful for improving management of your IT assets, but must keep in mind that there may be assets and dependencies beyond the corporate IT domain as outlined above.
Section References
Understanding and managing the security risks to networks and information systems which arise from dependencies on external suppliers.
The organization understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
If an organization relies on third parties (such as outsourced or cloud based technology services) it remains accountable for the protection of any essential function. This means that there should be confidence that all relevant security requirements are met regardless of whether the owning organization or a third party operates the function.
For many organizations, it will make good sense to use third party technology services. Where these are used, it is important that contractual agreements provide provisions for the protection of things upon which the essential function depends.
Organizations responsible for essential functions need to ensure that when third party suppliers are used, all relevant security requirements are met. This means that a number of specific supply chain related security considerations should be addressed where relevant to the provision of the essential function. This might include:
Ensuring the protection of data shared with a third party. This includes protecting data from actions such as unauthorized access, modification, or deletion that may cause an adverse impact on any essential functions (see Principle B3).
Effective specification of the security properties of products or services procured from a third party that are important for the protection of the essential function. This should include the security requirements derived from the rest of these Principles.
Ensuring that any network connections or data sharing with third parties do not introduce unmanaged vulnerabilities that have the potential to affect the security of the essential function.
Confidence that third party suppliers are trustworthy such that malicious attempts to subvert the security of products or systems that could affect the essential function are managed.
Section References
Defining and communicating appropriate organizational policies and processes to secure systems and data that support the operation of essential functions.
The organization defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support the operation of essential functions.
The organization’s approach to securing network and information systems that support essential functions should be defined in a set of comprehensive security policies with associated processes. It is essential that these policies and processes are more than just a paper exercise and steps must be taken to ensure that the policies and processes are well described, communicated and effectively implemented.
Policies and processes should be written with the intended recipient community in mind. For example, the message or direction communicated to IT staff will be different from that communicated to senior managers. There should be mechanisms in place to validate the implementation and effectiveness of policies and processes where these are relied upon for the security of the essential function. Such mechanisms should also support an organizational ability to enforce compliance with policies and processes when necessary.
To be effective, cyber security and resilience policies and processes need to be realistic, i.e. based on a clear understanding of the way people act and make decisions in the workplace, particularly in relation to security. If they are developed without this understanding there is a significant risk that service protection policies and processes will be routinely circumvented as people use work-arounds and shortcuts to achieve their work objectives.
The policies and processes needed by an organization depend upon its function and should integrate with the organization’s approach to governance and risk management. Organizations responsible for essential functions should have a range of policies and processes, including:
An organizational security or service protection policy: endorsed by senior management, this high-level policy should include the organization’s overarching approach to governing security and managing risks, the organization’s aims and intents for security and what is of key concern.
Supporting policies and processes: contextual lower-level definitions controlling, directing and communicating organizational security practice.
Compliance policies and processes for sector regulations, standards, etc.: specific policies and processes appropriate to the compliance regime; these may be defined by the regulation, standard, etc. For example, to comply with ISO/IEC 27001, organizations should have in place certain security policies and procedures relevant to what the organization does, how it does it, and what their ISO/IEC 27001 information security management system covers (see ISO/IEC 27002 for detail).
There is a growing body of evidence that people have a limit to the effort available to comply with security and there are recognizable costs to security behaviors. Exceeding human limits of compliance is likely to result in non-compliance, such as workarounds or circumventing controls.
Organizations should understand how people work with the systems and data they use to support the operation of essential functions, so that security and people work together. Discover how people and security really need to work together to achieve the organization’s objectives and desired productivity. Engage in and continue security conversations with staff, partners, contractors, any other system users, security and technical experts, plus organizational representatives such as HR, change and communications experts. These conversations can be enabled through, for example:
personal interviews,
staff security attitude surveys,
promoting security reporting culture without fear of blame or recrimination,
engaging people in the design of processes and policies
Use your understanding of how people work to develop practical security policies and processes and, wherever possible, reduce the human effort required to comply.
There are many resources available intended to help organizations decide what their cyber security and resilience protection policies should look like; for example, SANS provide various information security policy templates.
You should ensure that individuals authorized to access networks and information systems supporting the operation of essential functions are trustworthy. To be fully effective, link personnel security with identity and access control. Further information can be found in CPNI’s Personnel and People Security and ISO/IEC 27002.
Implementation of a new or improved cyber security and resilience policy or process requires communication to those under its scope and evaluation of its effectiveness.
Effectively communicate the policies and information on how processes work to everyone who can affect the security of the system, so that they can readily understand the contribution they make and their responsibilities to essential function security and resilience.
Communication can be achieved through continued security conversations and staff awareness and training programs. However, it should be noted that having a staff awareness and training program alone, without an understanding of how people work with security, is unlikely to result in improved compliance with cyber security and resilience policies and processes. Refer to B6. Staff Awareness & Training for further information on effective staff awareness and training programs.
Suitable data and metrics should be defined prior to implementation to evaluate the previous condition and assess the impact of the new or updated policy or process. Information may be drawn from security incidents, technical measurements, surveys, customer feedback, etc.
Cyber security and resilience policies and processes should be designed to be adaptable, to fit the needs of the changing environment. Organizations should regularly review their policies and processes in light of any recorded security breaches so that these documents and the organization’s security can be continually improved.
Section References
Understanding, documenting and controlling access to networks and information systems supporting essential functions.
The organization understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorized.
It is important that the organization is clear about who (or what in the case of automated functions) has authorization to interact with the network and information systems supporting an essential function in any way or access associated sensitive data. Rights granted should be carefully controlled, especially where those rights provide an ability to materially affect the operation of the essential function. Rights granted should be periodically reviewed and technically removed when no longer required such as when an individual changes role or perhaps leaves the organization.
Users, devices and systems should be appropriately verified, authenticated and authorized before access to data or services is granted. Verification of a user’s identity (they are who they say they are) is a prerequisite for issuing credentials, authentication and access management. For highly privileged access it might be appropriate to include approaches such as two-factor or hardware authentication.
Unauthorized individuals should be prevented from accessing data or services at all points within the system. This includes system users without the appropriate permissions, unauthorized individuals attempting to interact with any online service presentation or individuals with unauthorized access to user devices (for example if a user device were lost or stolen).
The Introduction to identity and access management sets out security fundamentals that operators should consider in designing and managing identity and access management systems. Identity and access control should be robust enough that essential functions are not adversely affected by unauthorized access.
In addition to technical security, organizations should protect physical access to networks and information systems supporting the essential function, to prevent unauthorized access, tampering or data deletion. Some organizations may already have physical security measures in place to comply with non-cyber regulatory frameworks. See CPNI guidance for further information.
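As an added illustration of the periodic rights review described above (example code written for this page, not part of BCSF or of any standard it references), the script below reconciles a constructed snapshot of accounts against a constructed HR roster and a hypothetical role-to-entitlement matrix. It flags leavers whose accounts are still enabled, entitlements that a person's current role does not permit (typical residue of a role change), privileged accounts with no second factor, and dormant accounts. The account fields, the `ALLOWED_BY_ROLE` matrix, the user names and the dates are all assumptions made for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Account:
    """One row of a constructed account export (hypothetical identity-system format)."""
    user: str
    entitlements: Set[str]
    privileged: bool
    mfa_enrolled: bool
    last_login: Optional[date]
    enabled: bool = True

@dataclass
class HrRecord:
    """One row of a constructed HR roster: current role and employment status."""
    user: str
    role: str
    active: bool

# Hypothetical role-to-entitlement matrix: the rights each role is permitted to hold.
ALLOWED_BY_ROLE: Dict[str, Set[str]] = {
    "ops-engineer": {"vpn", "prod-read", "prod-admin"},
    "analyst": {"vpn", "prod-read"},
    "finance": {"vpn", "erp"},
}

def review_access(accounts, hr_records, allowed_by_role, today, stale_days=90):
    """Return (user, finding) pairs for rights that should be removed or corrected."""
    hr_by_user = {r.user: r for r in hr_records}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked; nothing to review
        rec = hr_by_user.get(acct.user)
        if rec is None or not rec.active:
            # Leaver (or unknown to HR): the whole account goes, not individual rights.
            findings.append((acct.user, "leaver: disable account"))
            continue
        allowed = allowed_by_role.get(rec.role, set())
        for ent in sorted(acct.entitlements - allowed):
            # Rights kept from a previous role are the classic review finding.
            findings.append((acct.user, f"entitlement not permitted for role {rec.role}: {ent}"))
        if acct.privileged and not acct.mfa_enrolled:
            findings.append((acct.user, "privileged account without second factor"))
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.user, f"no login in {stale_days} days: confirm still required"))
    return findings

# Constructed sample snapshot; names and dates are invented for the example.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", {"vpn", "prod-read", "prod-admin"}, True, True, date(2024, 5, 30)),
    Account("bob", {"vpn", "prod-admin"}, True, False, date(2024, 5, 28)),  # moved to analyst
    Account("carol", {"vpn", "erp"}, False, True, date(2024, 1, 10)),        # has left
    Account("dave", {"vpn"}, False, True, None),                            # never logged in
]
SAMPLE_HR = [
    HrRecord("alice", "ops-engineer", True),
    HrRecord("bob", "analyst", True),
    HrRecord("carol", "finance", False),
    HrRecord("dave", "analyst", True),
]

def run_sample_review():
    """Run the review over the constructed data; returns the list of findings."""
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_HR, ALLOWED_BY_ROLE, TODAY)

if __name__ == "__main__":
    for user, finding in run_sample_review():
        print(f"{user}: {finding}")
```

The matrix is the part that makes the review technical rather than a judgement call: once each role's permitted rights are written down, a changed role immediately surfaces the rights that should have been removed, and the same check can run on every export rather than once a year.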
Section References
BCSF Introduction to identity and access management
ISO/IEC 27002
NIST Identity and Access Management publication
SP 800-63 suite “Digital Identity Guidelines”
Protecting stored or electronically transmitted data from actions that may cause an adverse impact on essential functions.
Data stored or transmitted electronically is protected from actions such as unauthorized access, modification, or deletion that may cause an adverse impact on essential functions. Such protection extends to the means by which authorized users, devices and systems access critical data necessary for the operation of essential functions. It also covers information that would assist an attacker, such as design details of networks and information systems.
The protection in place for data that supports the operation of essential functions must be matched to the risks associated with that data.
As a minimum, unauthorized access to sensitive information should be prevented (protecting data confidentiality). This may mean, for example, protecting data stored on mobile devices which could be lost or stolen.
Data protection may also need to include measures such as the sanitization of data storage devices and/or media before sending for maintenance or disposal.
Protect data in accordance with the risks to essential functions posed by compromises of data integrity and/or availability. In addition to effective data access control measures, other relevant security measures might include maintaining up-to-date, isolated (e.g. offline) back-up copies of data, combined with the ability to detect data integrity failures where necessary. Software and/or hardware used to access critical data may also require protection.
It is important to ensure that data supporting the operation of essential functions is protected in transit. This could be by physically protecting the network infrastructure, or using cryptographic means to ensure data is not inappropriately viewed or interfered with. Duplicating network infrastructure to prevent data flows being easily blocked provides data availability.
Some types of information managed by an organization responsible for an essential function would, if acquired by an attacker, significantly assist in the planning and execution of a serious attack. Such information could be, for example, detailed network and system designs, security measures, or certain staff details. These should be identified and appropriately protected.
(Note: data supporting the operation of essential functions must be identified in accordance with Principle A3 Asset Management. Important data to protect may include operational data, network traffic, configurations, as well as data that could provide an insight or advantage to an attacker, such as network and information system designs)
Networks and information systems should be designed to protect important data, for example:
protecting the confidentiality of sensitive data by minimizing the number of copies of data and the detail these include, and by retaining operationally sensitive data on segregated systems (this includes design documentation)
removing functionality that could allow greater access than has been authorized
protecting the integrity of data essential to the operation of the function by providing a read-only copy (e.g. through a DMZ) for non-essential business system consumption
only deploying well-tested cryptographic suites in common use by your chosen software stack
protecting availability through resilience measures such as multiple network paths and tested automatic backup systems
consider suitable means to retain access to essential information in the event of an incident. For example network diagrams needed for restoration, safety-critical information or essential forecasting data
Consider applying the BCSF principles of protecting bulk personal data to data supporting the operation of essential functions.
Data in transit may be at risk of attacks such as interception, traffic replay, manipulation or jamming. VPNs are one of the most common and effective cryptographic methods used to assure the confidentiality and integrity of data transmitted over an untrusted network, such as remote access or between two sites.
TLS is often used to protect external data connections such as web browser traffic and IPSec is a well-known encryption technology for individual communication links. Where cryptography is deployed to protect communication links, you should protect cryptographic material such as certificates and keys from external or unauthorized access.
Alternative communications links or network paths are recommended for critical data paths.
For cloud services, see our guidance on protecting data in transit.
Wherever data is stored, even temporarily, it may be vulnerable to unauthorized access, tampering or deletion.
You should identify where data supporting the operation of essential functions is stored, including:
exports from core operational systems to other business systems
on mobile devices
removable media
in temporary caches
in systems used for remote access.
You should reduce these unauthorized access, tampering and deletion risks to stored data by limiting the quantity and detail of data held to the minimum necessary for business purposes, especially on devices and media that are more vulnerable to unauthorized access or that could be stolen.
Where dedicated systems and removable media are used, the storage devices can be hardware or software encrypted. You should take suitable measures to physically protect devices and media containing data supporting the operation of essential functions.
Backups remain an essential part of resilience measures and should be appropriately secured.
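To make concrete the "ability to detect data integrity failures" called for above in connection with isolated backups, here is an added example (written for this page, not code from BCSF or any referenced standard). It records a SHA-256 manifest of a backup tree, seals the manifest with an HMAC so that the manifest itself cannot be silently rewritten to match altered files, and on verification reports files that were modified, removed or planted. The directory layout, file contents and key are constructed for the demonstration; in practice the key and a copy of the sealed manifest would be held apart from the backup media, for example offline.

```python
import hashlib
import hmac
import json
import os
import tempfile

def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest

def seal_manifest(manifest, key):
    """HMAC over the canonical manifest. The key must live apart from the backup media,
    otherwise whoever alters the backup can simply regenerate a matching manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def verify_backup(root, manifest, seal, key):
    """Check the seal first, then compare the tree under root against the manifest."""
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        # Cannot trust the manifest, so file-level comparison would be meaningless.
        return {"manifest_tampered": True, "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root)
    return {
        "manifest_tampered": False,
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed scenario: seal a small backup, then simulate corruption and a forged manifest."""
    key = b"constructed-demo-key-hold-offline"  # placeholder; a real key would be generated and stored offline
    sample_files = {
        "config/net.yaml": b"vlan: 10\n",
        "db.sql": b"CREATE TABLE t (id INT);\n",
        "notes.txt": b"restore order: db first\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        for rel, data in sample_files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        seal = seal_manifest(manifest, key)
        clean = verify_backup(root, manifest, seal, key)

        # Simulate silent damage: one file altered, one removed, one planted.
        with open(os.path.join(root, "db.sql"), "ab") as f:
            f.write(b"DROP TABLE t;\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"\x00")
        damaged = verify_backup(root, manifest, seal, key)

        # Simulate a manifest regenerated to match the damaged tree: the seal, computed
        # with the offline key over the original manifest, no longer matches.
        forged = verify_backup(root, build_manifest(root), seal, key)
    return clean, damaged, forged

if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "forged manifest"), demo()):
        print(label, result)
```

Hashing alone answers "has this file changed since the backup was taken"; the seal answers the harder question of whether the record you are checking against is still the one you wrote, which is what the offline copy of the key buys you.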
For cloud services, refer to BCSF cloud security principle 2 on asset protection and resilience.
Mobile devices may be used by an organization responsible for essential functions, a partner or third-party supplier. Whether owned and managed by the responsible organization or not, these devices are likely to contain business data. Potentially, data important to the operation of the essential function could be on these devices.
Well-configured and managed, business-owned, devices are preferred to personal or external organization equipment: refer to the BCSF End User Device Security Collection for security principles and platform-specific guidance.
It may be possible to gain sufficient assurance that a partner or supplier applies security controls to the same rigor (or better).
In addition to good mobile device management, ensure that mobile devices accessing data supporting service delivery are well monitored.
Data important to the operation of the essential function is likely to be found on network and information system media and operational equipment, including IT and operational technology (OT) assets. Service management systems, along with network and mobile devices are familiar targets for secure sanitization. Some organizations responsible for essential functions may also need to consider the data stored on defunct OT and safety systems.
Protecting critical network and information systems and technology from cyber attack.
Network and information systems and technology critical for the operation of essential functions are protected from cyber attack. An organizational understanding of risk to essential functions informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.
There is a range of protective security measures that an organization can use to minimize the opportunities for an attacker to compromise the security of networks and information systems supporting essential functions. Not all such measures will necessarily be applicable in all circumstances – each organization should determine and implement the protective security measures that are most effective in limiting those opportunities for attackers associated with the greatest risks to essential functions.
Opportunities for attackers to compromise networks and information systems, also known as vulnerabilities, arise through flaws, features and user error. Organizations should ensure that all three types of vulnerability are considered when selecting and implementing protective security measures.
Organizations should protect networks and information systems from attacks that seek to exploit software vulnerabilities (flaws in software). For example, software should be supported and up-to-date with security patches applied. Where this is not possible, other security measures should be in place to fully mitigate the software vulnerability risk.
Limiting functionality (e.g. disabling services that are not required) and careful configuration will contribute to managing potential vulnerabilities arising from features in hardware and software.
Some common user errors, such as leaving an organization-issued laptop unattended in a public place, inadvertently revealing security-related information to an attacker (possibly as a result of social engineering) etc. can provide opportunities for attackers. Staff training and awareness on cyber security should be designed to minimize such occurrences (see B.6 Staff Training & Awareness).
The majority of cyber security incidents can be traced to common cyber attack vectors. The opportunity for successful attack can be minimized by managing the known vulnerabilities which these attacks exploit. Many opportunities for user error can be reduced by technical means.
Attempts to circumvent the measures described below should be detected by security monitoring. Together with data security and resilience measures, the impact of any attempts to circumvent security on the operation of the essential function should be limited.
You should design the systems and networks operating or supporting the operation of essential functions to make compromise difficult, avoid disruption and reduce the impact of compromise. Where the design also makes compromise easy to detect, this will help achieve effective monitoring.
Stronger security architectures usually include:
the most critical services and systems segregated into a higher security zone. This corresponds with the concept of zones and conduits described in the IEC 62443 reference model.
at boundaries with higher security zones where it’s necessary to import and trust data from a lower security zone, where possible:
in a DMZ convert the data into the simplest appropriate alternate protocol, to create a “break” that makes protocol based attacks more difficult;
perform validation of both message format and content.
where messaging received from outside the organization is used to control the essential function (e.g. customer or supplier system messages or critical telemetry), prefer a simple messaging format that can be validated and authenticated, or consider additional monitoring.
reduced attack surface by limiting software, network data flows, system access, etc. to only those essential and necessary
secured platform by default, with a system design that enables application of system updates without interrupting business, wherever possible
a separate management layer, preferably using dedicated equipment and a separate network
resilience and recovery features
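As an added illustration of the boundary controls above (validate format and content, and prefer a simple, authenticated message format where external messages control the essential function), the following example is not part of BCSF; it assumes a hypothetical five-field, pipe-separated telemetry line carrying an HMAC-SHA256 tag, and a demo key that a real deployment would keep in a key store:

```python
import hashlib
import hmac
import re

# Hypothetical shared key for the demo only; a real deployment holds this in a key store.
SHARED_KEY = b"constructed-demo-key-not-for-production"
SENSOR_ID_RE = re.compile(r"[A-Z]{2}-[0-9]{3}")
MAX_MESSAGE_LEN = 128


class MessageRejected(ValueError):
    """Raised for any message the boundary must not pass on to the essential function."""


def build_telemetry(sensor_id, unix_ts, reading, key=SHARED_KEY):
    """Sender side: frame the fields and append an HMAC-SHA256 tag over them."""
    body = f"TELEMETRY|{sensor_id}|{unix_ts}|{reading}".encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode("ascii")


def parse_telemetry(raw, key=SHARED_KEY):
    """Receiver side: format check, then authenticate, then validate content."""
    # 1. Format: bounded length, ASCII only, exactly five '|' separated fields.
    if len(raw) > MAX_MESSAGE_LEN:
        raise MessageRejected("message too long")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise MessageRejected("non-ASCII content")
    fields = text.split("|")
    if len(fields) != 5 or fields[0] != "TELEMETRY":
        raise MessageRejected("bad framing")
    _, sensor_id, ts, reading, tag = fields

    # 2. Authenticate before interpreting anything: recompute the tag over the
    #    first four fields and compare in constant time.
    body = "|".join(fields[:4]).encode("ascii")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise MessageRejected("authentication failed")

    # 3. Content: every field must fit what the receiving function can accept.
    if not SENSOR_ID_RE.fullmatch(sensor_id):
        raise MessageRejected("bad sensor id")
    if not ts.isdigit() or not 1_600_000_000 <= int(ts) <= 4_000_000_000:
        raise MessageRejected("timestamp out of range")
    try:
        value = float(reading)
    except ValueError:
        raise MessageRejected("reading not numeric")
    if not -50.0 <= value <= 150.0:  # the comparison also rejects nan and inf
        raise MessageRejected("reading outside plausible range")
    return {"sensor_id": sensor_id, "ts": int(ts), "reading": value}


def classify(raw, key=SHARED_KEY):
    """Return 'accepted' or the rejection reason, suitable for boundary logging."""
    try:
        parse_telemetry(raw, key)
        return "accepted"
    except MessageRejected as exc:
        return str(exc)
```

Authentication runs before content parsing so that only messages from a holder of the key reach the more involved checks, and the content checks then enforce what the receiving function can safely accept.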
Well-configured networks and information systems reduce unauthorized access to technologies and simplify security management across hardware, firmware, software and configuration data. This should include:
A baseline build (also known as a “gold build”) is recommended to apply a well-understood, consistent and secured platform across the organization, and can also apply system hardening techniques to minimize the attack surface. Gold build images should be appropriately protected from interference and be available for use in the event of system recovery.
Configuration management policies or software should be used to ensure that only permitted software is installed and authorized devices, e.g. mobile devices and removable media, are permitted to connect. An asset management inventory could be used to manage authorized devices.
In addition to the gold build and permitted software installed, maintain a record of the current “known good” configuration (including, for example, patch levels, OT ladder logic) and the resources, such as patch and configuration files, required to create this environment. It should be possible to revert or rebuild to this known good baseline.
Systems, software or devices that are not actively supported by the developers should be identified, with appropriate additional security measures in place until they can be retired and removed.
Users should not be able to change settings affecting the security of the service.
Network devices should be configured to limit access to the minimum required for business operation. It may also be possible to apply standardized network device builds.
Some organizations responsible for essential functions may use automated decision making technologies, for example safety systems or machine learning in smart transport technologies. Where such automated decision making has the ability to affect an essential function, it must be possible to understand the data, process and thresholds used to make automated decisions so that it can be reproduced, audited and malicious changes detected.
For decisions based on pre-determined, unchanging behavior this would entail knowing the exact hardware, firmware, software, and configuration of individual systems (this may be achieved with detailed configuration and asset management) and monitoring for any unplanned changes.
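One way to monitor for unplanned changes against the “known good” record described above, written here as an added example rather than BCSF material; the paths, patch level, service names and file contents are constructed, and the observed state is assumed to be gathered by whatever configuration management tooling the organization uses:

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed approved contents from which the known-good record is derived
# (hypothetical paths and contents, including a placeholder OT ladder logic file).
APPROVED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/plc/line1/ladder.l5x": b"<RSLogix5000Content SchemaRevision=\"1.0\"/>\n",
}

# The record kept alongside the gold build: patch level, permitted services,
# and a hash of every configuration file rather than the file itself.
KNOWN_GOOD = {
    "patch_level": "2024-05",
    "services": {"sshd", "ntpd"},
    "files": {path: sha256_hex(data) for path, data in APPROVED_FILES.items()},
}


def detect_drift(baseline, observed):
    """Compare an observed system state with the known-good record.

    observed = {"patch_level": str, "services": set of str, "files": {path: bytes}}
    Returns a list of human-readable findings; an empty list means no drift.
    """
    findings = []
    if observed["patch_level"] != baseline["patch_level"]:
        findings.append(
            f"patch level {observed['patch_level']} differs from baseline {baseline['patch_level']}"
        )
    for svc in sorted(observed["services"] - baseline["services"]):
        findings.append(f"unexpected service enabled: {svc}")
    for svc in sorted(baseline["services"] - observed["services"]):
        findings.append(f"required service missing: {svc}")
    for path, expected_hash in baseline["files"].items():
        if path not in observed["files"]:
            findings.append(f"baseline file missing: {path}")
        elif sha256_hex(observed["files"][path]) != expected_hash:
            findings.append(f"file differs from known good: {path}")
    for path in sorted(set(observed["files"]) - set(baseline["files"])):
        findings.append(f"file not in baseline: {path}")
    return findings


def observed_state_ok():
    """Constructed state that matches the baseline exactly."""
    return {"patch_level": "2024-05", "services": {"sshd", "ntpd"},
            "files": dict(APPROVED_FILES)}


def observed_state_drifted():
    """Constructed state: root login re-enabled, telnet started, patch level behind."""
    files = dict(APPROVED_FILES)
    files["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    return {"patch_level": "2024-03", "services": {"sshd", "ntpd", "telnetd"}, "files": files}
```

Any non-empty result is a candidate for investigation or for reverting to the known-good baseline, which is the recovery path the text asks for.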
Where systems use some element of machine learning, the decision making process changes over time. The model used should be auditable, so that malicious changes can be detected. This should identify cases where changes have been made directly, or where malicious or misleading data has been used for learning.
Routine system management should support and maintain security. Technical documentation of the networks and information systems should be up to date.
Access to the essential function’s facilities and systems should be managed and monitored to restrict to authorized personnel, in line with guidance in B2 Identity and Access Control.
As described in B2 Identity and Access Control Privileged User Management, technical means for access should separate essential functions from other activities, for example using dedicated separate systems or sandboxed email and Internet access.
Further protection from physical interference can be afforded through tamper protection, such as port locks and tamper evident tape. Such physical tamper protections should be regularly checked.
Flaws, features and user errors that impact the security of the essential function may be known to the organization, or not yet discovered. System design, configuration and system management can reduce the likelihood of a vulnerability being accessed or exploited. New vulnerabilities need to be managed to maintain network and system security.
Effective risk management should ensure that appropriate measures are taken to maintain awareness of and address known vulnerabilities. The organization endeavors to detect when changes to internally managed settings and configurations introduce vulnerabilities.
The latest mitigated vulnerabilities are often published by vendors, some providing automatic update functionality. Other vulnerabilities can be discovered through threat intelligence sources.
You should prevent the exploitation of known vulnerabilities in networks and information systems supporting essential functions. Many of the most effective methods are well-known, including:
removing vulnerabilities by maintaining systems to the latest patch level and only applying authentic, vendor-sourced and validated updates.
removing access to vulnerabilities by segregation, or ensuring the vulnerable system only receives trusted data.
preventing, detecting and removing malware or unauthorized software.
verification of imported data and software. Where possible this should be automatic.
regular vulnerability and security assessments, e.g. penetration tests and vulnerability scans. BCSF guidance on penetration testing provides further detail. Operators should carefully consider their approach to the testing of live Operational Technology, as system operation or availability could be affected. Assurance could be gained without this additional risk by testing against non-operational environments or by testing individual components in a laboratory environment.
software that the essential function relies upon should be in active support, so vulnerabilities will be patched. You should provide additional protection where obsolete platforms cannot be easily replaced.
Section References
BCSF Obsolete platforms security guidance
ISO/IEC 27002
Building resilience against cyber attack.
The organization builds resilience against cyber attack into the design, implementation, operation and management of systems that support the operation of essential functions.
The essential functions performed by an organization should be resilient to cyber attack. Building upon B.4 (the technical protection of systems), organizations should ensure that not only is technology well built and maintained, but consideration is also given to how operation of the essential function can continue in the event of technology failure or compromise. In addition to technical means, this might include additional contingency capability such as manual processes to ensure functions can continue.
Organizations should ensure that systems are well maintained and administered through life. The devices and interfaces that are used for administration are frequently targeted, so should be well protected. Spear phishing remains a common method used to compromise accounts with privileged access. Preventing the use of these accounts for routine activities such as email and web browsing significantly limits the ability for a hacker to compromise them.
It’s important to be prepared to respond to significant disruption by having business continuity and disaster recovery planning in place. This should include a definition of your most critical resources and an understanding of the order of actions needed to restore service. Test that these plans work, for example through manually triggering failover testing, carrying out table-top scenario walk-throughs or red-teaming. You should be ready to adjust the security measures in place in response to changes in risk. For example, if threat intelligence indicates an increased likelihood of your organization or sector being targeted you may decide to isolate operational networks until the threat has decreased. Alternatively, in the event of public disclosure of an unpatched vulnerability in equipment that you use, with reported use of exploits targeting the vulnerability, you may respond by elevating your protective monitoring, changing your configuration to avoid being susceptible, or taking other mitigating action in the period until a patch is made available and can be deployed.
You should reduce the likelihood of failure or attack by taking all reasonable measures to maintain networks, information systems and necessary technologies in good working order. Exceptions should be appropriately managed.
In the event of an incident, it is more likely that an essential function will be able to continue where the networks and information systems that support it are segregated from other business and external systems. Separation of system architecture, remote access and privileged access are some key principles that can protect more critical systems from external compromise.
Some sectors responsible for the operation of essential functions may apply the industrial automation and control system security standard IEC 62443, which applies a reference model that separates systems into different logical layers. The standard’s architecture model segregates equipment into security zones.
Limitations of networks and information systems, or external services or resources, such as network bandwidth, processing capability, or data storage capacity, should be understood and managed with suitable mitigations to avoid disruption through resource overload.
Make appropriate use of diverse technologies, geographic locations and so on, to provide resilience. You should understand and manage external or lower-priority dependencies to ensure that alternative means are suitable for continuation of the essential function.
In the event of an adverse event, you should be able to revert to backups of hardware and data that are known to be functioning and accessible. Organizations should maintain secured offline, potentially off-site, backups of the operational data, equipment configurations, gold builds, etc. needed to recover from an extreme event.
Suitable alternative backups may include paper-based information and manual processes. Other essential backups may include personnel with appropriate knowledge and access to up-to-date documentation. Consider how to make it easy to recover following an incident or compromise.
Appropriately supporting staff to ensure they make a positive contribution to the cyber security of essential functions.
Staff have appropriate awareness, knowledge and skills to carry out their organizational roles effectively in relation to the security of network and information systems supporting the operation of essential functions.
Staff are central to any organization’s ability to operate securely. Therefore, organizations responsible for essential functions should ensure that their employees have the information, knowledge, and skills they need to support the security of networks and information systems.
To be effective any security awareness and training program needs to recognize and be tailored to reflect the way people really work with security in an organization, as part of creating a positive security culture.
The people who operate and support essential functions should be provided with all they need to carry out their job while supporting the organization’s cyber security. In line with the design of service protection policies and processes, you should apply the same people-focussed approach to staff awareness and training.
Training and awareness activities should provide appropriate cyber security skills for the job role based on an understanding of how people really work with the systems, with ongoing reminders and top-up training to maintain skills.
Using a range of approaches to training and awareness can improve understanding and information retention, from briefings, online courses and blogs to simulated cyber attack. You may achieve the widest uptake of training and awareness by accommodating different learning preferences and using various delivery methods. Organizations may find the GCHQ certified training scheme useful when considering commercial offerings.
Organizations responsible for essential functions should aim to create a positive security culture, where people are aware of their role in maintaining security and actively take part and contribute to improving security. This is particularly important where a technical solution is not possible, so security relies on people making the right cyber security decisions. Developing a positive security culture is likely to take some time, with some changes possibly taking years to become established, and is unlikely to be achieved simply through written guidance or training events.
These outcomes are best achieved when organizations actively engage with staff and communicate effectively with them about network and information system security and how it relates to their jobs. This should be more easily achieved where organizations create and promote a long-term security culture vision that is endorsed and supported by senior management, then make incremental, focused changes to address specific business issues. In some cases, particularly where an essential function is safety-related, an organization may be able to draw on activities supporting positive safety culture to build up the organization’s cyber security culture.
Monitoring to detect potential security problems and track the effectiveness of existing security measures.
The organization monitors the security status of the networks and systems supporting the essential functions in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.
An effective monitoring strategy is required so that actual or attempted security breaches are discovered and there are appropriate processes in place to respond. Good monitoring is more than simply the collection of logs. It is also the use of appropriate tools and skilled analysis to identify indicators of compromise in a timely manner so that corrective action can be taken.
This principle also indicates the need to provide effective and ongoing operational security. As time goes on, new vulnerabilities are discovered, support arrangements for software and services change and functional needs and uses for technology change. Security is a continuous activity and the effectiveness of the security measures in place should be reviewed and maintained throughout the delivery and operational lifecycle of a system or service.
One clear focus of your security monitoring should be the detection of incidents or activity that could have an adverse impact on the operation of essential functions and the network assets and systems that underpin them. Log and network data collection, analysis tools and threat intelligence should prioritize these assets and systems.
An organization’s monitoring capability should be able to find known threats on their network, for example detecting when known command and control traffic is communicating to the Internet, or an AV signature is present in a file. Organizations should endeavour to understand what automated tools do and how best to use them, in order to ensure they are getting value for money from them.
While this guidance focuses on detection of known threats, organizations should also have the capability to find previously unknown threats, by looking for indicators of attack combined with local system knowledge and sector threat information. See C2 Proactive Security Event Discovery for guidance on detection of previously unknown threats.
Having the correct visibility of your systems is critical to detect potentially malicious activities. It is possible to detect cyber-attacks at an early stage by collecting and aggregating the following non-exhaustive list of log sources and then comparing them against known indicators of compromise:
Web site traffic going to the Internet. As a minimum this should include domain names and URL’s, but if possible, stretch to the full HTTP header information. This is because the initial infection and persistent connections are often made through HTTP(S) traffic and could appear to come from user devices (most likely) or servers. HTTP headers often provide clues to malicious activity.
Email traffic. As a minimum, the metadata about what is sent and received, but if it is possible to capture both headers and contents then consider doing so. Phishing attacks, delivered over email, often tempt the user to click links, so getting visibility of these links in combination with web traffic helps detection and subsequent analysis.
IP connections between your network and the Internet. It is useful to capture 5-tuple metadata of accepted connections on the edge of your network. This would show any raw connections coming out of your network, such as HTTP traffic not going through a proxy server or direct malware command and control.
IP connections between zones in OT (Operational Technology) networks. As a minimum, capturing 5-tuple metadata from critical OT zone boundaries such as the IT/OT interface is important. This IP traffic is likely to contain evidence of an attacker’s actions against cyber-physical systems and so detection strategies should be in place to identify the indicators of a compromise of OT systems.
Host-based activity. A host-based monitoring system can detect unauthorized activity on computer systems themselves (e.g. unusual or unauthorized activity by software systems), which might evade detection systems focused on network interfaces.
Your log collection should capture staff use of corporate systems, both regular users and system administrators, at the application and operating system layers. This helps to identify suspicious user behavior for either an attacker or insider.
Duration and level of logging is a corporate choice, balancing storage cost with ability to retrospectively query data during (and after) an incident. Consider any legal data protection laws you may need to adhere to on the collected information, for example if collecting personal data in logs.
The audit and log information should be held in a database with access controls that limit access to monitoring analysts, and is isolated from other corporate trust domains. This is important as it will prevent an attacker from deleting or modifying logs.
Your organization’s asset management processes should ensure knowledge of network assets is sufficiently detailed and accurate to quickly and efficiently trace observed events to their sources.
For more detail on how your organization should approach security logging, see the BCSF’s Introduction to logging for security purposes.
The collected logs should be compared against Indicators of Compromise (from threat intelligence sources) to detect known threats.
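The comparison of collected logs against Indicators of Compromise, shown as an added example over three of the log sources listed above (web proxy, edge 5-tuple connections and email metadata). This is not BCSF code; the log formats are constructed, and the indicators are placeholders (a reserved documentation IP address, an `.invalid` domain and the SHA-256 of an empty file) standing in for a real threat intelligence feed:

```python
import re

# Constructed threat-intelligence indicators (placeholders, not real IoCs).
IOC_DOMAINS = {"update-check.example.invalid"}
IOC_IPS = {"203.0.113.45"}
IOC_HASHES = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

# Constructed log lines in three of the source types the text lists.
PROXY_LOGS = [
    "2024-06-01T09:12:03Z 10.0.0.21 GET https://www.example.com/index.html 200",
    "2024-06-01T09:12:10Z 10.0.0.21 GET https://update-check.example.invalid/b.php 200",
]
EDGE_LOGS = [
    "2024-06-01T09:13:00Z ACCEPT tcp 10.0.0.21:51234 -> 203.0.113.45:443",
    "2024-06-01T09:13:05Z ACCEPT udp 10.0.0.5:123 -> 198.51.100.7:123",
]
MAIL_LOGS = [
    "2024-06-01T08:55:41Z from=vendor@example.com to=ops@corp.example "
    "attachment=invoice.pdf sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-06-01T08:57:02Z from=hr@corp.example to=all@corp.example attachment=none sha256=none",
]

# Hypothetical line formats: timestamp, client, method, URL, status / timestamp,
# verdict, protocol, src:port -> dst:port / key=value mail metadata.
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
EDGE_RE = re.compile(r"^(\S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
MAIL_SHA_RE = re.compile(r"sha256=([0-9a-f]{64})")


def host_of(url):
    """Extract the lowercase hostname from a URL (no scheme, port or path)."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def match_proxy(line):
    m = PROXY_RE.match(line)
    if not m:
        return None
    host = host_of(m.group(4))
    return {"source": "proxy", "indicator": host, "line": line} if host in IOC_DOMAINS else None


def match_edge(line):
    m = EDGE_RE.match(line)
    if not m:
        return None
    dst = m.group(6)
    return {"source": "edge", "indicator": dst, "line": line} if dst in IOC_IPS else None


def match_mail(line):
    m = MAIL_SHA_RE.search(line)
    if not m or m.group(1) not in IOC_HASHES:
        return None
    return {"source": "mail", "indicator": m.group(1), "line": line}


def scan(proxy_logs=PROXY_LOGS, edge_logs=EDGE_LOGS, mail_logs=MAIL_LOGS):
    """Run every source through its matcher and return the hits in source order."""
    hits = []
    for matcher, logs in ((match_proxy, proxy_logs), (match_edge, edge_logs), (match_mail, mail_logs)):
        hits.extend(hit for hit in map(matcher, logs) if hit)
    return hits
```

Each hit keeps the original line so an analyst can pivot from the indicator back to the asset named in the log, which is where the asset inventory described above comes in.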
You should choose appropriate tools to help analyze and correlate differently structured and normalized network datasets, to identify and investigate events of interest. These tools should be chosen to optimally scale to and use the types of network and logging data you expect to analyze and the workflows you have designed to analyze, triage and investigate security events. Your staff should receive the appropriate training to use these tools.
Consider the flexibility of the tools used, as you do not want to preclude your analysts from proactively finding unknown threats (as described in C2). Avoid purchasing black box tools that do not allow flexible querying, or provide results without showing the corresponding rationale.
This is a key requirement for any security monitoring capability and can come in many formats, volumes and quality. Threat intelligence can be collected from open discussion forums, trusted relationships, paid-for contracts with threat intelligence companies or even generated internally.
Threat intelligence can be either automated feeds that describe Indicators of Compromise (e.g. hashes of known nefarious files or lists of IP addresses) or more descriptive human readable reports documenting indicators of attacks or reporting on a type of malware. You should consume both types of threat intelligence appropriately.
We would recommend that when choosing automated threat intelligence feeds, favour quality over quantity (false positives can be costly for analyst time) and ensure the feeds can be automatically ingested by your chosen analysis platform.
Your operational monitoring teams should comprise roles and responsibilities that cover both security and performance related monitoring. Combining these functions can help bring greater business benefit and multi-purpose use of the same datasets.
The size and structure of these teams will vary between organizations, but should usually include people who know the network, its hardware and software and the types of data that they process and produce. The team should also include investigators, who can work with threat intelligence to identify, investigate and triage security events and managers who understand the organization’s business and are able to assess the significance of security events in terms of their potential to cause harm, such as disrupting operations or leaking sensitive corporate or personal data.
Your monitoring capability should work seamlessly with Incident Management (see Objective D), knowing when and how to alert on or escalate events and how to share the right sort of information with incident managers. Monitoring and Incident Management may even comprise some of the same staff, working as part of a Security Operations Centre (see BCSF guidance - SOC Buyer’s Guide).
Your monitoring strategy and capability should evolve with your business requirements, networks and systems. That is, as the system develops (e.g. new systems, networks or software versions), the monitoring capability is updated in order to ensure that all essential functions and related assets are covered. Your capabilities should also evolve to keep up with changes in the threats you need to mitigate.
Your tools should be configurable and adjustable to handle new datasets and your monitoring staff should be able to work with these changes. New IT systems should be designed to produce logging data that allows the appropriate level of monitoring, before they are made operational.
Section References
Continuous Security Monitoring
NIST Guide to Intrusion Detection and Intrusion Prevention Systems
ISO 27002 / 27019
Detecting anomalous events in relevant network and information systems.
The organization detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature based security prevent/detect solutions (or when standard solutions are not deployable).
Some cyber attackers will go to great lengths to avoid detection via standard security monitoring tools such as anti-virus software, or signature-based intrusion detection systems, which give a direct indication of compromise.
Other, less direct, security event indicators may provide additional opportunities for detecting attacks that could result in an adverse impact on essential functions.
Examples of less direct indicators could include the following:
Deviations from normal interaction with systems (e.g. user activity outside normal working hours).
Unusual patterns of network traffic (e.g. unexpectedly high traffic volumes, or traffic of an unexpected type, etc.).
‘Tell-tale’ signs of attack, such as attempts to laterally move across networks, or running privilege escalation software.
The retrieval of large numbers of essential function design documents.
It is not possible to give a generic list of suitable indicators since their usefulness in detecting malicious activity will vary considerably, depending on how a typical attacker’s actions might reveal themselves in relation to the normal operation of an organization’s networks and information systems. Opportunities for exploiting these less direct security event indicators to improve network and information system security should be proactively investigated, assessed and implemented when feasible e.g. technically possible, cost effective etc.
Successful attack detection by means of less direct security event indicators may depend on identifying combinations of network events that match likely attacker behavior, and will therefore require an analysis and assessment capability to determine the security significance of detected events.
Wherever possible, network and information systems supporting the operation of essential functions should be designed with proactive security event discovery in mind.
Proactive security event discovery is more difficult than standard security monitoring because it looks beyond the known or prescriptive threat signatures and indicators described in C1. Security Monitoring.
The aim is to build on what is known of past attacks to hypothesize what new or previously unseen intrusions might look like in essential functions environments. As such, this heuristic sort of monitoring should not be prioritized unless standard monitoring (see Principle C1) is already effective, or is not possible or practicable for some reason. It requires more experienced knowledge of network and system behavior and of the general characteristics that a malicious intrusion might exhibit. This sort of proactive monitoring or threat discovery would normally involve:
Designing your own alerts or trip-wires, using experience or reasoning of what an intrusion might do, rather than specifically around what past attacks have done
A good understanding of normal system behavior (e.g. what software is authorized and how it would normally behave, how user accounts normally access network resources or how network components connect to each other and transfer data)
A good understanding of the ways that different types of anomaly might signify a malicious intrusion, based on a comprehensive and advanced understanding of threat intelligence
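The less direct indicators listed earlier (activity outside normal working hours, unexpectedly high traffic volumes) depend on a recorded baseline of normal behaviour, as the list above says. The following added example, which is not BCSF code, builds a small baseline from constructed per-user history and flags deviations from it; the working-hours window and the thresholds are assumptions an organization would tune to its own systems:

```python
from datetime import datetime
from statistics import mean, pstdev

WORKING_HOURS = (7, 19)  # assumption: 07:00-18:59 local on weekdays is normal

# Constructed history: bytes transferred per user on each of five normal working days.
BASELINE_DAILY_BYTES = {
    "alice": [120e6, 140e6, 110e6, 130e6, 125e6],
    "bob": [60e6, 55e6, 70e6, 65e6, 58e6],
}
# Constructed observations for the day under review.
TODAY_BYTES = {"alice": 135e6, "bob": 2.4e9}
TODAY_LOGINS = [
    ("alice", "2024-06-04T08:15:00"),
    ("bob", "2024-06-04T09:02:00"),
    ("alice", "2024-06-04T02:40:00"),  # 02:40 on a Tuesday
    ("bob", "2024-06-08T10:30:00"),    # a Saturday
]


def out_of_hours_logins(logins, hours=WORKING_HOURS):
    """Return (user, timestamp) pairs that fall outside the normal working window."""
    start, end = hours
    flagged = []
    for user, stamp in logins:
        when = datetime.fromisoformat(stamp)
        if when.weekday() >= 5 or not start <= when.hour < end:
            flagged.append((user, stamp))
    return flagged


def volume_anomalies(history, today, sigma=3.0, min_ratio=2.0):
    """Flag users whose volume is both statistically and materially above their norm.

    The ratio floor stops a user with a very stable baseline (tiny standard
    deviation) from being flagged for a small, operationally meaningless increase.
    """
    flagged = {}
    for user, observed in today.items():
        past = history.get(user)
        if not past:
            flagged[user] = "no baseline"  # unknown user: cannot assess, so surface it
            continue
        mu, sd = mean(past), pstdev(past)
        if observed > mu + sigma * sd and observed > min_ratio * mu:
            flagged[user] = f"{observed / mu:.1f}x baseline"
    return flagged
```

Neither signal proves an intrusion on its own; the analysis and assessment step the text calls for is what turns a flagged deviation into a judged security event.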
The science of anomaly detection, which goes beyond using pre-defined or prescriptive pattern matching, is a challenging but growing area. Capabilities like machine learning are increasingly being shown to have applicability and potential in the field of intrusion detection. However, if they are not well designed and executed, these technologies can be expensive, difficult to implement and can produce high false-alarm rates. Organizations that want to use such tools should consult the BCSF’s guidance on Intelligent Security Tools.
Putting suitable incident management and mitigation processes in place.
There are well-defined and tested incident management processes in place, that aim to ensure continuity of essential functions in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also in place.
Incidents will invariably happen. When they do organizations should be prepared to deal with them, and as far as possible, have mechanisms in place that minimize the impact on the essential function.
The particular mechanisms required should be determined as part of the organization’s overall risk management approach. Examples might include things such as DDoS protection, protected power supply, critical system redundancy, rate-limiting access to data or service commands, critical data backup or manual fail-over processes.
Note: Some cyber-related regulations have mandatory reporting requirements around cyber security incidents that have the potential to affect essential functions. Organizations should make sure that they understand any mandatory incident reporting requirements that apply to them and include such requirements in their incident management planning.
Incident Management in Ten Steps is the most concise guidance here, but organizations should use other more detailed guidance as and when appropriate. Other authoritative guidance pieces are referenced below.
In addition to meeting the expectations of 10 Steps: Incident Management, you should ensure that your organization’s incident response plans are grounded in thorough and comprehensive risk assessments. Response plans should prioritize essential functions along with the assets and systems that are required to ensure their continued effective operation, such as operational technologies, or key datasets.
The business continuity implications of any compromise should also be taken into account and your cyber incident response plans should link to other business response functions. You should form a cyber response team that is capable of implementing the plan, with the appropriate skills, tools and reach into other parts of your organization, such as security monitoring and business continuity.
In practice, the incident response function should interoperate with the security monitoring function. It need not be a dedicated team, and some members may have roles unrelated to response. Collectively, the team should have knowledge of IT security, IT infrastructure and business management, any specialist technologies (e.g. operational technologies or datacenters), incident reporting requirements, and communications plans.
Your plan should cover all relevant potential incidents. It should be auditable and testable (via exercises) across a range of incident scenarios and should encompass all realistic descriptions of what might constitute an incident and its severity. Your test scenarios should draw on threat intelligence, past incidents, exercises and the ways in which security capabilities (e.g. security monitoring and alerting) would feature in your response options. Your scenarios should also consider incidents that involve suppliers and your wider supply chain (e.g. incidents arising through supplier relations, or relying on suppliers as part of your response).
These scenarios could include, but are not limited to:
malware infection
denial of service
hacker infiltration
an insider incident
an inability to view status of the network or operational system
emergency patching or antivirus signature roll-out
system backup and restore
confirmation of normal operations
Your plan should work seamlessly with other system management and security functions, such as security monitoring. Changes and improvements to response plans should reflect changes to these functions and vice versa, where appropriate.
Plans should articulate clear governance frameworks and roles with procedures for reporting to relevant internal or external stakeholders, such as regulators and competent authorities.
Your plan should also set out a comprehensive range of containment, eradication and recovery strategies, specifying how and when they should be used.
Your organization should be able to describe its own state of readiness, using any criteria or expected standards from regulators or competent authorities, or from your internal governance arrangements, where appropriate.
You should run exercises to test your ability to respond to incidents that could affect the operation of essential functions. These exercises should reflect past experience, red-teaming/scenario planning, or threat intelligence and should draw heavily on your risk assessment, considering all relevant assets and vulnerabilities, especially where they relate to essential functions.
Exercises should record lessons learned, covering governance, roles and internal communication, quality of network and security monitoring data, containment and recovery strategies, or any other factors relevant to their effectiveness. This should integrate with lessons learned activities (see D2 Lessons Learned).
In order to report coherently on incidents when required, your plan should set out reporting thresholds (i.e. what does and does not need to be reported), reporting standards (i.e. the level of detail that should be reported), and which authorities to report to.
More detailed guidance on developing an incident response plan, and the underlying capability to implement it, can be found in Section 2 of the NIST Computer Security Incident Handling Guide, Part 4 of CREST Cyber Security Incident Response Guide or the Prepare section of ISO 27035.
Your organization’s security monitoring function should be capable of alerting with enough detail for a response team to triage and determine the most appropriate response, which might be to investigate further, to take predetermined action, or to take no action. Eventualities not covered in the plan should be dealt with by risk-based decisions, taking account of factors like potential disruption, cost-effectiveness of response and the need for evidence preservation.
The resilience measures your organization has in place should support incident response (see B5 Resilient Networks and Systems).
Incidents should be reported to the appropriate internal and external authorities, in line with the relevant reporting thresholds and standards. The response team should be capable of prioritizing incidents, according to the potential consequences and possible adverse impact on essential functions, using risk-based methods. These events should be documented, including alerts provided, information passed and decisions taken.
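The triage flow described above (alert with enough detail to score it, one of three response options, prioritization by consequence to essential functions, comparison against reporting thresholds, and a documented decision) can be made concrete in code. The following is an added example and not part of BCSF or any of the referenced guides; every weight, category, essential function and threshold in it is a constructed assumption standing in for values a real plan would take from the organization's risk assessment and its regulators' reporting rules.

```python
"""Risk-based alert triage against reporting thresholds.

Added example, not part of BCSF. All weights and thresholds below are
constructed assumptions, not values from any standard.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Action(Enum):
    NO_ACTION = "take no action"
    PREDETERMINED = "take predetermined action"
    INVESTIGATE = "investigate further"


# Assumed impact weight of each essential function (1 = low, 5 = critical).
ESSENTIAL_FUNCTIONS = {
    "payment-processing": 5,
    "order-fulfilment": 4,
    "internal-wiki": 1,
}

# Assumed consequence weight per alert category. Unknown categories get a
# moderate default so that novel events are never silently dropped.
CATEGORY_SEVERITY = {
    "malware": 3,
    "denial-of-service": 4,
    "unauthorized-access": 5,
    "failed-login": 1,
}
UNKNOWN_CATEGORY_SEVERITY = 2

# Assumed reporting thresholds: reaching the value means the incident
# must be reported to that authority.
REPORTING_THRESHOLDS = {
    "internal-governance": 8,
    "regulator": 15,
}


@dataclass
class Alert:
    alert_id: str
    category: str
    affected_function: str
    confidence: float  # 0.0-1.0, as supplied by the monitoring function


@dataclass
class TriageRecord:
    """The documented decision: what was seen, what was decided, who is told."""
    alert_id: str
    priority: int
    action: Action
    report_to: list
    rationale: str
    decided_at: str


def priority_score(alert: Alert) -> int:
    """Consequence = category severity x essential-function impact, scaled
    by detection confidence. Rounded up so a borderline alert is never
    treated as less serious than its inputs suggest."""
    severity = CATEGORY_SEVERITY.get(alert.category, UNKNOWN_CATEGORY_SEVERITY)
    impact = ESSENTIAL_FUNCTIONS.get(alert.affected_function, 1)
    return math.ceil(severity * impact * alert.confidence)


def decide_action(alert: Alert, priority: int) -> Action:
    """Map priority to one of the three response options the plan allows."""
    if priority < 3:
        return Action.NO_ACTION
    # A predetermined playbook exists only for known categories, and only
    # below the level at which a person must look first.
    if alert.category in CATEGORY_SEVERITY and priority < 10:
        return Action.PREDETERMINED
    return Action.INVESTIGATE


def reporting_targets(priority: int) -> list:
    """Authorities whose reporting threshold this priority crosses."""
    return [auth for auth, threshold in REPORTING_THRESHOLDS.items()
            if priority >= threshold]


def triage(alert: Alert) -> TriageRecord:
    """Triage one alert and produce the record the plan requires."""
    priority = priority_score(alert)
    rationale = (f"{alert.category} on {alert.affected_function} "
                 f"(confidence {alert.confidence:.2f}) scored {priority}")
    return TriageRecord(
        alert_id=alert.alert_id,
        priority=priority,
        action=decide_action(alert, priority),
        report_to=reporting_targets(priority),
        rationale=rationale,
        decided_at=datetime.now(timezone.utc).isoformat(),
    )


if __name__ == "__main__":
    # Constructed sample alerts, not real events.
    for a in [Alert("A1", "unauthorized-access", "payment-processing", 0.8),
              Alert("A2", "failed-login", "internal-wiki", 0.5),
              Alert("A3", "malware", "order-fulfilment", 0.7),
              Alert("A4", "new-unclassified-event", "payment-processing", 1.0)]:
        rec = triage(a)
        print(rec.alert_id, rec.priority, rec.action.value, rec.report_to)
```

The point of the record type is the last sentence of the paragraph above: the alert, the score, the option chosen and who was notified are captured together at decision time, so a later review or regulator query can reconstruct why the team acted as it did. Note that an unrecognized category never maps to a predetermined action; it is always escalated to investigation.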
In addition to adhering to mandatory reporting requirements, organizations should seriously consider voluntarily reporting cyber security incidents to the BCSF, who may be able to provide situational awareness, drawing on incident reporting from other victims, as well as response and protective security advice. Assistance may also be sought from Cyber Incident Response (CIR) companies - see CIR scheme.
Further guidance is found in Section 3 of NIST Computer Security Incident Handling Guide, Part 5 of CREST Computer Security Incident Response Guide or Part 4 of ISO 27035.
Section References
NIST Computer Security Incident Handling Guide
Prepare section of ISO 27035
ENISA Good practice guide for incident management
Learning from incidents and implementing these lessons to improve the resilience of essential functions.
When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.
If an incident does occur, it is important your organization learns lessons as to why it happened and, where appropriate, takes steps to prevent the issue from reoccurring. The aim should be to address the root cause or to identify systemic problems, rather than to fix a very narrow issue. For example, to address the organization’s overall patch management process, rather than to just apply a single missing patch.
You should use all of the guidance points below to learn lessons and address shortfalls in:
your overall protective security (see Objectives A - C) and
your incident response plan (see Response and Recovery Planning).
Each incident or exercise should include assessment of root causes and any other factors that obstructed the required standard of recovery. You should consider what measures would need to be in place to prevent similar incidents in the future or to improve your response capabilities. This might mean improving the quality or timeliness of detection, or designing the system so that simpler or more effective actions can be taken more quickly, or introducing mitigations to reduce the likelihood of such incidents occurring.
Your organization should produce good quality reporting during incident response and exercising. Factors that affect the quality of reporting include information sharing, governance or processes, or clearly defined roles, responsibilities and training.
You should keep sufficiently detailed records to show how information was used to make decisions, so that the root causes of an incident can be identified and any shortfalls in response and preventive strategies can be assessed. These might include gaps in security monitoring, poor understanding of networks, insufficient business continuity planning, or inadequate internal communication.
These lessons should be clearly and comprehensively documented and fed into your protective security as well as your response plans. Further details can be found in Sections 3.1-2 of NIST Computer Security Incident Handling Guide, Part 5 of CREST Computer Security Incident Response Guide and parts 2-3 of ISO 27035.
You should use post-incident and post-exercise reviews to actively reduce the risks associated with the same, or similar, incidents happening in future.
Lessons learned can inform any aspect of your cyber security, including:
System configuration
Security monitoring and reporting
Investigation procedures
Containment/recovery strategies
Governance and communication around incident management
Lessons drawn from incidents or exercising should be shared with all relevant internal and external stakeholders, e.g. regulators and competent authorities, as and when required, but also with internal governance, who can approve new preventive/responsive measures, and with organizations such as BCSF, who can provide insight around incident trends.
Many incidents go undetected for long periods. You should consider your organization’s data retention policies, especially the retention period and quality of historical data (e.g. any data aggregation performed after a time may restrict investigation), in order to ensure that incidents detected several months after they occurred can still be analyzed adequately.
In determining adequate retention periods, you should consider how effective your monitoring capability is (i.e. how long might an incident go undetected), experience of past incidents and any examples available in threat intelligence. Ensure that, if an incident occurs, your organization would have sufficient data to perform the required level of post-incident analysis, learn lessons from the analysis, and report the right details to the right people (e.g. internal decision-makers or external regulators or competent authorities).
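The retention reasoning in the two paragraphs above (how long an incident might go undetected, judged from past incidents and threat intelligence, plus the time needed to analyze it, checked against a policy that aggregates data after a time) can be written down as a repeatable check. The following is an added example, not BCSF guidance or code from any referenced standard; the incident history, the threat-intelligence dwell figure, the 95th percentile and the 30-day analysis window are all constructed assumptions for illustration.

```python
"""Sizing log retention from detection latency.

Added example, not part of BCSF. The incident history, threat-intelligence
dwell figure and retention policy are constructed for illustration.
"""
import math
from dataclasses import dataclass
from datetime import date


@dataclass
class PastIncident:
    name: str
    occurred: date   # best estimate of when the compromise began
    detected: date


# Constructed incident history (not real incidents).
HISTORY = [
    PastIncident("phishing-2023-03", date(2023, 3, 1), date(2023, 3, 4)),
    PastIncident("webshell-2023-06", date(2023, 6, 10), date(2023, 6, 22)),
    PastIncident("vpn-creds-2023-09", date(2023, 9, 1), date(2023, 10, 16)),
    PastIncident("supplier-2024-01", date(2024, 1, 5), date(2024, 4, 4)),
    PastIncident("insider-2024-05", date(2024, 5, 1), date(2024, 11, 17)),
]


def dwell_days(incident: PastIncident) -> int:
    """Days the incident went undetected."""
    return (incident.detected - incident.occurred).days


def nearest_rank_percentile(values, pct: float):
    """Nearest-rank percentile: the smallest sample value at or below which
    pct of the sample lies. Deliberately conservative for small samples."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered)))
    return ordered[rank - 1]


def required_retention_days(incidents, threat_intel_dwell_days: int,
                            analysis_window_days: int = 30,
                            pct: float = 0.95) -> int:
    """Retention must cover the longest realistic undetected period (the
    worse of observed experience and threat intelligence) plus the time
    needed to analyze the incident once it has been detected."""
    observed = nearest_rank_percentile((dwell_days(i) for i in incidents), pct)
    return max(observed, threat_intel_dwell_days) + analysis_window_days


@dataclass
class RetentionPolicy:
    raw_days: int          # full-fidelity logs are kept this long
    aggregated_days: int   # after raw_days only summaries survive, until here


def assess_policy(policy: RetentionPolicy, required_days: int) -> dict:
    """Compare a policy with the requirement. A raw shortfall means an
    incident detected late enough has only aggregated data to investigate;
    an aggregated shortfall means it has no data at all."""
    return {
        "required_days": required_days,
        "raw_shortfall_days": max(0, required_days - policy.raw_days),
        "aggregated_shortfall_days": max(0, required_days - policy.aggregated_days),
    }


if __name__ == "__main__":
    need = required_retention_days(HISTORY, threat_intel_dwell_days=180)
    print(assess_policy(RetentionPolicy(raw_days=90, aggregated_days=365), need))
```

With the constructed history the observed 95th-percentile dwell is 200 days, which exceeds the assumed threat-intelligence figure of 180, so the requirement is 230 days; a policy keeping raw logs for 90 days and aggregates for a year leaves 140 days in which only aggregated data would be available for analysis. That is exactly the aggregation caveat the text raises, and the check makes it visible before an incident rather than after.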
Section References
Incident Management
Chapter 8 of ENISA Good Practice Incident Management Guide
ISO 27035:2016 - Principles of Incident Management
Section 3 NIST Computer Security Incident Handling Guide