The Importance of OT Threat Intelligence Within the Cyber Assessment Framework (CAF)

The Cyber Assessment Framework (CAF) was developed by the United Kingdom’s National Cyber Security Centre (NCSC) as part of a new programme aimed at improving government cybersecurity in the UK. The CAF cybersecurity principles define a set of top-level outcomes that, collectively, describe good cybersecurity for organisations performing essential functions. The CAF is intended to apply to UK Critical National Infrastructure (CNI), Operators of Essential Services (OES) and organisations subject to the Network and Information Systems (NIS) regulations. However, the principles and guidance can be used by any organisation of any size to improve its cybersecurity, in the UK as well as globally.

Cybersecurity Assessment Framework Principles and Guidance

OT Threat Intelligence in CAF

Threat intelligence is directly referenced several times in the CAF Principles and Guidance. There are also several CAF Principles that allude to the importance of intelligence, without directly mentioning it. Broadly speaking, to fully achieve all the requirements of the CAF, threat intelligence must be operationalised across tactical, operational, and strategic use cases, creating a more proactive security practice. Furthermore, the CAF specifically calls out the requirement for the use of “threat intelligence feeds based on your business needs and sector.”

The following table highlights several CAF principles and how OT and industrial control systems (ICS) threat intelligence can support these principles.

CAF principle: B5.a Resilience Preparation
Requirement: “Use your security awareness and threat intelligence sources, to make immediate and potentially temporary security changes in response to new threats.”
OT intelligence fulfilment:
  • Measure security controls based on emergent and active industrial cyber threats
  • Use Indicators of Compromise (IOCs) to spot early-stage adversary activity
  • Prioritise ICS vulnerabilities with refactored CVSS scores and alternative mitigations for OT

CAF principle: C1.d Identifying Security Incidents
Requirement: “You have selected threat intelligence feeds using risk-based and threat-informed decisions based on your business needs and sector.”
OT intelligence fulfilment:
  • Use industry-specific threat landscapes for cybersecurity planning and budgeting
  • Employ analyst services for tailored cyber threat intelligence applied to your business needs

CAF principle: C2.a System Abnormalities for Attack Detection
Requirement: “System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity.”
OT intelligence fulfilment:
  • Know how to spot threats with detailed technical analysis of ICS exploits and attacks
  • Detections are codified in the Dragos Platform for visibility and monitoring of ICS assets

CAF principle: C2.b Proactive Attack Discovery
Requirement: “You have justified confidence in the effectiveness of your searches for system abnormalities indicative of malicious activity.”
OT intelligence fulfilment:
  • Use OT adversary tactics, techniques, and procedures (TTPs) to conduct hypothesis-based hunts
  • Contextualised IOCs assist with investigating compromises across your networks

CAF principle: D1.c Testing and Exercising
Requirement: “Exercise scenarios are based on incidents experienced by your and other organisations or are composed using experience or threat intelligence.”
OT intelligence fulfilment:
  • Model your threats using knowledge of at-risk assets, exploited vulnerabilities, and OT impact
  • Plan readiness exercises based on OT threat group activity intent, capabilities, and infrastructure

Best Practices for OT Threat Intelligence

The following are best practices for assessing the quality of OT threat intelligence, and strategies for operationalising that intelligence once it has been assessed.

CART: Complete, Accurate, Relevant, Timely

Firstly, OT threat intelligence should have the following four qualities to be effective:

  • C – Complete: Threat intelligence must be sufficiently complete to provide effective detection and prevention and guide the organisation’s decision-making.
  • A – Accurate: Faulty intelligence leads to bad decisions. It should originate from a trusted source and be vetted by the receiving organisation.
  • R – Relevant: Threat intelligence must address a threat facing the organisation, in a method that allows for effective action.
  • T – Timely: Intelligence should be timely enough for the decision to make an impact when actioned.

Operationalisation

Secondly, OT threat intelligence should be operationalised across all major use cases, at the tactical, operational and strategic levels, to fulfil the requirements of the CAF.

Tactical Use Cases

SOC Analysts
  • Leverage reports to build and deploy use cases across defensive platforms
  • Integrate use cases and IOCs into SIEM/XDR and TIP tooling

Operational Use Cases

Threat Hunters
  • Leverage threat intelligence to engage in hunting across the OT network
  • Leverage reports to reconstruct probable attacks against the environment

Vulnerability Managers
  • Leverage reports and actor profiles to inform vulnerability remediation prioritisation
  • Use vulnerability advisories written in context for ICS/OT asset owners, containing tailored mitigation and remediation guidance

Incident Responders
  • Leverage reports and indicators with context to assist in incident response engagements

OT Network Architects
  • Leverage reports to better understand adversary capabilities, victimology, infrastructure and TTPs in order to construct a more defensible OT network

Strategic Use Cases

CISOs
  • Leverage reports to inform cybersecurity decision-making around policy, strategy and budget requests

CIOs/CTOs
  • Leverage reports to inform ICS/OT investments, architecture and implementation decisions

In Conclusion

Threat intelligence is an integral and requisite part of a mature security practice, and it is essential to meeting the requirements of the CAF. ICS/OT threat intelligence allows your organisation to acquire the industry-specific intelligence you need to achieve the outcomes set out within the CAF. Operators of Essential Services should use the CAF to identify shortcomings in their current practices, understand the impact and associated risks of these shortcomings, and identify clear opportunities to use OT threat intelligence to close these gaps.

How Dragos Can Help

Dragos Threat Intelligence is available through Dragos WorldView, an annual subscription service that delivers actionable analyst-driven cyber research and reports on adversary threats, malware, and vulnerabilities impacting industrial sectors. With a primary focus on adversary activity and capabilities used in operational technology networks and industrial control systems environments, Dragos WorldView also provides threat intelligence on early-stage adversary activities to help bridge the visibility gap between OT and IT teams.

The outcome is finished threat intelligence that is packaged and delivered for use across multiple settings and audiences. Dragos Threat Intelligence indicators, vulnerabilities, and detections are codified for operational technology facilities leveraging the Dragos Platform.

Simon Warren is a Threat Intelligence Regional Account Manager at Dragos, Inc. Simon is responsible for designing and delivering OT threat intelligence solutions for clients across Europe.