Update included guidance on attacker methods and AI risks.
The NCSC has warned that the risk posed by hackers to the country’s critical infrastructure is escalating, and published an updated version of its Cyber Assessment Framework.
In its guidance, the NCSC said Britain continues to underestimate the severity of cyber threats targeting key sectors such as energy, healthcare, and transport.
Defend and Scrutinise
In the updated version of its Cyber Assessment Framework (CAF), the NCSC urges organisations not only to defend their own systems but also to scrutinise those of their suppliers and partners, as attackers increasingly exploit third-party weaknesses to reach sensitive infrastructure.
In particular, version 4.0 of the CAF introduces four major changes:
- A new section on building a deeper understanding of attacker methods and motivations to inform better cyber risk decisions.
- A new section on ensuring software used in essential services is developed and maintained securely.
- Updates to the section on security monitoring and threat hunting to improve the detection of cyber threats.
- Improved coverage of AI-related cyber risks throughout the CAF.
The NCSC said the CAF is “primarily designed for CNI organisations operating essential services across energy, healthcare, transport, digital infrastructure and government sectors, helping them to meet legal and regulatory requirements such as the NIS Regulations.”
It does this by providing a comprehensive framework for assessing how well an organisation is meeting the expected security and resilience outcomes, set at a level judged appropriate to the threat it faces.
Welcome Step
James Neilson, SVP international at OPSWAT, called the update a “welcome step” as security teams within critical infrastructure sectors are often expected to manage unfamiliar systems, and few individuals possess deep expertise in both IT and OT, creating knowledge gaps in threat assessment and defence development.
“The updated CAF reflects a trend we’ve observed of cyber-criminals increasingly using multi-layered threats designed to evade analysis and detection,” he said. “An attacker’s aim is to evade and confuse, not overwhelm the network, meaning that threats are missed by legacy anti-virus solutions and EDR stacks.
“We strongly recommend that critical infrastructure organisations review the NCSC’s updated CAF. However, they should also prioritise securing the data that moves in and out of their OT networks, an area often neglected by CNI organisations.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.