Case Study: Helping Achieve NIS Compliance for an Operator of Essential Services

22 September 2023

By NCC Group

Situation

In advance of an anticipated inspection from the Office of Gas & Electricity Markets (Ofgem), NCC Group worked with a Critical National Infrastructure (CNI) Operator of Essential Services (OES) to deliver an independent assessment that would clarify the current maturity of their security posture.

The objective of this advisory review was to assess the client's position against the Cyber Assessment Framework (CAF) baseline commitment and to establish whether the client could demonstrate its self-assessed position under the NIS Regulations. Any gaps identified were flagged, and security improvement steps were recommended so the client understood what was needed to meet the commitments.

At a Glance

Organization: Operator of Essential Services

Industry: Energy

Challenge: NCC Group was approached by the company to deliver an independent assessment that would clarify the current maturity of their security posture in advance of an anticipated Ofgem inspection.

Solution: NCC Group carried out a series of pragmatic security assessments that established the current status of compliance and reviewed all systems and networks in scope for the client.

Result: The client received a comprehensive report highlighting each individual CAF requirement including a rating associated with each finding, a recommendation on how they could implement a fix, and the evidence required to prove compliance.

Challenge

Under the NIS Regulations, OES have a duty to take "appropriate and proportionate measures in securing the network and information systems" on which their essential service relies. In addition, the OES responsible for running electricity and gas networks are under statutory obligations to develop and maintain efficient, coordinated, and economical systems.

To achieve this, OES are required to complete an annual self-assessment using the NCSC Cyber Assessment Framework and submit a return to Ofgem as per the "NIS Guidance for Downstream Gas and Electricity Operators of Essential Services in Great Britain v2.0".

Solution

NCC Group carried out a series of pragmatic security assessments covering the following steps:

  •  The approach taken to compile the CAF submission: A review of the overarching approach taken organizationally, across all functions, to ascertain compliance status and structure the evidence required.
  •  The scope of the CAF submission: A review of the claimed network and information systems used for the provision of an essential service, and identification of any new network and information systems that could be deemed in scope.
  •  CAF Assessment: Completion of the CAF self-assessment questionnaire by the OES.
  •  Evidence Review: A review of all historical evidence and identification of new evidence to support the assessment and demonstrate that the OES is compliant with NIS.

To achieve this, a blended approach was taken involving:

  •  Review of over 400 pieces of evidence, policies, procedures, and standards.
  •  Conducting in excess of 30 one-hour working group sessions (both remote and in-person).
  •  Visiting multiple sites deemed to be of interest.

Result

Following this assessment, our client received a comprehensive report highlighting each individual CAF requirement including a rating associated with each finding, a recommendation on how they could implement a fix, and the evidence required to prove compliance.

The report also contained an executive summary, which detailed the following:

  • Current position and maturity against the CAF baseline
  • Whether they can adequately demonstrate their self-assessed position against the CAF through the provision of appropriate evidence
  • Key areas that require attention in advance of a future Ofgem OES inspection
  • Key areas of strength

NCC Group

NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.