RIIO is the approach used by the Office of Gas and Electricity Markets (OFGEM) – a non-ministerial department of the UK government – to ensure the companies running the country’s gas and electricity networks have the appropriate financial resources to operate effectively and efficiently. RIIO stands for Revenues = Incentives + Innovation + Outputs.

OFGEM released RIIO-1 for the gas distribution and gas and electricity transmission price controls in 2013. These are due to finish in March 2021. RIIO-2 was released in July 2020.

As part of RIIO-2, OFGEM included a set of cyber security resilience guidelines. These guidelines follow closely from many of the leading cyber security standards and are specifically targeted at the electricity and gas distribution networks.

The Verve Security Center platform is uniquely positioned to assist the electricity and gas network operators to meet these guidelines. Verve’s comprehensive platform for OT security brings together all of the technical requirements for RIIO-2 into a single, integrated platform. For those entities that have pre-existing tools, Verve’s open-API infrastructure enables us to integrate this data into a single asset-management function to provide efficiency and effectiveness to maintain the guidelines.

The mapping below explains how Verve Security Center delivers on each of the controls within the guidelines.


A3.a Asset Management

RIIO-2 Cyber Resilience Outcome Description for A3.a Asset Management:

1. Create and maintain a register of all assets – The register of assets should be with an appropriate level of detail and format for all components that support the delivery of the essential service.

Verve creates and maintains a register of all assets within the OT environment. This asset register includes all of the components included in the guidance. For most assets the list of documented data goes well beyond the guidance requirements.

2. Prioritise assets – The assets are prioritised according to their importance for delivering the essential service.

Verve can help prioritise assets based on the network impact of the asset as well as its security risk. In addition, Verve can import asset criticality from other customer databases.

3. Create and maintain a register of all assets – The register of assets should be with an appropriate level of detail and format for all components that support the delivery of the essential service.

Verve can track asset ownership directly in the asset database.

4. Manage assets throughout their life-cycle – With the execution of appropriate policies and procedures, the security of assets is maintained from creation through to eventual decommissioning or disposal.

Verve can track the asset through its lifecycle. When a device is connected to the network, Verve will discover that asset and ask the user to “manage” the asset or alternatively to place it into a quarantine state. All elements of security management are managed and visible from the Verve console.

A4.a Supply Chain

RIIO-2 Cyber Resilience Outcome Description for A4.a Supply Chain:

1. Identify all third-party connections – Third-party connections and data flows to networks and systems supporting your essential service are identified and documented.

Verve monitors all network flows to systems, identifying third-party and/or vendor connections. Verve can also monitor network devices to ensure proper configurations.

2. Identify supply chain dependencies – Supply chain dependencies for networks and systems supporting your essential services are identified and documented.

This is a process function, but Verve can maintain any data included in such reviews and confirm items such as software patches via hashes.

3. Assess & manage supply chain risks – Supply chain risks are assessed and managed, as part of the procurement process.

This is a process function, but Verve can maintain any data included in such reviews and confirm items such as software patches via hashes.

4. Include security requirements in all contracts – Security requirements and controls should be included in all contracts and managed according to policy. Cyber security requirements should be contractually defined, with a code of connection/conduct for suppliers. Special considerations should be given according to policy but not limited to:

This is a contracting and procedural function.

5. Detect, respond and manage supply chain incidents – Consider the detection, response and management of incidents in your supply chain services and systems as part of your incident management processes.

This is a contracting and procedural function.

6. Protect information lifecycle – Information shared with suppliers, that is essential to the operation of your essential service, should be appropriately protected. Information about the essential services, OT assets, remote connections and their configuration is of particular interest to any potential attacker. This information should be suitably protected across its lifecycle, wherever it is stored or processed, including when created by or in the possession of suppliers.

This is a contracting and procedural function.

B2.a Identity Verification, Authentication and Authorisation

RIIO-2 Cyber Resilience Outcome Description for B2.a Identity Verification, Authentication and Authorisation:

You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential service.

RIIO-2 Cyber Resilience Guidance:

1. Identify all authorised users – There should be clear documentation that captures and identifies all authorised users and their access requirements, which should align with asset registers (A3.a refers).

Verve identifies all users and accounts on systems, including dormant or unused accounts. Verve can ensure only approved users have access and can alert on new accounts created. Verve can also alert on new access to networks and devices.

2. Authenticate Authorised Users – Unless restricted by system or operational limitations, every authorised user should be individually identified and authenticated.

Verve can enable configuration of security on devices, such as restricting users to authorized uses, enforcing named accounts, etc.

3. Restrict logical access – Appropriate controls should be in place to ensure that only authorised users can logically connect to networks and information systems.

Verve can monitor network and device configurations to ensure logical access is limited and no changes to access are enabled without an alert.

4. Secondary Authentication Mechanisms – Implement additional authentication mechanisms for privileged access to sensitive systems on which your essential service depends.

Verve can ensure configurations that require MFA and other secondary authentication mechanisms are enabled on devices.

5. Remote Access – Ensure that each instance of remote user access to all your networks and information systems that support your essential service is individually authorised, authenticated and protected with secondary authentication mechanisms as in para 4.

Verve can monitor access into the network to identify anomalous connections and alert on remote connections that are new. Verve can also support the management of remote access solutions through network device management.

6. Access Review – The list of users and systems with access to essential service networks and systems should be reviewed on a regular basis or when change occurs, e.g. a significant change in system configuration or personnel.

Verve gathers and monitors all accounts and access, enabling efficient review of users and accounts.

B2.b Device Management

RIIO-2 Cyber Resilience Outcome Description for B2.b Device Management:

You should fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential service.

RIIO-2 Cyber Resilience Guidance:

1. Manage Devices – The underpinning principle is that only devices owned and managed, or approved and authorised, by your company should be connected to the networks and systems supporting your essential service.

Verve can identify all new devices when they connect to the network. It can provide an alert on any device that tries to connect. Verve can also identify removable media when it is connected and manage the approved connections.

2. Register Devices – It should be known what devices are authorised to connect to networks and systems supporting your essential service.

This is a procedural requirement that Verve can support, both to ensure that only registered devices can connect and to audit the results.

3. Detect Unknown Devices – It should be possible to detect unknown devices connected to networks and systems supporting your essential service and to investigate such occurrences.

Verve can identify all new devices when they connect to the network. It can provide an alert on any device that tries to connect. Verve can also identify removable media when it is connected and manage the approved connections.

4. Privileged Access Management – Privileged access, management and configuration functions on networks and systems supporting your essential service should only be performed with dedicated devices that are owned and managed by your organisation.

Verve can monitor for policy breaches on privileged access management.

5. Pre-Authorisation – Third-party devices and networks are identified before they are connected to networks and systems supporting your essential service.

Verve can identify all new devices when they connect to the network. It can provide an alert on any device that tries to connect. Verve can also identify removable media when it is connected and manage the approved connections.

B2.c Privileged User Management

RIIO-2 Cyber Resilience Outcome Description for B2.c Privileged User Management:

You closely manage privileged user access to networks and information systems supporting the essential service.

RIIO-2 Cyber Resilience Guidance:

1. Privileged User Access – Individuals who require privileged levels of user access will require additional validation and authentication as per B2.a.

Verve can ensure configurations that require MFA and other secondary authentication mechanisms are enabled on devices.

2. User Management – The identities of the individuals, whether within your organisation or third parties, with privileged access to networks and information systems supporting your essential service are known and managed.

Verve can provide an audit of all user accounts with privileged access, tied back to individual users. Verve can identify user accounts that have been dormant for over a certain period of time and even configure devices to ensure those accounts are unusable until re-enabled.

B2.d Identity and Access Management

RIIO-2 Cyber Resilience Outcome Description for B2.d Identity and Access Management:

You assure good management and maintenance of identity and access control for your networks and information systems supporting the essential service.

RIIO-2 Cyber Resilience Guidance:

1. Identity Management – There is a robust process to verify the identity of each user requesting access to networks and information systems supporting your essential service.

This is a procedural requirement that Verve can support, both to ensure that only approved devices can connect and to audit the results.

2. User Change Management – The joiners, movers and leavers process ensures you grant only the minimum required access rights to each user.

This is a procedural requirement that Verve can support, both to ensure that only approved devices can connect and to audit the results.

3. User Access Review – There is a regular review of user access rights, and those which are no longer required are revoked; this should be aligned to a joiners, movers and leavers process.

Verve can provide an audit of all user accounts with privileged access, tied back to individual users. Verve can identify user accounts that have been dormant for over a certain period of time and even configure devices to ensure those accounts are unusable until re-enabled.

4.Monitor Access – The company should log and monitor all user access.

Verve has a comprehensive log management capability that can monitor and alert on user access, new account creation, anomalous patterns of connection, etc.
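The access review that B2.a (guidance 6), B2.c (guidance 2) and B2.d (guidance 3) describe can be expressed as a check of a collected account inventory against the authorised-user register. The example below is added here and is not Verve's code; the account inventory, the authorised-user register, the host names and the 90-day dormancy threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    host: str                       # asset the account exists on (ties back to the A3.a register)
    name: str
    privileged: bool
    owner: Optional[str]            # named individual, or None for a shared/generic account
    last_logon: Optional[datetime]  # None = never logged on


# Constructed sample inventory, as an OT asset-discovery tool might collect it.
NOW = datetime(2021, 3, 31)
ACCOUNTS: List[Account] = [
    Account("hmi-01", "j.smith", True, "J. Smith", NOW - timedelta(days=3)),
    Account("hmi-01", "operator", False, None, NOW - timedelta(days=1)),
    Account("hmi-01", "vendor_svc", True, None, NOW - timedelta(days=200)),
    Account("eng-ws-02", "a.jones", True, "A. Jones", None),
    Account("eng-ws-02", "tmp_admin", True, None, NOW - timedelta(days=10)),
    Account("historian", "backup", False, "Backup job", NOW - timedelta(days=120)),
]

# Constructed authorised-user register (B2.a guidance 1): account name -> hosts it may use.
AUTHORISED: Dict[str, Set[str]] = {
    "j.smith": {"hmi-01"},
    "operator": {"hmi-01"},
    "vendor_svc": {"hmi-01"},
    "a.jones": {"eng-ws-02", "historian"},
    "backup": {"historian"},
}


def review_accounts(accounts: List[Account], authorised: Dict[str, Set[str]],
                    now: datetime, dormant_days: int = 90) -> Dict[str, List[Tuple[str, str]]]:
    """Return review findings keyed by category; each finding is (host, account).

    unauthorised       - account present on a host the register does not allow (or not in it at all)
    dormant            - no logon within dormant_days, or never logged on
    privileged_unowned - admin-level account not tied to a named individual (B2.c guidance 2)
    """
    findings: Dict[str, List[Tuple[str, str]]] = {
        "unauthorised": [], "dormant": [], "privileged_unowned": []}
    cutoff = now - timedelta(days=dormant_days)
    for a in accounts:
        if a.host not in authorised.get(a.name, set()):
            findings["unauthorised"].append((a.host, a.name))
        if a.last_logon is None or a.last_logon < cutoff:
            findings["dormant"].append((a.host, a.name))
        if a.privileged and a.owner is None:
            findings["privileged_unowned"].append((a.host, a.name))
    return findings


def disable_plan(findings: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Accounts to disable on the device until explicitly re-enabled: every dormant or
    unauthorised account, deduplicated and sorted so it can go on a change ticket."""
    targets = set(findings["unauthorised"]) | set(findings["dormant"])
    return sorted(targets)


if __name__ == "__main__":
    result = review_accounts(ACCOUNTS, AUTHORISED, NOW)
    for category, items in result.items():
        print(category, items)
    print("disable:", disable_plan(result))
```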

B3.a Understanding Data

RIIO-2 Cyber Resilience Outcome Description for B3.a Understanding Data:

You have a good understanding of data important to the delivery of the essential service, where it is stored, where it travels, and how unavailability or unauthorised access, modification or deletion would impact the service. This also applies to any third parties storing or accessing data important to the delivery of essential services.

RIIO-2 Cyber Resilience Guidance:

1. Identify Critical Data – Understand and maintain the location, type, quantity and quality of data important to the delivery of the essential service.

These are all procedural requirements to identify and determine critical data.

2. Understand Critical Data – Understand the context, limitations and dependencies of your important data.

a) The availability, integrity, confidentiality and safety requirements of the data which is important to the operation of your essential service should be understood and documented.

These are all procedural requirements to identify and determine critical data.

3. Understand Data Links – Maintain a current understanding of the data links used to transmit data that is important to your essential service.

These are all procedural requirements to identify and determine critical data.

4. Identify Mobile Devices and Portable Media – Identify all mobile devices and media that may hold data important to the delivery of the essential service.

These are all procedural requirements to identify and determine critical data.

5. Manage Data Holdings – Remove or minimise unnecessary copies or unneeded historic data.

These are all procedural requirements to identify and determine critical data.

7. Review Lifecycles and Impact Assessments – Validate and review the impact assessments regularly.

These are all procedural requirements to identify and determine critical data.

B3.b Data in Transit

RIIO-2 Cyber Resilience Outcome Description for B3.b Data in Transit:

You should protect the transit of data important to the delivery of the essential service. This includes the transfer of data to third parties.

RIIO-2 Cyber Resilience Guidance:

1. Data Transfer – Identify all conduits for data transfer.

Verve can monitor netflow for connections between devices.

2. Data Protection – Implement appropriate protection for data in transit.

Verve supports encrypting data in transit and at rest.

3. Single Points of Failure – Identify communication paths where, due to failure, there is a significant risk of impact on the delivery of the essential services.

Verve can help identify data flows, but this will require procedural review of the criticality of each data flow.

4. Resilient Communications – Provide alternative communication paths where there is a significant risk of impact on the delivery of your essential services.

This is a design function.

B3.c Stored Data

RIIO-2 Cyber Resilience Outcome Description for B3.c Stored Data:

You should protect stored data important to the delivery of the essential service.

RIIO-2 Cyber Resilience Guidance:

1. Data Policy – All copies of data important to the delivery of your essential services are necessary and approved.

This is a procedural requirement.

2. Sharing Data – Only data which is required for an intended purpose should be copied to less secure or read-only storage.

This is a procedural requirement that Verve can support.

3. Encryption – The cryptography in use should provide some degree of assurance in its ability to protect data at rest.

Verve uses encryption of all data at rest.

4. Backups – The company has suitable, secured backups of the data required to allow the essential services to operate or to restore the essential services within an acceptable timeframe. Please follow the B5.c Backups guidance for additional information.

Verve’s complete suite includes backup functionality for critical OT devices, ensuring that backups are run regularly and have not failed.

B3.d Mobile Data

1. Identify Mobile Devices – It is known which mobile devices hold data important to the delivery of the essential service.

Verve can identify mobile devices that connect to the network.

2. Mobile Data Policy – The requirements to protect data that is important to the delivery of the essential services and is stored on mobile devices are defined.

This is a procedural requirement.

3. Mobile Data Security – Data stored on mobile devices that is important to the delivery of the essential services is appropriately secured.

This is a procedural requirement.

B3.e Media Equipment Sanitisation

RIIO-2 Cyber Resilience Outcome Description for B3.e Media Equipment Sanitisation:

You should appropriately sanitise data from the service, media or equipment before disposal.

RIIO-2 Cyber Resilience Guidance:

1. Asset Inventories – All devices (including removable media, laptops and mobile devices) that store data important to the delivery of the essential services should be identified and catalogued. For additional information please refer to the A3.a Asset Management section.

Verve gathers and maintains a comprehensive asset inventory, including removable media, laptops, etc. It is also able to inventory all OT embedded devices such as those listed.

2. Data Cleansing – There is a robust process to sanitise data important to the delivery of the essential services from all devices, equipment and removable media before disposal or redeployment as part of the asset management lifecycle.

This is a procedural requirement.

B4.a Secure by Design

RIIO-2 Cyber Resilience Outcome Description for B4.a Secure by Design:

You design security into the network and information systems that support the delivery of essential services. You minimise their attack surface and ensure that the delivery of the essential service is not impacted by the exploitation of any single vulnerability.

RIIO-2 Cyber Resilience Guidance:

1. Secure by Design – Appropriate expertise is employed to design secure networks and information systems supporting your essential services.

a) The design of the OT systems should specify and implement a multi-layer security architecture that is segregated into zones based upon risk and function.
b) The design should also consider supporting and ancillary systems (e.g. Uninterruptible Power Supplies, HVAC) to ensure they are appropriately secured.
c) Appropriate network segregation and access controls (logical and physical) should be implemented to protect the OT networks and zones against malfunction, mistake and malicious activity.
d) The use of remote access to the networks and systems should be carefully designed to restrict access to the minimum required assets and data.

Verve gathers and maintains a comprehensive asset inventory, including removable media, laptops, etc. It is also able to inventory all OT embedded devices such as those listed.

2. Network Segregation – The networks and information systems supporting your essential services are segregated into appropriate security zones.

Verve’s services can support secure by design. Verve can also monitor for changes to that secure-by-design baseline, such as changes to firewall rules, etc.

3. Network Data Flows – The networks and information systems are designed to have simple data flows internally between systems and interfaces with external systems and, where possible, between devices, to enable effective monitoring.

Verve’s services can support secure by design. Verve can also monitor for changes to that secure-by-design baseline, such as changes to firewall rules, etc.

4. Resilient Networks – The networks and information systems supporting your essential service are designed to be easy to recover.

Verve provides backup capabilities. In addition, our log management provides logs, syslog, netflow and performance metrics data to the OT operators for troubleshooting and IR. Our services teams can ensure secure-by-design architectures as well.

5. Attack Mitigation – Content-based attacks are mitigated for all inputs to operational systems that affect the essential service.

Verve provides application whitelisting as part of its cybersecurity suite and can alert on potential malicious events through that. In addition, Verve’s OT SIEM provides host intrusion detection, identifying critical detections against the MITRE ATT&CK framework.

B4.b Secure Configuration

RIIO-2 Cyber Resilience Outcome Description for B4.b Secure Configuration:

You securely configure the network and information systems that support the delivery of essential services.

RIIO-2 Cyber Resilience Guidance:

1. Secure Configuration – The security configuration and maintenance requirements for all assets are defined and documented.

Verve monitors and ensures compliance with configurations. It can monitor for changes and alert into a ticketing system on unapproved changes that need to be resolved. These configurations can then be stored.

2. Asset Management – There is a set of records for assets which need to be configured and maintained to ensure the essential service is secure.

Verve’s asset inventory includes the security configuration data as well as the asset’s criticality as described in the requirement.

3. Configuration Management – The security configuration(s) are applied to all assets.

Verve has comprehensive change management functionality to identify when an asset goes out of compliance with the secure configuration. Verve can be used to harden devices to ensure the proper configuration is enabled.

4. Secure Builds – Secure builds exist for systems, networks or endpoints that need to be configured to maintain the security of the essential service.

The design of the build is a procedural requirement, but Verve can monitor that configuration on running devices.

5. Secure Configuration Management – The security configuration of assets which need to be carefully configured is actively managed.

Verve has comprehensive change management functionality to identify when an asset goes out of compliance with the secure configuration. Verve can be used to harden devices to ensure the proper configuration is enabled.

6. Change Management – There is an effective change management process that ensures all changes to network or system configuration are secure and comply with the security configuration requirements.

Verve has comprehensive change management functionality to identify when an asset goes out of compliance with the secure configuration. Verve can be used to harden devices to ensure the proper configuration is enabled.

7. Software Management – Only approved software should be installed on networks and information systems supporting your essential service.

Verve monitors all software installed. Unapproved software can be identified and removed. New software additions can be alerted on if they fall outside a “whitelist”.

8. Account Permissions – Non-privileged accounts cannot change settings which would impact security.

This can be enabled through Verve’s secure configuration manager.

9. Configuration Control – The networks and information systems supporting your essential service are regularly reviewed or monitored and validated to confirm the expected configurations and secure settings are applied.

Verve has comprehensive change management functionality to identify when an asset goes out of compliance with the secure configuration. Verve can be used to harden devices to ensure the proper configuration is enabled. This can support a process of regular review of those secure configuration settings.

10. Automated Tools – The operation of automated decision-making technologies, including advanced control, if in use, is well understood.

Verve supports this by monitoring for unplanned changes to firmware or software.
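The B4.b controls (secure build, configuration control, change management) reduce to one mechanism: compare each asset's observed configuration with the secure build for its class, suppress differences that change management has approved, and raise a ticket for the rest. The example below is added here and is not Verve's code; the baseline settings, the snapshots, the host names and the approved-change record are all constructed, and the setting names are illustrative rather than any real product schema.

```python
from typing import Any, Dict, List, Set, Tuple

# Constructed secure-build baseline per asset class (B4.b guidance 1 and 4).
BASELINE: Dict[str, Dict[str, Any]] = {
    "windows-hmi": {
        "smbv1_enabled": False,
        "application_whitelisting": "lockdown",
        "remote_desktop": "disabled",
        "local_admins": ["ot-admin"],
        "password_min_length": 14,
    },
}

# Constructed configuration snapshots as an agent or poller might return them.
SNAPSHOTS: List[Dict[str, Any]] = [
    {"host": "hmi-01", "class": "windows-hmi", "config": {
        "smbv1_enabled": False, "application_whitelisting": "lockdown",
        "remote_desktop": "disabled", "local_admins": ["ot-admin"],
        # password_min_length is absent: the collector could not read the policy
    }},
    {"host": "hmi-02", "class": "windows-hmi", "config": {
        "smbv1_enabled": True, "application_whitelisting": "audit",
        "remote_desktop": "disabled", "local_admins": ["vendor_tmp", "ot-admin"],
        "password_min_length": 14,
    }},
]

# Constructed change-management record (B4.b guidance 6): (host, setting) pairs whose
# deviation was approved and therefore must not raise a drift ticket.
APPROVED_CHANGES: Set[Tuple[str, str]] = {("hmi-02", "application_whitelisting")}


def diff_config(baseline: Dict[str, Any], observed: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """Return (setting, expected, actual) for every baseline setting that drifted.

    List-valued settings are compared as sets so ordering alone never raises an alarm;
    a setting missing from the snapshot is reported with actual=None, because an
    unreadable setting cannot be assumed compliant."""
    drift: List[Tuple[str, Any, Any]] = []
    for key, expected in baseline.items():
        if key not in observed:
            drift.append((key, expected, None))
            continue
        actual = observed[key]
        if isinstance(expected, list):
            if not isinstance(actual, list) or set(expected) != set(actual):
                drift.append((key, expected, actual))
        elif expected != actual:
            drift.append((key, expected, actual))
    return drift


def drift_tickets(baseline_by_class: Dict[str, Dict[str, Any]], snapshots: List[Dict[str, Any]],
                  approved: Set[Tuple[str, str]]) -> List[Dict[str, Any]]:
    """One ticket per unapproved drifted setting, in the shape a ticketing system would ingest."""
    tickets: List[Dict[str, Any]] = []
    for snap in snapshots:
        baseline = baseline_by_class.get(snap["class"])
        if baseline is None:  # an asset with no secure build defined is itself a finding
            tickets.append({"host": snap["host"], "setting": "*",
                            "expected": "known asset class", "actual": snap["class"]})
            continue
        for key, expected, actual in diff_config(baseline, snap["config"]):
            if (snap["host"], key) in approved:
                continue
            tickets.append({"host": snap["host"], "setting": key,
                            "expected": expected, "actual": actual})
    return tickets


def compliance_rate(baseline_by_class: Dict[str, Dict[str, Any]], snapshots: List[Dict[str, Any]],
                    approved: Set[Tuple[str, str]]) -> float:
    """Share of (host, setting) pairs that are compliant or approved, for the regular
    review in B4.b guidance 9."""
    total = sum(len(baseline_by_class.get(s["class"], {})) for s in snapshots)
    open_tickets = [t for t in drift_tickets(baseline_by_class, snapshots, approved)
                    if t["setting"] != "*"]
    return 1.0 if total == 0 else 1 - len(open_tickets) / total


if __name__ == "__main__":
    for t in drift_tickets(BASELINE, SNAPSHOTS, APPROVED_CHANGES):
        print(t)
    print("compliance:", compliance_rate(BASELINE, SNAPSHOTS, APPROVED_CHANGES))
```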

B4.c Secure Management

RIIO-2 Cyber Resilience Outcome Description for B4.c Secure Management:

You manage your organisation’s network and information systems that support the delivery of essential services to enable and maintain security.

RIIO-2 Cyber Resilience Guidance:

1. Dedicated Management Devices – There should be dedicated devices used for the maintenance and security management of networks and information systems supporting your essential service across the estate, which should be managed independently from corporate systems and networks.

Verve monitors user accounts to ensure only dedicated accounts have administrative access. Verve can ensure that those dedicated devices have more aggressive security configurations than other devices.

2. Unauthorised Software Management – Effective technical, procedural and physical security measures are in place to prevent, detect and remove unauthorised software and malware on networks and information systems supporting your essential service.

Verve can identify unapproved/unnecessary software, and users can remove that software using the Verve platform. It can also enable application whitelisting to ensure no unapproved software runs on the device. Verve also has a robust vulnerability management capability which not only identifies known vulnerabilities but also

3. Authorised Privileged Users – Networks and information systems supporting your essential service are only administered and maintained by authorised privileged users.

This is mostly a procedural element, but Verve can support it by ensuring limitation of administrative rights on accounts and monitoring for escalations in rights.

4. Maintain Technical Knowledge – Technical knowledge about networks and information systems supporting your essential service is reviewed and updated periodically.

Verve provides a rich set of technical knowledge on the networks, flows, endpoints, etc. This is updated in real time or every 15 minutes, depending on the information. It is still key that organizational users familiarize themselves with this data on a regular basis.

5. Protect Technical Knowledge – Technical knowledge about networks and information systems supporting your essential service is appropriately stored and secured.

The Verve databases are securely stored and are encrypted at rest. Beyond Verve’s databases, though, this becomes a procedural requirement.

B4.d Vulnerability Management

RIIO-2 Cyber Resilience Outcome Description for B4.d Vulnerability Management:

You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service.

RIIO-2 Cyber Resilience Guidance:

1. Research Vulnerabilities – Publicly-known vulnerabilities relevant to the networks and information systems supporting your essential service are monitored and analysed to understand your exposure.

Verve has a comprehensive vulnerability management function which identifies known vulnerabilities across OS and embedded devices. In addition, Verve can be used to remediate vulnerabilities through patching of all OS-based devices. Verve integrates data from MITRE/NVD as well as ICS-CERT. In addition, users can integrate OEM-approved patch lists into a single cross-vendor user interface to ensure compliance with vendor requirements.

2. Horizon Scanning – It is expected that when the company is made aware of a new vulnerability or threat, it has the ability to ascertain the associated risk within its environment, within a period defined by its policy.

Verve’s centralized vulnerability view allows OT security leaders to see their entire horizon of risk due to vulnerabilities across their footprint. Verve also provides full CVSS scores to help identify the greatest risks. Finally, Verve’s risk scoring can help prioritize which assets pose the greatest risk overall.

3. Assess Vulnerabilities – Vulnerabilities in the networks and information systems supporting your essential service are assessed, prioritised and mitigated.

Verve assesses vulnerabilities on multiple dimensions, including CVSS, attack vector and complexity, as well as compensating controls on the asset. Verve can then be used to mitigate the vulnerability either through patching or compensating controls.

4. Track Vulnerabilities – Both publicly announced and privately notified vulnerabilities in the networks and information systems supporting your essential service are tracked.

Verve automatically tracks public vulnerabilities as well as those discovered by our researchers. In addition, customers can integrate OEM-released private vulnerabilities into the Verve database for tracking of those “non-public” ones.

5. Temporary Mitigations – Some vulnerabilities that are not exposed outside the system boundary/security zone of the networks and information systems supporting your essential service may have temporary mitigations for an extended period.

Verve can both track these temporary mitigations and report on which are mitigated and which are not. In addition, Verve can be used to implement many of these mitigations, such as ensuring application whitelisting is in lock-down mode, ensuring configurations are hardened, etc.

6. Obsolete Technology – Obsolete and/or unsupported networks and information systems supporting your essential service may have temporary mitigations for vulnerabilities while pursuing migration to supported technology.

Verve can both track these temporary mitigations and report on which are mitigated and which are not. In addition, Verve can be used to implement many of these mitigations, such as ensuring application whitelisting is in lock-down mode, ensuring configurations are hardened, etc.

7. Vulnerability Checks – There are regular tests or assessments undertaken to fully understand the vulnerabilities in the networks and information systems supporting your essential service.

Verve was built with OT vulnerability management in mind. It is 100% safe for OT networks and doesn’t require risky vulnerability scans on these devices. Updated vulnerability information is gathered back every 15 minutes from devices in the network. This allows for a safe, efficient and effective vulnerability check on a regular basis.
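The B4.d guidance asks for vulnerabilities to be prioritised on CVSS, attack vector, asset criticality and compensating controls (guidance 3), and for temporary mitigations on unexposed or obsolete assets to be tracked and reported (guidance 5 and 6). The example below is added here and is not Verve's scoring model; the findings, the vulnerability identifiers (placeholders, not real CVE numbers), the criticality values and the weighting factors are all constructed assumptions chosen to illustrate the inputs the guidance names.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                  # constructed placeholder, not a real CVE identifier
    cvss: float                   # CVSS base score as published
    attack_vector: str            # CVSS AV metric: N=network, A=adjacent, L=local, P=physical
    patch_approved: bool          # an OEM-approved patch exists for this OT device
    exposed: bool                 # reachable from outside its security zone (B4.d guidance 5)
    compensating: FrozenSet[str]  # controls already in place on the asset


# Constructed asset criticality (1-5) as imported from the A3.a asset register.
CRITICALITY: Dict[str, int] = {"hmi-01": 5, "eng-ws-02": 3, "historian": 2}

# Assumed weights: how much of the base score survives for each attack vector.
AV_WEIGHT: Dict[str, float] = {"N": 1.0, "A": 0.8, "L": 0.5, "P": 0.2}

# Constructed findings as a vulnerability-management tool might hold them.
FINDINGS: List[Finding] = [
    Finding("hmi-01", "example-vuln-1", 9.8, "N", False, True, frozenset()),
    Finding("hmi-01", "example-vuln-2", 7.5, "N", True, False, frozenset({"whitelist_lockdown"})),
    Finding("eng-ws-02", "example-vuln-3", 8.8, "L", False, False, frozenset({"hardened_config"})),
    Finding("historian", "example-vuln-4", 5.3, "N", True, True, frozenset()),
]


def risk_score(f: Finding, criticality: Dict[str, int]) -> float:
    """Illustrative scoring: CVSS scaled by attack vector and asset criticality, discounted
    when the asset is not exposed outside its zone and once more per compensating control.
    The factors (0.6 and 0.5) are assumptions for this example, not a standard."""
    score = f.cvss * AV_WEIGHT[f.attack_vector] * (criticality[f.asset] / 5)
    if not f.exposed:
        score *= 0.6
    score *= 0.5 ** len(f.compensating)
    return score


def recommended_action(f: Finding) -> str:
    """Patch when the OEM has approved one; otherwise track a temporary mitigation if the
    asset is shielded by a control or its zone, and escalate if it is exposed with nothing."""
    if f.patch_approved:
        return "patch"
    if f.compensating or not f.exposed:
        return "track temporary mitigation"
    return "mitigate now"


def prioritise(findings: List[Finding], criticality: Dict[str, int]) -> List[Tuple[str, str, float, str]]:
    """Findings ordered by descending risk: (asset, vuln_id, score, action)."""
    ranked = sorted(findings, key=lambda f: risk_score(f, criticality), reverse=True)
    return [(f.asset, f.vuln_id, round(risk_score(f, criticality), 2), recommended_action(f))
            for f in ranked]


def mitigation_report(findings: List[Finding]) -> Dict[str, List[str]]:
    """For findings with no approved patch, list which are covered by a temporary mitigation
    (compensating control or zone isolation) and which are not (B4.d guidance 5 and 6)."""
    report: Dict[str, List[str]] = {"mitigated": [], "unmitigated": []}
    for f in findings:
        if f.patch_approved:
            continue
        bucket = "mitigated" if (f.compensating or not f.exposed) else "unmitigated"
        report[bucket].append(f.vuln_id)
    return report


if __name__ == "__main__":
    for row in prioritise(FINDINGS, CRITICALITY):
        print(row)
    print(mitigation_report(FINDINGS))
```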

B5.a Resilience Preparation

RIIO-2 Cyber Resilience Outcome Description for B5.a Resilience Preparation:

You should be prepared to restore your essential service following disruption.

RIIO-2 Cyber Resilience Guidance:

1.Recovery  Plan  –  The networks and information systems and supporting technologies required to restore your essential service are known, documented and in line with company, Business continuity, disaster recovery processes and risk management processes.

Verve provides a robust documentation of the networks and information systems to support the recovery plan. It also supports backups which are a key component of that recovery plan and monitors for that backup status to ensure that those backups are recent and effective.

2.Recovery Dependencies – The interdependencies between the networks and information systems and the supporting technologies are understood and documented.

a)  The company should identify and document interdependencies:

• Between the networks and systems supporting your essential service.
• On supporting technologies.
• On upstream and downstream third-party networks and systems.
• Internal and external service and support providers.

Verve provides a robust documentation of the networks and information systems to support the recovery plan. It also supports backups which are a key component of that recovery plan and monitors for that backup status to ensure that those backups are recent and effective.

3. Recovery Order – The sequence and order in which supporting technologies, networks and systems are restored to recover the essential service are known and documented. This should be aligned with company risks, disaster recovery and business continuity processes.

a) There should be documentation identifying the order in which resources, supporting technologies and the networks and information systems supporting your essential service are needed to restore and operate your essential service.
b) Escalation triggers and paths to facilitate restoration if required to overcome problems should be identified and documented.

Verve provides robust documentation of the networks and information systems to support the recovery plan. It also supports backups, which are a key component of that recovery plan, and monitors backup status to ensure that those backups are recent and effective.

B5.b Design for Resilience

RIIO-2 Cyber Resilience Outcome Description for B5.b Design for Resilience:

You should design the network and information systems supporting your essential service to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.

RIIO-2 Cyber Resilience Guidance:

1. Design for Resilience – The networks and information systems supporting your essential services are segregated into appropriate security zones.

Verve identifies the different zones and systems within the network and aggregates assets and flows by zone. In addition, Verve provides integrated coverage not only for traditional DCS/ICS devices but also for HVAC, building controls, PACS, etc.

2. Identify Limitations – Resource limitations should be identified and, where appropriate, mitigated either technically or with compensating controls.

This is a procedural requirement.

B5.c Backups

RIIO-2 Cyber Resilience Outcome Description for B5.c Backups:

You hold accessible and secured current backups of data and information needed to recover.

RIIO-2 Cyber Resilience Guidance:

1. Backups – There are backups of all systems, software, configurations, data and other relevant information required to enable recovery of individual devices or entire networks and systems supporting your essential services.

Verve provides support for backups of all systems, including the OS as well as configurations of key networking devices, relays, RTUs, etc. This includes monitoring backups to ensure they are timely and effective.

2. Security of backups – Backups are appropriately secured and protected.

Verve’s backup solution is encrypted to ensure protection of stored data.

3. Availability of backups – Backups are accessible if an extreme event occurs.

This is partially a procedural requirement, but Verve’s backup solution can ensure its backups are available in various network attack or downtime scenarios.

4. Reliability of backups – Backups are routinely tested to ensure the backup process is functioning correctly and the backups are useable.

This is a procedural requirement to test the backup and restore procedure. Verve supports this through its backup solution which enables testing on individual devices or across a range of devices easily.

B6.a Cyber Security Culture

These are procedural and training requirements.

C1.a Monitoring Coverage

RIIO-2 Cyber Resilience Outcome Description for C1.a Monitoring Coverage:

You monitor the security status of the networks and systems supporting the delivery of essential services in order to detect and respond to potential security issues and to track the ongoing effectiveness of protective security measures.

RIIO-2 Cyber Resilience Guidance:

1. Define monitoring strategy – There is a monitoring strategy which defines the objectives and requirements for monitoring and this is informed by an understanding of your networks and information systems supporting your essential service.

This is the procedural requirement of defining logging requirements and strategy. Verve can work with customers to help define these standards and scopes.

2. Confirm scope and deploy monitoring – Monitoring data is collected from, at least, the critical networks and systems supporting your essential service.

Verve’s comprehensive OT SIEM includes full logging functionality. Verve gathers Windows event logs, syslog, NetFlow and performance metrics from devices. All of this data is centralized in the Verve SIEM for further analysis and detection of events. The SIEM monitors for techniques across the MITRE ATT&CK framework as well as for anomalous patterns of behavior that may indicate a threat.

3. Validate successful monitoring – There is justified confidence that monitoring should detect the presence of known indicators of compromise on the networks and systems supporting your essential service.

These are procedural requirements to test the functionality of the SIEM.

4. Ensure monitoring of privileged users – Monitoring is conducted of all privileged activity for the networks and information systems supporting your essential service for suspicious or undesirable activity.

Verve monitors all user accounts for changes and for escalation of privileges.

5. Focus monitoring of network gateways and critical devices – Extensive monitoring is performed of network gateways and host-based monitoring for critical devices, where possible.

Verve monitors all devices including those network gateways between networks as well as conduits between zones and can alert on traffic moving across zones where it was not approved.

6. Include monitoring as part of the critical asset lifecycle – All new systems are considered as potential monitoring data sources to maintain a comprehensive monitoring capability.

This is a procedural requirement.

C1.b Securing Logs

RIIO-2 Cyber Resilience Outcome Description for C1.b Securing Logs:

Logging data should be held securely and read access to it should be granted only to accounts with a business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.

RIIO-2 Cyber Resilience Guidance:

1. Authorised Access – Only authorised personnel can view logging information.

Verve has a robust security infrastructure built in, allowing access control down to the individual data element, and can be linked directly to Active Directory groups.

2. Monitored Access – Access to logging data is monitored and backed up appropriately.

Access to various elements of the Verve platform can be logged and monitored.

C1.c Generating Alerts

RIIO-2 Cyber Resilience Outcome Description for C1.c Generating Alerts:

Evidence of potential security incidents contained in your monitoring data should be reliably identified and should trigger security alerts.

RIIO-2 Cyber Resilience Guidance:

1. Detect and create security alerts – Alerts are generated on suspicious activity within the networks and information systems supporting your essential service.

Verve’s OT SIEM detects suspicious activity and alerts on those detections. Verve can gather alerts from all devices listed where the logs are available to capture. Verve also integrates with a wide range of third-party tools, such as AV, to bring those alerts into Verve as well. In addition, Verve’s OT SIEM can bring in process alarm data from DCS systems.

2. Map alerts to assets in scope – Alerts should be resolved to assets in the networks and systems supporting your essential service.

All alerts are mapped back to assets in scope.

3. Review security logs and alerts at regular intervals – As defined in the monitoring strategy, security logs are reviewed regularly and, if possible, alerts should be reviewed almost continuously, in real time.

Verve aggregates the data into the SIEM in real time. These alerts can be reviewed at any time according to the procedure the operator has developed.

4. Prioritise, investigate and respond to security alerts – Security alerts relating to the networks and systems supporting your essential service should be prioritised, investigated and an appropriate action taken.

Part of this is procedural, i.e. responding to alerts in a timely fashion. Verve enables this by simplifying the prioritization of alerts based on the criticality of the asset as well as the overall risk score of the alert.

C1.d Identifying Security Incidents

RIIO-2 Cyber Resilience Outcome Description for C1.d Identifying Security Incidents:

You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.

RIIO-2 Cyber Resilience Guidance:

1. Threat intelligence information should be selected – Threat sources are selected and reviewed from a variety of sources appropriate to the likely threats and the company’s business needs.

Verve can integrate with a wide variety of threat intelligence sources, including our own threat and vulnerability information for OT systems.

2. Updates are received for all signatures – Updates for all signature-based protective technologies are received for the networks and systems supporting your essential service, within the company policy.

Verve can integrate updates for signatures and bring those into the Verve SIEM platform.

3. All new signatures and Indications of Compromise (IoCs) are applied within an appropriate time – Updates are implemented, based on risk and according to company policy.

Verve’s integrations enable rapid inclusion of new indicators.

4. The effectiveness of using threat intelligence should be assessed – Threat information used to identify security issues in the networks and information systems supporting your essential service is assessed.

This is primarily a procedural requirement.

C1.e Monitoring Tools & Skills

RIIO-2 Cyber Resilience Outcome Description for C1.e Monitoring Tools & Skills:

Monitoring staff skills, tools and roles, including any that are out-sourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential services they need to protect.

RIIO-2 Cyber Resilience Guidance:

1. Determine Monitoring Coverage – The requirements for monitoring coverage and to support and enable incident response are defined and appropriate tools and techniques identified.

Verve provides comprehensive coverage for monitoring. The procedural element of this requirement is that the operator reviews the appropriate monitoring coverage for their environment.

2. Establish Monitoring Team – Personnel are in place who are responsible for the analysis, investigation and reporting of monitoring alerts covering both security and system performance.

a) The monitoring personnel could be employees or third parties on premises or provided as part of a managed service.
b) Monitoring personnel should have appropriate security vetting and background checks.

Verve can integrate updates for signatures and bring those into the Verve SIEM platform.

3. Develop Reporting Chain – Monitoring personnel should report to an appropriate part of the organisation.

a) Monitoring personnel should report into the appropriate part of the organisation that is able to provide the necessary resources and authority to investigate security monitoring data, alerts and incidents. This could be, for example, IT, OT, Operations, Information Security and potential third parties.

The rest of these requirements are procedural and organizational in nature.

4. Define Roles and Skills – Monitoring personnel have defined roles and skills/competence requirements that, together with other personnel such as operators, system administrators and third parties, are able to cover all parts of the monitoring and investigation process.

a) Appropriate roles should be defined and assigned to perform the analysis, investigation and reporting activities.
b) The personnel should have appropriate training in OT and security knowledge to perform their role.

The rest of these requirements are procedural and organizational in nature.

5. Operational Awareness – Monitoring personnel should be aware of essential services assets in scope and can identify and prioritise alerts or investigations that relate to them.

a) Monitoring personnel should be sufficiently aware of the essential services and the networks in scope and information systems supporting them to effectively identify, prioritise and investigate alerts, engaging other personnel or third parties where necessary.

The rest of these requirements are procedural and organizational in nature.

6. Document Processes – Monitoring personnel follow documented processes, procedures and workflows for the analysis, investigation and reporting of monitoring alerts.

a) Standard workflows and playbooks should be defined and documented to cover the analysis, investigation and reporting activities (internal and external).
b) A workflow should exist to ensure that reportable regulatory events can be identified and reported to the Competent Authority (CA) within 72 hours of becoming aware of the incident.

The rest of these requirements are procedural and organizational in nature.

7. Freedom to Investigate – Monitoring personnel are empowered to look beyond the fixed process to investigate and understand non-standard threats.

a) This could be achieved by developing their own investigative techniques and making new use of data in order to continually enhance monitoring capabilities.
b) As incidents may vary, and adversaries may employ novel, difficult-to-detect techniques, personnel conducting monitoring investigations should be permitted to conduct their own investigations which go beyond the documented workflows and playbooks where appropriate.

References and Further Guidance:

  • ISO/IEC 27019 – Section 12.4 Logging and monitoring

The rest of these requirements are procedural and organizational in nature.

C2.a System Abnormalities for Attack Detection

RIIO-2 Cyber Resilience Outcome Description for C2.a System Abnormalities for Attack Detection:

You should define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.

RIIO-2 Cyber Resilience Guidance:

1. Understanding Normal Behaviour – There should be a good understanding of normal behaviour of the critical networks and systems supporting your essential service to permit effective detection of abnormal behaviour which may indicate malicious activity.

Verve has robust anomaly detection functionality built in. This allows us to develop a baseline of behavior across a range of different dimensions and analyze that behavior to identify potentially risky deviations from the baseline. Verve’s ability to baseline includes network connections, users, software and process changes, services that are running, volumes of activity, various device performance metrics, etc.

2. Develop Abnormality Descriptions – System abnormality descriptions should be developed from past attacks, threat intelligence and consideration of the nature of likely attacks on your networks and information systems supporting your essential service.

Verve can leverage a wide range of abnormal-behavior descriptions from various threat feeds to build its indicators of compromise.

3. Identify and Investigate Abnormal Behaviour – The system abnormality descriptions should be used to identify potential malicious activity on your networks and information systems supporting your essential service.

Verve can leverage a wide range of abnormal-behavior descriptions from various threat feeds to build its indicators of compromise.
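As an added illustration, not Verve’s own code, of two capabilities described on this page (alerting on traffic crossing zones outside an approved conduit, from C1.a item 5, and baselining network connections and volumes to flag deviations, from C2.a above), the following Python builds a connection baseline from constructed NetFlow-style records and then reports unapproved cross-zone flows, never-before-seen connection tuples and byte-volume spikes. The zone map, conduit list, host addresses and flow records are all constructed for the example.

```python
from collections import defaultdict

# Constructed zone assignments for hypothetical hosts (not addresses from any real site).
ZONES = {
    "10.1.0.5": "control",
    "10.1.0.9": "control",
    "10.2.0.3": "dmz",
    "10.3.0.7": "enterprise",
}

# Approved conduits between zones: (source zone, destination zone, destination port).
APPROVED_CONDUITS = {
    ("control", "dmz", 502),     # Modbus/TCP from the control zone to a DMZ historian
    ("dmz", "enterprise", 443),  # HTTPS from the DMZ to the enterprise network
}

# Constructed NetFlow-style records: "timestamp src dst dport proto bytes".
BASELINE_FLOWS = [  # learning window, assumed to contain only legitimate traffic
    "1000 10.1.0.5 10.2.0.3 502 tcp 1200",
    "1060 10.1.0.9 10.2.0.3 502 tcp 900",
    "1120 10.2.0.3 10.3.0.7 443 tcp 5000",
    "1180 10.1.0.5 10.1.0.9 20000 tcp 300",  # intra-zone DNP3, never crosses a boundary
]
CURRENT_FLOWS = [  # detection window
    "2000 10.1.0.5 10.2.0.3 502 tcp 1300",
    "2030 10.3.0.7 10.1.0.5 22 tcp 800",      # enterprise -> control SSH: no such conduit
    "2060 10.2.0.3 10.3.0.7 443 tcp 5100",
    "2090 10.1.0.9 10.2.0.3 502 tcp 4000",    # known path, but far above its usual volume
]


def zone_of(ip):
    """Map an address to its zone; anything unmapped lands in an 'unknown' zone."""
    return ZONES.get(ip, "unknown")


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def unapproved_cross_zone(flows):
    """Return flows that cross a zone boundary without a matching approved conduit."""
    hits = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone:
            continue  # intra-zone traffic is outside this check
        if (src_zone, dst_zone, f["dport"]) not in APPROVED_CONDUITS:
            hits.append((f["src"], src_zone, f["dst"], dst_zone, f["dport"]))
    return hits


def build_baseline(flows):
    """Baseline: the set of (src, dst, dport) tuples seen and bytes sent per source."""
    seen = set()
    volume = defaultdict(int)
    for f in flows:
        seen.add((f["src"], f["dst"], f["dport"]))
        volume[f["src"]] += f["bytes"]
    return {"tuples": seen, "volume": dict(volume)}


def detect_anomalies(baseline, flows, volume_factor=3.0):
    """Flag connection tuples absent from the baseline, and known sources whose
    byte volume exceeds volume_factor times their baseline volume."""
    new_tuples = []
    volume = defaultdict(int)
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if key not in baseline["tuples"]:
            new_tuples.append(key)
        volume[f["src"]] += f["bytes"]
    spikes = [(src, total) for src, total in volume.items()
              if src in baseline["volume"]
              and total > volume_factor * baseline["volume"][src]]
    return {"new_tuples": new_tuples, "volume_spikes": spikes}


if __name__ == "__main__":
    baseline = build_baseline([parse_flow(l) for l in BASELINE_FLOWS])
    current = [parse_flow(l) for l in CURRENT_FLOWS]
    for hit in unapproved_cross_zone(current):
        print("unapproved cross-zone flow:", hit)
    print("anomalies:", detect_anomalies(baseline, current))
```

In practice the learning window must itself be reviewed before it is trusted as a baseline, since any intrusion already present during that window becomes "normal".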

C2.b Proactive Attack Discovery

RIIO-2 Cyber Resilience Outcome Description for C2.b Proactive Attack Discovery:

You should use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.

RIIO-2 Cyber Resilience Guidance:

1. Exception Monitoring – The critical networks and systems supporting your essential service are routinely monitored and searched for abnormalities indicative of malicious activities.

Verve has a wide range of detections for standard security discovery. This includes coverage for the MITRE ATT&CK framework as well as a range of other security detections Verve has built over time for industrial control systems. Verve can be used for threat hunting by developing potential threat scenarios and reviewing patterns of behavior to identify potential risks.

2. Alert Generation – Alerts are generated when abnormalities are detected and these are addressed through the security alert and incident response investigation processes.

Verve has a comprehensive alerting capability to develop prioritized alerts on various levels of security risk.

D1.a Response Plan

This is a procedural set of requirements.

D1.b Response and Recovery

RIIO-2 Cyber Resilience Outcome Description for D1.b Response and Recovery Capability:

You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions.

RIIO-2 Cyber Resilience Guidance:

1. Identify Response Team Members – The members of the incident response team and supporting resources are identified and will be made available, if required.

a) All appropriate roles and resources (e.g. office space, communications) are identified within the incident response plans. This may consist of a core team, which could be extended with other appropriate internal and/or external personnel.
b) The core team should include personnel familiar with the operation and management of the essential services and the networks and information systems supporting your essential service.
c) The incident response team leader should have an associated manual of authority, in order to make and take decisions.
d) The incident response team roles and responsibilities should be formalised (e.g. by inclusion in job descriptions) to ensure personnel are made available when required.

This is a set of procedural requirements.

2. External Support Arrangements – There are arrangements in place to augment your incident response capability with external support, if required.

a) The incident response plans should identify potential external support to respond to an incident. The external support may include, but is not limited to:

  • National Technical Authority;
  • Specialist cyber security incident response and digital forensics providers;
  • Law enforcement.

b) Where external support is deemed to be required, clear terms of engagement should be drafted in order to give preference to contending priorities such as maintaining chain of custody or restoration of services.
c) Special arrangements should be pre-agreed with vendors such as OEMs, in order to gain commitment during times of incident response, irrespective of whether there are multiple external entities affected.
d) Where external support may be required, the company should ensure appropriate contractual arrangements are in place.
e) The processes to activate augmentation of the incident response capability should be defined and documented, including both during normal working hours and out-of-hours contact arrangements.

This is a set of procedural requirements.

3. Documented Triage Process – Those identifying a potential incident and those performing triage for an incident are following a documented and established procedure.

a) There should be a defined and documented procedure to enable first responders to triage events. The procedure could include, but not be limited to:

  • Decision trees;
  • Criteria;
  • Incident severity classification;
  • Escalation procedure if additional expertise is required to triage the event.

This is a set of procedural requirements.

4. Response Team Skills – The response team members have the skills, knowledge and authority required to respond appropriately, to limit the impact on your essential service.

a) The company should ensure that all response team members have the appropriate knowledge and skills to perform their incident response roles. This may require training to develop specialist skills required for incident response, as well as incident response exercises and rehearsals.
b) The company should give the incident response team the authority needed to respond in an appropriate and timely manner to incidents.

This is a set of procedural requirements.

5. Incident Response Information – The information required to enable informed response decisions is known and can be made available to the incident response team.

a) To ensure that response decisions can be made, the appropriate information should be made available to the incident response teams, which may include, but is not limited to:

  • Incident response plan and supporting procedures;
  • Playbooks and workflows;
  • Monitoring and alert information;
  • System information and network diagrams;
  • Asset register with a list of critical sites and systems;
  • Escalation path and authorisation requirements;
  • Supporting tools;
  • External contact information;
  • Communication plans;
  • Criteria to close out incidents.

This is a set of procedural requirements.

6. Alternative Operating Mechanisms – Alternative operating mechanisms are available to allow continued delivery, possibly at a reduced level, of your essential service where primary systems are not available.

a) Where the delivery of the essential service is impacted and where deemed appropriate, the organisation should establish alternative operating mechanisms which can be readily activated to enable continued delivery of the service.
b) Alternative operating mechanisms may require delivery at a reduced level and/or the use of alternative service providers.
c) Where the delivery of the essential service has not been impacted, in order to reduce the attack surface and likelihood of compromise, the organisation may choose to limit connectivity and/or information exchange using ancillary mechanisms to and from the OT environment.

References and Further Guidance:

  • NIST SP 800-53 Rev. 4 Appendix D: CA-2 Security Assessments, CA-7 Continuous Monitoring, PM-14 Testing, Training, and Monitoring, IR-4 Incident handling, IR-5 Incident Monitoring, IR-8 Incident Response Plan, CP-2 Contingency Plan, CP-3 Contingency Training, IR-3 Incident Response Testing, PE-6 Monitoring Physical Access, RA-5 Vulnerability Scanning, SI-4 Information System Monitoring
  • ISA 62443-2-1:2009 Sections 4.4.3.1, 4.2.3.10, 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
  • ISO/IEC 27001:2013 Sections A.6.1.1, A.16.1.1, A.16.1.2

This is a set of procedural requirements.

D1.c Testing and Exercising

This is a procedural set of requirements.

D2.a Incident Root Cause Analysis

RIIO-2 Cyber Resilience Outcome Description for D2.a Incident Root Cause Analysis:

Your organisation should identify the root causes of incidents you experience, wherever possible.

RIIO-2 Cyber Resilience Guidance:

1. Develop policies – The company should have a policy for investigating the root cause of incidents.

These are procedural and training requirements.

2. Regularly perform root cause analysis – Root cause analysis should be routinely conducted following an incident as part of the incident investigation and response process.

a) The purpose of the analysis should be clear to all stakeholders and just enough to balance lessons learned and not hindering restoration of services.
b) Where required by law enforcement entities, evidence should be kept in a state where chain of custody is maintained.
c) Forensic analysis should be compared against last known good states.
d) The company should consider whether the team conducting incident root cause analysis should be independent.
e) The company should have call-off contracts with external specialists to lead or augment the root cause analysis team.
f) OEMs should be involved throughout the process to assist and direct the process where required.

These are procedural and training requirements.

3. All available relevant data should be made available to the team carrying out the root cause analysis.

a) This should include, but not be limited to:

  • Incident response plan and supporting procedures;
  • Restoration prioritisation;
  • Logs, monitoring and alert information;
  • System information and network diagrams;
  • Asset register with a list of critical sites and systems;
  • Forensic information e.g. device images, memory dumps, packet captures;
  • Incident handling logs and records;
  • Physical and logical access records.

b) The root cause analysis team will likely require specialist investigation technologies, techniques and processes to help with the investigation. These should have minimal linkages and connections with company systems until such time as they are required. These are privileged technologies that should not be accessible by others outside of the analysis team.
c) The root cause analysis process should ensure a comprehensive analysis.

These are procedural and training requirements.

4. Issue root cause analysis reports – For each incident analysed, a report should be issued to appropriate stakeholders and authorities detailing the findings and recommendations. Where appropriate, an annual report should be produced summarising trends and making further recommendations if appropriate.

References and Further Guidance:

  • OG86 – Appendix 2 D1 Response and Recovery Planning
  • ISO27002 – Section 17.1.3

Guidance Flow:

These are procedural and training requirements.
