RIIO is the approach used by the Office of Gas and Electricity Markets (OFGEM) – a non-ministerial department of the UK government – to ensure the companies running the country’s gas and electricity networks have the appropriate financial resources to operate effectively and efficiently. RIIO stands for Revenues = Incentives + Innovation + Outputs.
OFGEM's RIIO-1 price controls for gas distribution and for gas and electricity transmission took effect in 2013 and are due to finish in March 2021. RIIO-2 was released in July 2020.
As part of RIIO-2, OFGEM included a set of cyber resilience guidelines. These guidelines draw closely on leading cyber security standards (the outcome identifiers used below, such as A3.a, B2.a and C1.a, follow the structure of the NCSC Cyber Assessment Framework) and are specifically targeted at the electricity and gas distribution networks.
The Verve Security Center platform is uniquely positioned to help electricity and gas network operators meet these guidelines. Verve's OT security platform brings the technical requirements of RIIO-2 together in a single, integrated platform. For operators with pre-existing tools, Verve's open API allows that data to be integrated into a single asset-management function so the guidelines can be maintained efficiently and effectively.
The sections below describe how Verve Security Center addresses each of the controls within the guidelines.
A3.a Asset Management
RIIO-2 Cyber Resilience Outcome Description for A3.a Asset Management:
1. Create and maintain a register of all assets – The register of assets should have an appropriate level of detail and format for all components that support the delivery of the essential service.
2. Prioritise assets – The assets are prioritised according to their importance for delivering the essential service.
4. Manage assets throughout their life-cycle – Appropriate policies and procedures ensure the security of assets from creation through to eventual decommissioning or disposal.
A4.a Supply Chain
RIIO-2 Cyber Resilience Outcome Description for A4.a Supply Chain:
1. Identify all third-party connections – Third-party connections and data flows to the networks and systems supporting your essential service are identified and documented.
2. Identify supply chain dependencies – Supply chain dependencies for networks and systems supporting your essential services are identified and documented.
3. Assess and manage supply chain risks – Supply chain risks are assessed and managed as part of the procurement process.
4. Include security requirements in all contracts – Security requirements and controls should be included in all contracts and managed according to policy. Cyber security requirements should be contractually defined, with a code of connection/conduct for suppliers. Special considerations should be given according to policy, including but not limited to:
Verve's data and analysis can support these procedures and inform awareness.
5. Detect, respond and manage supply chain incidents – Consider the detection, response and management of incidents in your supply chain services and systems as part of your incident management processes.
Verve's data and analysis can support these procedures and inform awareness.
6. Protect information lifecycle – Information shared with suppliers that is essential to the operation of your essential service should be appropriately protected. Information about the essential services, OT assets, remote connections and their configuration is of particular interest to any potential attacker. This information should be suitably protected across its lifecycle, wherever it is stored or processed, including when created by or in the possession of suppliers.
Verve's data and analysis can support these procedures and inform awareness.
B2.a Identity Verification, Authentication and Authorisation
RIIO-2 Cyber Resilience Outcome Description for B2.a Identity Verification, Authentication and Authorisation:
You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential service.
RIIO-2 Cyber Resilience Guidance:
1. Identify all authorised users – There should be clear documentation that captures and identifies all authorised users and their access requirements, which should align with the asset registers (A3.a refers).
2. Authenticate Authorised Users – Unless restricted by system or operational limitations, every authorised user is individually identified and authenticated.
3. Restrict logical access – Appropriate controls should be in place to ensure that only authorised users can logically connect to networks and information systems.
4. Secondary Authentication Mechanisms – Implement additional authentication mechanisms for privileged access to sensitive systems on which your essential service depends.
Verve can verify that configurations requiring MFA and other secondary authentication mechanisms are enabled on devices.
5. Remote Access – Ensure that each instance of remote user access to all your networks and information systems that support your essential service is individually authorised, authenticated and protected with secondary authentication mechanisms, as in paragraph 4.
Verve can monitor access into the network to identify anomalous connections and alert on remote connections not seen before. Verve can also support the management of remote access solutions through network device management.
6. Access Review – The list of users and systems with access to essential service networks and systems should be reviewed on a regular basis or when change occurs, e.g. a significant change in system configuration or personnel.
B2.b Device Management
RIIO-2 Cyber Resilience Outcome Description for B2.b Device Management:
You should fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential service.
RIIO-2 Cyber Resilience Guidance:
1. Manage Devices – The underpinning principle is that only devices owned and managed, or approved and authorised, by your company should be connected to the networks and systems supporting your essential service.
2. Register Devices – It should be known which devices are authorised to connect to networks and systems supporting your essential service.
This is a procedural requirement. Verve can support it by helping to ensure that only registered devices connect and by auditing the result against the register.
3. Detect Unknown Devices – It should be possible to detect unknown devices connected to networks and systems supporting your essential service and to investigate such occurrences.
4. Privileged Access Management – Privileged access, management and configuration functions on networks and systems supporting your essential service should only be performed with dedicated devices that are owned and managed by your organisation.
5. Pre-Authorisation – Third party devices and networks are identified before they are connected to networks and systems supporting your essential service.
B2.c Privileged User Management
RIIO-2 Cyber Resilience Outcome Description for B2.c Privileged User Management:
You closely manage privileged user access to networks and information systems supporting the essential service.
RIIO-2 Cyber Resilience Guidance:
1. Privileged User Access – Individuals who require privileged levels of user access will require additional validation and authentication as per B2.a.
2. User Management – The identities of the individuals, whether within your organisation or third parties, with privileged access to the networks and information systems supporting your essential service are known and managed.
Verve can provide an audit of all user accounts with privileged access, tied back to individual users. Verve can identify accounts that have been dormant for longer than a defined period and can configure devices so that those accounts are unusable until explicitly re-enabled.
B2.d Identity and Access Management
RIIO-2 Cyber Resilience Outcome Description for B2.d Identity and Access Management:
You assure good management and maintenance of identity and access control for your networks and information systems supporting the essential service.
RIIO-2 Cyber Resilience Guidance:
1. Identity Management – There is a robust process to verify the identity of each user requesting access to networks and information systems supporting your essential service.
2. User Change Management – The joiners, movers and leavers process ensures you grant only the minimum required access rights to each user.
3. User Access Review – There is a regular review of user access rights and those which are no longer required are revoked, which should be aligned to a joiner, mover, leaver process.
4. Monitor Access – The company should log and monitor all user access.
B3.a Understanding Data
RIIO-2 Cyber Resilience Outcome Description for B3.a Understanding Data:
You have a good understanding of data important to the delivery of the essential service, where it is stored, where it travels, and how unavailability or unauthorised access, modification or deletion would impact the service. This also applies to any third parties storing or accessing data important to the delivery of essential services.
RIIO-2 Cyber Resilience Guidance:
1. Identify Critical Data – Understand and maintain the location, type, quantity and quality of data important to the delivery of the essential service.
Verve's data and analysis can support these procedures and inform awareness.
2. Understand Critical Data – Understand the context, limitations and dependencies of your important data.
a) The availability, integrity, confidentiality and safety requirements of the data which is important to the operation of your essential service should be understood and documented.
Verve's data and analysis can support these procedures and inform awareness.
3. Understand Data Links – Maintain a current understanding of the data links used to transmit data that is important to your essential service.
Verve's data and analysis can support these procedures and inform awareness.
4. Identify Mobile Devices and Portable Media – Identify all mobile devices and media that may hold data important to the delivery of the essential service.
Verve's data and analysis can support these procedures and inform awareness.
5. Manage Data Holdings – Remove or minimise unnecessary copies or unneeded historic data.
Verve's data and analysis can support these procedures and inform awareness.
7. Review Lifecycles and Impact Assessments – Validate and review the impact assessments regularly.
Verve's data and analysis can support these procedures and inform awareness.
B3.b Data in Transit
RIIO-2 Cyber Resilience Outcome Description for B3.b Data in Transit:
You should protect the transit of data important to the delivery of the essential service. This includes the transfer of data to third parties.
RIIO-2 Cyber Resilience Guidance:
1. Data Transfer – Identify all conduits for data transfer.
Verve can monitor NetFlow to identify connections between devices.
2. Data Protection – Implement appropriate protection for data in transit.
3. Single Points of Failure – Identify communication paths where, due to failure, there is a significant risk of impact on the delivery of the essential services.
Verve can help identify data flows, but a procedural review is still required to judge the criticality of each flow.
4. Resilient Communications – Provide alternative communication paths where there is a significant risk of impact on the delivery of your essential services.
B3.c Stored Data
RIIO-2 Cyber Resilience Outcome Description for B3.c Stored Data:
You should protect stored data important to the delivery of the essential service.
RIIO-2 Cyber Resilience Guidance:
1. Data Policy – All copies of data important to the delivery of your essential services are necessary and approved.
Verve's data and analysis can support these procedures and inform awareness.
2. Sharing Data – Only data which is required for an intended purpose should be copied to less secure or read-only storage.
Verve's data and analysis can support these procedures and inform awareness.
3. Encryption – The cryptography in use should provide some degree of assurance in its ability to protect data at rest.
4. Backups – The company has suitable, secured backups of the data required to allow the essential services to operate or to restore the essential services within an acceptable timeframe. Please follow the B5.c Backups guidance for additional information.
B3.d Mobile Data
1. Identify Mobile Devices – It is known which mobile devices hold data important to the delivery of the essential service.
2. Mobile Data Policy – The requirements to protect data that is important to the delivery of the essential services and is stored on mobile devices are defined.
Verve's data and analysis can support these procedures and inform awareness.
3. Mobile Data Security – Data stored on mobile devices that is important to the delivery of the essential services is appropriately secured.
Verve's data and analysis can support these procedures and inform awareness.
B3.e Media Equipment Sanitisation
RIIO-2 Cyber Resilience Outcome Description for B3.e Media Equipment Sanitisation:
You should appropriately sanitise data from the service, media or equipment before disposal.
RIIO-2 Cyber Resilience Guidance:
1. Asset Inventories – All devices (including removable media, laptops and mobile devices) that store data important to the delivery of the essential services should be identified and catalogued. For additional information please refer to the A3.a Asset Management section.
2. Data Cleansing – There is a robust process to sanitise data important to the delivery of the essential services from all devices, equipment and removable media before disposal or redeployment as part of the asset management lifecycle.
Verve's data and analysis can support these procedures and inform awareness.
B4.a Secure by Design
RIIO-2 Cyber Resilience Outcome Description for B4.a Secure by Design:
You design security into the network and information systems that support the delivery of essential services. You minimise their attack surface and ensure that the delivery of the essential service is not impacted by the exploitation of any single vulnerability.
RIIO-2 Cyber Resilience Guidance:
1. Secure by Design – Appropriate expertise is employed to design secure networks and information systems supporting your essential services.
a) The design of the OT systems should specify and implement a multi-layer security architecture that is segregated into zones based upon risk and function.
b) The design should also consider supporting and ancillary systems (e.g. uninterruptible power supplies, HVAC) to ensure they are appropriately secured.
c) Appropriate network segregation and access controls (logical and physical) should be implemented to protect the OT networks and zones against malfunction, mistake and malicious activity.
d) The use of remote access to the networks and systems should be carefully designed to restrict access to the minimum required assets and data.
2. Network Segregation – The networks and information systems supporting your essential services are segregated into appropriate security zones.
3. Network Data Flows – The networks and information systems are designed to have simple data flows internally between systems and interfaces with external systems and, where possible, between devices, to enable effective monitoring.
4. Resilient Networks – The networks and information systems supporting your essential service are designed to be easy to recover.
5. Attack Mitigation – Content-based attacks are mitigated for all inputs to operational systems that affect the essential service.
B4.b Secure Configuration
RIIO-2 Cyber Resilience Outcome Description for B4.b Secure Configuration:
You securely configure the network and information systems that support the delivery of essential services.
RIIO-2 Cyber Resilience Guidance:
1. Secure Configuration – The security configuration and maintenance requirements for all assets are defined and documented.
2. Asset Management – There is a set of records for assets which need to be configured and maintained to ensure the essential service is secure.
3. Configuration Management – The security configuration(s) are applied to all assets.
4. Secure Builds – Secure builds exist for systems, networks or endpoints that need to be configured to maintain the security of the essential service.
5. Secure Configuration Management – The security configuration of assets which need to be carefully configured is actively managed.
6. Change Management – There is an effective change management process that ensures all changes to network or system configuration are secure and comply with the security configuration requirements.
7. Software Management – Only approved software should be installed on networks and information systems supporting your essential service.
8. Account Permissions – Non-privileged accounts cannot change settings which would impact security.
This can be enabled through Verve's secure configuration manager.
9. Configuration Control – The networks and information systems supporting your essential service are regularly reviewed or monitored and validated to confirm the expected configurations and secure settings are applied.
10. Automated Tools – The operation of automated decision-making technologies, including advanced control, if in use, is well understood.
Verve supports this by monitoring for unplanned changes to firmware or software.
B4.c Secure Management
RIIO-2 Cyber Resilience Outcome Description for B4.c Secure Management:
You manage your organisation’s network and information systems that support the delivery of essential services to enable and maintain security.
RIIO-2 Cyber Resilience Guidance:
1. Dedicated Management Devices – There should be dedicated devices used for the maintenance and security management of networks and information systems supporting your essential service across the estate, and these should be managed independently from corporate systems and networks.
2. Unauthorised Software Management – Effective technical, procedural and physical security measures are in place to prevent, detect and remove unauthorised software and malware on networks and information systems supporting your essential service.
3. Authorised Privileged Users – Networks and information systems supporting your essential service are only administered and maintained by authorised privileged users.
4. Maintain Technical Knowledge – Technical knowledge about networks and information systems supporting your essential service is reviewed and updated periodically.
5. Protect Technical Knowledge – Technical knowledge about networks and information systems supporting your essential service is appropriately stored and secured.
B4.d Vulnerability Management
RIIO-2 Cyber Resilience Outcome Description for B4.d Vulnerability Management:
You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service.
RIIO-2 Cyber Resilience Guidance:
1. Research Vulnerabilities – Publicly known vulnerabilities relevant to the networks and information systems supporting your essential service are monitored and analysed to understand your exposure.
2. Horizon Scanning – When the company becomes aware of a new vulnerability or threat, it is expected to be able to ascertain the associated risk within its environment within a period defined by its policy.
3. Assess Vulnerabilities – Vulnerabilities in the networks and information systems supporting your essential service are assessed, prioritised and mitigated.
4. Track Vulnerabilities – Both publicly announced and privately notified vulnerabilities in the networks and information systems supporting your essential service are tracked.
5. Temporary Mitigations – Some vulnerabilities that are not exposed outside the system boundary/security zone of the networks and information systems supporting your essential service may have temporary mitigations for an extended period.
6. Obsolete Technology – Obsolete and/or unsupported networks and information systems supporting your essential service may have temporary mitigations for vulnerabilities while pursuing migration to supported technology.
Verve can track these temporary mitigations and report separately on the vulnerabilities that are mitigated and those that are not. In addition, Verve can be used to implement many of the mitigations themselves, such as ensuring application whitelisting is in lock-down mode and that configurations are hardened.
7. Vulnerability Checks – There are regular tests or assessments undertaken to fully understand the vulnerabilities in the networks and information systems supporting your essential service.
B5.a Resilience Preparation
RIIO-2 Cyber Resilience Outcome Description for B5.a Resilience Preparation:
You should be prepared to restore your essential service following disruption.
RIIO-2 Cyber Resilience Guidance:
1. Recovery Plan – The networks and information systems and supporting technologies required to restore your essential service are known, documented and in line with company business continuity, disaster recovery and risk management processes.
2. Recovery Dependencies – The interdependencies between the networks and information systems and the supporting technologies are understood and documented.
a) The company should identify and document interdependencies:
• Between the networks and systems supporting your essential service.
• On supporting technologies.
• On upstream and downstream third-party networks and systems.
• On internal and external service and support providers.
3. Recovery Order – The sequence in which supporting technologies, networks and systems must be restored to recover the essential service is known and documented. This should be aligned with company risk, disaster recovery and business continuity processes.
a) There should be documentation identifying the order in which resources, supporting technologies and the networks and information systems supporting your essential service are needed to restore and operate your essential service.
b) Escalation triggers and paths to overcome problems during restoration should be identified and documented.
B5.b Design for Resilience
RIIO-2 Cyber Resilience Outcome Description for B5.b Design for Resilience:
You should design the network and information systems supporting your essential service to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.
RIIO-2 Cyber Resilience Guidance:
1. Design for Resilience – The networks and information systems supporting your essential services are segregated into appropriate security zones.
2. Identify Limitations – Resource limitations should be identified and, where appropriate, mitigated either technically or with compensating controls.
Verve's data and analysis can support these procedures and inform awareness.
B5.c Backups
RIIO-2 Cyber Resilience Outcome Description for B5.c Backups:
You hold accessible and secured current backups of data and information needed to recover.
RIIO-2 Cyber Resilience Guidance:
1. Backups – There are backups of all systems, software, configurations, data and other relevant information required to enable recovery of individual devices or entire networks and systems supporting your essential services.
2. Security of backups – Backups are appropriately secured and protected.
Verve's backup solution encrypts stored backups to protect the data they contain.
3. Availability of backups – Backups are accessible if an extreme event occurs.
4. Reliability of backups – Backups are routinely tested to ensure the backup process is functioning correctly and the backups are usable.
Testing the backup and restore procedure is a procedural requirement. Verve supports it through its backup solution, which makes it straightforward to test restores on an individual device or across a range of devices.
B6.a Cyber Security Culture
Verve's data and analysis can support these procedures and inform awareness.
C1.a Monitoring Coverage
RIIO-2 Cyber Resilience Outcome Description for C1.a Monitoring Coverage:
You monitor the security status of the networks and systems supporting the delivery of essential services in order to detect and respond to potential security issues and to track the ongoing effectiveness of protective security measures.
RIIO-2 Cyber Resilience Guidance:
1. Define monitoring strategy – There is a monitoring strategy which defines the objectives and requirements for monitoring, informed by an understanding of your networks and information systems supporting your essential service.
This is the procedural requirement to define logging requirements and strategy. Verve can work with customers to help define these standards and scopes.
2. Confirm scope and deploy monitoring – Monitoring data is collected from, at least, the critical networks and systems supporting your essential service.
Verve's OT SIEM includes full logging functionality. Verve gathers Windows event logs, syslog, NetFlow and device performance metrics. All of this data is centralised in the Verve SIEM for further analysis and detection of events. The SIEM applies detections mapped to the MITRE ATT&CK framework and looks for anomalous patterns of behaviour that may indicate a threat.
3. Validate successful monitoring – There is justified confidence that monitoring should detect the presence of known indicators of compromise on the networks and systems supporting your essential service.
This is a procedural requirement to test the SIEM's detection functions, for example by confirming that known indicators of compromise introduced into a test system produce the expected alerts.
4. Ensure monitoring of privileged users – Monitoring is conducted of all privileged activity for the networks and information systems supporting your essential service for suspicious or undesirable activity.
Verve monitors all user accounts for changes and for escalation of privileges.
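The account monitoring described here, and the dormant-account check under B2.c above, as an added example that is not Verve code: it reads Windows Security events (IDs 4624 and 4728/4732/4756) from constructed sample records, alerts on every addition to a privileged group, marks additions of accounts that are not on the privileged-user register, and lists registered privileged accounts with no successful logon inside the allowed window. The domain, account and host names, the event records and the register are invented for the example.

```python
"""Added example (not Verve code): flag privilege escalation and dormant
privileged accounts from Windows Security event records (B2.c, C1.a item 4)."""
from datetime import datetime, timedelta

# Constructed sample events in the shape a collector forwards from the
# Windows Security log: event ID, ISO timestamp and the message fields that
# matter here. 4624 = successful logon; 4728/4732/4756 = member added to a
# security-enabled global/local/universal group. Names are invented.
EVENTS = [
    {"id": 4624, "time": "2024-03-01T08:02:11", "user": "OT\\op.jones", "host": "HMI-01"},
    {"id": 4624, "time": "2024-03-01T08:10:42", "user": "OT\\eng.smith", "host": "EWS-02"},
    {"id": 4732, "time": "2024-03-01T09:15:03", "member": "OT\\op.jones",
     "group": "Administrators", "actor": "OT\\eng.smith", "host": "EWS-02"},
    {"id": 4624, "time": "2024-03-02T07:55:19", "user": "OT\\op.jones", "host": "HMI-01"},
    {"id": 4728, "time": "2024-03-02T10:00:00", "member": "OT\\svc.backup",
     "group": "Domain Admins", "actor": "OT\\eng.smith", "host": "DC-01"},
]

# The operator's privileged-user register (B2.c): accounts that are meant to
# hold privileged access, and the groups that grant it. Also constructed.
PRIVILEGED_ACCOUNTS = {"OT\\eng.smith", "OT\\admin.vendor", "OT\\svc.backup"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def escalation_alerts(events, privileged_groups=PRIVILEGED_GROUPS,
                      register=PRIVILEGED_ACCOUNTS):
    """Return one alert per addition to a privileged group.

    An addition of an account that is not on the register is marked
    unregistered: either the register is stale or someone has been escalated
    outside the joiner/mover process (B2.d). Both deserve investigation.
    """
    alerts = []
    for ev in events:
        if ev["id"] in GROUP_ADD_EVENTS and ev["group"] in privileged_groups:
            alerts.append({
                "time": ev["time"],
                "member": ev["member"],
                "group": ev["group"],
                "actor": ev["actor"],
                "host": ev["host"],
                "registered": ev["member"] in register,
            })
    return alerts


def dormant_privileged(events, now, max_idle_days=30, register=PRIVILEGED_ACCOUNTS):
    """Return registered privileged accounts with no successful logon in the window.

    `now` may be a datetime or an ISO-8601 string. Accounts that never appear
    in the logon events are reported too: a registered account that never
    logs on is the classic dormant vendor or service account that should be
    disabled until it is actually needed.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen = {}
    for ev in events:
        if ev["id"] == 4624:
            t = datetime.fromisoformat(ev["time"])
            if ev["user"] not in last_seen or t > last_seen[ev["user"]]:
                last_seen[ev["user"]] = t
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(acct for acct in register
                  if acct not in last_seen or last_seen[acct] < cutoff)


if __name__ == "__main__":
    for a in escalation_alerts(EVENTS):
        flag = "" if a["registered"] else " [NOT ON PRIVILEGED REGISTER]"
        print(f"{a['time']} {a['actor']} added {a['member']} to "
              f"{a['group']} on {a['host']}{flag}")
    print("dormant:", dormant_privileged(EVENTS, "2024-03-10T00:00:00"))
```

Running the block against the constructed events reports two group additions, one of them for an account the register does not know about, and two registered accounts that have never logged on. In production the same two functions would be fed from the collector's event stream and the operator's actual register, and the dormant list would drive the disable-until-re-enabled configuration mentioned under B2.c.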
5. Focus monitoring of network gateways and critical devices – Extensive monitoring is performed of network gateways and host-based monitoring for critical devices, where possible.
Verve monitors all devices, including the network gateways between networks and the conduits between zones, and can alert on traffic crossing zones where the flow has not been approved.
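Zone-crossing detection of the kind described here, together with the alerting on previously unseen remote connections under B2.a item 5, as an added example that is not Verve code: it maps constructed NetFlow-style records to security zones, reports every flow between zones that matches no approved conduit, treats any endpoint outside the modelled networks as a finding in its own right, and lists remote source addresses that are not in a previously observed baseline. The zone model, the conduit allowlist, the flow records and the baseline are invented for the example.

```python
"""Added example (not Verve code): flag NetFlow records that cross zone
boundaries without an approved conduit (C1.a item 5) and surface remote
sources not seen before (B2.a item 5)."""
import ipaddress

# Constructed zone model: each network and the security zone it belongs to.
ZONES = {
    "192.168.50.0/24": "corp-IT",
    "10.10.0.0/24": "L3.5-DMZ",
    "10.20.0.0/24": "L2-control",
    "10.30.0.0/24": "L1-field",
}

# Approved conduits from the zone/conduit design (also constructed), as
# (source zone, destination zone, destination port, protocol).
APPROVED_CONDUITS = {
    ("L2-control", "L1-field", 502, "tcp"),    # HMI/SCADA to PLC, Modbus/TCP
    ("L3.5-DMZ", "L2-control", 443, "tcp"),    # DMZ relay to the historian
    ("corp-IT", "L3.5-DMZ", 443, "tcp"),       # corporate users reach the DMZ jump host only
}

# Constructed NetFlow-like records: (src IP, dst IP, dst port, protocol, bytes).
FLOWS = [
    ("10.20.0.15", "10.30.0.7", 502, "tcp", 4200),
    ("10.10.0.5", "10.20.0.50", 443, "tcp", 91000),
    ("192.168.50.23", "10.20.0.50", 3389, "tcp", 120000),  # RDP straight from IT into control
    ("10.20.0.15", "10.20.0.16", 445, "tcp", 8000),        # stays inside one zone
    ("172.16.99.4", "10.10.0.5", 443, "tcp", 2000),        # source in no modelled network
]

_NETWORKS = [(ipaddress.ip_network(net), zone) for net, zone in ZONES.items()]


def zone_of(ip):
    """Map an IP address to its zone, or 'unknown' if it is in no modelled network."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETWORKS:
        if addr in net:
            return zone
    return "unknown"


def unapproved_cross_zone(flows, approved=APPROVED_CONDUITS):
    """Return flows that leave their zone without matching an approved conduit.

    Intra-zone traffic is left to host-based monitoring. A flow touching an
    address outside every modelled network is always reported: an unmodelled
    device talking across a conduit is itself a finding (B2.b item 3).
    """
    findings = []
    for src, dst, port, proto, nbytes in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "unknown":
            continue
        if "unknown" in (src_zone, dst_zone):
            reason = "endpoint outside modelled zones"
        elif (src_zone, dst_zone, port, proto) in approved:
            continue
        else:
            reason = "no approved conduit"
        findings.append({"src": src, "dst": dst, "src_zone": src_zone,
                         "dst_zone": dst_zone, "port": port, "proto": proto,
                         "bytes": nbytes, "reason": reason})
    return findings


def new_remote_sources(flows, baseline_sources):
    """Return source addresses outside the OT zones that are not in the baseline.

    Remote access (B2.a item 5) is expected only from previously seen,
    individually authorised sources; any other source is an anomaly to triage.
    """
    remote = {src for src, _dst, _port, _proto, _nbytes in flows
              if zone_of(src) in ("corp-IT", "unknown")}
    return sorted(remote - set(baseline_sources))


if __name__ == "__main__":
    for f in unapproved_cross_zone(FLOWS):
        print(f"{f['src']} ({f['src_zone']}) -> {f['dst']} ({f['dst_zone']}) "
              f"{f['proto']}/{f['port']}: {f['reason']}")
    print("new remote sources:", new_remote_sources(FLOWS, {"192.168.50.23"}))
```

Against the constructed records the check reports the RDP session from corporate IT directly into the control zone and the flow from an unmodelled source, while the approved Modbus and historian conduits and the intra-zone SMB traffic pass silently. The allowlist is deliberately keyed on destination port and protocol as well as zone pair, so an approved zone pair does not quietly authorise every service between those zones.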
6. Include monitoring as part of the critical asset lifecycle – All new systems are considered as potential monitoring data sources to maintain a comprehensive monitoring capability.
Verve's data and analysis can support these procedures and inform awareness.
C1.b Securing Logs
RIIO-2 Cyber Resilience Outcome Description for C1.b Securing Logs:
Logging data should be held securely and read access to it should be granted only to accounts with a business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.
RIIO-2 Cyber Resilience Guidance:
1. Authorised Access – Only authorised personnel can view logging information.
Verve has a robust security model built in, allowing access control down to the individual data element, and it can be linked directly to Active Directory groups.
2. Monitored Access – Access to logging data is monitored and backed up appropriately.
Access to the various elements of the Verve platform can be logged and monitored.
C1.c Generating Alerts
RIIO-2 Cyber Resilience Outcome Description for C1.c Generating Alerts:
Evidence of potential security incidents contained in your monitoring data should be reliably identified and should trigger security alerts.
RIIO-2 Cyber Resilience Guidance:
1. Detect and create security alerts – Alerts are generated on suspicious activity within the networks and information systems supporting your essential service.
Verve's OT SIEM detects suspicious activity and alerts on those detections. Verve can gather alerts from all devices listed where the logs are available to capture. Verve also integrates with a wide range of third-party tools, such as anti-virus, to bring their alerts into Verve as well. In addition, Verve's OT SIEM can bring in process alarm data from DCS systems.
2. Map alerts to assets in scope – Alerts should be resolved to assets in the networks and systems supporting your essential service.
All alerts are mapped back to assets in scope.
3. Review security logs and alerts at regular intervals – As defined in the monitoring strategy, security logs are reviewed regularly and, if possible, alerts should be reviewed almost continuously, in real time.
Verve aggregates the data into the SIEM in real time. Alerts can be reviewed at any time, following the review procedure the operator develops.
4. Prioritise, investigate and respond to security alerts – Security alerts relating to the networks and systems supporting your essential service should be prioritised, investigated and an appropriate action taken.
Part of this is procedural, i.e. responding to alerts in a timely fashion. Verve enables it by simplifying the prioritisation of alerts based on the criticality of the asset as well as the overall risk score of the alert.
C1.d Identifying Security Incidents
RIIO-2 Cyber Resilience Outcome Description for C1.d Identifying Security Incidents:
You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.
RIIO-2 Cyber Resilience Guidance:
1. Threat intelligence information should be selected – Threat sources are selected and reviewed from a variety of sources appropriate to the likely threats and the company's business needs.
Verve can integrate with a wide variety of threat intelligence sources, including our own threat and vulnerability information for OT systems.
2. Updates are received for all signatures – Updates for all signature-based protective technologies are received for the networks and systems supporting your essential service, within the period set by company policy.
Verve can integrate signature updates and bring them into the Verve SIEM platform.
3. All new signatures and Indicators of Compromise (IoCs) are applied within an appropriate time – Updates are implemented based on risk and according to company policy.
Verve's integrations allow new indicators to be included quickly.
4. The effectiveness of using threat intelligence should be assessed – The threat information used to identify security issues in the networks and information systems supporting your essential service is assessed.
Verve's data and analysis can support these procedures and inform awareness.
C1.e Monitoring Tools & Skills
RIIO-2 Cyber Resilience Outcome Description for C1.e Monitoring Tools & Skills:
Monitoring staff skills, tools and roles, including any that are out-sourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential services they need to protect.
RIIO-2 Cyber Resilience Guidance:
1. Determine Monitoring Coverage – The requirements for monitoring coverage, and to support and enable incident response, are defined and appropriate tools and techniques identified.
Verve provides comprehensive coverage for monitoring. This requirement is for the operator to review the appropriate monitoring coverage for their environment.
2. Establish Monitoring Team – Personnel are in place who are responsible for the analysis, investigation and reporting of monitoring alerts covering both security and system performance.
a) The monitoring personnel could be employees or third parties on premises or provided as part of a managed service.
b) Monitoring personnel should have appropriate security vetting and background checks.
3. Develop Reporting Chain – Monitoring personnel should report to an appropriate part of the organisation.
a) Monitoring personnel should report into the appropriate part of the organisation that is able to provide the necessary resources and authority to investigate security monitoring data, alerts and incidents. This could be, for example, IT, OT, Operations, Information Security and potential third parties.
Verve data and analysis can support these procedures and awareness.
4. Define Roles and Skills – Monitoring personnel have defined roles and skills/competence requirements that, together with other personnel such as operators, system administrators and third parties, are able to cover all parts of the monitoring and investigation process.
a) Appropriate roles should be defined and assigned to perform the analysis, investigation and reporting activities. b) The personnel should have appropriate training in OT and security knowledge to perform their role.
Verve data and analysis can support these procedures and awareness.
5. Operational Awareness – Monitoring personnel should be aware of essential services assets in scope and can identify and prioritise alerts or investigations that relate to them.
a) Monitoring personnel should be sufficiently aware of the essential services and the networks in scope and information systems supporting them to effectively identify, prioritise and investigate alerts, engaging other personnel or third parties where necessary.
Verve data and analysis can support these procedures and awareness.
6. Document Processes – Monitoring personnel follow documented processes, procedures and workflows for the analysis, investigation and reporting of monitoring alerts.
a) Standard workflows and playbooks should be defined and documented to cover the analysis, investigation and reporting activities (internal and external). b) A workflow should exist to ensure that reportable regulatory events can be identified and reported to the Competent Authority (CA) within 72 hours of becoming aware of the incident.
Verve data and analysis can support these procedures and awareness.
7. Freedom to Investigate – Monitoring personnel are empowered to look beyond the fixed process to investigate and understand non-standard threats.
a) This could be achieved by developing their own investigative techniques and making new use of data in order to continually enhance monitoring capabilities. b) As incidents may vary, and adversaries may employ novel techniques that are difficult to detect, personnel conducting monitoring investigations should be permitted to conduct their own investigations which go beyond the documented workflows and playbooks where appropriate.
References and Further Guidance:
- ISO/IEC 27019 – Section 12.4 Logging and monitoring
Verve data and analysis can support these procedures and awareness.
C2.a System Abnormalities for Attack Detection
RIIO-2 Cyber Resilience Outcome Description for C2.a System Abnormalities for Attack Detection:
You should define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.
RIIO-2 Cyber Resilience Guidance:
1. Understanding Normal Behaviour – There should be a good understanding of normal behaviour of the critical networks and systems supporting your essential service to permit effective detection of abnormal behaviour which may indicate malicious activity.
Verve has robust anomaly detection functionality built in. This allows us to develop baseline behavior across a range of different dimensions and analyze this behavior to identify potentially risky anomalies from the baseline. Verve’s ability to baseline includes network connections, users, software and process changes, services that are running, volumes of activity, various device performance metrics, etc.
2. Develop Abnormality Descriptions – System abnormality descriptions should be developed from past attacks, threat intelligence and consideration of the nature of likely attacks on your networks and information systems supporting your essential service.
Verve can leverage a wide range of abnormal behaviors from various threat feeds to build our indicators of compromise.
3. Identify and Investigate Abnormal Behaviour – The system abnormality descriptions should be used to identify potential malicious activity on your networks and information systems supporting your essential service.
Verve can leverage a wide range of abnormal behaviors from various threat feeds to build our indicators of compromise.
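As an added illustration of the baseline-then-deviation approach described for C2.a (example code written for this page, not Verve Security Center code), the Python below learns a per-asset baseline of network connections, running services, installed software and hourly activity volume from constructed sample data, then flags an observation that departs from it. The asset name, addresses, severity weighting and z-score threshold are all assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline for one asset: sets observed during a learning period
# plus hourly event counts that model normal activity volume (sample data only).
BASELINE = {
    "hmi-01": {
        "connections": {"10.0.1.5:502", "10.0.1.6:502", "10.0.2.10:443"},
        "services": {"hmi-runtime", "opc-server", "sshd"},
        "software": {"scada-hmi 4.2", "openssh 8.9"},
        "volume": [120, 135, 128, 140, 131, 125, 138, 129],
    },
}
# Severity for an item seen for the first time (assumed weighting: a new
# connection or service on an OT host matters more than new software).
NEW_ITEM_SEVERITY = {"connections": "high", "services": "high", "software": "medium"}


def check_asset(asset, observed, baseline=BASELINE, z_threshold=3.0):
    """Compare one observation ({"connections": set, "services": set,
    "software": set, "volume": int}) with the asset's baseline and return a
    list of (dimension, severity, detail) findings; empty means no deviation."""
    base = baseline[asset]
    findings = []
    for dim in ("connections", "services", "software"):
        seen = set(observed.get(dim, ()))
        for item in sorted(seen - base[dim]):   # never seen during learning
            findings.append((dim, NEW_ITEM_SEVERITY[dim], f"new: {item}"))
        for item in sorted(base[dim] - seen):   # expected but now absent
            findings.append((dim, "low", f"missing: {item}"))
    # Activity volume: z-score of this hour's count against the learning period.
    mu, sigma = mean(base["volume"]), pstdev(base["volume"])
    count = observed.get("volume", 0)
    z = (count - mu) / sigma if sigma else 0.0
    if abs(z) > z_threshold:
        findings.append(("volume", "medium",
                         f"{count} events is {z:+.1f} sd from baseline mean {mu:.0f}"))
    return findings


if __name__ == "__main__":
    # Constructed observation: one unknown connection plus a burst of events.
    sample = dict(BASELINE["hmi-01"], volume=410,
                  connections=BASELINE["hmi-01"]["connections"] | {"203.0.113.9:8443"})
    for dim, sev, detail in check_asset("hmi-01", sample):
        print(f"[{sev}] {dim}: {detail}")
```

The findings list is what would feed the alert prioritisation described under C2.b; a missing expected service is reported at low severity so it is not lost but does not drown out new connections.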
C2.b Proactive Attack Discovery
RIIO-2 Cyber Resilience Outcome Description for C2.b Proactive Attack Discovery:
You should use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.
RIIO-2 Cyber Resilience Guidance:
1. Exception Monitoring – The critical networks and systems supporting your essential service are routinely monitored and searched for abnormalities indicative of malicious activities.
Verve has a wide range of detections for standard security discovery. This includes coverage for the MITRE ATT&CK framework as well as a range of other security detections Verve has built over time for industrial control systems. Verve can be used for threat hunting by developing potential threat scenarios and reviewing patterns of behavior to identify potential risks.
2. Alert Generation – Alerts are generated when abnormalities are detected, and these are addressed through the security alert and incident response investigation processes.
Verve has a comprehensive alerting capability to develop prioritized alerts on various levels of security risk.
D1.a Response Plan
Verve data and analysis can support these procedures and awareness.
D1.b Response and Recovery
RIIO-2 Cyber Resilience Outcome Description for D1.b Response and Recovery Capability:
You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions.
RIIO-2 Cyber Resilience Guidance:
1. Identify Response Team Members – The members of the incident response team and supporting resources are identified and will be made available, if required.
a) All appropriate roles and resources (e.g. office space, communications) are identified within the incident response plans. This may consist of a core team, which could be extended with other appropriate internal and/or external personnel. b) The core team should include personnel familiar with the operation and management of the essential services and the networks and information systems supporting your essential service. c) The incident response team leader should have an associated manual of authority, in order to make and take decisions. d) The incident response team roles and responsibilities should be formalised (e.g. by inclusion in job descriptions) to ensure personnel are made available when required.
Verve data and analysis can support these procedures and awareness.
2. External Support Arrangements – There are arrangements in place to augment your incident response capability with external support, if required.
a) The incident response plans should identify potential external support to respond to an incident. The external support may include, but is not limited to:
- National Technical Authority;
- Specialist cyber security incident response and digital forensics providers;
- Law enforcement.
b) Where external support is deemed to be required, clear terms of engagement should be drafted in order to give preference to contending priorities such as maintaining chain of custody or restoration of services.
c) Special arrangements should be pre-agreed with vendors such as OEMs, in order to gain commitment during times of incident response, irrespective of whether there are multiple external entities affected.
d) Where external support may be required, the company should ensure appropriate contractual arrangements are in place.
e) The processes to activate augmentation of the incident response capability should be defined and documented, including both during normal working hours and out-of-hours contact arrangements.
Verve data and analysis can support these procedures and awareness.
3. Documented Triage Process – Those identifying a potential incident and those performing triage for an incident are following a documented and established procedure.
a) There should be a defined and documented procedure to enable first responders to triage events. The procedure could include, but not be limited to:
- Decision trees;
- Criteria;
- Incident severity classification;
- Escalation procedure if additional expertise is required to triage the event.
Verve data and analysis can support these procedures and awareness.
4. Response Team Skills – The response team members have the skills, knowledge and authority required to respond appropriately, to limit the impact on your essential service.
a) The company should ensure that all response team members have the appropriate knowledge and skills to perform their incident response roles. This may require training to develop specialist skills required for incident response, as well as incident response exercises and rehearsals. b) The company should give the incident response team the authority needed to respond in an appropriate and timely manner to incidents.
Verve data and analysis can support these procedures and awareness.
5. Incident Response Information – The information required to enable informed response decisions is known and can be made available to the incident response team.
a) To ensure that response decisions can be made, the appropriate information should be made available to the incident response teams, which may include, but is not limited to:
- Incident response plan and supporting procedures;
- Playbooks and workflows;
- Monitoring and alert information;
- System information and network diagrams;
- Asset register with a list of critical sites and systems;
- Escalation path and authorisation requirements;
- Supporting tools;
- External contact information;
- Communication plans;
- Criteria to close out incidents.
Verve data and analysis can support these procedures and awareness.
6. Alternative Operating Mechanisms – Alternative operating mechanisms are available to allow continued delivery, possibly at a reduced level, of your essential service where primary systems are not available.
a) Where the delivery of the essential service is impacted and where deemed appropriate, the organisation should establish alternative operating mechanisms which can be readily activated to enable continued delivery of the service.
b) Alternative operating mechanisms may require delivery at a reduced level and/or the use of alternative service providers.
c) Where the delivery of the essential service has not been impacted, in order to reduce the attack surface and likelihood of compromise, the organisation may choose to limit connectivity and/or information exchange using ancillary mechanisms to and from the OT environment.
References and Further Guidance:
- NIST SP 800-53 Rev. 4 Appendix D: CA-2 Security Assessments, CA-7 Continuous Monitoring, PM-14 Testing, Training, and Monitoring, IR-4 Incident handling, IR-5 Incident Monitoring, IR-8 Incident Response Plan, CP-2 Contingency Plan, CP-3 Contingency Training, IR-3 Incident Response Testing, PE-6 Monitoring Physical Access, RA-5 Vulnerability Scanning, SI-4 Information System Monitoring
- ISA 62443-2-1:2009 Sections 4.4.3.1, 4.2.3.10, 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
- ISO/IEC 27001:2013 Sections A.6.1.1, A.16.1.1, A.16.1.2
Verve data and analysis can support these procedures and awareness.
D1.c Testing and Exercising
Verve data and analysis can support these procedures and awareness.
D2.a Incident Root Cause Analysis
RIIO-2 Cyber Resilience Outcome Description for D2.a Incident Root Cause Analysis:
Your organisation should identify the root causes of incidents you experience, wherever possible.
RIIO-2 Cyber Resilience Guidance:
1. Develop policies – The company should have a policy for investigating the root cause of incidents.
Verve data and analysis can support these procedures and awareness.
2. Regularly perform root cause analysis – Root cause analysis should be routinely conducted following an incident as part of the incident investigation and response process.
a) The purpose of the analysis should be clear to all stakeholders and scoped just enough to balance lessons learned against not hindering restoration of services. b) Where required by law enforcement entities, evidence should be kept in a state where chain of custody is maintained. c) Forensic analysis should be compared against last known good states. d) The company should consider whether the team conducting incident root cause analysis should be independent. e) The company should have call-off contracts with external specialists to lead or augment the root cause analysis team. f) OEMs should be involved throughout the process to assist and direct the process where required.
Verve data and analysis can support these procedures and awareness.
3. All available relevant data should be made available to the team carrying out the root cause analysis.
a) This should include, but not be limited to:
- Incident response plan and supporting procedures;
- Restoration prioritisation;
- Logs, monitoring and alert information;
- System information and network diagrams;
- Asset register with a list of critical sites and systems;
- Forensic information e.g. device images, memory dumps, packet captures;
- Incident handling logs and records;
- Physical and logical access records.
b) The root cause analysis team will likely require specialist investigation technologies, techniques and processes to help with the investigation. These should have minimal linkages and connections with company systems until such time as they are required. These are privileged technologies that should not be accessible by others outside of the analysis team. c) The root cause analysis process should ensure a comprehensive analysis.
Verve data and analysis can support these procedures and awareness.
4. Issue root cause analysis reports – For each incident analysed, a report should be issued to appropriate stakeholders and authorities detailing the findings and recommendations. Where appropriate, an annual report should be produced summarising trends and making further recommendations if appropriate.
References and Further Guidance:
- OG86 – Appendix 2 D1 Response and Recovery Planning
- ISO27002 – Section 17.1.3
Verve data and analysis can support these procedures and awareness.