The organisation builds resilience against cyber attack into the design, implementation, operation and management of systems that support the delivery of essential services.
The services delivered by an organisation should be resilient to cyber attack. Building upon B.4 (the technical protection of systems), organisations should ensure that not only is technology well built and maintained, but consideration is also given to how delivery of the essential service can continue in the event of technology failure or compromise. In addition to technical means, this might include additional contingency capability such as manual processes to ensure services can continue.
Organisations should ensure that systems are well maintained and administered throughout their life. The devices and interfaces used for administration are frequently targeted, so they should be well protected. Spear phishing remains a common method used to compromise accounts with privileged access. Preventing the use of these accounts for routine activities such as email and web browsing significantly limits an attacker's ability to compromise them.
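As an added illustration (not part of the NCSC guidance) of how the two controls above can be checked rather than just stated, the script below runs over a constructed activity log and flags privileged accounts used for email or web browsing, and administrative sessions that did not originate from a designated administration device; the account names, host names and log format are assumptions.

```python
"""Hygiene check for privileged accounts and administration devices.
Added example; all account names, host names and log lines are constructed."""
from dataclasses import dataclass

PRIVILEGED_ACCOUNTS = {"adm-jsmith", "svc-backup"}   # constructed admin/service accounts
ADMIN_WORKSTATIONS = {"paw-01", "paw-02"}            # constructed dedicated admin devices
ROUTINE_ACTIVITIES = {"web", "email"}                # activities privileged accounts must not do
ADMIN_ACTIVITIES = {"ssh", "rdp", "hmi-console"}     # activities allowed only from admin devices


@dataclass(frozen=True)
class Finding:
    line_no: int
    account: str
    reason: str


def parse_line(line):
    """Assumed log format: ISO-time, account, source-host, activity, target."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 5:
        return None  # skip malformed lines instead of aborting on noisy input
    ts, account, src, activity, target = fields
    return {"ts": ts, "account": account, "src": src, "activity": activity, "target": target}


def check_privileged_hygiene(lines):
    """Return one Finding per policy breach found in the log lines."""
    findings = []
    for n, raw in enumerate(lines, 1):
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["account"] in PRIVILEGED_ACCOUNTS and ev["activity"] in ROUTINE_ACTIVITIES:
            findings.append(Finding(n, ev["account"],
                f"privileged account used for routine {ev['activity']} to {ev['target']}"))
        if ev["activity"] in ADMIN_ACTIVITIES and ev["src"] not in ADMIN_WORKSTATIONS:
            findings.append(Finding(n, ev["account"],
                f"{ev['activity']} to {ev['target']} from non-admin device {ev['src']}"))
    return findings


SAMPLE_LOG = [  # constructed sample
    "2024-05-01T08:01:00Z, adm-jsmith, paw-01, ssh, plc-gateway-1",
    "2024-05-01T08:05:00Z, adm-jsmith, laptop-17, web, news.example",
    "2024-05-01T08:06:00Z, jsmith, laptop-17, email, mail.example",
    "2024-05-01T09:10:00Z, svc-backup, laptop-17, rdp, historian-2",
    "garbage line",
]

if __name__ == "__main__":
    for f in check_privileged_hygiene(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.account}: {f.reason}")
```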
It's important to be prepared to respond to significant disruption by having business continuity and disaster recovery planning in place. This should include a definition of your most critical resources and an understanding of the order of actions needed to restore service. Test that these plans work, for example through manually triggering failover testing, carrying out table-top scenario walk-throughs or red-teaming.

You should be ready to adjust the security measures in place in response to changes in risk. For example, if threat intelligence indicates an increased likelihood of your organisation or sector being targeted, you may decide to isolate operational networks until the threat has decreased. Alternatively, in the event of public disclosure of an unpatched vulnerability in equipment that you use, with reported use of exploits targeting the vulnerability, you may respond by elevating your protective monitoring, changing your configuration to avoid being susceptible, or taking other mitigating action in the period until a patch is made available and can be deployed.
Maintenance and repair
You should reduce the likelihood of failure or attack by taking all reasonable measures to maintain networks, information systems and necessary technologies in good working order. Exceptions should be appropriately managed.
In the event of an incident, an essential service is more likely to be able to continue where the networks and information systems that support it are segregated from other business and external systems. Separating system architecture, remote access and privileged access are key principles that can protect more critical systems from external disruption.
Some essential service sectors may apply the industrial automation and control system security standard IEC 62443, which applies a reference model that separates systems into different logical layers. The standard's architecture model segregates equipment into security zones.
Limits of networks, information systems and external services or resources (such as network bandwidth, processing capability or data storage capacity) should be understood and managed, with suitable mitigations in place to avoid disruption through resource overload.
Diversity and dependencies
Make appropriate use of diverse technologies, geographic locations and so on, to provide resilience. You should understand and manage external or lower-priority dependencies to ensure that alternative means are suitable for continuation of the essential service.
In the event of a disruptive event, you should be able to revert to backups of hardware and data that are known to be functioning and accessible. Operators should maintain secured offline, potentially off-site, backups of the operational data, equipment configurations, gold builds, etc. needed to recover from an extreme event.
Suitable alternative backups may include paper-based information and manual processes. Other essential backups may include personnel with appropriate knowledge and access to up-to-date documentation. Consider how to make it easy to recover following an incident or compromise.
Physical Resilience (Advice supplied by DCMS)
Your organisation should have adequate policies and measures to ensure the physical and environmental security of network and information systems. This can be achieved through measures such as physical access controls, alarm systems, environmental controls and automated fire systems.
When planning physical upgrades of equipment or software, your organisation should take steps to avoid unnecessary or unplanned interruptions to your essential service.
Your organisation should also ensure that it has adequate policies to protect supporting utilities such as electricity, fuel, heating, ventilation and air conditioning. This can be achieved by having alternative sources such as back-up generators or uninterruptible power supplies, active temperature monitoring and redundant cooling systems.
Further reading
NCSC Denial of Service (DoS) guidance
IEC TS 62443-1-1
HMG Emergency preparedness
HMG Emergency Response and Recovery: Non-statutory guidance accompanying the Civil Contingencies Act 2004
The Business Continuity Institute has some freely available introductory business continuity guidance, and members can access more detailed resources.
CCS: 5,17 Physical Security
ENISA Technical Guidelines for Digital Service Providers: SO8, SO9