B5. Resilient networks and systems

Created:  28 Jan 2018
Updated:  31 Oct 2018

Principle

The organisation builds resilience against cyber attack into the design, implementation, operation and management of systems that support the delivery of essential services. 

Description

The services delivered by an organisation should be resilient to cyber attack. Building upon B4 (the technical protection of systems), organisations should ensure not only that technology is well built and maintained, but also that consideration is given to how delivery of the essential service can continue in the event of technology failure or compromise. In addition to technical means, this might include additional contingency capability, such as manual processes, to ensure services can continue.

Organisations should ensure that systems are well maintained and administered throughout their life. The devices and interfaces used for administration are frequently targeted, so they should be well protected. Spear phishing remains a common method of compromising accounts with privileged access. Preventing the use of these accounts for routine activities such as email and web browsing significantly limits an attacker's ability to compromise them.

Guidance

Preparation

It's important to be prepared to respond to significant disruption by having business continuity and disaster recovery planning in place. This should include a definition of your most critical resources and an understanding of the order of actions needed to restore service. Test that these plans work, for example through manually triggering failover testing, carrying out table-top scenario walk-throughs or red-teaming.

You should be ready to adjust the security measures in place in response to changes in risk. For example, if threat intelligence indicates an increased likelihood of your organisation or sector being targeted, you may decide to isolate operational networks until the threat has decreased. Alternatively, in the event of public disclosure of an unpatched vulnerability in equipment that you use, with reported use of exploits targeting the vulnerability, you may respond by elevating your protective monitoring, changing your configuration to avoid being susceptible, or taking other mitigating action in the period until a patch is made available and can be deployed.

Maintenance and repair

You should reduce the likelihood of failure or attack by taking all reasonable measures to maintain networks, information systems and necessary technologies in good working order. Exceptions should be appropriately managed.

Segregation

In the event of an incident, an essential service is more likely to be able to continue where the networks and information systems that support it are segregated from other business and external systems. Separating system architecture, remote access and privileged access are key principles that can protect more critical systems from external disruption.

Some essential service sectors may apply the industrial automation and control system security standard IEC 62443, which applies a reference model that separates systems into different logical layers. The standard's architecture model segregates equipment into security zones.
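As an added illustration of the zone-based segregation described above (example code written for this page, not from the NCSC or from IEC 62443 itself), the following models a simplified zone-and-conduit policy and checks proposed traffic flows against it. The zone names, criticality tiers and the "no tier skipping" review rule are assumptions made for the example.

```python
from dataclasses import dataclass
# Constructed, simplified model of the IEC 62443 zone-and-conduit idea: equipment
# is grouped into zones of similar criticality and traffic may only cross zone
# boundaries over explicitly defined conduits. Tier numbers are an assumption.
@dataclass(frozen=True)
class Zone:
    name: str
    level: int  # assumed criticality tier: 0 = enterprise IT ... 3 = control
@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    protocols: frozenset

class SegregationPolicy:
    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self.conduits = {(c.src, c.dst): c for c in conduits}

    def check_flow(self, src, dst, protocol):
        """Return (allowed, reason) for one proposed flow between two zones."""
        if src == dst:
            return True, "intra-zone traffic"
        conduit = self.conduits.get((src, dst))
        if conduit is None:
            return False, f"no conduit defined {src}->{dst}"
        if protocol not in conduit.protocols:
            return False, f"{protocol} not permitted on conduit {src}->{dst}"
        return True, "permitted by conduit"

    def level_skips(self):
        """Conduits that jump more than one tier, e.g. enterprise straight to
        control without passing a DMZ (assumed review rule, not in the standard)."""
        return [c for c in self.conduits.values()
                if abs(self.zones[c.src].level - self.zones[c.dst].level) > 1]

    def denied(self, flows):
        """Filter a list of (src, dst, protocol) flows to those the policy rejects."""
        return [(s, d, p, self.check_flow(s, d, p)[1])
                for s, d, p in flows if not self.check_flow(s, d, p)[0]]

# Constructed sample architecture: enterprise -> dmz -> supervisory -> control
ZONES = [Zone("enterprise", 0), Zone("dmz", 1), Zone("supervisory", 2), Zone("control", 3)]
CONDUITS = [
    Conduit("enterprise", "dmz", frozenset({"https"})),
    Conduit("dmz", "supervisory", frozenset({"opc-ua"})),
    Conduit("supervisory", "control", frozenset({"modbus"})),
    Conduit("enterprise", "control", frozenset({"rdp"})),  # misconfiguration to be flagged
]
POLICY = SegregationPolicy(ZONES, CONDUITS)
```

Running `POLICY.denied(...)` over a firewall rule export or a flow capture, and `POLICY.level_skips()` over the conduit list, gives a repeatable check that the segregation documented in the architecture is what is actually configured.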

Capacity

Limitations of networks and information systems, or external services or resources, such as network bandwidth, processing capability, or data storage capacity, should be understood and managed with suitable mitigations to avoid disruption through resource overload.

Diversity and dependencies

Make appropriate use of diverse technologies, geographic locations and so on, to provide resilience. You should understand and manage external or lower-priority dependencies to ensure that alternative means are suitable for continuation of the essential service.

Working backups

In the event of disruption, you should be able to revert to backups of hardware and data that are known to be functioning and accessible. Operators should maintain secured offline, and potentially off-site, backups of the operational data, equipment configurations, gold builds and anything else needed to recover from an extreme event.

Suitable alternative backups may include paper-based information and manual processes. Other essential backups may include personnel with appropriate knowledge and access to up-to-date documentation. Consider how to make it easy to recover following an incident or compromise.

Physical Resilience (Advice supplied by DCMS)

Your organisation should have adequate policies and measures to ensure the physical and environmental security of network and information systems. This can be achieved through measures such as physical access controls, alarm systems, environmental controls and automated fire suppression systems.

When planning physical upgrades of equipment or software, your organisation should take steps to avoid unnecessary or unplanned interruptions to your essential service.

Your organisation should also ensure that it has adequate policies to protect supporting utilities such as electricity, fuel, heating, ventilation and air conditioning. This can be achieved by having alternative sources such as back-up generators or uninterruptible power supplies, active temperature monitoring, redundant cooling systems and similar measures.

References

NCSC Denial of Service (DoS) guidance

IEC TS 62443-1-1

IEC 62443-2-1

HMG Emergency preparedness

HMG Emergency Response and Recovery: Non statutory guidance accompanying the Civil Contingencies Act 2004

The Business Continuity Institute has some freely available introductory business continuity guidance and members can access more detailed resources

ISO/IEC 27001 A.11

CCS: 5,17 Physical Security

ENISA Technical Guidelines for Digital Service Providers: SO8, SO9
