News

Four updates to Cyber Assessment Framework focus on AI cyber risks, improved detection, software development

The National Cyber Security Centre has shared four updates to the Cyber Assessment Framework (CAF), covering attacker methods and motivations, software maintenance, improved detection of cyber threats, and improved coverage of AI-related cyber risks.

These changes are necessary in order to “close the widening gap between the escalated cyber threats to critical services, and our collective ability to defend against them”, the NCSC says, encouraging system owners to adopt the latest version (4.0) to support organisational cyber security and resilience.

A new section has been added to the framework, designed to improve understanding of attacker methods and motivations and to inform better cyber risk decisions. Understanding the steps a threat actor may take to compromise essential systems means organisations can implement effective security measures, it states, setting out measures of success including a detailed understanding of the methods and techniques available to well-resourced threat actors and how they might be used against systems.

The requirement that software used in essential services is developed and maintained securely has been expanded, with “achieved” status granted to systems whose suppliers use an established secure software development framework, who consider the security of environments such as development and production to be “appropriate and proportionate within the context of capable and well-resourced threat actors”, and where the software development lifecycle is informed by an up-to-date understanding of threats.

Also added are updates on security monitoring and threat hunting for improved detection, and improved coverage of AI-related cyber risks throughout the framework. Future iterations are said to help ensure CAF keeps pace with regulatory proposals in the upcoming Cyber Security and Resilience Bill.

Wider trend: NHS cyber security

In a recent panel discussion, we were joined by experts from across the health and care sector to explore different approaches to cyber security and how to overcome the main challenges involved with making healthcare organisations more secure. We also looked at practical steps that can be taken to help with staff awareness and training, along with short-term priorities and what the future might look like. As part of the discussion, we were joined by Keltie Jamieson, the CIO at Bermuda Hospitals Board; Nasser Arif, cyber security manager at London Northwest Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; and Ryan Pullen, director of Stripe OLT Consulting.

The government has published its Cyber Growth Action Plan, aiming to support innovation across the cyber sector and outlining up to £16 million in funding to help commercialise cyber research. As part of this, the University of Bristol and Imperial College London’s Centre for Sectoral Economic Performance will be tasked with exploring the UK’s cyber sector and offering a roadmap for future growth, with the government noting that “this will culminate with a set of recommendations later this summer”.

NHS England has awarded a contract to digital engineering and cloud transformation partner Mastek and cyber security consultancy Templar Executives to provide NHS boards and executives with Senior Information Risk Owner cyber security training. According to Mastek, the training will “build resilience across the healthcare system” while also helping to improve understanding of the cyber security landscape and making sure board members know what their responsibilities are in regard to governance, leadership and compliance.