The U.K.'s enhanced Cyber Assessment Framework is designed to help critical infrastructure organizations comprehensively assess and improve their ability to defend against, and respond to, cyberattacks.

UK Critical Infrastructure Sectors Brace for Enhanced Cyber Assessment Framework

George V. Hulme
Mar 25, 2024

The risks and attacks on critical infrastructure systems are rising around the world. Last month, the U.K.’s National Cyber Security Centre (NCSC), partnering with agencies within the U.S., Australia, Canada, and New Zealand, detailed how threat actors exploit tools and processes that are native to computer systems in critical infrastructure to gain persistent access and to avoid detection within these systems. 

“This kind of tradecraft, known as ‘living off the land,’ allows attackers to operate discreetly, with malicious activity blending in with legitimate system and network behavior, making it difficult to differentiate—even by organizations with more mature security postures,” the NCSC said in a public advisory.

With such threats against critical infrastructure rising, the NCSC recently announced the creation of an enhanced Cyber Assessment Framework (eCAF) for organizations within critical infrastructure industries. The eCAF is designed to help these organizations comprehensively assess and improve their ability to defend against, and respond to, cyberattacks.

Since leaving the E.U., the U.K. is not directly implementing the E.U.'s Network and Information Security 2 Directive (NIS2); instead, the U.K.'s eCAF efforts are intended to bring the security of its critical infrastructure in line with the E.U.

The eCAF is in addition to the previous Cyber Assessment Framework (CAF) and is more demanding than the initial framework, requiring strict compliance with security best practices. According to the NCSC, when met, eCAF's requirements will make organizations within the energy, transportation, water distribution, healthcare, and digital infrastructure sectors more resilient to "moderate capability attacks."

eCAF Mandatory Compliance a Quick Turnaround for OT

Compliance with eCAF is currently voluntary but will become mandatory in March 2028. 

That 2028 date may seem distant, but experts such as Jonathan Sword, director at Warwick, England-based cybersecurity services firm Agility Cyber, say it’s not that far out considering the work ahead. 


"There is a sizable amount of work to be done to meet the targets," says Sword. He said that within this timeframe organizations will need to conduct a gap analysis between where they stand today and what they must do to become eCAF compliant. They must also plan how they will meet the necessary objectives and how they will implement the required changes.

"In the case of OT networks, changes can be glacial in speed," adds Sword. "While four years seems like a long time, in OT environments which run for multiple decades, it is quite a fast-paced change."

The CAF requirements are structured around four overall security objectives:

  • Managing security risk
  • Protecting against cyberattacks
  • Detecting cyber security events
  • Minimizing the impact of cyber security incidents

Those four objectives are broken down into 14 additional cybersecurity targets or objectives, such as identity and access control, data security, security monitoring, and response. 

The enhanced CAF profile is intended to ensure that organizations can independently detect and respond to cyber threats more effectively and earlier in the attack lifecycle. The development of the enhanced profile was informed by modeling the most likely and most impactful attacks on government organizations against the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.

Covered organizations will have to map their current security posture against capabilities necessary to meet eCAF compliance. 

Aiming a Critical Eye Toward eCAF 

While eCAF aims to enhance cybersecurity resilience, others contend the regulations may create an undue burden on organizations without actually improving security. 

“Governments do have a growing feeling that doing something is better than doing nothing, but there are a few things here that warrant some additional questions,” Wim Remes, operations manager at security services firm Spotit, contends.

Remes says many of the requirements translate back to product and technology procurement, which risks increasing an organization’s attack surface and may not deliver additional security. He also argues that eCAF’s principles align with an older way of doing things. “Holding on to old paradigms locks the companies in and doesn’t increase resilience —your desired outcome for a defensible infrastructure,” Remes says.


For instance, Remes notes that the framework focuses on security monitoring rather than observability. Observability is about collecting data from systems and analyzing that data for patterns, whereas monitoring collects data in line with predefined alerting and reporting requirements.

“Secure-by-design and secure configuration should have the priority here. They change how you look at your infrastructure and train your organization to think threat and resilience first,” Remes says.

Regardless, eCAF compliance will soon be required, and organizations will face challenges. This is especially so in OT/ICS environments due to their reliance on legacy systems and a lack of understanding of how the entire OT/ICS environment functions. 

“Specific areas such as the cyber security posture of an OT device can be a new challenge for companies in the industry as historically the devices were bought, deployed, and left alone if they continued working. This is at odds with [enhanced] CAF, which states the device’s cyber security should be considered throughout its lifecycle, including decommissioning,” says Sword.

Sword emphasizes another challenge will be security monitoring. 

“The act of opening up the visibility of the OT environment to a security monitoring operation is often encountered with severe pushback,” he says. “There is still a strong divide between IT and OT solutions, with the knowledge gap being tangible. There’s a hurdle to overcome in meeting the independent assurance requirements, as many security testing organizations simply don’t have the experience of working in OT/ICS environments, which translates into a lack of assurance at best and operational problems at worst,” Sword says. 

The challenges are high, yet hopefully, critical infrastructure firms grow more resilient through the compliance process. 

In an upcoming post on eCAF compliance, we will share expert advice on best meeting the challenges ahead.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
