The organisation builds resilience against cyber-attack and system failure into the design, implementation, operation and management of systems that support the delivery of essential services.
The services delivered by an organisation should be resilient to cyber-attack. Building upon B.4 (the technical protection of systems), organisations should ensure that not only is technology well built and maintained, but consideration is also given to how delivery of the essential service can continue in the event of technology failure or compromise. In addition to technical means, this might include additional contingency capability such as manual processes to ensure services can continue.
Organisations should ensure that systems are well maintained and administered throughout their lifetime. The devices and interfaces used for administration are frequently targeted, so they should be well protected. Spear phishing remains a common method of compromising management accounts. Preventing the use of management accounts for routine activities such as email and web browsing significantly limits an attacker's ability to compromise those accounts.
It is important to be prepared to respond to significant disruption; business continuity and disaster recovery planning are essential for this. Plans should define the most critical resources and set out the order in which dependencies must be restored. Test that these plans actually work, for example through manual failover, table-top scenario walk-throughs or red-teaming. You should be ready to adjust security levels or priorities in response to an identified or assumed serious incident, or to a change in security risks.
Maintenance and repair
You should reduce the likelihood of failure or attack by taking all reasonable measures to maintain networks, information systems and necessary technologies in good working order. Exceptions should be appropriately managed.
In the event of an incident, an essential service is more likely to be able to continue where the networks and information systems that support it are segregated from other business and external systems. Separating system architecture, remote access and privileged access is a key principle that can protect more critical systems from external disruption.
Some essential service sectors may apply the industrial automation and control system security standard IEC 62443, which defines a reference model that separates systems into distinct logical layers. The standard's architecture model segregates equipment into security zones.
Limitations of networks and information systems, or external services or resources, such as network bandwidth, processing capability, or data storage capacity, should be understood and managed with suitable mitigations to avoid disruption through resource overload.
Diversity and dependencies
Make appropriate use of diverse technologies, geographic locations and similar measures to provide resilience. You should understand and manage external or lower-priority dependencies, so that alternative means are suitable for continuing the essential service.
In the event of a disruptive event, you should be able to revert to backups of hardware and data that are known to be functioning and accessible. Operators should maintain secured offline, potentially off-site, backups of the operational data, equipment configurations, gold builds, etc. needed to recover from an extreme event.
Suitable alternative backups may include paper-based information and manual processes. Other essential backups may include personnel with appropriate knowledge and access to up-to-date documentation. Consider how to make it easy to recover following an incident or compromise.
BS ISO/IEC 27002:2013 section 17
PD ISO/IEC TR 27019:2013 section 14
BS IEC 62443-2-1:2011 section 4.3.2