The UK's National Cyber Security Centre (NCSC) has launched an updated version of the Cyber Assessment Framework (CAF). The previous version was published in April 2024. According to the NCSC, adoption of the CAF has continued to spread: it is now used by nearly all UK cyber regulators and by GovAssure, the cyber security assurance scheme for assessing the UK's critical national infrastructure (CNI). At the same time, the NCSC adds, the cyber threat to the UK's CNI has continued to increase.
New sections cover how to build a deeper understanding of attacker methods and motivations to inform better cyber risk decisions, and how to ensure that software used in essential services is developed and maintained securely. The new version also updates the section on security monitoring and threat hunting to improve the detection of cyber threats, and offers more coverage of AI-related cyber risks. For a blog post about the updates, visit the NCSC website: https://www.ncsc.gov.uk/blog-post/caf-v4-0-released-in-response-to-growing-threat.
Comments
James Neilson, SVP International at OPSWAT, says: “The NCSC’s updated CAF for UK CNI is a welcome step. Security teams within critical infrastructure sectors are often expected to manage unfamiliar systems, and few individuals possess deep expertise in both IT and OT, creating knowledge gaps in threat assessment and defence development.
“The updated CAF reflects a trend we’ve observed of cybercriminals increasingly using multi-layered threats designed to evade analysis and detection. An attacker’s aim is to evade and confuse, not overwhelm the network, meaning that threats are missed by legacy antivirus solutions and EDR stacks.
“We strongly recommend that critical infrastructure organisations review the NCSC’s updated CAF. However, they should also prioritise securing the data that moves in and out of their OT networks, an area often neglected by CNI organisations. IT systems, internet connectivity, and transient devices remain major attack surfaces for ICS/OT infrastructure. By controlling data flows and scanning files in transit, organisations can detect and neutralise hidden malicious payloads before they infiltrate critical systems.”