In this article, we will expose the cyber-resilience challenge of Entra ID, explain why native features are incomplete and present the result of a PoC conducted on an open-source tool, Microsoft 365 DSC, to backup and recover Entra ID’s data.

The challenge of cyber-resilience in managed Cloud services

With Entra ID, the directory management strategy is in line with the Cloud paradigm. It means that the various network, storage, computer, OS and application layers are handled by Microsoft, leaving the customer to focus solely on his identity data.

This fundamental difference has an impact on the resiliency of the service. Indeed, the creation of snapshots to back up the integrality of the system, which is a common practice on AD, is not native on a managed service such as Entra ID. Thus, in order to face a disaster recovery scenario linked to malicious activities, we can only rely on native Microsoft functionalities: the identity lifecycle model, RBAC administration model and import/export capabilities.

The incomplete soft delete model

To ensure resilience, Cloud services are widely using a soft delete mechanism. Its main purpose is to recover data in the event of an accidental deletion. For example, in Azure Recovery Service Vault, the soft delete is the last safeguard in the event of intentional or unintentional deletion of the vault. Combined with immutability parameters, the vault cannot be erased regardless of admin permissions.

In Entra ID, the concept of soft delete exists but is insufficient to ensure data resilience for two reasons. On the one hand, there is neither role distinction between soft-delete and hard-delete nor Recovery role, i.e. the permissions required to delete an object are sufficient to allow for permanent deletion. On the other hand, the life cycle of objects in Entra ID (create, manage, delete) is governed by the same role:

• The role User Administrator can both create and hard-delete a user
• The role Cloud Application Administrator can register an application, configure all aspects of the application and hard-delete the application
• The role Cloud Device Administrator can add a device, configure all aspects of the device and unregister a device

The impact of a deletion on Entra ID

This design makes the User Administrator, Privileged Authentication Administrator, Cloud Application Administrator, Application Administrator, Cloud Device Administrator, Intune Administrator and Windows 365 Administrator roles all the more critical, as their compromise can lead to the permanent loss of identity data. The impact of such a deletion can be a loss of access to applications and data, a loss of permissions, and an inability to administrate.

Although the deletion of hybrid users synchronized with an on-premise AD is reversible, information such as role assignment will be lost, threatening the rights and access model. This is not the case for Cloud identities, which are generally part of the Control Plane. As part of the Enterprise Access Model, the Control Plane includes the most sensitive access, leading to a global compromise of an Information System.

In a disaster recovery scenario, some assets are more critical than others and should be backed up as a priority. These include:

• Control Plane users, groups and roles assigned
• Enterprise Applications (service principals) with critical permissions over Azure or Microsoft 365
• Administrative workstations

Comparison of backup open-source methods

To reduce the likelihood of Entra ID malicious data loss risk, the implementation of a backup solution seems essential, at least for the Control Plane in order to maintain control over your Information System and rebuild. We have therefore analyzed 3 open-source methods for ensuring data backup:

• Microsoft Graph PowerShell: this is the PowerShell library for Microsoft Graph APIs. You can build your own script(s) to export and import Entra ID objects attributes that fit with organization needs
• Microsoft Entra Exporter: this is a PowerShell module that export a local copy of some Entra ID attributes (Users, Applications, Service Principals, Roles, etc.) into JSON file
• Microsoft 365 Desired State Configuration (DSC): this is a PowerShell module for declarative configuration, deployment and management of Microsoft 365 services

Backing up Entra ID objects with Microsoft 365 DSC

In this part, we will explain how we tested the open-source solution Microsoft 365 DSC and share the results and conclusions we got.

Our PoC

Microsoft 365 DSC enables the management of the configuration and state of Microsoft 365 services following a declarative approach. By defining the desired state rather than specific steps, it simplifies the management of complex cloud configurations and ensures consistency across the environment.

In the context of a PoC, the test population deployed in our test tenant is as follows:

• 30 Cloud Only Users (randomly generated by Microsoft as part of the test’s tenant creation process)
• 10 Security Groups (randomly assigned to Users)

The purpose of this PoC is to identify the benefits and limitations of the solution through a series of tested and documented uses cases:

The process required configuring a service account with the right permissions (User.ReadWrite.All, Group.ReadWrite.All) in Entra ID to interact with Microsoft Graph API for data export and import.

These permissions enabled the service account to retrieve the necessary configuration and data from Entra ID and later re-import it.

Result of the PoC Microsoft 365 DSC

As a result of these tests, we were able to gather conclusive information on the solution’s benefits and limitations. On the positive side:

• Granular Configuration Selection: The solution allows precise targeting of configurations for backup, enabling users to select specific settings.
• Recovery without deletion: During recovery, current users and groups are retained, preventing accidental deletion.
• Overwrite of Outdated Attributes: Backed-up attributes replace the old ones.
• Language of the Data Storage: Data is stored in JSON format, making it easy to manipulate and modify backup files.
• Automation Capabilities: Once the necessary tools are installed, the solution is easy to automate.
• Monitoring and Alerts: Microsoft 365 DSC can be used to monitor data consistency and receive alerts in the event of suspicious changes
• Snapshot Versions management: It enables easy maintenance and administration of multiple snapshot versions
• Detailed Logging Functionality: It offers the possibility to generate highly detailed logs, providing records of all operations for enhanced oversight.

Despite these advantages, the study revealed several limitations:

• Incomplete Data in Backup: The backup process does not capture all attributes, leading to potential loss of important information.
• Backup Size Limit: The backup size is capped at 11MB, which may be insufficient for larger configurations or datasets.
• Deactivation Status Not Captured: Snapshots do not store deactivation statuses for users, potentially re-enabling disabled users during recovery.
• Unencrypted Data and Credentials: Security concerns arise from data and credentials being stored unencrypted, posing risks to sensitive information.
• Object IDs’ Loss: During imports, object IDs are lost, causing recreated objects to have new IDs, which can lead to duplicate entries in subsequent imports.
• Privileged Service Principal: The service principal involved has elevated privileges, increasing the risk of security vulnerabilities if not properly managed.

It is important to note that this tool does not really support “restoration” as it is possible to re-create objects, but it does not ensure service restoration and continuity. The reason being that it currently cannot restore links between new ID objects and applications, which is an issue native to Entra ID.

Our opinion about Microsoft 365 DSC

Microsoft 365 DSC is a great tool when it comes to basic uses and documentation as it is simple to use and to deploy on test environments. It is also quite efficient as a monitoring tool thanks to its version control and detailed logs. However, it is not adapted to large environments because of the limited scalability, the poor user experience and security issues related to configurations and credentials. It can also lead to inconsistencies or duplication as object IDs that can be referenced elsewhere are unrecoverable.

Additional solutions may be required such as scripting for handling configuration files and ensuring the consistency of the modifications, as well as well-defined encryption and backup processes. Therefore, we recommend always carefully evaluating the specific needs, planning additional developments and mainly using the solution for supervision and testing purposes.

Given the limitations of Microsoft’s open-source tools, it could be worthwhile to explore what third-party vendors, such as Semperis or Quest who are pure players on the subject, have to offer. These alternatives might address some of the challenges related to scalability, reliability and security, providing options that better suit larger environments. It is important to remain open to these possibilities and evaluate them based on the specific requirements of your organization.

Cet article Resilience Entra ID est apparu en premier sur RiskInsight.

Reminder of the state of the threat

ANSSI states in ÉTAT DE LA MENACE RANÇONGICIEL – À L’ENCONTRE DES ENTREPRISES ET INSTITUTIONS[1] published on 05/02/2020: «  Since 2018, ANSSI and its partners have observed that more and more cybercriminal groups with significant financial resources and technical skills favour the targeting of particular companies and institutions in their ransomware attacks. ».

Faced with this observation, it is more necessary than ever to secure information systems. This involves applying the fundamentals of security: applying patches, managing accounts and passwords, managing network segmentation etc. As a reminder, the application of these initial measures permits a significant reduction in the probability that an information system will be subject to a ransomware but can in no way guarantee that this will not happen.

Specificity of the industrial sector

However, even though new defensive solutions are continually being developed, the cost and complexity of deploying some of them ultimately make them little used. This is truer in an industrial environment, where their integration can be complex, as some systems are fixed in a functional configuration. Moreover, the budgets allocated to IT security in an industrial environment, although increasing in recent years, are still not sufficient for many sites.

Furthermore, an industrial information system shares a common base with a conventional information system and is therefore subject to the same attacks. Of course, attacks such as Stuxnet, Triton, or BlackEnergy (on a smaller scale) require additional skills. However, it is always worth remembering that the targets of interest for groups possessing this type of means are generally already subject to regulatory obligations (LPM in France, NIS directive etc.), which if respected, greatly limit the risks of a successful attack against them. However, these systems are not invulnerable, and must therefore also be prepared to respond to an attack.

Inevitable attack on industrial systems: how to minimise the impact and restart operations quickly?

It therefore appears that:

• Protecting oneself from the threat is often limited to the application of basic security measures if there is no regulatory obligation applicable to the target information system;
• Identifying the sources of threat and detecting an attack before it reaches its objective requires in most cases resources that are too important in relation to the budgets of current industrial information systems.

If the probability of an information system undergoing a successful cyber-attack, and more specifically a ransomware, is almost certain, the following question arises: “How can we prepare for a major cyber-attack, maintain critical activities in a degraded mode, while rapidly regaining confidence in the industrial information system? ».

The answer to this question is covered by the last two pillars of computer security according to the NIST framework: respond and recover. An attempt to answer this question is presented in this article.

Note: the first part of this article “How to respond to an attack before it is too late?” is not necessary to implement the recommendations detailed in the second part “How to recover after an attack if it could not be contained? ». Although the implementation of network filtering measures is highly recommended, it may be interesting for sites where the implementation of such filtering measures takes too long to implement, to start with the preparation part of the remediation of a cyber-attack, which is easier to implement.

How to respond to an attack before it is too late?

Involving industrial teams

Before talking about the measures that can be put in place to respond to a digital security incident, it may be interesting to remember that industrial staff are used to crisis management.

Indeed, many industries regularly organise crisis management exercises (fire, chemical risk, natural disasters, etc.). On many sensitive sites, procedures are therefore already available to respond to this type of incident, under the direction of a dedicated manager. In addition, autonomous physical protection is generally available: pressure relief valve, non-return valve, sprinkler etc., although these are sometimes replaced by connected instrumented safety systems.

The context is therefore appropriate for adding a new procedure in order to respond to a computer attack. This will generally consist of isolating the industrial information system from the outside via a procedure known as the “red button”. In order to draw up the associated procedure, the involvement of site personnel will be essential, particularly to ensure that the application is not more harmful than the attack itself.

A prerequisite for the implementation of the isolation posture: the control of its flows and the implementation of network partitioning/filtering.

It is necessary to measure the impacts generated using the “red button”. To do this, it is necessary to list the interconnections of the industrial site with other systems.

List the interconnections with other information systems.

It may be interesting to start by listing the flows between the industrial information system and the outside. First of all, it is necessary to define what this system contains. In a basic case, it includes the PLCs, the supervision, as well as the equipment necessary for the interconnection of the first two.

Other equipment can then be added: an Historian server, client stations for supervision, a NAS, etc. This network, later called an industrial network, is generally connected with other networks in order to share information with the equipment of the latter.

It is possible to mention:

• Exchanges with the company’s ERP (whether an MES – Manufacturing Execution System is present or not), generally located on the office network;
• Exchanges with partners: regulation of electricity, water and gas networks, etc.;
• Exchanges with service providers: weather, cloud solutions for energy optimisation, predictive maintenance, etc.

These flows, although useful to simplify operations, can generally be temporarily cut off or replaced by alternative means (telephone call to indicate production levels for example).

Moreover, each industrial site is different, and therefore manages these interconnections differently. It is common to see MPLS networks dedicated to industrial sites when the company owns several of them. In other cases, the office network will be used to federate them. It is also true for the connection needs between these industrial networks and the Internet, which sometimes pass first through the office network, or benefit from a direct output.

List its internal flows

After listing the interconnections between the industrial network and the outside, the internal flows remain to be listed. Most of these flows should be strictly necessary for the proper functioning of the industrial process, such as those between supervision and PLCs. Cutting off these connections would therefore require stopping the industrial process, or at least making it safe.

It may then be interesting to separate the equipment and associated flows into several zones:

• Supervision;
• Field network;
• Others (supervision client stations, historian server, etc.).

Setting up these zones allows the exposure of these components to be drastically reduced. Indeed, only the supervision should have access to the field networks, while the “Others” category should only have access to the supervision.

Other zones may be necessary to implement such as:

• An administration zone: which could also be used to program the PLCs according to the distribution of roles and responsibilities on site;
• A DMZ: which can accommodate a relay server so that equipment outside the industrial site does not connect directly to the supervision system to retrieve production data, etc.

Depending on the services offered (WSUS server, antivirus server, Terminal Server for remote access etc.) other zones can of course be added.

Evaluate the real need for these flows

After listing all these flows, it is interesting to identify the real need for each of them. For example, is it necessary to be able to access e-mails from a supervision server?

In order to limit the exposure of the industrial network to the outside, it could also be necessary to take some equipment out of it. For example, if a database accessed from the office network is fed by the supervision, but not useful to it, hosting it directly on the office network may prove simpler than trying to limit access.

Once the necessary flows have been clearly identified, the associated filtering rules must be configured in detail (source IP address, destination IP address, destination port). This work generally requires a significant human investment, mainly from the teams in charge of the industrial site, as well as a significant material cost to acquire security equipment. However, it is a prerequisite for setting up the fallback postures described below. In an ideal case, application filtering (level 7 of the OSI model) could also be implemented.

This work, although essential to the implementation of isolation postures, is also one of the fundamental actions to be carried out within the framework of securing an information system (industrial or not). Indeed, each flow cut off is a flow that does not need to be monitored, as well as one that is less exploitable by an attacker.

Preparing fallback postures

Complete isolation of all the equipment in an industrial information system is not always desirable, even in the event of an attack. After having listed these flows, it may be interesting not to set up a single isolation posture, but several fallback postures, allowing in some cases to continue working almost normally.

Preventive fallback posture: isolate the plant in the event of an attack on an external network

After identifying the flows between the industrial network and the outside, it is possible to create an associated fallback posture in order to deactivate them if necessary. The objective of this posture is to cut all interconnections of the industrial network with the outside in order to prevent any propagation of an attack. A proven solution is to group these flows on a few dedicated Ethernet ports. Thus, it is sufficient to indicate in the associated procedures to disconnect the associated cables to activate the fallback posture. This also avoids having to intervene on the configuration of firewalls in the event of a cyber security incident.

In addition, it is also necessary to define the cases in which this posture should be activated. If it can be activated without posing any problem to production, or adding too much work to the site staff, the question may arise as to whether these flows are necessary.

If this posture does have an impact on the site’s industrial activities, a good balance must be found between triggering it too early (as soon as the antivirus software on an office workstation raises an alert), or too late (after the first industrial workstations have been encrypted). This will also depend on the context of the company and its resources (dedicated or non-dedicated security monitoring team, etc.).

Specificity (distributed sites, non-autonomous sites, etc.)

If all flows with the outside do not have the same destination, it may also be interesting to define several specific fallback positions. Indeed, if the service provider in charge of managing the site’s cameras warns that he is undergoing a ransomware attack, it seems more optimal to disconnect only the flows between this service provider and the factory network, rather than all the flows, including those to the ERP.

In the case where the industrial process is distributed over several sites (production and distribution plant in particular), the activation of the preventive fallback posture should not cut off the flows between these different sites. Indeed, specific links should be dedicated to this. If this is not the case, use of the office network to ensure these connections, for example, a project to overhaul the industrial network is probably to be expected (deployment of a dedicated VRF, or a SDWAN network for example).

Finally, it is always good to remember that each factory is different, so a local study will have to be carried out on each one to understand its specificities.

Last resort fallback position: switch off the information system in the event of a proven attack on the plant

Finally, it may be interesting to prepare a last resort fallback posture. This should consist of isolating each VLAN (if defined, preferably with a local HMI per VLAN to ensure a degraded mode) or each piece of equipment (turn off the switches) in order to prevent the attacker from continuing his actions, which in the most advanced cases of attack, could directly target the site’s industrial process.

The objective is then to secure the site or ensure its essential services. The activation of this posture implies working without an information system and should only be applied in the event of proven compromise of at least one piece of equipment on the site, since it leads to the same immediate result as a ransomware, if not worse.

An upstream work with the operators will be necessary in order to list all the actions to be carried out when this posture is activated and to define degraded modes. Indeed, this will generally require the activation of on-call duty in order to manually perform certain tasks: checking the correct operation of equipment, especially on remote sites, use of local HMIs, etc. Moreover, some industrial processes are no longer manually controllable today, and will therefore have to be stopped since no degraded mode is available.

In order to estimate the impacts of activating such a posture, it may be interesting to look at the impacts listed in the event of fire or a general power failure. Moreover, only a real test of this posture can ensure its operational impacts.

How to recover after an attack if it has not been contained?

In some cases, the activation of fallback postures may not be sufficient to protect the entire industrial information system, especially if they are activated too late. It is then essential to be able to proceed with the reconstruction of all or part of the said system in a sufficiently short time to limit the associated impacts.

The main prerequisites for restoring an industrial information system are listed below.

What must be backed up to be able to restore its PLCs?

In order to be able to restart the factory, it is necessary in most cases to start restoring PLCs, which requires two main elements.

Having an up-to-date copy of your PLC programs

PLCs are spared in most current attacks, probably because targeting Windows workstations is enough for attackers to achieve their intended objectives. However, attacks are likely to be increasingly targeted, and most PLCs currently in use are not secure (unencrypted and unauthenticated communications, default passwords, administration functionality that cannot be deactivated, etc.).

It is therefore necessary to save these programs, which is already generally the case, particularly on the programming station (sometimes belonging to a service provider) used when the device is commissioned. It should be noted that these backups should be stored on at least one off-line medium, so that they are not encrypted in the same way as the workstation hosting them.

These observations remain valid even for the new generations of PLCs, which, although benefiting from a level of security that is far superior to that of their predecessors, are not invulnerable.

Save a means of downloading these programs to the PLCs

Many PLCs require dedicated software to be programmed. This is even the case if you just want to download an already written program. It is therefore advisable to have a copy of these programs.

In some cases, a programming station disconnected from the network and reserved for this purpose can be a solution. It should be noted, however, that maintaining such a station in a safe condition can quickly become complex. If this solution is selected, this station could also host the copy of the PLC programs. Keeping a second backup set off-line (external hard disk for example) would however be an additional security measure.

Furthermore, if new generations of PLCs are used, with the latest security features enabled, other elements should be backed up such as: PLC program passwords, certificates used for certain communications (or a means of regenerating them) etc.

These prerequisites are also valid for network equipment (firewalls, switches etc.).

What needs to be backed up to be able to restore essential computer hardware?

Identifying what is really needed

Restoring SCADA system, and associated client workstations, is generally equivalent to restoring a Windows system and associated programs. Several questions must be asked to identify the items to be backed up:

• What equipment is needed? An engineering workstation, a SCADA server, a few operator workstations?
• Is it possible to reinstall the SCADA system from scratch (new installations of Windows and the supervision software) and then deposit a backup of the SCADA configuration? Is this feasible in a sufficiently short time?
• Would not a complete copy of the SCADA server disk be simpler? It would indeed be sufficient to insert the saved disk to reboot.
• Are changes regularly made to the supervision software? If yes, is it necessary to back them all up? In this case, it seems complex to make a complete copy of the disk each time.

Backing up intelligently

In many cases, backups of Windows workstations are made in the same way as those of PLC programs, by copy/paste. It could then be interesting to look at automatic backup mechanisms. However, these are probably to be avoided for factories starting from scratch and not having enough budget to install them serenely. Indeed, implementing this type of solution in a secure manner is generally more complex than making a simple bit-by-bit copy of a hard disk.

Do not neglect documentation and training

However, it is not enough to have complete backups available. It is also necessary to draw up detailed operating procedures for restoring these backups. Indeed, if a crisis were to occur, the stress of the teams and the potential unavailability of some of the knowledge could lead to handling errors in the absence of documentation.

These procedures are not intended to enable a complete restoration of all systems, but at least to enable the essential elements previously identified to be restarted:

• An engineering workstation with the associated PLC programming software;
• A SCADA server;
• Two to three operator workstations;
• The plant’s essential PLCs.

In addition, it is generally recommended to have at least two sets of backups, one to be stored near the equipment concerned, the other to be stored on another physical site, with access limited to a limited number of people. It may be tempting to store an additional set of backups online, but it should be noted that in the event of a cyber-attack, and activation of fallback procedures, it is complex to download these backups and deposit them on the systems to be restored.

Finally, it is essential to test all these procedures to ensure that they are exhaustive. A test could, for example, be the opportunity to realise that the backup of the SCADA configuration does not include the licence key, or that the passwords configured when the complete disk was copied have since been modified without keeping the history.

Conclusion

Crisis management is an important component of the business for many industrial system operators. These same people are also the most experienced in their perimeter. However, they are generally not IT experts. Pragmatic measures, adapted to their context, will therefore be far more useful than a generic 200-page guide containing all the good practices to be applied to an information system.

As in development with the KISS principle (Keep it simple, stupid), fallback postures, as well as restoration procedures, should be kept simple to understand, and stupid to apply.

Furthermore, although the application of a strict network filtering policy can only be advised, it is not strictly necessary for the implementation of backup and recovery actions. Thus, even if the probability of a successful attack is increased, it will still be possible to restore critical systems.

Finally, it should be noted that more and more industrial processes are nowadays operating in a just-in-time mode. In this type of context, the preservation of the industrial system from an attack, or the ability to restore it quickly, would not be sufficient to maintain the level of production if the management of orders or distribution, for example, are unavailable. Cyber resilience must therefore be considered at the company level, and not only at the level of the industrial site.

Key elements

To respond to an attack before it is late, it is necessary:

• To involve the industrial teams (without which it is highly likely that the computer will survive the attack, but without the factory continuing to fulfil its primary mission);
• To control its flows and implement network partitioning/filtering in order to be able to set up fallback postures:
  • Preventive, in order to isolate the factory in the event of an attack on an external network without having too significant an impact on the industrial process;
  • As a last resort, in order to shut down the information system in the event of a proven attack on the factory before the attacker modifies the industrial process.
• To test these fallback postures, in order to ensure that their activation is not worse than the attack.

And in the case where the attack could not be contained, the following elements are generally necessary in order to recover from the said attack:

• Possess an up-to-date copy of your PLC programs;
• Save a means of downloading these programs to the PLCs;
• Have at least one copy of all critical backups on an off-line medium (external hard disk for example);
• Identify its essential computer equipment (in particular so as not to restore the history server before the supervision server, etc.);
• Backing up intelligently, sometimes a bit-by-bit copy of the hard disk is more efficient than an automatic copy on a dedicated server, generally encrypted at the same time as the system whose backups it hosts;
• Don’t neglect documentation and training (otherwise a forgotten license key, or someone on holiday could quickly sign the end of the restore…).

[1] www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

A new version of the threat assessment was published at the beginning of the year: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-001.pdf

Cet article Cyber resilience in an industrial environment est apparu en premier sur RiskInsight.

Why Digital Operational Resilience Act (DORA)?

DORA is part of an EU-wide “Digital Finance Package”, aimed at making sure the financial sector can leverage opportunities brought by technology and innovation whilst mitigating the new risks associated. This package involves regulation on crypto assets, blockchain technology, and digital operational resilience.  

With the Digital Operational Resilience Act, the EU aims to make sure financial organisations mitigate the risks arising from increasing reliance on ICT systems and third parties for critical operations. Organisations need to be able to “withstand, respond and recover” from the impacts of ICT incidents, thereby continuing to deliver critical and important functions and minimising disruption for customers and for the financial system. This means establishing robust measures and controls on systems, tools and third parties, having the right continuity plans in place, and testing their effectiveness.  

This global, large scope regulation is coming in to rationalise an increasingly fragmented regulatory landscape on the topic, with a number of local regulatory initiatives in member states and smaller scope EU guidelines on related topics (e.g. testing requirements, management of ICT third party dependencies, cyber resilience). Setting up a global regulatory framework will ensure there are no overlaps or gaps in regulation and maintain good conditions for competition in the single market.  

DORA also fits into a worldwide trend in regulation on resilience for the financial sector, pioneered by the Bank of England’s (FCA and PRA) consultation papers on operational resilience and impact tolerances, and followed by principle-based papers on operational resilience from the Bank of International Settlements (BIS) and the Federal Reserve.  

DORA in a nutshell: what does it change?

Contrary to the FCA/PRA, the Federal Reserve and the BIS, DORA focuses on solely resilience to ICT-related incidents and introduces very specific and prescriptive requirements. It is not just a set of guidelines but rather criteria, templates and instructions that will shape how financial organisations manage ICT risk. It demonstrates that EU regulators want to be very hands-on on the topic, with a lot of reporting, communication and assessments that need to happen frequently, enabled by standardised MI and reporting.  

DORA introduces requirements across five pillars:  

• ICT risk management 
• ICT incident reporting 
• Digital Operational resilience testing 
• ICT third-party risk management  
• Information and intelligence sharing 

Some of the requirements are straight-forward and largely built on what is already being done in organisations (for example, the risk management framework that needs to be developed is similar to industry standards like NIST); but some are also challenging and will mean organisations need to launch some work to be compliant. We have summarised the requirements and these key challenges to start addressing now for each of the 5 pillars.  

1. ICT risk management

Why? Ensure specific measures and controls are in place to limit the disruption to the market and to consumers caused by incidents, and ensure accountability of the management body on ICT risk management.   

Key requirements: Firms will need to follow governance principles around ICT risk, with a focus on accountability of the management body. They will need to identify their risk tolerance for ICT risk, based on the risk appetite of the organisation and the impact tolerance of ICT disruptions. They will also need to have a risk management framework in place that includes identification of critical and important functions, risks associated and a mapping of the ICT assets that underpin them; as well as specific protection, prevention, detection, response and recovery plans and capabilities, continuous improvement processes and metrics, and a crisis communication strategy with clear roles and responsibilities.  

Biggest challenge: As part of the continuous improvement processes, DORA introduces compulsory training on digital operational resilience for the management body but also for the whole staff, as part of their general training package.  

2. ICT incident reporting

Why? Harmonise and centralise reporting of incidents to enable the regulator to react fast to avoid spreading of the impact, and to promote collective improvement and firms’ knowledge of current threats to the market. 

Key requirements: DORA introduces a standard incident classification methodology with a set of specific criteria (number of users affected, duration, geographical spread, data loss, severity of impact on ICT systems, criticality of services affected, economic impact) with thresholds that are yet to be published. Following this methodology, incidents classified as major will have to be reported to the regulator within the same business day, following a certain template. Follow-up reporting will also be required after a week, and after a month. These reports will all be anonymised, compiled, and released regularly to the whole community.  

Biggest challenge: Firms will need to change their incident classification methodology to fit with the requirements. They will also need to set up the right processes and channels to be able to notify the regulator fast in case a major incident occurs. Based on what gets classified as “major”, this might happen frequently. To help organisations prepare, we anticipate that the incident classification methodology will align with the ENISA Reference Incident Classification Taxonomy.  

3. Digital Operational Resilience testing

Why? Ensure that financial entities test the efficiency of the risk management framework and measures in place to respond to and recover from a wide range of ICT incident scenarios, with minimal disruption to critical and important functions, in a way that is proportionate to their size and criticality for the market. 

Key requirements: With DORA, all firms must put in place a comprehensive testing programme, including a range of assessments, tests, methodologies, practices and tools, with a focus on technical testing. The most critical firms will also have to organise a large-scale threat-led live penetration test every 3 years (red team type exercise), performed by independent testers, covering critical functions and services and involving EU-based ICT third parties. The scenario will have to be agreed by the regulator in advance and firms will receive a compliance certificate upon completion of the test. More guidance for these tests, as well as the criteria which defines a critical firm, will be published in 2021. 

Biggest challenge: It is likely that critical firms will need to organise this threat-led penetration test by the end of 2024 and this type of test requires a lot of preparation. The fact that it needs to involve critical ICT third parties will also mean they need to be involved in the preparation. Firms that believe they will be in scope (might be firms already in the scope of NIS regulation) should start thinking about the scenario as soon as possible to enable validation with the regulator at least 2 years before the deadline.  

4. ICT third party risk management

Why? Ensure that financial organisations have an appropriate level of controls and monitoring of their ICT third parties, especially the ones that underpin critical functions; and set up specific oversight on providers that are critical to the market as a whole.  

Key requirements: With this regulation, the EU introduces requirements on both financial organisations and critical ICT providers.  

• Financial organisations will need to have a defined multi-vendor ICT third-party risk strategy and policy owned by a member of the management body. They will need to compile a standard register of information that contains the full view of all their ICT third-party providers, the services they provide and the functions they underpin; and report on changes to this register to the regulator once a year. They will need to assess ICT service providers according to certain criteria before entering a contract (e.g. security level, concentration risk, sub-outsourcing risks), and they will need to plan for an exit strategy in case of failure of a provider. DORA also contains guidelines for contract contents and reasons for termination of contract, which has to be linked to a risk or evidence of non-compliance at the provider level.  
• Under a new Oversight Framework, critical providers will be the subject of annual assessments against resilience requirements such as availability, continuity, data integrity, physical security, risk management processes, governance, reporting, portability, testing… These assessments will be performed directly by the regulator and will result in penalties for non-compliance.  

Biggest challenge: Collating information on all ICT vendors (not only the most critical), with the services provided and functions they underpin for the register of information will be a very big task for large financial organisations that typically rely on thousands of big and small providers and legacy contract management systems that make it difficult to mine data from.  

5. Information and intelligence sharing

Why? Promote sharing of information and intelligence on cyber threats between financial organisations to enable them to be better prepared.  

Key requirements: DORA introduces guidelines on setting up information sharing arrangements between firms for cyber threats, including confidentiality requirements and the need to notify the regulator.  

Biggest challenge: We do not see any particular challenge in this space as many organisations already have such agreements in place. It will be an opportunity to make local initiatives, networks or associations visible and encourage more companies to become part of them.  

What happens next?

DORA is currently going through the EU legislative process and it is expected to take 6-12 months before it becomes law. A few questionable topics might lead to some debates and slow down the process, especially on third-party management: restrictive criteria for organisations to terminate contracts, banned non-EU based critical third parties, penalty system and financing of the Oversight framework by the critical providers. There are also details that still need to be published to clarify some of the requirements (e.g. templates, criticality criteria and thresholds…), which might also create some debates.  

Once DORA is passed, firms should have one year to get into compliance with most of the requirements (i.e. probably by the end of 2022 – but this one-year deadline is short and we anticipate it may shift to 18 months following market feedback) and 3 years to organise a large-scale penetration test if required (i.e. probably by the end of 2024).  

In order to be ready, we recommend organisations take the following steps in 2021:  

• Perform a maturity assessment against the DORA requirements, with associated gap analysis and mitigation plan to reach compliance by the end of 2022 
• Begin thinking about a scenario for the large-scale penetration test, aiming to get it validated by the regulator by mid-2022 
• Start work on consolidation of the register of information for all ICT third party providers 

Cet article Decrypting DORA: what does it mean for Resilience of financial organisations? est apparu en premier sur RiskInsight.

Testing is an important part of operational resilience and can take many shapes and forms, from disaster recovery testing for ensuring service continuity to end-to-end crisis simulations examining decision-making. It enables to proactively manage risk, embed crisis management framework, and allows to continuously improve capabilities such as business continuity (BC), crisis management (CM), disaster recovery (DR), and cyber resilience (CR). Needless to say, training plays an important role in such a testing programme.

“Better awareness nurtures an organisational culture that embraces operational resilience and, as a result, improves the company’s preparedness to deal with adversity.”

From firm to firm, good testing programmes vary in nature, scale and complexity. Depending on how a firm is structured and what it does, testing is addressed at different organisational levels and locations, with involvement of external parties (i.e. critical suppliers). In reality, given little guidance from the regulators on what ‘good’ looks like, programmes are often fragmented and can cause a real headache.

Principles for creating a successful testing programme

2. Start with threats

Every test needs to link to threat(s) resulting in one or several plausible major incident scenarios (and impacts). Anticipate and understand new threats through market watch and leverage audit reports and risk assessments when building or reviewing your programme.

 

3. Focus on Important Business Services (IBS)

Align testing of existing contingency arrangements to important business services and key processes. This ensures preparedness when a situation of high business impact occurs and avoids challenges arising from lack of end-to-end vision.

4. Diversify testing

The most likely and most impactful scenarios should be examined with different stakeholder groups through different types of testing. This ensures that the theory works in practice and different reflexes are embedded in the organisation’s DNA.

To achieve more benefits, go beyond standalone contingency plans and comms tooling testing and examine a combination of them with internal and external, business and technical stakeholders.

 

The radar above is an indicative example of what a good testing programme would consist of. The threat categories considered are random and could be selected differently as long as diversification is maintained (mix-and-match).

 

Crisis simulation

Crisis simulations examine a hypothetical disaster situation with defined parties and multi-cells of stimulus. They allow to rehearse the establishment and communication of recovery requirements and carry out relevant activities effectively. Crisis simulation can be a tabletop exercise (level 1), a hands-on simulation (level 2), a multi-cell hands-on crisis simulation (level 3) or an international hands-on multi-cell multi-party simulation (level 4).

Work area recovery testing

Work area recovery testing checks whether full end-to-end business processes can be run offsite, ensuring that all elements of a process can be completed during a test and not just the technical aspects. They can involve a team (level 2) or a number of geographically dispersed teams (level 3) working from recovery sites or home. Both third parties (i.e. outsourced teams) and internal teams should be considered.

IT disaster recovery plan and cyber range testing

IT DRP and Cyber range testing practically examines each step in a specific disaster recovery plan or tests cyber forensics capabilities. This ensures the possibility to recover data, restore critical IT system after an interruption of its services, critical IT failure or complete disruption due to cyber attacks or IT disruptions. This testing can happen as a standalone (level 2) or as part of a crisis simulation (level 3-4).

Business recovery plan walkthroughs

Business Recovery Plan walkthroughs for group/business divisions/business units are undertaken following a major revision of a plan or team and are designed to increase the understanding of the recovery processes, roles and responsibilities, and question the suitability and completeness of the plan. Normally this would be carried out as a review-and-challenge session with the plan owner and a BC expert (level 1) or to test the efficiency of the specific measures and planned workarounds (level 2).

Communication cascade tests

Communication cascade tests establish whether contact details are accurate, determine whether cascade roles and responsibilities are understood by staff, and establish whether or not the documented procedures are robust. They can be completed in one of three ways – either a standalone live test (e.g. text cascade; level 2), as part of a crisis simulation exercise (level 2-4), or an audit involving review of plans and interview of staff with key responsibilities (level 1).

5. Stay current

Review your testing programme at least once a year in order to adapt to the changing threats landscape and ultimately ensure operational resilience. Make sure your crisis management framework and contingency plans are regularly improved based on the testing outcomes and changes in the business.

6. Engage and drive

Involve different parties in shaping and running your testing programme (e.g. cyber, risk, Ops, DPO, legal, business resilience champions, etc.). Use MI to share progress and alignment with the 3-year operational resilience vision.

 

What next: how do you structure your testing programme?

While it is not possible to prescribe a testing programme without better understanding the organisation of interest and deep-diving into the specifics of a threat landscape, it is clear that investing time and resources is worthwhile from operational resilience and regulatory standpoints.

“Having recently gone through a pandemic, it is a high time to keep the momentum and continue fostering the right culture and correct reflexes for the next major crisis.”

A few concluding tips

• Make it realistic: Where maturity allows, aim for more complex and realistic tests as they are essential to effectively respond to real events and increase end-to-end resilience. This means engaging more internal and external parties in the ‘live’ exercises.
• Leverage internal and market crises: Continuously monitor events happening on the market (major incidents and crises) as well as your internal major incidents to feed your testing program, prioritise your threats and devise your scenarios making it more tangible for your stakeholders.
• Engage early: Share the vision for testing with key stakeholder groups so they understand the journey on which you want to bring the organisation. This will enhance collaboration and, therefore, outcomes.
• Facilitate remotely: Remote working arrangements should not put your whole testing programme on hold – use collaborative solutions or leverage tools from the market for carrying out the exercises. This is especially relevant for cyber range testing and follow-the-sun testing. Experience shows that digital workplace solutions introduce a more democratic participation and is an excellent way to record interactions.
• Continuously improve: Reflect on tests by producing post-test reports and defining an action plan to drive and track improvements. Involve key stakeholders throughout so they understand the gravitas of the outcomes and help with driving positive changes.

Cet article Test, test and increase your Resilience: how to build your testing programme est apparu en premier sur RiskInsight.