Secure by Design ensures cyber security is no longer an afterthought

There are few threats as pernicious as cyber attacks. The constant threat of cyber-attack haunts individuals, organisations and governments alike.

There are few areas where robust protection from cyber attack is as crucial as the defence sector.

UK strategic command head General Jim Hockenhull recently revealed that the British military was hit by six million cyber-attacks in 2022.

Speaking at the Defence and Security Equipment International (DSEI) 2023 conference in London, General Hockenhull said the country’s intelligence and security services detected cyber assaults by hostile states and allied criminal gangs daily.

According to defencepost.com, he said: “The scale of complexity and challenge goes beyond anything I have seen in the last 40 years. We have a war in Europe, with Putin’s illegal invasion of Ukraine, and we have witnessed nuclear rhetoric reminiscent of earlier times.” To address the challenge, the UK government has drawn up a framework of 10 principles for cyber security, based on National Cyber Security Centre (NCSC) recommendations.

Meanwhile, the seemingly beleaguered UK Ministry of Defence (MoD) has released a new policy for managing the through-life cyber security of projects and programs, focused on the concept of Secure By Design (SbD).

The policy aims to prevent unauthorised access to sensitive information and supply a robust, future-proof method to protect UK defence sector IT. The new approach will lead to the delivery of more secure systems through clearer accountability, simplified processes aligned to the capability delivery strategy, more use of open security standards, better guidance, more flexibility, and empowered decision-making, according to a government defence blog.

And the policy will be bolstered by the recent announcement of a £880,000 themed competition, from the government’s Defence and Security Accelerator (DASA), entitled Reducing Cyber Risk Across Defence.

What is ‘Secure by Design’?

Secure by Design (SbD) incorporates security into the scoping and development of IT projects and programs as an ‘essential aspect’. It ensures data and information is protected from the outset, and then at every stage of development and delivery.

Unlike traditional approaches, it is not an added extra that is included retrospectively in a project’s lifecycle (pre- or post-launch).

SbD is inherently similar to the Software Development Lifecycle (SDLC) - now a widespread industry practice – which usually contains the following phases:

• Requirements

• Analysis

• Design

• Development

• Testing & Verification

• Deployment

• Maintenance & Evolution

Examples of SDLC include the ‘Waterfall’ model developed in the 1970s, or the ‘Agile SDLC’ model, first published in 2001. SbD is an integrated approach to security development and architecture, developed by the MoD for their internal projects.

How does this approach differ from before?

The MoD suggests its new Secure by Design approach holds senior responsible owners, capability owners and delivery teams accountable for delivering cyber secure systems.

It says that just as safety isn’t treated as an add-on or optional extra that can be traded out, neither should cyber security be.

Many IT projects, until recently, would be scoped and initiated by simply looking to meet a requirement and achieve the aim - within budget and on time. Cyber security elements were often added retrospectively to address an unforeseen security omission, or, to adhere to a security framework (i.e., ‘Accreditation’).

The cyber security industry is now beginning to address the issue of insecure applications and programs, by having security built in from the inception of developing projects. This approach ensures security is no longer seen as a blocker or ‘bolt on’.

The MoD SbD process will be a move from the previous accreditation service to a second line assurance function - which will perform independent assessments of MoD capabilities, on a case-by-case basis.

This means projects will need to continuously prove they are maintaining cyber security at current standards, instead of attaining a ‘one-off’ certification. So SbD will make MoD IT systems inherently more robust to attack and ensure more regular monitoring.

How will the MoD do this?

A 40-programme pilot scheme has been running since 2022, allowing the Secure by Design team to create policy, process guidance, and tooling throughout the process. All new MoD programmes must adopt the SbD approach.

There are five steps in the MoD SbD methodology.

Stage 1: Prepare

A self-assessment tool (taken from NIST SP 800-37 Rev 2) will enable projects to manage their maturity against security policies and technical guidance, tracking progress and identifying areas that need to be incorporated.

Cyber security is now listed by the government as a ‘key capability requirement’ – meaning projects need to incorporate, resource, and fund it, like any other requirement.

Stage 2: Control Frameworks, Designing for Security, Maturity Assessments

SbD will use the NIST (National Institute of Standards and Technology) 800-53 Rev 5 Cyber Security Framework (CSF) controls for projects that are near entering service. Projects already in service will be assessed against this framework, as they migrate from the traditional accreditation process to continual assurance under the SbD process.

If another CSF is more appropriate, or controls need to be adjusted or amended, others can be used. Appropriate risk management frameworks should always be used (such as NIST 800-37 Rev 2).

There will also be two main types of assurance used in SbD: ‘Programme’ (self-assessment) and ‘Independent’ (external assurance for high-risk programmes).

Stage 3: Testing

Projects must conduct continual security testing and risk assessments. These will include testing concepts and architecture, as well as functional security and NCSC Assured CHECK scheme penetration testing.

Stage 4: In-Service

All systems, services and products will need to maintain their cyber security posture throughout time in-service, as part of in-service planning. This includes resources, systems and techniques.

Stage 5: Disposal/Termination

Continuous assessment will help managers determine if a project has reached its productive limit or the end of its planned lifecycle. When this happens, decisions need to be made about how to handle the data and services used, including their security classification.

As with many nascent technologies and ideas, SbD is being implemented first in the UK defence sector, but it seems likely that the private sector will quickly follow suit. Companies working with the government will need to prove adherence to the new principles and the SbD framework.

One thing is for certain – businesses need to look upon SbD as an opportunity to rethink systems -- and build them better.

And if and when SbD becomes an assessed requirement of any project – especially in Critical National Infrastructure projects, for example -- AMR CyberSecurity is ready to help.

AMR CyberSecurity a CREST Certified, NCSC CHECK penetration testing service provider, has years of first-hand experience working within the UK MoD. It can provide assurance insights into projects and programs at any level of design and implementation, to ensure MoD Secure by Design principles are being adhered to.

AMR CyberSecurity consultants also hold relevant, current UK security clearances, enabling them to work on sensitive defence sector and Critical National Infrastructure projects.