Often, these new methods of interacting with data have come about quick and fast where legacy systems whose hardware or software components could not keep up have been left 'unmanaged' within the data centre. Until now, infrastructures have broadly remained the same, and now with infrastructure as a service model maturing as commodity technology items, these unmanaged devices are becoming 'exposed' to the outside world. These systems were not designed for internet interactions outside their domains but now are being 'classified' with new mature technologies that require the unmanaged systems to be either patched or to have protocols to be updated.
To help with identifying those gaps for legacy technologies, Nathan provided real life examples on how to apply the Cyber Assessment Framework (CAF) to perform cyber resilient assessments. CAF is an organisation tool that is divided into 4 objects whose output is categorised in the familiar 'Not Achieved' or 'Partially Achieved' way. It allows you to take a thorough risk-based approach that is typically missed or neglected for these legacy operational systems. The benefits of the CAF systems is that the output itself is designed to identify the system 'requirements' which can then be used to manage constraints, functional or non-functional requirements, which then can be mapped to your required security level.
The risk assessment remains continuous and actually show that working to the 'status quo' is never a good idea. The CAF principals are not part of a typical design remit, and so an organisation can use the outputs in many ways, such as, implement policies or procedures or even helping to design the approach to monitoring telemetrics, which then can feed testing disaster recovery and resilience i.e. Design, Build, Asses. So whether you are securing electric grids, waterworks, oil pipes, smart buildings or any utilities-based control systems. CAF is versatile enough to work with the 19650 BIM standards or the IEC 62443 series of standards - and many more.
The guidance from NSCS on CAF can be downloaded from here