The challenge
Strengthening cyber security assurance on design projects led this nuclear energy company to seek an independent Design Authority opinion on how to address the challenge. It was essential that the assignment took the plethora of cyber security standards and guidance into account, as well as a new regulatory position – the Office for Nuclear Regulation (ONR) was just introducing amendments to security guidance for nuclear businesses. Turning to Ascentor for support ensured expertise in both critical areas.
The solution
Ascentor was engaged as a specialist Design Authority bringing the experience of the ONR’s Security Assessment Principles (SyAPs) and of delivering cyber security into highly complex engineering projects that rely on Information Technology (IT) and Operational Technology (OT).
Ascentor appointed a consultant for 20 days to conduct a cyber security assessment and develop improvement recommendations. The consultant quickly identified that, in this case, the focus purely on IT and OT aspects was too narrow.
To achieve sustainable, long-term improvements in cyber security, Ascentor recommended taking a more holistic approach. This meant broadening the scope and engaging with a wider stakeholder group across the whole company including engineering and security managers, and the client’s directors.
Ascentor also fully engaged the client Design Authority throughout. This ensured that issues highlighted and remediation recommendations stayed in line with the objectives.
The result
Ascentor completed the work on time and to budget, including the agreed deviation to the original brief.
The consultant documented the findings and recommendations in a written report. He drew on Ascentor’s experience of the ONR SyAPs and other similar projects to weave valuable insights into the document. By maintaining close engagement with the client’s Design Authority, he ensured the recommendations were realistic and specific to the client’s business.
Ascentor used an open style of consulting (based on collaborative discussion and debate) that resulted in added value for both parties in the form of knowledge and skills transfer.
The work concluded with a series of presentations to the client directors. They were impressed with the in-depth knowledge of the challenges of delivering cyber security into complex environments and the clarity with which the messages were delivered. Having a unified message from the security stakeholders with a tangible way forward meant that the client took ownership of the actions and immediately began work on them, with the backing of the directors.