29 research outputs found

    Implementing the NIS Directive, Driving Cybersecurity Improvements for Essential Services

    A review by the National Audit Office of the National Cyber Security Programme recommended a more robust performance framework, to understand the impact of the Programme and to focus activities going forward. The Directive on security of network and information systems (the NIS Directive) has placed responsibility for essential aspects of supply chains on Operators of Essential Services (OES). Our dependence on international supply chains also requires a performance framework to assist cybersecurity improvements in this area. The following sections describe work to investigate the implementation of the NIS Directive by Competent Authorities (CA) and OES and proposes a framework to monitor performance across interdependencies. This is to enable development of a more effective set of performance metrics to guide interventions and improvements in cybersecurity for critical infrastructure

    Achieving cybersecurity improvements through Enterprise Systems Engineering

    The Critical Infrastructures (CI) that provide essential services such as energy, water and transport have been undergoing a digital transformation to achieve more effective and efficient operations. These changes are increasing the potential attack surface and exposure to cybersecurity incidents. The EU Directive on Security of Network and Information Systems (NIS Directive) (National Cyber Security Centre, 2018) has brought a new emphasis on improving the cybersecurity of essential services. It has introduced mandatory incident reporting and a framework to raise the cybersecurity and resilience levels of CI. Rather than a dislocated approach to managing the system in parts, taking on responsibility for cybersecurity requires an integrated, whole-system governance approach, to discover the full end-to-end picture and risk assess the potential gaps in security. The NIS Directive expects cybersecurity to be managed through the wider system of contractors and sub-contractors and vendors to the sector, all participating in a complex adaptive system. From whole organisations down to products, components and data flows, deciding the scope of critical systems that support essential services has integrated activity across different work areas such as operational technologies, enterprise IT and telecoms networks. Understanding the end-to-end system and whole enterprise interactions is necessary to achieve the outcome-based nature of the NIS Directive. This paper investigates the activities that have evolved to secure the broader and deeper supply chains as well as internal networks and systems of CI organisations. Enterprise Systems Engineering (ESE) is introduced as a tool to facilitate the shared cybersecurity requirements across organisations for securing essential services, streamlining whole system security behaviours of people, processes and technology towards a more resilient CI

    EE-ISAC – Practical cybersecurity solution for the energy sector

    A recent survey of cybersecurity assessment methods proposed by the scientific community revealed that their practical adoption constitutes a great challenge. Further research that aimed at identifying the reasons for that situation demonstrated that several factors influence the applicability, including the documentation level of detail, the availability of supporting tools, and the continuity of support. This paper presents the European Energy Information Sharing and Analysis Centre (EE-ISAC)—a cybersecurity platform for the energy sector that has been adopted by multiple organisations. The platform facilitates sharing information about cybersecurity incidents, countermeasures, and assessment results. Prospectively, it is envisaged to be integrated with the threat intelligence platform that enables real-time situational awareness. By considering both fault and attack scenarios together, threat awareness can be mapped onto operational contexts to prioritise decisions and responses. This paper analyses EE-ISAC’s approach based on the conceptual applicability framework developed during the research, to improve the applicability and usefulness of this platform for energy sector participants and to identify areas that require further development

    Collaboration practices for the cybersecurity of supply chains to critical infrastructure

    This work describes the collaboration practices of a community of interest in the UK that brings together cybersecurity professionals with a shared interest in improving supply chain cybersecurity for Operational Technology (OT) environments. This research emphasizes the need for collective responsibility between organizations and provides a set of principles for adopting a code of practice and partnership approach to supply chain cybersecurity. This work has enabled cybersecurity experience from several critical infrastructure sectors, including energy, rail, aviation, water, health, and food, to analyze the uptake and practical use of existing supply chain guidance, identifying gaps and challenges. The community has examined touch points with the supply chain and identified improvements related to the communication of cybersecurity requirements, technical and commercial engagement between customers and suppliers, and in the tailoring of implementations towards operational technology contexts. Communicating the context of securing cyber-physical systems is an essential perspective for this community. This work exemplifies a partnership framework and is translating experiences into useful guidance, particularly for OT systems, to improve cybersecurity levels across multiple contributors to critical infrastructure systems

    Interorganizational cooperation in supply chain cybersecurity: a cross-industry study of the effectiveness of the UK implementation of the NIS Directive

    The transposition of the EU Directive on Network and Information Security (NIS) by EU Member States involved assigning a set of responsibilities to operators, regulators and policy makers within a national cybersecurity strategy, in order to improve cybersecurity levels across critical infrastructures. This research investigates the perspectives and experiences of organisations affected by the NIS Directive focussing on three different sectors (Energy, Water & Aviation). The authors evaluate the response of different actors to NIS interventions and their challenges in meeting their assigned responsibilities, in particular their ability to oversee supply chain cybersecurity. It proposes further support for partnerships and cooperation across organisations to increase the effectiveness of NIS implementation. Based on results from semi-structured interviews and observations of industry working groups, an approach to supply chain oversight to achieve a balance between control and cooperation is recommended, to improve cybersecurity within industry sectors and across critical national infrastructures. Although our initial focus has been on working mainly with UK stakeholders, we argue that our recommendations have a more general application beyond those countries directly affected by the Directive

    Multifocal clonal evolution characterized using circulating tumour DNA in a case of metastatic breast cancer.

    Circulating tumour DNA analysis can be used to track tumour burden and analyse cancer genomes non-invasively but the extent to which it represents metastatic heterogeneity is unknown. Here we follow a patient with metastatic ER-positive and HER2-positive breast cancer receiving two lines of targeted therapy over 3 years. We characterize genomic architecture and infer clonal evolution in eight tumour biopsies and nine plasma samples collected over 1,193 days of clinical follow-up using exome and targeted amplicon sequencing. Mutation levels in the plasma samples reflect the clonal hierarchy inferred from sequencing of tumour biopsies. Serial changes in circulating levels of sub-clonal private mutations correlate with different treatment responses between metastatic sites. This comparison of biopsy and plasma samples in a single patient with metastatic breast cancer shows that circulating tumour DNA can allow real-time sampling of multifocal clonal evolution. We thank the Human Research Tissue Bank at Addenbrooke’s Hospital which is supported by the NIHR Cambridge Biomedical Research Centre. We acknowledge the support of Cancer Research UK, the University of Cambridge, National Institute for Health Research Cambridge Biomedical Research Centre and Cambridge Experimental Cancer Medicine Centre. Dr. Dawson was supported by an Australian National Breast Cancer Foundation and Victorian Cancer Agency Early Career Fellowship. Dr. Murtaza was supported by Science Foundation Arizona’s Bisgrove Scholars Early Tenure Track award. This is the final version of the article. It first appeared from Nature Publishing Group via http://dx.doi.org/10.1038/ncomms976

    Enhanced pre-operative axillary staging using intradermal microbubbles and contrast-enhanced ultrasound to detect and biopsy sentinel lymph nodes in breast cancer: a potential replacement for axillary surgery.

    OBJECTIVE: To compare the experience of four UK Centres in the use of intradermal microbubbles and contrast enhanced ultrasound (CEUS) to pre-operatively identify and biopsy sentinel lymph nodes (SLN) in patients with breast cancer. METHODS: In all centres, breast cancer patients had a microbubble/CEUS SLN core biopsy prior to axillary surgery and patients in Centres 1 and 2 had a normal greyscale axillary ultrasound. Data were collected between 2010 and 2016; 1361 from Centre 1 (prospective, sequential), 376 from Centre 2 (retrospective, sequential), 121 from Centre 3 (retrospective, selected) and 48 from Centre 4 (prospective, selected). RESULTS: SLN were successfully core biopsied in 80% (Centre 1), 79.6% (Centre 2), 77.5% (Centre 3) and 88% (Centre 4). The sensitivities to identify all SLN metastases were 46.9% [95% confidence intervals (CI) (39.4-55.1)], 52.5% [95% CI (39.1-65.7)], 46.4% [95% CI (27.5-66.1)] and 45.5% [95% CI (16.7-76.6)], respectively. The specificities were 99.7% [95% CI (I98.9-100)], 98.1% [95% CI (94.5-99.6)], 100% [95% CI (93.2-100%)] and 96.3% [95% CI (81-99.9)], respectively.The negative predictive values were 87.0% [95% CI (84.3-89.3)], 84.5% [95% CI (78.4-89.5)], 86.9% [95% CI (82.4-90.3)] and 86.2% [95% CI (78.4-91.5)], respectively. At Centres 1 and 2, 12/730 (1.6%) and 7/181 (4%), respectively, of patients with a benign microbubble/CEUS SLN core biopsy had two or more lymph node (LN) macrometastases found at the end of primary surgical treatment. CONCLUSION: The identification and biopsy of SLN using CEUS is a reproducible technique. Advances in knowledge: In the era of axillary conservation, microbubble/CEUS SLN core biopsy has the potential to succeed surgical staging of the axilla

    Multiorgan MRI findings after hospitalisation with COVID-19 in the UK (C-MORE): a prospective, multicentre, observational cohort study

    Introduction: The multiorgan impact of moderate to severe coronavirus infections in the post-acute phase is still poorly understood. We aimed to evaluate the excess burden of multiorgan abnormalities after hospitalisation with COVID-19, evaluate their determinants, and explore associations with patient-related outcome measures. Methods: In a prospective, UK-wide, multicentre MRI follow-up study (C-MORE), adults (aged ≥18 years) discharged from hospital following COVID-19 who were included in Tier 2 of the Post-hospitalisation COVID-19 study (PHOSP-COVID) and contemporary controls with no evidence of previous COVID-19 (SARS-CoV-2 nucleocapsid antibody negative) underwent multiorgan MRI (lungs, heart, brain, liver, and kidneys) with quantitative and qualitative assessment of images and clinical adjudication when relevant. Individuals with end-stage renal failure or contraindications to MRI were excluded. Participants also underwent detailed recording of symptoms, and physiological and biochemical tests. The primary outcome was the excess burden of multiorgan abnormalities (two or more organs) relative to controls, with further adjustments for potential confounders. The C-MORE study is ongoing and is registered with ClinicalTrials.gov, NCT04510025. Findings: Of 2710 participants in Tier 2 of PHOSP-COVID, 531 were recruited across 13 UK-wide C-MORE sites. After exclusions, 259 C-MORE patients (mean age 57 years [SD 12]; 158 [61%] male and 101 [39%] female) who were discharged from hospital with PCR-confirmed or clinically diagnosed COVID-19 between March 1, 2020, and Nov 1, 2021, and 52 non-COVID-19 controls from the community (mean age 49 years [SD 14]; 30 [58%] male and 22 [42%] female) were included in the analysis. Patients were assessed at a median of 5·0 months (IQR 4·2–6·3) after hospital discharge. Compared with non-COVID-19 controls, patients were older, living with more obesity, and had more comorbidities. 
Multiorgan abnormalities on MRI were more frequent in patients than in controls (157 [61%] of 259 vs 14 [27%] of 52; p<0·0001) and independently associated with COVID-19 status (odds ratio [OR] 2·9 [95% CI 1·5–5·8]; padjusted=0·0023) after adjusting for relevant confounders. Compared with controls, patients were more likely to have MRI evidence of lung abnormalities (p=0·0001; parenchymal abnormalities), brain abnormalities (p<0·0001; more white matter hyperintensities and regional brain volume reduction), and kidney abnormalities (p=0·014; lower medullary T1 and loss of corticomedullary differentiation), whereas cardiac and liver MRI abnormalities were similar between patients and controls. Patients with multiorgan abnormalities were older (difference in mean age 7 years [95% CI 4–10]; mean age of 59·8 years [SD 11·7] with multiorgan abnormalities vs mean age of 52·8 years [11·9] without multiorgan abnormalities; p<0·0001), more likely to have three or more comorbidities (OR 2·47 [1·32–4·82]; padjusted=0·0059), and more likely to have a more severe acute infection (acute CRP >5mg/L, OR 3·55 [1·23–11·88]; padjusted=0·025) than those without multiorgan abnormalities. Presence of lung MRI abnormalities was associated with a two-fold higher risk of chest tightness, and multiorgan MRI abnormalities were associated with severe and very severe persistent physical and mental health impairment (PHOSP-COVID symptom clusters) after hospitalisation. Interpretation: After hospitalisation for COVID-19, people are at risk of multiorgan abnormalities in the medium term. Our findings emphasise the need for proactive multidisciplinary care pathways, with the potential for imaging to guide surveillance frequency and therapeutic stratification

    Reducing the environmental impact of surgery on a global scale: systematic review and co-prioritization with healthcare workers in 132 countries

    Abstract Background Healthcare cannot achieve net-zero carbon without addressing operating theatres. The aim of this study was to prioritize feasible interventions to reduce the environmental impact of operating theatres. Methods This study adopted a four-phase Delphi consensus co-prioritization methodology. In phase 1, a systematic review of published interventions and global consultation of perioperative healthcare professionals were used to longlist interventions. In phase 2, iterative thematic analysis consolidated comparable interventions into a shortlist. In phase 3, the shortlist was co-prioritized based on patient and clinician views on acceptability, feasibility, and safety. In phase 4, ranked lists of interventions were presented by their relevance to high-income countries and low–middle-income countries. Results In phase 1, 43 interventions were identified, which had low uptake in practice according to 3042 professionals globally. In phase 2, a shortlist of 15 intervention domains was generated. In phase 3, interventions were deemed acceptable for more than 90 per cent of patients except for reducing general anaesthesia (84 per cent) and re-sterilization of ‘single-use’ consumables (86 per cent). In phase 4, the top three shortlisted interventions for high-income countries were: introducing recycling; reducing use of anaesthetic gases; and appropriate clinical waste processing. In phase 4, the top three shortlisted interventions for low–middle-income countries were: introducing reusable surgical devices; reducing use of consumables; and reducing the use of general anaesthesia. Conclusion This is a step toward environmentally sustainable operating environments with actionable interventions applicable to both high– and low–middle–income countries

    How can we design a socio-technical, interorganisational response to ensure better cybersecurity for critical infrastructure?

    The monitoring and control of critical infrastructures enables greater efficiencies and more effective operation. However, growing complexities across these interconnected systems brings a higher risk of cyber-attack. This thesis explores the organisational and regulatory aspects of improving the cybersecurity of Critical Infrastructure, proposing a cooperative socio-technical response across public and private actors. Alongside a transforming energy sector, to integrate renewable generation and electrify heat and transport, a significant cybersecurity response is also required. This research provides a thorough investigation of cybersecurity concerns of energy utilities to explain their organisational and sectoral context. A case study of public-private partnership in the European energy sector serves to demonstrate private actors fostering public values to protect grid networks and energy services. This evidence-based analysis of the formation of an ISAC demonstrates the qualities that built a trusted network and deepened cooperation among energy sector participants both within Europe and globally. It recommends a new approach going forward for the ISAC to integrate their actions into the changing regulatory landscape and cross-border requirements of the continental synchronous grid area. A study of interorganisational cooperation within the context of securing supply chains to critical infrastructure contributes a cross-industry comparison of the UK’s implementation of the NIS Directive. This compares experiences in Energy, Water & Aviation evaluating their response to NIS interventions and the extent of their ability to oversee supply chain cybersecurity. It recommends an approach to supply chain oversight to achieve a balance between control and cooperation, that enhances the existing UK NCSC guidance. These insights can be more broadly applied now that NIS2 proposes all member states include supply chain responsibilities in their NIS expectations. 
Central to this work was the need to establish an orient function, as a foundation for energy operators to orient themselves among the interdependencies of critical infrastructure, to better understand their place and responsibility to secure assets and services, for their own business and for the energy system as a whole. The multi-actor collaborative approach proposed, and validated in practice groups, establishes a necessary Orientation function and enables a clearer understanding of cybersecurity risk by all participants.