The National Cyber Security Centre has published comprehensive guidance for Critical National Infrastructure operators on preparing for and responding to severe cyber threats. This guidance, aligned with the Cyber Assessment Framework, provides a structured approach to building organisational resilience. This article examines how offline secure storage supports each element of the NCSC framework.
Understanding the NCSC Framework
The NCSC Cyber Assessment Framework is built around four high-level objectives that together provide comprehensive cyber resilience:
- Objective A: Managing Security Risk: Appropriate organisational structures, policies, and processes to understand, assess, and systematically manage security risks
- Objective B: Protecting Against Cyber Attack: Proportionate security measures to protect systems and data from cyber attack
- Objective C: Detecting Cyber Security Events: Capabilities to detect cyber security events affecting, or with the potential to affect, essential functions
- Objective D: Minimising Impact of Incidents: Capabilities to minimise the adverse impact of a cyber security incident on the operation of essential functions
Each objective contains detailed principles and indicators of good practice. Critically, the framework is outcome-focused rather than prescriptive, allowing organisations to select appropriate controls for their risk profile.
What Constitutes a Severe Cyber Attack
The NCSC defines severe cyber attacks as those with potential to cause:
- Significant disruption to essential services: Attacks that prevent the delivery of critical functions to the public or other organisations
- Substantial financial impact: Losses that threaten organisational viability or require significant recovery investment
- National security implications: Compromise of systems or data with broader security consequences
- Cascading effects: Incidents that propagate through supply chains or interconnected infrastructure
For CNI operators, the WannaCry attack of 2017 demonstrated how rapidly cyber incidents can escalate. NHS services were disrupted across England and Scotland, forcing staff to revert to manual processes while critical systems remained encrypted. The interconnectedness of modern infrastructure means that attacks on one organisation can quickly affect many others.
Objective A: Managing Security Risk with Physical Disconnection
The NCSC emphasises that security risk management must be owned at board level, with clear accountability for cyber resilience decisions. For organisations handling the most sensitive data, this creates a fundamental question: what level of risk exposure is acceptable?
Traditional security architectures accept network connectivity as a given, then attempt to manage the resulting risks through layers of controls. Physical disconnection through Offline Secure Storage changes this calculus entirely by removing the most critical data from the attack surface.
Key indicators of good practice under Objective A include:
1. Understanding which data and systems are genuinely critical to essential functions
2. Assessing threats and vulnerabilities with appropriate rigour
3. Making risk-informed decisions about protective controls
4. Maintaining oversight and review of security posture
For crown jewel data, the risk assessment often concludes that no level of network-based protection provides acceptable residual risk. Offline storage addresses this by eliminating network exposure entirely, a risk treatment option that demonstrates board-level commitment to protecting essential functions.
Objective B: Protection Through Physical Isolation
The NCSC framework includes multiple principles addressing protection, from access control and data security to secure configuration and staff awareness. A critical principle often overlooked is B.4: System Security, specifically the resilience of systems to cyber attack.
Physical disconnection provides protection that no software-based control can match:
- No remote attack vector: Systems without network interfaces cannot be attacked over networks, regardless of vulnerability status
- No credential compromise risk: Stolen credentials cannot grant access to systems that are not connected
- No lateral movement pathway: Attackers who compromise connected systems cannot reach air-gapped storage
- No zero-day exposure: Unknown vulnerabilities in connected systems do not create risk to offline assets
This is not about replacing other protective controls. Network perimeter security, endpoint protection, and access management remain essential for connected systems. Offline storage adds a layer of protection for data that warrants the highest level of assurance.
Objective C: Detection and the Limits of Monitoring
The framework rightly emphasises detection capabilities, including security monitoring, proactive security event discovery, and anomaly detection. However, sophisticated attackers increasingly evade detection, sometimes operating within networks for months before discovery.
The NCSC notes that state actors and advanced persistent threats specifically target critical infrastructure with techniques designed to avoid detection. For CNI operators, this creates an uncomfortable reality: detection capabilities, however sophisticated, cannot guarantee that compromise will be identified before damage occurs.
Offline secure storage complements detection strategies by ensuring that even if attackers achieve undetected access to networks, the most critical data remains beyond reach. This is not a substitute for detection; it is recognition that detection alone is insufficient for the highest-value assets.
Objective D: Withstanding and Recovering from Incidents
The fourth NCSC objective addresses incident response, business continuity, and recovery. Key principles include:
- D.1 Response and Recovery Planning: Documented plans to respond to and recover from incidents
- D.2 Lessons Learned: Processes to learn from incidents and improve resilience
The NCSC specifically addresses scenarios where severe attacks overwhelm normal recovery capabilities. In these circumstances, the ability to restore from known-good, uncompromised backups becomes critical.
Firevault Storage supports Objective D by providing:
- Immutable backup copies: Data stored offline cannot be modified by ransomware or other malware
- Guaranteed recovery point: Known-good data that enables restoration regardless of network compromise scope
- Air-gapped evidence preservation: Forensic data protected from tampering during incident investigation
- Business continuity assurance: Certainty that critical data survives even sophisticated, persistent attacks
The WannaCry Lesson: Interconnectedness and Resilience
The WannaCry incident highlighted several insights directly relevant to CNI operators:
- Speed of propagation: The virus spread through NHS networks with unprecedented speed, demonstrating how quickly attacks can escalate
- Interconnectedness vulnerability: Organisations that believed they were isolated discovered connections they had not anticipated
- Service delivery impact: Critical healthcare services were disrupted, with patients turned away from hospitals
- Basic hygiene gaps: Many affected systems lacked patches that had been available for months
The NCSC response elevated cyber as a board-level risk across the public sector. But the fundamental lesson remains: systems that are connected can be compromised, and recovery depends on having assets that attackers cannot reach.
Implementing Physical Disconnection for CNI
For CNI operators considering offline secure storage as part of their NCSC alignment strategy, implementation should address:
1. Asset identification: Determine which data and systems are essential to critical functions and warrant air-gapped protection
2. Access workflow design: Establish procedures for controlled access that balance security with operational requirements
3. Integration with incident response: Incorporate offline assets into recovery playbooks and business continuity plans
4. Testing and assurance: Regularly verify that offline storage functions as intended and supports recovery objectives
Firevault Platform provides the infrastructure to implement physical disconnection at enterprise scale, with Super Admin controlled access windows, comprehensive audit logging, and integration capabilities for existing backup workflows.
Regulatory Context and Future Direction
The NCSC guidance exists within a broader regulatory framework that is evolving rapidly. The Cyber Security and Resilience Bill will expand mandatory security requirements for CNI operators, while sector-specific regulators increasingly reference the Cyber Assessment Framework in their oversight.
Organisations that implement physical disconnection now position themselves ahead of regulatory requirements while addressing the genuine threat landscape that NCSC guidance reflects. As the NCSC notes, cyber represents a principal and growing disruptive threat to Critical Infrastructure. The question is not whether to enhance resilience, but how quickly and comprehensively to act.
Conclusion
The NCSC framework for CNI cyber resilience provides a comprehensive, outcome-focused approach to managing severe cyber threats. Physical disconnection through Offline Secure Storage supports all four objectives, from risk management decisions through to recovery assurance.
For organisations responsible for essential functions, the framework creates clear accountability for cyber resilience at board level. Demonstrating that appropriate measures are in place requires controls that match the severity of potential impact. For the data that would cause the most harm if compromised, Firevault provides the physical disconnection that makes those controls genuinely effective.


