The NCSC Cyber Assessment Framework (CAF) for the Energy Sector

When the NIS Regulations took effect in 2018, competent authorities needed a consistent way to judge whether an energy operator was actually managing cyber risk. The National Cyber Security Centre answered with the Cyber Assessment Framework (CAF), a set of 14 principles grouped under four high-level objectives. Ofgem and other energy competent authorities use the CAF as the yardstick for OES oversight, scoring each principle as Achieved, Partially Achieved or Not Achieved. For energy operators, the CAF is not optional guidance: it is the lens through which your regulator decides whether you have met your legal duty.

The CAF assesses 14 principles across 4 objectives for every energy OES

The four CAF objectives

The CAF organises cyber security into four objectives that map onto a complete defensive lifecycle. Objective A covers managing security risk. Objective B covers protecting against cyber attack. Objective C covers detecting cyber security events. Objective D covers minimising the impact of incidents. Each objective contains principles, and each principle is assessed against contributing outcomes. The framework is deliberately outcome-focused so it can apply equally to a national grid operator and a regional gas distributor.

  • Objective A: Managing security risk (governance, risk management, asset management, supply chain)
  • Objective B: Protecting against cyber attack (architecture, access control, data security, resilient networks)
  • Objective C: Detecting cyber security events (monitoring, proactive discovery)
  • Objective D: Minimising the impact (response planning, lessons learned)

How energy competent authorities use the CAF

Ofgem and the energy competent authorities tailor the generic CAF with sector-specific profiles and indicators of good practice. They set target profiles that define the expected achievement level for each principle, recognising that a major transmission operator should reach a higher bar than a small operator. Assessment can be a self-assessment reviewed by the regulator or an independent audit. Where a principle is scored Not Achieved against a target, the regulator expects a remediation plan with timelines.

Applying the CAF to operational technology

The defining challenge in energy is that the CAF must be applied to OT and industrial control systems, not just corporate IT. Legacy SCADA, RTUs and protection relays often cannot run endpoint agents, support modern authentication or be patched on a normal cycle. The CAF accommodates this through compensating controls: network segmentation, monitoring at the IT/OT boundary, and strict access governance. Demonstrating CAF achievement in OT environments usually means evidencing architecture and monitoring rather than agent-based controls.
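To make the compensating-control idea concrete, here is an added example (not code from the page, from the NCSC or from Kyanite Blue) of the kind of IT/OT boundary check an operator can run over its boundary-firewall logs to evidence segmentation (Objective B) and boundary monitoring (Objective C). The zone ranges, the allow-list of IT hosts permitted into OT, the log line format and the sample log lines are all constructed assumptions, not a real operator's configuration.

```python
"""
Added illustration: checking IT/OT boundary traffic against an explicit
allow-list so that segmentation and monitoring can be evidenced for a CAF
assessment. Every address, port, host role and log line below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zones: corporate IT network and the OT/SCADA segment behind the boundary firewall.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")

# Assumed allow-list: the only IT hosts permitted to initiate connections into OT,
# each restricted to the single protocol port its role needs.
ALLOWED_IT_TO_OT = {
    ("10.10.5.20", 102),  # hypothetical engineering jump host -> S7comm
    ("10.10.5.30", 502),  # hypothetical historian collector -> Modbus/TCP
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    action: str  # what the boundary firewall did: "ALLOW" or "DENY"


def parse_log_line(line):
    """Parse the constructed key=value log format used in this example."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["action"])


def classify(flow):
    """Label a boundary flow relative to the segmentation policy.

    allowed    - IT -> OT flow that the allow-list permits
    violation  - IT -> OT flow the firewall let through but the allow-list does not permit
    blocked    - IT -> OT flow the firewall denied (policy working as intended)
    ot-egress  - a device in the OT zone initiating a connection outwards (flag for review)
    other      - traffic that does not cross the IT/OT boundary
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in IT_ZONE and dst in OT_ZONE:
        if (flow.src, flow.dport) in ALLOWED_IT_TO_OT:
            return "allowed"
        return "violation" if flow.action == "ALLOW" else "blocked"
    if src in OT_ZONE and dst not in OT_ZONE:
        return "ot-egress"
    return "other"


def review(lines):
    """Summarise a batch of log lines and list the flows that need follow-up."""
    summary = {"allowed": 0, "violation": 0, "blocked": 0, "ot-egress": 0, "other": 0}
    findings = []
    for line in lines:
        flow = parse_log_line(line)
        kind = classify(flow)
        summary[kind] += 1
        if kind in ("violation", "ot-egress"):
            findings.append((kind, flow.src, flow.dst, flow.dport))
    return summary, findings


# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = [
    "src=10.10.5.30 dst=192.168.100.10 dport=502 action=ALLOW",   # historian -> PLC, permitted
    "src=10.10.7.44 dst=192.168.100.10 dport=502 action=ALLOW",   # workstation -> PLC, not on allow-list
    "src=10.10.7.44 dst=192.168.100.11 dport=3389 action=DENY",   # RDP into OT correctly denied
    "src=192.168.100.10 dst=8.8.8.8 dport=53 action=ALLOW",       # OT device reaching out to the internet
    "src=10.10.1.1 dst=10.10.2.2 dport=443 action=ALLOW",         # IT-internal, not boundary traffic
]

if __name__ == "__main__":
    totals, issues = review(SAMPLE_LOG)
    print(totals)
    for issue in issues:
        print("follow-up:", issue)
```

The "violation" category is the interesting one for an assessor: the firewall permitted a flow the documented policy does not, so either the rulebase or the policy document is wrong, and both the finding and its remediation become part of the CAF evidence pack. The counts returned by `review` are the sort of periodic boundary-monitoring output that can be retained as evidence rather than relying on endpoint agents the OT estate cannot run.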

Common gaps energy operators discover

CAF assessments repeatedly surface the same weaknesses in energy. Asset management under Objective A is often incomplete because OT inventories are partial. Supply chain assurance is frequently the weakest principle. Detection under Objective C is limited where there is no monitoring across the OT estate. Response planning under Objective D often exists for safety incidents but not for cyber-driven disruption. Closing these gaps is where most operators spend their remediation effort.

  • Incomplete OT asset inventories
  • Weak supply chain assurance
  • Limited detection coverage across OT networks
  • Cyber incident response plans that are untested or IT-only

How Kyanite Blue helps you reach your CAF target profile

Kyanite Blue runs CAF gap assessments mapped to the energy sector profile, then builds the remediation roadmap that moves Partially Achieved outcomes to Achieved. We strengthen Objective B architecture and access control, and stand up the detection capability that Objective C demands. Sophos delivers managed detection and response across IT and the IT/OT boundary, giving you the round-the-clock monitoring and documented response evidence that competent authorities expect under Objectives C and D, without you having to staff a 24/7 security operations centre.

Frequently Asked Questions

What are the four objectives of the NCSC CAF?

Objective A: managing security risk. Objective B: protecting against cyber attack. Objective C: detecting cyber security events. Objective D: minimising the impact of incidents. Together they cover the full defensive lifecycle.

Is the CAF mandatory for energy operators?

The CAF itself is a framework, but energy competent authorities such as Ofgem use it as the basis for assessing whether an OES meets its NIS duty, so in practice meeting your CAF target profile is how you demonstrate compliance.

How is each CAF principle scored?

Each principle is assessed against contributing outcomes and scored as Achieved, Partially Achieved or Not Achieved. Regulators set target profiles defining the expected level per principle for your size and criticality.

How does the CAF apply to legacy SCADA and OT systems?

The CAF is outcome-focused and accepts compensating controls. Where legacy OT cannot run agents or be patched normally, segmentation, boundary monitoring and access governance can evidence achievement of the relevant principles.
