EDF UK Achieves Cyber Essentials Plus Certification Using Amazon Inspector

With a focus on renewable energy, EDF serves five million homes and businesses in the United Kingdom. One of its flagship customers is Crown Commercial Services, a UK government agency that manages the procurement of common goods and services. Through its specialist risk-managed energy procurement service, central government and wider public sector organizations can access electricity and gas. 

Crown Commercial Services requires suppliers to adhere to CE+, a government-backed scheme for cyberattack protection. There are two levels of certification; to achieve the first level, Cyber Essentials, suppliers need to mitigate all CVEs with a criticality of 7 or above within 14 days. To achieve the CE+ certification, they must meet all first-level requirements and have their estates technically validated by a third party. 

“CE+ is an incredibly rigorous audit and process to go through, especially for an enterprise the size of EDF,” says Jamie Banks, enterprise product owner for AWS and DevOps at EDF. “However, Crown Commercial Services is an extremely valued customer and has a great reputation, so we knew we had to pass CE+. By gaining this accreditation, we could show Crown Commercial Services and our wider customer base how strong our security posture is.”

However, this task was far from simple. EDF has a massive AWS landscape with over 450 accounts, more than 1,000 Amazon EC2 instances, and thousands of Lambda functions. With a lack of time, resources, and visibility, EDF needed an efficient solution.

After extensive planning with business and technical stakeholders, it chose to build a monitoring and observability workflow on AWS and adopted Amazon Inspector, an automated and continual vulnerability management service.

“With Amazon Inspector, we could respond fast and get visibility into vulnerabilities across our entire estate quickly and in a controlled manner,” says Jamie. “Given our established history on AWS, we could start using the vulnerability management service straight away and track costs through our existing mechanisms. This, in turn, meant that we could roll out the solution quickly, safely, and efficiently.”

After turning on Amazon Inspector, EDF gained clear visibility across its AWS estate within a few hours. Although EDF could now identify CVEs much faster, it still needed to route the vulnerabilities to the correct teams for remediation. To establish this workflow, EDF experimented with different methods. 

First, the central platform team identified the scope of the work and delegated remediation responsibilities between engineering teams that were responsible for certain sets of accounts. Then, they started to consume security findings from Amazon Inspector into its project management software. When engineering teams learned how to use Amazon Inspector, they started to innovate and automate, setting up automated alerts that notified them if a vulnerability was detected in their accounts.

“We are now in a place where we have established a common automated process for reporting findings straight out of Amazon Inspector into our service management tools,” says Jamie. “For example, if a security vulnerability is identified in AWS, it is passed through to the service management tool, automatically assigned to the correct team, and logged as a vulnerability in the SecOps module. As tickets are closed, they are automatically updated, meaning we always have an up-to-date picture.”

Amazon Inspector first identifies all vulnerabilities, and then it feeds this information to AWS Security Hub, a cloud security posture management service that checks against current security best practices, aggregates alerts, and facilitates automated remediation. Using an AWS Lambda function, AWS Security Hub then passes this information to EDF’s service management tool, where it is assigned to a team for remediation. (See Figure 1.)

After establishing this workflow, EDF began remediating vulnerabilities and preparing for certification. It increased its patching schedule from monthly to weekly. EDF also used the AWS Cost and Usage Dashboards Operations Solution (CUDOS) Dashboard to manage deprecated AWS Lambda functions, along with several other security-related initiatives.

For components of its infrastructure that could not be remediated, EDF established a new network with restricted access and set up a firewall attached to AWS Transit Gateway, which connects Amazon Virtual Private Clouds (Amazon VPCs) and on-premises networks through a central hub. By isolating the nonremedial legacy estate, EDF can mitigate potential vulnerabilities and reduce the risk of an adverse impact spreading across its network.