The EU Network and Information Systems Directive (NIS Directive) came into force in August 2016. Member States had to transpose the Directive into their national laws by 9 May 2018. Member States has to further identify operators of essential services by 9 November 2018. More detailed information on the legislation can be found here.
In the face of mounting worries that interlinked systems and networks, as well as an increasing link between IT systems and industrial control systems (ICS), could provide an avenue for cyber attacks, the legislation aims to bolster cyber security and resilience within the critical infrastructure sector (so called “essential services” but also “digital services”).
What the NIS Directive means for operators
The net effect of the legislation is that operators of essential services and digital service providers are subject to requirements to keep their networks and information secure under the new rules and to notify security incidents to “competent authorities” when they occur.
One challenge is that as a directive, the rules are being applied separately (and hence potentially differently) across the EU. Additionally, the new requirements, although defined and established now, are due to be implemented over the coming months when organisations are already contending with the new data protection regulations in the form of the EU General Data Protection Regulations.
The Critical NIS Cyber Security Principles
Whether your organisation is a UK, Australian or American operator of Critical Infrastructure there are two key cyber security principles that your organisation needs to defend its assets: C1 Security Monitoring and C2 Proactive Security Event Discovery
The organisation monitors the security status of the networks and systems supporting the delivery of essential services in order to detect potential security problems and to track the on-going effectiveness of protective security measures.
The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the delivery of essential services when the activity evades standard signature based security prevent/detect solutions (or when standard solutions are not deployed).
How the NIS Directive works in the UK
In the UK there is no single competent authority. Instead there are a number of separate organisations, mostly existing industry regulators – assisted by the National Cyber Security Centre (NCSC) – such as Ofcom, Ofwat etc. and the Information Commissioner’s Office (ICO) who are responsible for overseeing compliance and defining rules in the various sectors. This diversity in the definition of rules, standards and processes makes policing compliance a challenge.
NCSC published best practice
The NCSC has published an introduction to the NIS Directive and a set of high-level guidance objectives, or Indicators of Good Practice, for Critical Infrastructure organisations; this includes guidance for C1 and C2. Their advice covers:
- Managing security risk: Appropriate organisational structures, policies and processes to understand, assess and manage security risks to systems supporting essential services.
- Protecting against cyber attack: Proportionate security measures to protect services and systems from cyber attack.
- Detecting cyber security events: Ensure security defences are effective and detect cyber security events that could, or will, affect services.
- Minimising the impact of cyber security incidents: Minimise the impact of an incident on services including the restoration of services where necessary.
NCSC also has an associated Cyber Assurance Framework (CAF) for audit, review and assessment services.
Enforcement of the NIS Directive
The Department for Digital, Culture, Media and Sport (DCMS) is asking the competent authorities (regulators) to take a cautious approach to enforcement initially, to give organisations that are affected by the NIS Directive time to digest and update their cyber security defences. See DCMS guidance here.
So while fines under the NIS Directive, in particular for incidents that cause loss of life or actual physical harm, might be severe once the regime is fully up and running; initially they should be more modest, especially where operators have “assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack”.
How to comply with the NIS Directive cyber security principles
Huntsman Security has first-hand experience in meeting the high security, real-time visibility and assurance requirements of critical infrastructure organisations. Our customers manage complex network structures, deal with extremely high data volumes and monitor a wide variety of data types and sources. The suitability of our technology for these high critical environments is proven.
- Governance and Risk – track how you are performing against major government, national and international standards
- Security analytics and real-time threat detection – detect threats based on known patterns or anomalous behaviour.
- Automated Threat Verification – take action through infrastructure interconnects to contain, quarantine or mitigate a threat which means that attacks or breaches are rapidly diagnosed and thwarted.
See our Industry web page for Critical Infrastructure.
Collateral with particular relevance to Critical Infrastructure
- The Essential Guide to Cyber Security following the NCSC’s 10 Steps
- SIEM & Security Analytics brochure
- Insider Threats: Why Behaviour is Key to Early Detection
- Video – Protective Monitoring
Or you can contact us now to arrange a conversation or face-to-face meeting.