The EU Network and Information Systems Directive (NIS Directive) came into force in August 2016. Member States had to transpose the Directive into their national laws by 9 May 2018. Member States must further identify operators of essential services by 9 November 2018. More detailed information on the legislation can be found here.
In the face of mounting worries that interlinked systems and networks, as well as the increasing connection between IT systems and industrial control systems (ICS), could provide an avenue for cyber attacks, the legislation aims to bolster cyber security and resilience within the critical infrastructure sector (the so-called “essential services”, but also “digital services”).
What the NIS Directive means for operators
The net effect of the legislation is that operators of essential services and digital service providers are subject to requirements to keep their networks and information secure under the new rules and to notify security incidents to “competent authorities” when they occur.
One challenge is that, as a directive, the rules are being applied separately (and hence potentially differently) across the EU. Additionally, the new requirements, although defined and established now, are due to be implemented over the coming months, when organisations are already contending with the new data protection rules in the form of the EU General Data Protection Regulation.
NIS Directive in the UK
In the UK there is no single competent authority. Instead there are a number of separate organisations, mostly existing industry regulators – assisted by the National Cyber Security Centre (NCSC) – such as Ofcom, Ofwat etc., and the Information Commissioner’s Office (ICO), which are responsible for overseeing compliance and defining rules in the various sectors. This diversity in the definition of rules, standards and processes makes policing compliance a challenge.
UK published best practice
The NCSC has published a set of high-level guidance objectives, or Indicators of Good Practice, for CNI organisations to follow. These cover the following objectives:
- Managing security risk: Appropriate organisational structures, policies and processes to understand, assess and manage security risks to systems supporting essential services.
- Protecting against cyber attack: Proportionate security measures to protect services and systems from cyber attack.
- Detecting cyber security events: Capabilities to ensure security defences are effective and to detect cyber security events that could, or will, affect services.
- Minimising the impact of cyber security incidents: Minimise the impact of an incident on services including the restoration of services where necessary.
NCSC also has an associated Cyber Assurance Framework (CAF) for audit, review and assessment services.
Enforcement of the NIS Directive
The Department for Digital, Culture, Media and Sport (DCMS) is asking the competent authorities (regulators) to take a cautious approach to enforcement initially, to give organisations that are affected by the NIS Directive time to digest and update their cyber security defences. See DCMS guidance here.
So while fines under the NIS Directive, in particular for incidents that cause loss of life or actual physical harm, might be severe once the regime is fully up and running, initially they should be more modest, especially where operators have “assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack”.
How can Huntsman Security help your enterprise?
Huntsman Security has first-hand experience in meeting the high security, real-time visibility and assurance requirements in Critical Infrastructure. Our customers manage complex network structures, deal with extremely high data volumes and monitor a wide variety of data types and sources. The suitability of our technology for these highly critical environments is proven.
- Governance and Risk – track how you are performing against major government, national and international standards.
- Security analytics and real-time threat detection – detect threats based on known patterns or anomalous behaviour.
- Automated Threat Verification – take action through infrastructure interconnects to contain, quarantine or mitigate a threat which means that attacks or breaches are rapidly diagnosed and thwarted.
See our Industry web page for Critical Infrastructure.
Collateral with particular relevance to Critical Infrastructure
- The Essential Guide to Cyber Security following the NCSC’s 10 Steps
- Insider Threats: Why Behaviour is Key to Early Detection
- Video – Protective Monitoring
Or you can contact us now to arrange a conversation or face-to-face meeting.