In May of this year, EU Member States must have transposed an important new European law into national legislation. It will affect operators of network and operational technology (OT) systems in vital sectors such as energy, healthcare and finance across the continent.
The EU Directive on Security of Network and Information Systems (commonly known as the NIS Directive) seeks to raise the baseline of security across Europe and to hold those who do not prepare properly for cyberattack fully accountable.
The NIS Directive has been billed as the first piece of EU-wide cybersecurity legislation, and will work alongside another important piece of regulation – the General Data Protection Regulation (GDPR) – to focus efforts on reducing cybercrime in Europe. Unlike GDPR, which applies directly, a directive must be written into each Member State's own law, which is why national implementations differ. Like GDPR, though, the NIS Directive pursues its goal through new structures and information-sharing bodies, as well as rules and enforcement powers.
That said, despite the topical nature of the threats to network security, a quick look at Google Trends data suggests that while searches for information regarding GDPR have been steadily growing at a sustained pace over the last 12 months, the lesser known NIS Directive doesn’t even register as a term of interest. We know that the level of preparedness for GDPR is lower than it should be despite prominent coverage. It is therefore clear that the NIS Directive is, worryingly, going to catch many firms by surprise.
The May deadline is fast approaching, but it’s not too late to begin preparing for the NIS Directive’s implementation and in doing so give critical infrastructure the level of security it drastically requires.
Addressing the NIS challenge
The NIS Directive has multiple objectives. It mandates that EU Member States create national Computer Security Incident Response Teams (CSIRTs) and designate a competent authority or regulator that can enforce NIS standards and compliance. It also aims to foster better cross-border collaboration on cybersecurity information and incident response, including the sharing of information on risks and incidents and the mandatory notification of incidents that have a significant impact on the continuity of essential services. (Notification of personal data breaches is a separate obligation under GDPR, not the NIS Directive.)
The NIS Directive is also focused on improving security culture in two key groups: “operators of essential services” and “digital service providers”.
Operators of essential services covers network and OT security in sectors including energy, transport, banking and financial market infrastructure, health, drinking water supply and digital infrastructure. These are critical services – such as control systems in power distribution and manufacturing – which are increasingly connected for the purposes of data gathering, monitoring and automation, but which are also under steady attack from criminal actors and nation states.
Georg Peter, Head of the Technology Innovation in Security Unit at the European Reference Network for Critical Infrastructure Protection (ERNCIP), describes critical infrastructure in Europe as being under “daily attack”. These range from Denial of Service (DoS) attacks to complex attempts to gain control of or crash systems.
And attackers are getting more sophisticated: in December 2015, a widely reported cyberattack on Ukrainian regional electricity distributors saw intruders remotely open circuit breakers at substations, cutting power to roughly 230,000 customers. Just over a year later, a second and less well publicised attack on a transmission substation near Kiev used the Industroyer malware (also called CrashOverride), which automated the grid-protocol manipulation that had been done by hand in 2015 and was therefore capable of doing wider-scale damage in less time. At the end of 2017, researchers revealed a yet more sophisticated malware called Triton (also called Trisis), which targets Schneider Electric Triconex safety instrumented systems: rather than the process controllers themselves, it attacks the safety layer that is meant to shut a plant down safely when something goes wrong.
Best security practice
By the May deadline, organisations should be adequately equipped, both in terms of technical and organisational capabilities, to prevent, detect, respond to and mitigate incidents and risks. However, the relatively low level of awareness regarding the NIS Directive does raise concerns that companies aren’t fully prepared, or even aware of the cost of non-compliance, despite the fact that the deadline is drawing near. There have been few, if any, studies on the level of industry preparedness for the new law, and anecdotally there seems to be a perception that it will be a burden on operators.
What do operators of essential services need to know? The language of the Directive itself is intentionally vague: this gives national regulators room to develop appropriate ways to harmonise its requirements with local laws and update those regulations as the threat landscape changes.
For example, the NIS Directive obliges operators of essential services to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operation”. Having regard to the “state of the art”, those measures must deliver a level of security appropriate to the risk posed.
Practically, this means that specific regulations will be devised and implemented at the national level and evolve as the threat landscape does. Some countries, such as Latvia and Germany, have already integrated the NIS Directive requirements into existing laws and institutions. The UK, meanwhile, has published a consultation document for drawing up new regulations.
The directive also preserves Member States' right to “take the necessary measures to ensure the protection of its essential security interests, to safeguard public policy and public security, and to permit the investigation, detection and prosecution of criminal offences”. Note that this clause is a reservation in favour of national governments rather than an obligation placed on operators.
The timescale is tight, but the main thrust of the directive is to enshrine good security practice around OT, which is already well understood by the industry. Throughout the security supply chain there’s a good understanding of what needs to be done to protect critical infrastructure, even if it hasn’t been implemented yet.
Penalties for non-compliance with the NIS Directive are set at the national level; the Directive itself requires only that they be “effective, proportionate and dissuasive”. The UK, for example, has proposed a maximum fine of £17 million. (The figure of €20m or 4% of annual turnover that is often quoted alongside NIS is GDPR's penalty regime, not NIS's.) While for smaller organisations a fine of this size could put their financial future at risk, in reality penalties should not be the motivating factor for compliance: the cost of a serious incident far outweighs that of deploying proactive security measures.
That is why, rather than perceiving the NIS Directive as a regulatory burden, operators of essential services should welcome clear guidance as to what is acceptable and what their liability for cybersecurity is, giving them the confidence to make investments in proactive measures to mitigate attacks.
Operators of essential services and digital service providers must now take this opportunity to evaluate their current network security, and begin to instil best security practice for themselves and throughout their supply chains. The NIS Directive should act as a tool to reassess whether or not their security controls meet the demands of the modern world.
And if they are not fit for purpose, it provides a clear mandate to bring them up-to-date.