The UK government recently announced its implementation plan for the EU directive on the Security of Networks and Information Systems (NIS), designed to improve the ability of member states to defend against and respond to cyber-attacks.
The NIS Directive aims to improve information security standards by enhancing capabilities at a national level, improving cooperation across the Union and ensuring that operators of essential services have appropriate technical and organisational controls in place to minimise security risk.
Recent events such as the global WannaCry ransomware attack, the 2016 attacks on US water utilities and the 2015 attack on Ukraine’s electricity network highlight the growing cyber threat to vital national infrastructures and have led to this increased legislation to protect economies, societies and individuals’ welfare.
What is the NIS Directive?
Directive 2016/1148, the directive on the security of Networks and Information Systems (NIS Directive), is the first piece of EU-wide legislation designed specifically to enhance cyber security. The NIS Directive was adopted by the European Parliament on 6 July 2016 and EU states have until May 2018 to transpose it into domestic law. In the UK, a consultation process is currently underway and the directive will take effect regardless of Brexit.
“As our reliance on technology grows, the impact of failure in those systems and the opportunities for those who would seek to compromise our systems and data increase. We need to secure our technology, data and networks in order to keep our businesses, citizens and public services protected.”
Matt Hancock, Minister for Digital, Department for Culture, Media and Sport (DCMS)
Which organisations does the NIS Directive apply to?
The NIS Directive requires member states to ensure operators in critical infrastructure are prepared to manage the risks posed by the increasing number of cyber threats that seek to compromise them. It also covers threats that have the potential to disrupt IT continuity, such as power or hardware failures and environmental hazards.
Member states are required to designate one or more NIS competent authorities (CAs), which will be responsible for implementation of the Directive and ensuring compliance with its provisions. The NIS Directive splits affected organisations into two categories: OESs and DSPs.
An Operator of Essential Services (OES) is a public or private sector organisation that provides an essential service to society or the economy, whereby the provision of that service is dependent upon network and information systems and has the potential to be significantly disrupted by a cyber incident.
Sectors that fall under the above definition include energy, transportation, water and healthcare. Banking and financial market infrastructures are exempt from many aspects of the directive, as high standards are already enforced by CAs including the Bank of England and Financial Conduct Authority. It is the responsibility of member states to identify all OESs by November 2018.
The NIS Directive also affects three specific types of Digital Service Provider (DSP) – online marketplaces, online search engines and cloud computing services – whose activities play an important role in digital infrastructure. Such organisations include any company offering ‘Infrastructure as a Service’ (IaaS), ‘Platform as a Service’ (PaaS) or ‘Software as a Service’ (SaaS).
The responsibility is on DSPs themselves to determine whether they fall within the directive. DSPs that employ fewer than 50 people, or with an annual turnover of under €10 million, are automatically excluded from its scope.
All OESs will be required to comply fully as soon as legislation becomes law, while the directive takes a ‘lighter touch’ approach with DSPs, who should ensure a level of security commensurate with the degree of risk posed to the security of the digital services they provide.
What are the requirements of the NIS Directive?
Under the NIS Directive, operators of essential services must comply with a range of principles outlined by their governing nation state. These principles are designed to manage risk, protect critical infrastructure and minimise the potential impact of cyber incidents. Operators must also report breaches, without undue delay, to the relevant Computer Security Incident Response Team (CSIRT).
The UK government has recently released its proposed set of high-level security principles, which require OESs and DSPs to have the following in place:
• Appropriate structures, policies and processes to support effective governance, risk management, asset management and supply chain security
• Proportionate security measures to protect essential services, such as ensuring internal network and system resilience, implementing identity and access control, maintaining data security and conducting staff training
• Appropriate capabilities to detect threats, including security monitoring and anomaly detection
• Appropriate capabilities to respond to, recover from, and remediate cyber incidents
The NIS Directive does not specify a timeframe within which incidents should be reported; however, to be consistent with other legislative reporting requirements, the UK government proposes that this should be no later than 72 hours after having become aware of an incident.
In January 2018, the UK’s National Cyber Security Centre (NCSC) will publish cross-sector guidance to supplement these principles, and will also produce a Cyber Assessment Framework to establish the extent to which requirements are being achieved.
What are the consequences for failing to meet NIS Directive requirements?
Member states are required to lay down their own fines and sanctions to ensure that NIS requirements are met, so long as they are effective, proportional and dissuasive.
The UK government has proposed two bands of penalties:
• Band one – a maximum of €10m or 2% of global turnover – for lesser offences, such as failure to cooperate with the competent authority, failure to report a reportable incident, or failure to comply with an instruction from the competent authority.
• Band two – a maximum of €20m or 4% of global turnover (whichever is greater) – for failure to implement appropriate and proportionate security measures.
In its consultation paper, the UK government states that these penalties have been created for ‘the most egregious incidents’, to represent the scale of the impact that loss or disruption of an essential service could have. However, it is also stated that an OES or DSP’s attempts to implement improvements will be a clear mitigation for any subsequent penalty, meaning organisations that are proactive in their approach to information security are likely to be looked upon favourably.
How can organisations start preparing for NIS Directive compliance?
OESs and DSPs that fall within the scope of the NIS Directive will be subject to a broad range of requirements as soon as it becomes law in May 2018. However, the good news is that many of these incoming requirements are in line with those of the General Data Protection Regulation, an incoming piece of legislation designed to improve the way that all EU organisations process personal data. This means that even though the final NIS requirements are yet to be ratified, organisations can start preparing now.
A cyber security assessment such as a pen test or vulnerability assessment can be a useful starting point for any organisation wanting to identify and receive help remediating vulnerabilities across its environment. In the longer term, organisations need capabilities in place to continuously monitor their network environment to detect threats and breaches as early as possible and facilitate rapid incident response and reporting.
The challenges of in-house threat detection
The sheer cost and complexity of developing a proactive threat monitoring capability in-house can be a significant challenge, particularly where critical infrastructure is built on industrial control systems that require a specialist skillset.
ThreatDetect™, Redscan’s award-winning managed detection and response service, helps organisations offering essential services to overcome the challenges of threat detection by providing enterprise-grade security for a cost-effective monthly subscription. Combining leading CSOC expertise, cutting-edge technology and up-to-the-minute industry intelligence, ThreatDetect hunts for threats and breaches across an organisation’s network and endpoints 24/7 to provide enhanced threat visibility and significantly improve cyber security posture.