A recent report from the UK Joint Committee on the National Security Strategy has raised concerns about the cyber resilience of UK national infrastructure.
As the number of cyber threats targeting critical national infrastructure (CNI) continues to grow in both frequency and sophistication, protecting the energy, water, health and transportation networks we rely on has never been more important. Independent cyber security researcher Pete Cooper describes protecting CNI against cyber-attacks as a “wicked” problem, in that it is “both novel and complex”.
The Joint Committee report’s recommendations are in line with the EU’s Cyber Security Directive, now transposed into UK law via the NIS Regulations. With government scrutiny likely to increase in the coming years, it is essential that operators of essential services and digital service providers understand their obligations and make every effort to minimise security risk.
NIS Directive Summary
The EU NIS Directive is a cyber security directive providing legal measures designed to improve the resilience of network and information systems across the European Union. It requires EU member states to ensure that providers of critical infrastructure and services have appropriate security measures in place to manage cyber risk and maintain operational continuity.
The NIS Directive came into force in July 2016 and was transposed into UK law as The Network and Information Systems Regulations (NIS Regulations) on 10 May 2018, ensuring that its requirements will continue to apply in the UK post-Brexit.
Who does the NIS Directive apply to?
Operators of Essential Services (OES)
Operators of Essential Services are public or private sector organisations that are dependent upon network and information systems to provide an essential service to society that could be significantly disrupted by a cyber incident.
Example OESs include energy, transportation and healthcare providers. Most banking and financial services firms are exempt from many aspects of the NIS Regulations, as high standards in finance are already enforced by the Bank of England and the Financial Conduct Authority.
Relevant Digital Service Providers (RDSP)
Three types of Digital Service Provider are also included in the scope of the NIS Regulations: online marketplaces, online search engines and cloud computing services (including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) providers).
RDSPs that employ fewer than 50 people, have an HQ outside the UK and/or have an annual turnover of under €10 million are automatically excluded from the scope of the NIS Regulations.
NIS Directive implementation
In the UK, the Competent Authorities responsible for overseeing the implementation of the NIS Regulations include the Secretaries of State for Energy, Transport, Health and the Environment, as well as the Office of Communications and various devolved authorities such as the Department of Finance for Northern Ireland and the Welsh and Scottish Ministers.
The Joint Committee on the National Security Strategy’s report is critical of the decentralised nature of the UK government’s approach to CNI cyber defence, encouraging the appointment of a dedicated Cabinet minister focused specifically on this task.
“We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat. It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure.” – Margaret Beckett, MP, Chair of Cyber Security Committee
NIS Directive requirements
Growing scrutiny from the Joint Committee is likely to result in increased pressure on OESs and RDSPs, which must demonstrate that they are making proactive efforts to meet the NIS Directive’s 14 principles. These principles are split across 4 overarching objectives:
Objective A: Managing security risk
Ensuring that appropriate policies and procedures are in place to understand, assess and systematically manage risks to the networks and information systems that support essential services.
– A.1 – Governance
– A.2 – Risk management
– A.3 – Asset management
– A.4 – Supply chain
Objective B: Protecting against cyber attack
Implementing proportionate security measures to protect essential services and systems from cyber-attack.
– B.1 – Service protection policies and processes
– B.2 – Identity and access control
– B.3 – Data security
– B.4 – System security
– B.5 – Resilient network and systems
– B.6 – Staff awareness and training
Objective C: Detecting cyber security events
Having capabilities to ensure security measures remain effective and to detect cyber incidents that could affect essential services.
– C.1 – Security monitoring
– C.2 – Proactive security event discovery
Objective D: Minimising impact of cyber security incidents
Ensuring the ability to minimise the impact of security incidents on essential services, including restoration of those services.
– D.1 – Response and recovery planning
– D.2 – Lessons learned/improvements
Adherence to the 14 NIS principles is judged on how well a set of 39 outcomes is met, measured against Indicators of Good Practice (IGPs). OESs are subject to regular audits, while RDSPs are instead subject to post-breach investigations.
Organisations that fail to take steps towards NIS Directive compliance may be fined up to £17 million, with the highest sanctions reserved for incidents resulting in immediate threat to life or significant adverse economic impact.
Achieving NIS Directive compliance
Among the recommendations of The Joint Committee report is that the government sharpen its focus on building the cyber security skills base. Creating an environment of continual improvement, where organisations work together to improve security reporting, manage supply chain risks and improve overall cyber resilience, is also proposed.
As an award-winning provider of security assessment, consultancy and managed detection and response services, Redscan is well placed to guide organisations through the complex requirements of the NIS Directive & NIS Regulations.
Redscan’s offensive and defensive security services can help organisations to better understand and comply with the principles of the NIS Directive. Our experts specialise in helping clients mitigate cyber security risks, improve resilience, rapidly detect and respond to breaches and assist with the increasingly important tasks of incident remediation and compliance reporting.