Critical infrastructure security - getting to grips with EU NIS Directive

May 2018 is set to be an important month for professionals within the security industry. Despite the high levels of interest and awareness generated regarding the General Data Protection Regulation (GDPR) last year, a perhaps even more important piece of legislation is set to be deployed in only a few months' time; that is the Network and Information Security (NIS) Directive.

What is the NIS Directive?
The NIS Directive aims to improve security processes for 'operators of essential services' and 'providers of digital services'. 'Operators of essential services' refers to the network and operational technology (OT) security of organisations that produce and supply services critical to the functioning of modern society, including the energy, telecommunications, health and transport sectors.

Its importance was confirmed in 2017, when the UK's National Cyber Security Centre (NCSC) revealed that attacks capable of crippling critical infrastructure are expected in the near future. Furthermore, US-CERT also recently issued an alert warning that critical national infrastructure firms are now at increased risk of attack. By encouraging organisations to implement good security practice around OT, the directive will help ensure our homes remain lit, and our hospitals, transport networks and communication technologies remain operational.

An attack against any of these infrastructures could have detrimental effects on our daily lives, making legislation such as the NIS Directive that much more significant. The worst-case scenario, which is looking increasingly likely, is the manipulation of, or complete loss of control over, physical industrial systems and infrastructure. In certain conditions, this could result in the loss of energy or power, environmental damage and, most worryingly of all, the loss of human life.

How does legislation ensure security?
Non-compliance with the NIS Directive will bring severe consequences for operators of essential services. Fines could be as large as €20m, or four percent of annual turnover, whichever is the greater amount. This may seem like an additional burden for smaller operators, and a fine of this scale could seriously jeopardise their financial future. That said, while the penalties are severe, this shouldn't be the only motivating factor for ensuring OT security.

Instead, compliance with new cyber-security legislation presents an opportunity for operators of essential services to raise the standard of their security processes. The proliferation of internet-connected technologies has meant that many industries have connected traditionally offline systems to the internet, perhaps without considering the ramifications or risks this creates. The NIS Directive aims to give businesses the confidence to invest in proactive measures to mitigate attacks.

Preparing for the deadline
May is fast approaching. Organisations must begin to equip themselves with the technical and organisational capabilities to prevent, detect, respond to and mitigate incidents and risks. Specific regulations will be implemented at the national level and will evolve alongside the threat landscape. Many countries, including Latvia and Germany, have already integrated the NIS Directive's requirements into existing laws and institutions. In the UK, a consultation document has been published ahead of drafting the new regulations.

But as ever, there is no silver bullet to guarantee complete security. The best approach is for those in charge of critical infrastructure to make certain they have enough barriers in place to safeguard critical assets. Proactive regimes that balance defensive and offensive countermeasures, as well as regular retraining in security techniques such as penetration testing and 'red teaming', are essential to keep defences honed.

Time is beginning to run out, so service providers must now evaluate their current security controls and instil best security practice both within their own organisations and throughout their supply chains. If their security processes are weak, the incentives are there to ensure they become compliant with legislation such as the NIS Directive.

Contributed by Jalal Bouhdada, founder and principal ICS security consultant for Applied Risk

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.