The Government has confirmed that the EU Network and Information Security Directive (NISD) will be translated into UK law by 9 May. The approach will follow that set out in last year's consultation document, with one major difference: the threat of penalties of four percent of global turnover has been removed and the limit set to a maximum of £17 million.
Now that we know the details, organisations that operate essential services (OES) and critical infrastructure need to start implementing their plans to assure the cyber-resilience of those services and ensure they are complying with the directive. There is a real incentive to get it right quickly, because there is no grace period and penalties are possible even in the first year.
We also have more clarity about the role of the National Cyber Security Centre (NCSC), which will act as a technical authority and a source of best practice and assistance rather than policing compliance with the directive. It has already published the updated security objectives and principles, which are now supported by new additional implementation guidance; details can be found on the NCSC website.
An understandable response would be to complain about the burdens of yet more regulation. However, there are real benefits to be gained from taking a positive approach to implementing the NIS directive. It will help companies ensure their infrastructure and information systems are more resilient. As all companies should now recognise, the reputational and financial costs of cyber-security incidents are high, so there is a real need to get this right and maintain trust in our essential services. Equally, as organisations take action to comply with the directive and become more resistant to cyber-attacks, risks will be reduced as attackers are likely to go for softer targets elsewhere.
What should organisations be doing?
Even though some of the detail is still being developed, there is now enough information available for organisations to start improving the cyber-resilience of the essential services they provide. It is vital that OES are seen to be taking it seriously and actively working towards compliance. The lesson from GDPR is that leaving this to the last minute is not a good idea, as skills shortages can significantly impact progress as the deadline looms. A key challenge will be to train and develop the staff to support the capabilities required to meet the objectives. Also, it can be difficult to implement security measures in operational environments, which means operators may have to allow longer timescales for implementation. This runs the risk that measures may not be in place in time.
Scope and applicability
The starting point for all companies is to check whether the directive applies to them. This should be relatively straightforward as the criteria are clear, though some organisations with operations in multiple sectors or in different areas of the UK could find that parts of their organisation are covered by different competent authorities.
The one caveat to bear in mind is that the NIS directive might not apply to all of an organisation's operations. Companies should examine their services and determine which would be considered 'essential services' under the directive. It is also important for companies to understand that these services can depend on others, whether internal services or external third parties, and that the OES will be responsible for the resilience of its suppliers and supply chain.
Gap and risk assessment
There is enough information now available from the NCSC to allow organisations to start identifying the gaps in their approach and understanding the risks these pose. The NCSC will publish an assessment framework by spring 2018, which will help organisations understand the detail of the gaps. Many organisations have been working on this for some time and many have accreditations such as Cyber Essentials PLUS. This is a great start, but the NCSC objectives and principles go much further. For example, NIS focuses on establishing overall risk management, security management and response capabilities, going far beyond the technical measures in Cyber Essentials.
Incident response and reporting
A key element of the directive is the requirement to establish effective incident response and reporting capabilities. That means OES will have to be able to monitor the networks and systems that support the essential services to identify possible cyber-events. They will also need to be able to respond to and investigate those events, and to report notifiable events to the competent authorities within 72 hours, alongside other reporting requirements that may exist under other regulations, such as GDPR, and under other licensed activities.
A great way to test and rehearse these incident response and reporting capabilities is to conduct a cyber-wargame to ensure that the technical and operations teams can spot and investigate incidents. Cyber-wargames go much further than the simple tabletop exercises that are often used to rehearse and test response and continuity plans. Cyber-wargames can be designed to include real-life tests of the many capabilities required to detect, respond to and report cyber-incidents. Wargames should include verification that boards can respond quickly and make the right decisions, and that all the parties involved, such as legal, compliance and PR, can work together to ensure timely incident reporting whilst also driving the recovery and continuity of the essential services and providing support to customers and stakeholders.
Organisations will also need to recognise that this is not a one-off process; they will have to put in place ongoing monitoring and maintenance of their NIS compliance. That means audit regimes should be updated and expanded to maintain governance. OES may find that external readiness reviews at key stages in the implementation programme are helpful in providing assurance to internal and external stakeholders.
By putting these measures in place now, organisations can ensure they comply with the directive and also benefit from the resilient infrastructure that will be critical to their future success.
NIS Directive at a glance
· Key dates
o Comes into UK legislation by 9 May 2018
o Assessment Framework published Spring 2018
o Sector-specific requirements to be developed by competent authorities (CAs)
· Sectors in scope
o Energy and utilities (Drinking water supply, electricity, oil and gas)
o Transport (Air, Maritime, Rail and Road)
o Digital Infrastructure
o Digital Service Providers
· Competent authorities
o BEIS, Ofgem, HSE
o DfT, CAA
o ICO
Contributed by Justin Lowe, cyber-security expert at PA Consulting Group.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media Group.