While the GDPR may have received most of the attention in the 2018 news cycle, it certainly isn’t the only piece of legislation that will impact your organization this year. The Directive on Security of Network and Information Systems, or NIS Directive for short, was first introduced by the European Union (EU) in 2016. Its goals? To set standards for cybersecurity preparedness, promote collaboration between member states and ensure that critical infrastructure that is vital to the economy is properly protected.
The reasoning behind the directive is quite understandable: we have entered an era where cybersecurity – or lack thereof – concerns us all. The elaborately planned BlackEnergy3 malware-based cyberattack in Ukraine had a devastating effect on businesses and consumers alike in the winter of 2015. This attack on the grid left parts of the country without power for a period of time. Another infamous example was the NotPetya malware, which spread quickly in the summer of 2017 and impacted operational technology (OT) networks and systems. The economic impact was staggering: damages totaled over $10 billion. Companies in different industries were affected by NotPetya, including DLA Piper, FedEx, Merck, Mondelez International and Moller-Maersk.
In situations like these, there are no quick solutions after the fact. Attacks on OT can only be resolved by recovering and restoring system configurations from before the breach. It’s not just a matter of turning the affected systems off and on again. Disruption of business operations is inevitable. Key services can and will grind to a halt when new threats succeed in targeting them effectively. This makes the EU-wide push for improved cybersecurity a very welcome development – but your organization will have to be part of it.
What you need to know moving forward
The NIS Directive focuses on several key outcomes, such as demonstrating active cybersecurity risk management, enhanced threat detection and incident reporting. It also proposes various measures to improve cybersecurity that may be essential to preserving the continuity of the services you provide. Details on the NIS Directive can be found here; we've summarized some of the most pressing considerations below.
Watch out for differing interpretations of the NIS Directive
Unlike the GDPR, which stands as a regulation, this particular legislation was introduced as a directive. The difference is important: a directive gives member states far more discretion in how they interpret and implement the law. If your organization operates across the EU, you need to be aware of these different interpretations and how they might impact your business from country to country.
Remember that scope is determined locally
The law applies to organizations that deliver essential services within the EU. It divides them into two categories: Operators of Essential Services (OES) and Digital Service Providers (DSP). The member states are responsible for determining which businesses are in scope. In general, organizations that focus on energy, transport, financial infrastructure, healthcare, water and digital infrastructure are classified as OES. Online marketplaces, cloud computing services and search engines are classified as DSP, although that category is not defined as explicitly as the former.
It is worth noting that the scope is not limited to organizations based in the EU itself. If you are located in the US but provide essential services in the EU, you will still be subject to the NIS Directive. Conversely, being in scope doesn’t necessarily mean the law applies to your entire organization – only those business units that are involved in providing critical services.
Compliance is not optional
While the NIS Directive is intended to promote collaboration between businesses and member states, there are still consequences to noncompliance. Fines are determined by local legislation and will vary accordingly. To illustrate: the UK has capped fines at £17 million while the Netherlands has a €5 million maximum. Country-specific details can be found in the local law text that each country will implement.
The 7 key steps to NIS readiness
Now that most member states have translated the NIS Directive into legislation at the national level, the next step is to classify organizations as OES or DSP. The deadline was set for November 9, 2018.
Regardless of how your organization is categorized, your responsibilities remain the same. The directive identifies two primary obligations. Firstly, you must take appropriate technical and organizational measures to manage threats to your networks and information systems. Secondly, you must notify the authorities (e.g. National Cyber Security Centre (NCSC) in the UK) of any significant intrusion or security incident without undue delay.
To meet these obligations, there are several aspects of cybersecurity you must focus on.
1. Threat detection
In order to comply with the NIS Directive, you must have mature or advanced threat detection systems in place that are capable of identifying anomalous events and security risks proactively. Although the law text itself does not define a clear technical requirement in this regard, based on our experience we can help define suitable detection capabilities for your organization and support dialogue with the authorities if additional clarification is required.
2. Incident management
Mature or advanced incident management capabilities should likewise be pursued, allowing you to minimize the impact of cybersecurity breaches and restore services quickly.
3. Incident reporting
Your organization must adopt standardized incident reporting mechanisms to ensure that significant cybersecurity incidents are reported to the relevant CSIRT within 72 hours of the event.
4. Real-time incident simulations
To demonstrate compliance, your organization must regularly carry out real-time incident simulations and keep a record of the results for future reference.
5. Accurate logging data
Your organization must also maintain a record of logging data that will allow authorities to assess the security of your networks and information systems.
6. Evidence of implementation
In addition to updating your security policies to reflect the requirements of NIS-informed local law, you must be able to provide evidence that said policies have been implemented effectively.
7. Security audits
Finally, your organization must keep a record of all security audits for future reference. It is important that these audits are carried out in accordance with local law (by certified institutions, if necessary).
Don’t underestimate the impact
When it comes to data security, there’s no such thing as double jeopardy. Imagine if hackers were to breach your network. In addition to making off with a wealth of user data, they also manage to cripple vital infrastructure, taking key services offline for long stretches of time. In this scenario, your organization may be held liable and hit with fines twice – both under the GDPR and the NISD. This is especially relevant in the context of Operators of Essential Services.
This clearly illustrates the stakes involved: cybersecurity compliance can have a significant impact on your bottom line and your public image. The NIS Directive requires our full attention, and two issues in particular may prove especially challenging.
Lowering incident response times sufficiently
Under the NIS Directive, each member state is instructed to establish at least one Computer Security Incident Response Team (CSIRT). These CSIRTs monitor incidents at a national level, provide early warnings to stakeholders, respond to ongoing incidents and deliver dynamic analysis. As an OES or DSP, your organization is required by law to report cybersecurity incidents to your local CSIRT within 72 hours. That means you must not only be able to detect breaches quickly, but also deliver that information on similarly short timescales. For many organizations, this is easier said than done.
Previous research by Accenture has found that most security teams are improving their detection capabilities, but there is still room for improvement; more details on the study can be found in the State of Cyber Resilience 2018.
Promoting security throughout your supply chain
As an Operator of Essential Services or a Digital Service Provider, you are likely to possess a complex supply chain. When hundreds of third-party suppliers all interface with your network and information systems, your threat landscape increases commensurately. In order to meet the demands of the NIS Directive, you will have to be able to mitigate the risks involved in your supply chain and propagate your cybersecurity standards throughout your entire value network.
Why you should take a holistic approach to cybersecurity
The message behind the NIS Directive is clear: implementing an effective cybersecurity framework is an essential part of doing business in the twenty-first century. When that many people rely on your services, the infrastructure that makes those services possible must be secure against threats – both from without and within.
But the scope of that cybersecurity framework isn’t limited to the scope of the NISD. Nor is it limited to the scope of the GDPR, for that matter. It should comfortably include both – and more. What your organization needs is a truly holistic, consistent approach to cybersecurity for both your IT and OT environments. An approach that goes beyond ticking the boxes and focuses on identifying, understanding and mitigating tomorrow’s vulnerabilities.
We understand the challenges inherent in finding the gaps in your cybersecurity armor. And we know how to help you close them. Our extensive experience with data security and cyberdefense in a wide range of operational environments has already allowed us to assist our clients in their cybersecurity transformations. That same experience will light the way on your journey to NIS Directive readiness.