The EU Network and Information Systems (NIS) Directive, which comes into force on 10 May 2018, will result in legislation in the UK to protect essential services from cyber threats. The directive covers many sectors that provide essential services to the public and the UK economy, such as energy and utilities, transport, health and digital platforms. Operators of essential services (OES) are likely to need to make a step change in their cyber resilience preparedness to ensure they are compliant with the NIS security principles and guidance and avoid the significant fines being proposed for non-compliance.
The EU Network and Information Systems (NIS) Directive is a step change in cyber resilience of essential services
Awareness of the NIS Directive, and its implications, is still low across the affected industries, as it has been eclipsed by its ‘bigger brother,’ the GDPR. The Directive may come as a shock to some companies as the legislative timetable leaves little time for implementation before it comes into force on 10 May 2018.
Back in August, the Government revealed its thinking on the directive and released a consultation for industry. The Government is currently reviewing the consultation responses and is expected to publish the detail of its approach around the end of this year.
Around the same time, the Government’s National Cyber Security Centre will be publishing the generic cross-sector implementation guidance for OES. Meanwhile, the relevant lead government departments or authorities (designated as Competent Authorities) will be defining the sector specific interpretation on the generic guidance in early 2018. This means that although the direction of the Government’s thinking is clear, the detail of what will actually be in the legislation will not be known until early 2018, leaving OES only a few months to comply.
What will operators of essential services need to do?
OES immediately need to assess their compliance with the National Cyber Security Centre’s (NCSC) 14 security principles. First, they should confirm which of their services fall within the legislation. Then they need to put in place the appropriate cyber resilience measures to protect the networks and information systems that provide or support essential services, along with incident reporting mechanisms. The consultation document outlines four high-level security areas covering the 14 security principles:
- Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services
- Proportionate security measures are in place to protect essential services and systems from cyber-attack or system failures
- Appropriate capabilities to ensure network and information system security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services
- Capabilities exist to minimise the impacts of a cyber security incident on the delivery of essential services, including the restoration of those services where necessary.
OES will be expected to have these in place for their essential services by 10 May 2018, with further timescales for meeting the detailed implementation requirements as NCSC or the competent authorities publish them.
There are potentially serious penalties for non-compliance
Owing to the potentially significant impacts of cyber incidents on essential services, the government is proposing that a ‘high bar’ penalty approach is set for non-compliance that is similar to GDPR. For example, fines of up to 20M Euros or 4% of global turnover for major breaches (such as failure to implement appropriate and proportionate security measures) and 2% for minor breaches (such as failure to report an incident or failure to cooperate with a competent authority).
Key challenges for OES
Although OES will have already done much to protect their critical infrastructures, NIS will require further work to make these essential services even more resilient.
Two key areas will be a challenge for OES:
1) Better understanding of threats and vulnerabilities: One of the many challenges facing OES is how to tell whether systems are secured and whether there are any vulnerabilities lurking in them. Often, it isn’t possible to perform penetration testing on live systems as this could potentially cause disruption to the systems, so other techniques are called for. This is where a Threat Hunting approach can be very useful. This involves a proactive approach of searching through networks and systems to detect and isolate advanced threats that evade existing security solutions.
2) Incident response and reporting: Another key challenge that OES will face in their NIS programme is ensuring that their incident response capabilities are up to scratch. The Government has proposed that a similar approach to GDPR will be followed where organisations will identify and report incidents to the National Cyber Security Centre (NCSC) “without undue delay and as soon as possible, at a maximum of no later than 72 hours after having become aware of an incident”. Whilst many OES will already have incident response and reporting capabilities in place, experience from GDPR implementation programmes shows organisations need to enhance these capabilities to meet the timelines required.
A great way of testing out an organisation’s response capabilities is to conduct a cyber war game. This is much more than running a simple table-top exercise and would involve thoroughly testing the incident response procedures and decision-making processes. A wide range of staff should be involved, including operations, security, legal, regulatory, communications and business leadership.
Come and join us at the Cyber Security Summit & Expo on 16 November 11:20 – 12:05 in Theatre 1 to learn more about the NIS directive and how threat hunting and cyber war gaming can help ensure preparedness for NIS.