Blog · 05 Jun 2018

Have you forgotten the NIS Directive in your focus on GDPR?

There's a real risk GDPR has overshadowed the new NIS Directive. Here's what essential services organisations need to be doing right now to improve cyber defence for critical infrastructure.

Dominic Wood
Head of Global Security and Government Assurance

Emerging from the shadows of GDPR…

In the run up to GDPR implementation and the ensuing ‘regulatory fatigue’, there’s a real risk that businesses may have overlooked the fact that another important EU directive came into law on 9 May this year. If businesses haven’t yet realised the Network and Information Systems Regulations (known as the NIS Directive) applies to them, here’s what all organisations involved with critical national infrastructure need to know.

Protecting essential services from cyber attack

The NIS Directive’s prime focus is on protecting essential services which, if disrupted, have the power to cause significant damage to the economy, society and the welfare of citizens. The directive’s remit covers the network and information systems of essential services such as the supply of energy and water, and the provision of healthcare, transport and digital infrastructure.

It only takes a moment’s thought to realise how vital protecting these services is. Think about how day-to-day life would be affected if the telecommunications network went down, or our public transport systems suffered a widespread IT failure. Imagine what would happen if there was no clean water, no electricity or gas, no sewage treatment.

The risks are real

Our critical national infrastructure is increasingly under attack. In many cases, these essential services industries are vulnerable largely because they use industrial control systems to regulate temperatures and pressures, and to turn processes on and off automatically. Together with the huge demand for analytics to optimise processes, known as Industry 4.0, these systems are under pressure; they were designed with functionality in mind — not security and the risks of internet connectivity. Security becomes even more of a concern if Industry 4.0 is also used for command and control (where the analytics decide which processes need to be changed and then automatically execute those changes).

The security risks to essential services are sky-high today. In the past few years there has been an increasing number of cyber attacks on the industrial control systems that underpin manufacturing plants and critical national infrastructure. As events such as last year’s WannaCry ransomware attack prove, cyber attacks and computer network failure in essential services can cause serious and widespread disruption.

NIS: a new level of scrutiny

To protect a nation’s critical national infrastructure, all operators of essential services and digital service providers (DSPs) are required to take appropriate and proportionate technical and organisational measures to manage the risks to the security of their networks and information systems. This involves implementing essential and robust cyber security measures that will strengthen the individual enterprises and, collectively, the nation’s infrastructure.

Under the NIS Directive, critical infrastructure organisations that fail to report network outages and breaches to regulators within 72 hours, or that do not comply with their security duties, could face fines of up to £17 million, although fines would be a last resort, as the focus is on guiding organisations to improve their security.

Does the NIS Directive affect your organisation?

Against this background, the first challenge that all organisations connected to the national infrastructure must overcome is to find out whether the services they provide fall within the scope of the NIS Directive.

The difficulty here is that the legislation needs to be interpreted — and this is no easy matter. The Directive is based on guidelines, not black and white rules, and deals in what’s “appropriate and proportionate” rather than specifics. The onus is on the organisation to understand the legislation, work out which functions of their organisation need to be compliant, and to put in place necessary measures. It’s vital that the right processes are in place to determine whether or not an incident needs to be reported to the relevant regulatory authority.

Identifying your Competent Authority

The second challenge for organisations subject to the NIS Directive is to identify their Competent Authority, and to familiarise themselves with the process for reporting any breach. Operators of essential services will primarily work with their regulatory authority to build resilience into their networks and security, turning to the NCSC for guidance where necessary. So again, there’s an onus on the organisation to establish the right channels of communication so that, in the event of a breach, they can report the incident as soon as they become aware of it.

Take action today

The NIS Directive is a significant piece of legislation with wide-reaching consequences for the operators of essential services, as well as DSPs. The danger is that it can feel like self-administered legislation and, therefore, be considered of lesser importance than other regulation. This could leave organisations like yours open to unintentionally breaching the guidelines.

As a first step to avoiding this, organisations should review their cyber security measures to make sure they’ve correctly identified all areas of their operation that are affected by the NIS Directive.

To find out more about your NIS Directive responsibilities and how you can bring your cyber security measures in line with the new legislation, get in touch today.