Critical National Infrastructure (CNI) faces increased risk of cyber-attacks, the threat to essential services is extremely real, and organizations are faced with the daunting task of securing their Operational Technology (OT) environments.
Over the past few years, we have witnessed the impact from successful attacks against critical systems. From the ransomware attack against Norsk Hydro in March and WannaCry in 2017, to the attack on Ukraine’s electricity network in 2015, the financial and disruptive impact has been clearly demonstrated.
As a result, governments and organizations around the world are having to take the necessary legislative and practical steps to implement appropriate safeguards and policies to secure OT environments.
The NIS Directive: A step in the right direction
The NIS Directive was adopted by European parliament in 2016, and came into force in the UK in May 2018. It places legal obligations on operators of essential services (OESs), including energy, transport, health and water organizations and digital service providers (DSPs) to improve cybersecurity.
The services that fall under the NIS Directive play an essential role in the everyday life and functioning of society. Subsequently, they’ve become attractive targets to malicious actors. The legislation was seen as an opportunity to drive change and improvements in national cybersecurity and work towards securing essential services and digital infrastructure.
Organizations are required to implement security measures that manage risks to their networks including ensuring their suppliers have appropriate security measures. The legislation also requires organizations to report serious incidents to the appropriate regulatory authority.
The role of the Computer Security Incident Response Team (CSIRT) has been taken on by the National Cyber Security Centre (NCSC), which also provides guidance to help organizations implement the NIS Directive requirements.
NIS operates on a principle-based approach, allowing cybersecurity to become a part of an organization’s “business as usual,” rather than operating on a set of prescriptive rules. Organizations understand their business better than an outsider; therefore the principle-based approach allows organizations to make informed decisions on how best to tackle cybersecurity challenges.
Further, flexibility in policy allows for adaptability and innovation in security approaches, allowing organizations to address evolving risks and threats. Compliance is mandatory, and failure to adhere can result in large fines. However, compliance with the legislation is no substitute for maintaining strong cyber hygiene.
Has it been enough?
The infrastructure we rely on, in many cases, remains outdated and antiquated. A year on from NIS, OT environments remain plagued by the same basic cyber hygiene issues that have impacted IT infrastructure for years.
The convergence of OT and IT environments is only compounding this issue. By connecting OT technologies to the internet, organizations are exposing their once air-gapped systems to a wider range of threats, against many of which they remain ill-equipped to protect.
Alongside NIS, organizations need to identify and understand their overall cyber exposure. To do so organizations need to identify and assess all their assets with continuous visibility. This enables organizations to understand and proactively manage their overall cyber risk.
There is no doubt the NIS Directive has had a positive impact on the willingness of organizations to address cybersecurity issues. The legislation serves to formalize the security considerations that UK critical infrastructure organizations are required to make to secure their environments, and operates as a baseline to improve security. However, the low level of maturity in the critical infrastructure sector is a recognized issue in the UK and the rest of Europe.
Improving security in these sectors will take time. Nevertheless, legislative changes such as NIS, which drive stronger baseline security practices, signal a step in the right direction, and organizations should use NIS as a guide to minimize their cyber risk.