Last year saw a worrying trend in the cybersecurity attack arena as critical infrastructure came under fire, with many suggesting in 2018 these attacks could escalate.
Various defense departments warned of nation-state campaigns targeting operational technology (OT) within the energy sector and nuclear facilities across the globe. In tandem, malware strains such as Industroyer, materialized with claims that they are specifically targeted at critical systems.
We’ve also witnessed events that illustrate the repercussions when attacks are successful – such as the 2017 WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network. Any successful compromise will have a detrimental effect on the UK’s economy with the potential to have an impact on citizen’s safety.
Recognizing the threat, the UK government is looking to implement the European Union Network and Information Security (NIS) Directive to help make sure UK operators in electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the increasing numbers of cyber threats.
What is the NIS Directive?
Having been adopted by the European Parliament back in 2016, the UK Government has until 9 May 2018 to transpose the NIS Directive into domestic legislation. As part of this process, it undertook a Public Consultation during the summer of 2017 with the results published in January.
In the UK, the legislation will cover companies and organizations deemed to be operators of essential services, (OESs) and digital service providers (DSPs.) These OESs and DSPs must implement security measures that will manage risks to their network and information systems and, should any serious incidents occur, these must be notified to the relevant Competent Authorities (a final definitive list is yet to be published). The National Cyber Security Centre (NCSC) will adopt the role of the Computer Security Incident Response Team (CSIRT).
It will be the responsibility of OESs and DSPs to ensure that their suppliers have appropriate security measures in place.
Rather than a single cybersecurity standard, there are 14 ‘security principles’ that apply to four core areas – managing security risk, defending systems against cyber-attack, detecting cybersecurity events and minimizing the impact of cybersecurity incidents.
As further guidance, the NIS Cyber Assessment Framework (CAF) will be published in April 2018, which doesn’t leave a lot of time to implement ahead of the 9 May deadline. Instead, plans must be implemented now that can then be adapted, if necessary, once the official framework is published.
Does NIS go far enough?
As you’d expect, there will be implications for non-compliance with the NIS Directive. While it’s unlikely that the authorities will test to make sure that organizations have implemented the framework correctly, procedural and technical failures are likely to be self-evident.
Of course, as has been proven with other directives, compliance doesn’t always equate to security. While ensuring that the organization is compliant will go a long way to reduce financial repercussions, it should not be the only objective. Understanding the network, identifying what’s important, and then implementing practices to reduce risk must be the motivator rather than a check-box exercise.
Time to batten down the hatches
The reality is that the infrastructure we all rely on is outdated and antiquated. In tandem, it is increasingly being targeted and even exploited by those with a modicum of skill and motivation. The recent examples of malware discovered within OT environments has highlighted that critical infrastructure has the same basic cyber hygiene issues that have plagued the IT world for years.
To compound the issue, it’s almost impossible to quickly update an OT environment to address a major vulnerability. The convergence of OT with the world of IT also means that these outdated systems are increasingly connected to the internet, exposing them to even more threats.
Ultimately, all these factors contribute to increased levels of exposure and risk. Identifying the organization’s overall Cyber Exposure is foundational to understand the overall cyber risk.
This involves identifying and assessing every asset across all computing platforms with live visibility. From this viewpoint, organizations can understand their true level of exposure and proactively manage and reduce cyber risk.
Having identified where weaknesses exist and/or networks exposed, the likelihood of exploitation must be weighed against the potential risk. It may be decided that an issue with a high likelihood of occurring but would result in a lower impact be prioritized over something that has a higher impact but is highly unlikely to occur.
Knowing what systems the UK relies on, and keeping those systems up-to-date and protected from exploitation, isn’t something that should be left to chance. After all, we cannot stop cybercrime altogether any more than we can eliminate theft or burglary in society at large. However, those tasked with protecting critical infrastructure must be smart about the steps they take to significantly reduce the risk.
While regulation for regulations sake is unnecessary, what the NIS Directive will do is formalize the security considerations needed to keep the UK’s critical infrastructure, and by association the economy and UK citizens, safe. Will it be enough? Time will tell.