By Chris Flynn, Arcanum Junior Consultant.
The Network and Information Systems Regulations 2018 (the NIS Regulations) have been in force for quite a while now, though it would seem that the breadth of both the regulations and the range of businesses they affect has not yet been fully understood.
Who do the NIS Regulations Apply to?
The NIS Regulations apply to operators of essential services (OES) involved in critical national infrastructure (CNI), and, under a lighter-touch regime, to relevant digital service providers (RDSPs). OES play a vital role in our society: providing our supplies of water, gas and electricity; ensuring provision of our national healthcare; and providing both passenger and freight transport. Their reliability and security are absolutely essential to our everyday activities.
The list of OES is not as straightforward to compile as one might expect: a great number of businesses and organisations (international, EU and UK) are directly involved in the provision of road, rail, air, gas, oil, water, electricity, healthcare and digital infrastructure. Even a quick analysis of these sub-sectors shows that a great number of businesses are affected by NIS, and highlights the amount of support required to ensure compliance.
What is expected of Operators of Essential Services?
OES are expected to have proper systems of governance, risk management and asset management, as well as proper control and management of their supply chain.
The NCSC is providing technical support and guidance to other government departments, the Devolved Administrations, the sector Competent Authorities (CAs) and OES through:
• A set of cyber security principles for securing essential services
• A collection of supporting guidance
• The Cyber Assessment Framework (CAF), incorporating indicators of good practice
• Implementation guidance and support to CAs to enable them to:
– adapt the NCSC NIS principles for use in their sectors
– plan and undertake assessments using the CAF and interpret the results
The NCSC rightly states that, “The implementation of the NIS Directive is an opportunity to put mechanisms in place that drive real improvements to national cyber security”. The NCSC has adopted a principles-based approach, which it describes as “effective as a way of driving improvements to cyber security in the context of the NIS Directive”.
With penalties for non-compliance of up to £17 million and the security of the nation’s CNI on the line, I believe that, whilst help is available, OES may need a little more support to realise the consequences of not protecting themselves against the cyber threat. We have seen in contemporary conflict zones how the ability to secure one’s CNI is of the utmost importance to national security, and how a lack of control in these areas can quickly change the political environment.
The Benefits of Protection
An incident affecting any of these systems has the potential to cause significant damage to the UK’s infrastructure and economy, or to result in substantial financial losses. It is clear to security professionals the world over that the magnitude, frequency and impact of network and information system security incidents are increasing. Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on US water utilities and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that such incidents can have.
From a purely business point of view, one should bear in mind the importance of the security of data and information systems in today’s marketplace. Businesses the world over lose revenue every day to cyber attacks and data losses but, possibly more importantly, they lose the goodwill of their customers and with it the opportunity of future business with those customers.
CNI Protection Example – US Dept of Homeland Security (DHS)
The US DHS set up the National Cybersecurity Assessments and Technical Services (NCATS) team in 2015. This organisation conducts penetration tests and cyber hygiene assessments of US CNI. As stated on its website, “All services are available at no cost to federal agencies, state and local governments, critical infrastructure, and private organizations generally.” US DHS has publicised the cyber security threat to OES and assisted their security preparations by providing regulation as well as scans, tests and reports free of charge.
NCATS ensures that governmental organisations and businesses are better prepared for cyber threats by conducting the following:
• Cyber Hygiene Vulnerability Scanning & Report
• Phishing Campaign Assessment (6 Weeks) & Report
• Risk and Vulnerability Assessment (1-2 Weeks) Including:
– Network mapping and vulnerability scanning
– Phishing engagements
– Web application or database evaluations
– Full penetration test
• Validated Architecture Design Review including:
– Architecture Design Review
– System Configuration and Log Review
– Network Traffic Analysis
Given that this service is offered by the US DHS for free, it can be deduced that companies and organisations will more readily take it up, which not only makes those organisations aware of their shortcomings but also publicises the cyber threat to a very wide audience.
It is widely accepted that implementing change in any business requires not only the knowledge to design the change but also, and arguably more importantly, the full buy-in and support of senior leadership. Support at governmental level is key, and the nature of that assistance will very likely affect the effectiveness of the implemented policy and the overall security of the system.
In what is a big regulatory change for swathes of the UK’s CNI and their security policies, could it be that the companies designated as OES require a government-backed programme to assist them in achieving NIS compliance? Could our CNI require the EU or the UK Government to better assist them towards full NIS compliance, and therefore a safer and better protected service for our country? Food for thought in an increasingly contested and uncertain cyberspace.