Ben Worthy, ICS/SCADA security consultant for Airbus CyberSecurity, shares the five critical steps that organisations must take to ensure they are compliant with the EU’s Network and Information Systems (NIS) Directive.
UK critical infrastructure organisations could soon be liable for fines of up to £17 million if they fail to implement robust protections against cyber attacks.
The UK’s plans to implement the EU Network and Information Systems (NIS) Directive will apply to energy, transport, water, digital infrastructure, and health organisations from May 2018.
The National Cyber Security Centre (NCSC) has published initial guidance to help firms prepare, but a sense of confusion still abounds. To help with this, we outline the five important steps that infrastructure organisations should consider as they seek to comply and improve their overall security.
Understand if you will be affected
The government recently outlined the thresholds for determining which providers fall under the legislation. For example, it only applies to drinking water providers that supply 200,000 or more people.
However, infrastructure organisations will also have a responsibility to drive compliance into their supply chains, so suppliers may soon be contractually obliged to comply as well.
Set up an incident response plan
A large part of the proposed legislation deals with the reporting of cyber breaches to regulators in a timely way. But organisations also need to ensure that their services can get back up and running again quickly after an attack.
This means putting a clear incident response plan in place within your organisation, so that you know who’s responsible for which tasks in the event of an attack.
This should also cover back-up and recovery strategies, which will allow you to go back to your last good state before an incident, and isolate affected systems for quarantine and forensics. Without this, you won’t be able to trace back an attack and understand how it occurred.
Monitor your network
Spotting an intrusion on your network can be extremely challenging in operational technology (OT) environments. While some OT network monitoring services exist, their reach is limited because OT networks must be divided into zones (segmentation), so no single vantage point sees all of the traffic. This means that you need to set up sensors and alarming systems at a number of different layers within the network in order to monitor for malicious activity.
Set up a cybersecurity management system
A cybersecurity management system (CSMS) is a set of processes, work programmes, and checklists that create an audit trail to demonstrate your risk mitigation strategy.
Off-the-shelf products are available, but will need to be tailored to suit the demands of an infrastructure organisation (or you can create a bespoke one). Cybersecurity consultants can help you to set these up and ensure they are fit for purpose.
Improve cybersecurity awareness
Hackers prey on individuals in positions of trust, because all too often they’ve proven to be the weak link in an organisation’s cyber defence. Cybersecurity training can dramatically reduce the chances of commonly used techniques, like spear phishing or social engineering, being successful.
As operational systems have become increasingly connected to the internet, this has brought considerable improvements in areas such as safety, efficiency and data-driven decision-making. But it has also increased the potential for damaging cyber attacks with real implications for physical safety.
Internet of Business says
The forthcoming NIS Directive is a positive first step to encourage infrastructure organisations to put a determined cyber security strategy in place. While the threat of being hit with a fine of up to £17 million is daunting, it will undoubtedly focus people’s minds and help to improve resilience against attack.