09 May 2018 NIS Directive: Changes approaching in the EU
Written into law
The Directive on the Security of Network Information Systems (NIS) represents the first pan-European law covering requirements for cybersecurity. It aims to achieve a common security posture for European countries by means of strengthening 1) cybersecurity capabilities at a national level, 2) EU-wide cybersecurity cooperation, and 3) risk management and reporting for operators of essential services and digital service providers.
2018 will be a year of changes for cybersecurity in the European Union. Deadlines approaching include transposing the NIS Directive into European States’ national law by May 9, 2018, and each EU Member State identifying national operators of essential services by November 9, 2018. The Directive specifies sectors of essential services (or critical infrastructure) to which the law applies, and not surprisingly, many of the sectors fall into the category of critical industrial infrastructure using Industrial Control Systems (ICS) – large, powerful, dangerous physical operations controlled by software. A successful cyber attack on a critical control network typically risks lost production, unrecoverable damage to vital equipment and the environment, and even worker casualties and threats to public safety.
National authorities and operators are collaborating to establish both the nature of national oversight and the reach of the law, but no matter how these debates are resolved, it is clear that protecting national critical infrastructure from cyber threats has become a strategic centerpiece of European cyber security legislation.
Operators of essential services benefit
Operators of essential services are private businesses or public entities which make up a Member State’s critical infrastructure and have an important role in society and the economy. Each Member State will identify the entities (operators of essential services and digital service providers) who will be required to take appropriate security measures and notify the state of significant cyber incidents by applying the following criteria as per the Directive:
(1) The entity provides a service which is essential for the maintenance of critical societal/economic activities;
(2) The provision of that service depends on network and information systems; and
(3) A security incident would have significant disruptive effects on the provision of the essential service.
The Directive’s goal is to enforce a baseline level of security and resiliency for operators of essential services which addresses cross-border and cross-sectorial dependencies. A security strategy that manages the risk of impact of incidents and cascading effects is a starting point for local regulators and critical for cross-border cooperation. The goal is that when these strategies are successfully implemented, the EU will be much better poised to defend against and reliably defeat modern cyber threats.
Where are the gaps?
The Directive itself is not prescriptive when it comes to security requirements and leaves Member States to take their own national interests, stakeholders and circumstances into account in the development of a robust cyber security strategy compliant with the broad objectives of the Directive. Cybersecurity will remain central to national security for years to come. As technology and attacks increase in sophistication, the Directive remains focused on the end goals, rather than specific means. This is understandable, since industries, operators and even societies vary significantly in their requirements, but can also be frustrating for operators who require a best-practices starting point, or who operate in multiple jurisdictions and so must reconcile multiple states’ regulatory frameworks.
Security grounded in prevention
An understanding of risk is essential to any more detailed rules from member states for the protection of critical industrial systems and networks. Protecting critical industrial infrastructure is more than protecting the integrity and confidentiality of data – security solutions for industrial networks must consider physical consequences of cyber attacks for site and worker safety, as well as consequences that may impair the reliable provision of essential services and products to member state societies. Unlike compromised information systems, physical infrastructure and human lives cannot be “restored from backups” when cyber attacks occur. The priorities for control system protection are not data confidentiality, integrity or availability, but ensuring safe and reliable physical operations by preventing unauthorized or incorrect control of physical operations.
While security monitoring and intrusion detection is important on control networks, preventing intrusion and unauthorized control is the highest priority. Waterfall contributes to robust preventative security postures for the most sensitive industrial networks with Unidirectional Security Gateways. One layer of gateways in a defense-in-depth network architecture prevents Internet-based attacks and issuing commands from reaching control system equipment.
Therefore, preventative security must be deployed at the control network perimeter to ensure the safety and security of not just property and physical assets, but for everything that could be affected by the integrity of the data, including human lives.
Essential services need the best
Waterfall offers the world’s most comprehensive unidirectional cybersecurity solution portfolio for industrial systems and critical infrastructures. Waterfall’s solutions replicate industrial data to external servers, enabling operational processes to be monitored by enterprise networks without risk of remote attacks. Having eliminated interactive remote control attacks, industrial sites benefit from cost reductions at many levels.
Protection from remote attacks significantly lowers the risks to a company’s brand, national security, operations, human life and the environment. Additionally, Waterfall’s technology simplifies and reduces costs of compliance with the European NIS Directive.
Waterfall’s global list of customers include national infrastructure, industrial sites, and manufacturing plants including sectors such as conventional and nuclear power plants, water utilities, rail transport, chemical plants, offshore oil and gas and many others industries that require the highest level of security available. Waterfall’s strategic partnerships with vendors enable unidirectional technology to be extended to may markets and ecosystems, such as the Industrial Internet of things, with full support of industrial cloud platforms including GE Predix, Microsoft Azure IoT, Amazon and FireEye Threat Analytics Platform.