There is a lot of media attention on the European Union’s General Data Protection Regulation (GDPR) at present and indeed many organisations are well advanced in their planning to meet their obligations when it comes into force next year. Yet who has heard of the Security of Network and Information Systems Directive, or NIS Directive? This legislation is due to come into law throughout Europe at about the same time and its impact is likely to be just as far reaching. So, what is it and what will change when it comes into force?

The Timeline

The NIS Directive was adopted by the European Parliament in July 2016 and Member States have until 9th May 2018 to incorporate the Directive into their own domestic legislation. Regardless of the outcome or timescales of Brexit the UK Government has confirmed its intention to implement this Directive, meaning that the clock is ticking for the whole of Europe.

Duties Under the Directive

All Member States will need to put in place a framework covering:

Adopting a national strategy on the security of network and information systems;
Designating “one or more National Competent Authorities” to oversee implementation and compliance with the Directive’s provisions;
Designating a “single point of contact” to act as a liaison point with other Member States; and
Creating one or more computer security incident response teams (CSIRTs).

In the UK the NCSC (National Cyber Security Centre) is expected to fulfil the role of CSIRT and also to act as the Single Point of Contact (or SPOC) for collaboration with the rest of the EU. They will also act as the Technical Authority on cyber security, providing guidance and support to the nominated Competent Authorities, including for example the National Cyber Security Strategy required by the Directive, and also a generic Cyber Assessment Framework (CAF) for use by the Competent Authorities when assessing good practice. Further information on the UK National Cyber Security Strategy can be found on the NCSC web site here.

Operators of Essential Services

Member States must also identify the “Operators of Essential Services” (OES) for the purposes of the Directive. According to the Directive an “Operator of an Essential Service” is a public or private entity in the drinking water supply & distribution, energy (electricity, oil & gas), digital infrastructure, health and transport (air, maritime, rail and road) sectors that meets the following criteria:

Provides a service which is essential for the maintenance of critical societal and/or economic activities;
The provision of that service depends on network and information systems; and
An incident affecting those systems would have significant disruptive effects on the provision of that service.

The scope of this Directive and the criteria for an OES are far-reaching and likely to affect all but the smallest of companies in each of these sectors. After all, in the modern connected enterprise how many companies do not depend on network and information systems for the provision of their service? Unlike the GDPR where the focus is on information security the NIS Directive will almost certainly have significant implications for the management of cyber security of industrial networks where the emphasis is on the availability and safety of systems. IS / IT is not the same as OT and the security of these systems cannot be managed in the same way. This implies a paradigm shift in the approach to planning and managing security when preparing to comply with the NIS Directive.

Penalties

There is of course a sting in the tail. Member States are required to lay down the rules on penalties applicable to infringements of this Directive and must take all measures necessary to ensure that they are implemented. Any penalties provided for in national legislation should be “effective, proportionate and dissuasive”. In the UK the proposal is to have two bands of penalties as follows:

Band one - set at a maximum of €10m or 2% of global turnover – for lesser offences, such as failure to cooperate with the Competent Authority, failure to report a reportable incident, failure to comply with an instruction from the Competent Authority.

Band two - set at a maximum of €20m or 4% (whichever is greater) - for “failure to implement appropriate and proportionate security measures”.

Conclusion

It is clear that the European Union is serious about enforcing the NIS Directive and that its effects will be far reaching. Yet the deadline is relatively close and many organizations still appear to be focused more on the GDPR regulations coming into law at about the same time. The NIS Directive will require the Operators of Essential Services to demonstrate that they are adopting good practice in managing the security of their networks, including their industrial networks, and in my opinion this implies an understanding of the difference between IT security and OT security. Taking this further, it is also my view that the management of OT cyber security is more akin to the management of functional safety, that there are a number of parallels between the two disciplines, and that functional safety and cyber security can and should be regarded as two faces of the same coin. After all, can a control system be regarded as safe if it is not secure? The answer surely is “no”. One of the consequences of the NIS Directive, and it is not clear to me whether this is intentional or not, is that it has the potential to drive improvements in process safety as well as process network security. Whether this happens or not will depend in part on whether organisations embrace the Directive and whether they see this as an OT security issue in addition to being an IT security issue. Are you aware of the NIS Directive and is your organisation ready to comply with its requirements?

For more information on the NIS Directive or to find out how Yokogawa can help your organisation implement an effective cyber security strategy for your industrial assets then please leave a reply to this blog, or alternatively get in touch at Advanced Solutions UK.

Read another article by Rob Turner here.

Aug 1, 2024

Embracing Digital Transformation in Manufacturing: A Journey to Efficiency and Innovation

Join us as we explore the journey of a Singaporean manufacturer who partnered with Yokogawa to enhance operational efficiency. From assessing digital readiness to implementing a stable data foundation and a digital energy monitoring solution, discover how they achieved remarkable improvements in performance and sustainability.

Apr 18, 2024

Oil & Gas Operations and Decision-Making in the Cloud Era

Recently, KBC launched the Acuity Industrial Cloud Suite, consolidating its simulation software solutions. It aligns with KBC's portfolio to address challenges in energy transition, process optimization, value chain optimization, and asset management. For insights, we interviewed Rolando Gabarron, a senior consultant in product management.

Apr 2, 2024

Behind the scenes of Pioneers: Pursuing objectives while also focusing on personal growth with Esmeralda Roxas

In the dynamic landscape of professional careers, the journey of growth and adaptation of Esmeralda Roxas at Yokogawa stands out. From her humble beginnings in system sales engineering for upstream oil and gas to her current role in network security, her trajectory is a testament to resilience, proactivity, and a thirst for knowledge.

Dec 21, 2023

The Necessity of Converged IT/OT SOC in Strengthening Cybersecurity for Today's Industrial Landscape

In the rapidly advancing technological landscape, industrial organizations face escalating cyber threats. To fortify cybersecurity, embracing a Converged IT/OT SOC is imperative. Yokogawa's cloud-based IT/OT SOC service provides a holistic defense, offering integrated visibility, proactive measures, and real-time monitoring. As cyber threats evolve, businesses can stay ahead with Yokogawa, safeguarding operations effectively in the cybersecurity race.

Dec 19, 2023

Yokogawa Recognised as a ‘Leader’ in Verdantix Green Quadrant for Process Safety Software 2023

Yokogawa has been acknowledged as a key software platform provider in the Green Quadrant report published by Verdantix and achieved the title of a 'Leader' in Process Safety Management. This recognition stands as a great achievement for Yokogawa, showcasing excellent performance in areas such as Control of Work, Mobile, Platform Interoperability, Integration, and Sustainability, including ESG considerations, among other notable areas.

Dec 18, 2023

Behind the scenes of Pioneers: Mahalakshmi R, Deputy Head, Yokogawa India Service: A Trailblazer in Leadership and Career Success at Yokogawa

In a recent interview, Mahalakshmi, Deputy Head at Yokogawa India Service, revealed her remarkable 28-year journey with the company. A leader in training and customer service, she has driven innovative projects and fostered a culture of success. Let's explore the key elements that have defined her leadership and career at Yokogawa.

Nov 30, 2023

Optimizing Energy Efficiency for Industrial Enterprise Buildings & Offices

Explore Yokogawa's EEMS revolutionizing energy efficiency in industrial buildings, recognizing their substantial impact on global energy consumption and CO2 emissions. This blog delves into EEMS's digital prowess for optimizing energy dynamics through real-time monitoring and a centralized platform. Uncover insights into smart meters, sensors, and communication protocol challenges and solutions.

Digital Solutions Blog

What You Need to Know About the NIS Directive

The Timeline

Duties Under the Directive

Operators of Essential Services

Penalties

Conclusion

Looking for more information？

Yokogawa Digital Solutions

Contact us