What You Need to Know About the NIS Directive

There is a lot of media attention on the European Union's General Data Protection Regulation (GDPR) at present, and many organisations are well advanced in their planning to meet their obligations when it comes into force next year. Yet who has heard of the Directive on Security of Network and Information Systems, or NIS Directive? This legislation is due to take effect throughout Europe at about the same time, and its impact is likely to be just as far reaching. So what is it, and what will change when it comes into force?

The Timeline

The NIS Directive was adopted by the European Parliament in July 2016, and Member States have until 9th May 2018 to transpose it into their own domestic legislation. Regardless of the outcome or timescales of Brexit, the UK Government has confirmed its intention to implement the Directive, so the clock is ticking for the whole of Europe, the UK included.

Duties Under the Directive

All Member States will need to put in place a framework covering:

  1. Adopting a national strategy on the security of network and information systems;
  2. Designating “one or more National Competent Authorities” to oversee implementation and compliance with the Directive’s provisions;
  3. Designating a “single point of contact” to act as a liaison point with other Member States; and
  4. Creating one or more computer security incident response teams (CSIRTs).

In the UK the NCSC (National Cyber Security Centre) is expected to fulfil the role of CSIRT and also to act as the Single Point of Contact (SPOC) for collaboration with the rest of the EU. It will also act as the Technical Authority on cyber security, providing guidance and support to the nominated Competent Authorities: supporting the National Cyber Security Strategy required by the Directive, and publishing a generic Cyber Assessment Framework (CAF) for Competent Authorities to use when assessing whether an operator is following good practice. Further information on the UK National Cyber Security Strategy can be found on the NCSC web site.

Operators of Essential Services

Member States must also identify the "Operators of Essential Services" (OES) for the purposes of the Directive. The Directive's Annex II lists the sectors in scope as energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure. The UK Government has proposed not to bring banking and financial market infrastructures under its NIS implementation, on the basis that they are already regulated for operational resilience by the financial regulators; the remaining sectors are those discussed here. Within those sectors, an entity, public or private, is an OES if it meets the following criteria:

  • Provides a service which is essential for the maintenance of critical societal and/or economic activities;
  • The provision of that service depends on network and information systems; and
  • An incident affecting those systems would have significant disruptive effects on the provision of that service.

The scope of this Directive and the criteria for an OES are far reaching and are likely to affect all but the smallest of companies in each of these sectors. After all, in the modern connected enterprise, how many companies do not depend on network and information systems for the provision of their service? Unlike the GDPR, whose focus is the protection of personal data, the NIS Directive will almost certainly have significant implications for the management of cyber security on industrial networks, where the emphasis is on the availability and safety of systems rather than the confidentiality of information. IS/IT is not the same as OT, and the security of these systems cannot be managed in the same way: a patch or a scan that is routine on an office network can stop a production line or trip a safety system. This implies a paradigm shift in the approach to planning and managing security when preparing to comply with the NIS Directive.

Penalties

There is, of course, a sting in the tail. Member States are required to lay down the rules on penalties applicable to infringements of the Directive and must take all measures necessary to ensure that they are implemented. Any penalties provided for in national legislation must be "effective, proportionate and dissuasive". In the UK the proposal is to have two bands of penalties, as follows:

Band one - set at a maximum of €10m or 2% of global turnover (whichever is greater) - for lesser offences, such as failure to cooperate with the Competent Authority, failure to report a reportable incident, or failure to comply with an instruction from the Competent Authority.

Band two - set at a maximum of €20m or 4% of global turnover (whichever is greater) - for "failure to implement appropriate and proportionate security measures".

Conclusion

It is clear that the European Union is serious about enforcing the NIS Directive and that its effects will be far reaching. Yet the deadline is relatively close, and many organisations still appear to be focused more on the GDPR, which comes into force at about the same time. The NIS Directive will require Operators of Essential Services to demonstrate that they are adopting good practice in managing the security of their networks, including their industrial networks, and in my opinion this implies an understanding of the difference between IT security and OT security.

Taking this further, it is also my view that the management of OT cyber security is more akin to the management of functional safety, that there are a number of parallels between the two disciplines, and that functional safety and cyber security can and should be regarded as two faces of the same coin. After all, can a control system be regarded as safe if it is not secure? The answer surely is "no". One consequence of the NIS Directive, and it is not clear to me whether this is intentional, is that it has the potential to drive improvements in process safety as well as in process network security. Whether this happens will depend in part on whether organisations embrace the Directive and whether they see it as an OT security issue in addition to an IT security issue. Are you aware of the NIS Directive, and is your organisation ready to comply with its requirements?

For more information on the NIS Directive, or to find out how Yokogawa can help your organisation implement an effective cyber security strategy for its industrial assets, please leave a reply to this blog or get in touch at Advanced Solutions UK.

Read another article by Rob Turner.