In this exclusive article for IoT Insider, Jos Beernink, VP EMEA at Milestone Systems writes about meeting the NIS2 Directive requirements
We live in an increasingly digital world, so it comes as little surprise that cybersecurity is at the top of business leaders’ and governments’ agendas. Indeed, 96% of CEOs feel that robust cybersecurity is essential to their organisation’s future growth and stability. This is just as well, since cybercrime is projected to cost a staggering $15.63 trillion by 2029.
As the Internet of Things (IoT) expands, so do the opportunities for malicious actors to exploit devices, either as gateways to larger cyberattacks or as a way to reach data. The European Union Agency for Cybersecurity, ENISA, sees new threats emerging because of the wealth of data that devices can now collect; advances in AI that make cyberattacks more sophisticated and scalable; supply chain targeting (98% of organisations have a relationship with at least one third party that has been breached); and the IoT acting as a gateway to larger attacks.
Your security system, with its many connected devices spread across physical locations (often outdoors, where devices can be tampered with), presents an attractive target for attackers. Securing it is therefore of the utmost importance if you want to avoid becoming one of the millions of businesses breached each year.
Enter: The NIS2 Directive
Against this backdrop comes the NIS2 Directive, EU-wide legislation that aims to raise the resilience of network and information systems across Europe. It continues the protective measures the European Union set out in the first NIS Directive, but with an expanded remit that includes digital infrastructure, which is why cameras and other connected devices are affected. Organisations in scope of the Directive that operate cameras and connected devices have needed to take active, ongoing steps to protect their video network and its data since 18 October 2024, the date from which member states apply their transposed NIS2 rules.
Europe has long been vigilant about the use and protection of data (for instance, adopting GDPR in 2016, now cited globally as an example of data protection best practice), so we can expect the NIS2 Directive to influence other governments' legislation in the coming years. Even for organisations outside its scope, the practices and guardrails it sets out apply to anyone using video security who does not want the video network to be the weak link in their cybersecurity. It is therefore worth everyone understanding how to bring a video network in line with the Directive.
Meeting NIS2 Directive requirements
The NIS2 Directive focuses on two main areas: Protecting networks and information systems through proactive measures; and responding quickly when under a cyberattack.
Protecting your video network
Your video network is a particularly attractive target thanks to the data it collects, which can be used to obtain confidential information, for blackmail, or to inform future cyber or physical attacks by mapping out a building's floor plan and schedules. Checking that the fundamentals are in place to secure cameras is the first to-do on any user's list. These fall into two distinct areas: asset management and access management.
Asset management involves identifying and securing the hardware in a security system, from cameras to recording servers, and the video technology software. Access management is about controlling who can interact with a video security system — through individual user credentials and limiting access rights to the lowest level needed for someone to do their job.
Every camera and connected device in your network becomes vulnerable if its firmware is not kept up to date. Users should check for the latest firmware as soon as a device is installed, because considerable time can pass between a camera leaving the factory and its installation. Likewise, camera drivers in the video management software should be updated to the latest version. Many camera models ship with factory default passwords, and these must be changed before the device goes into service.
This brings us to access management best practices. Password sharing is common in many organisations, and it opens a Pandora's Box: leaked or misused passwords, insider abuse that cannot be attributed, and more. Without unique login credentials, an organisation cannot track who is in its system and what they are doing. So every individual needs their own credentials for a video system.
Individuals should be granted the level of access appropriate to their role, and that extends to physical spaces too. Someone who is not directly responsible for maintaining or administering the hardware and software should have neither admin rights nor access to, for example, the server room.
Focusing on getting the basics of video cybersecurity right will greatly reduce a system’s attractiveness to malicious actors.
Responding to a cyberattack
If the worst were to occur, users will need to respond quickly. In some organisations the video network is separated from the wider IT infrastructure, and in that case containment can be relatively straightforward. Users should identify the affected devices and network segments and, where possible, take them offline so the compromise cannot spread from the video system into the wider network. Reviewing audit reports will show who has accessed the system, what they did, and when; reviewing them regularly is a good habit that helps detect an intrusion early.
On a regular basis, users should run simulated exercises to test response times and processes. These exercises can also highlight areas for improvement, such as additional training, dormant user accounts, or unused licences.
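To make the audit-review habit concrete, the following is an added example for this article and not Milestone code. It reads a constructed, hypothetical audit export (one event per line: UTC timestamp, user, source IP, action, optional target; real VMS exports differ, so `parse_event` would be adapted) and flags the three things the sections above say an audit trail should reveal: an account that logs in from two hosts within minutes (the footprint of a shared or stolen password, which also defeats attribution), admin-only actions performed by non-admin accounts (a least-privilege violation), and logins from outside the networks operators are expected to use. The admin action names and the trusted 10.20.0.0/16 network are assumptions for the example.

```python
"""Audit-log review for a video management system (VMS).

Added example for this article; it is not Milestone code, and the log format
is a constructed, hypothetical one:
    <ISO-8601 UTC timestamp> <user> <source IP> <action> [<target>]
Adapt parse_event() to your own VMS audit export.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export covering one morning. Two findings are planted:
# 'operator1' logs in from two hosts within minutes (shared password), and
# 'operator2' changes configuration and creates a user (admin-only actions).
# The final 'admin' login comes from an address outside the operator network.
SAMPLE_LOG = """\
2024-10-18T07:58:11Z admin 10.20.1.5 login
2024-10-18T08:01:40Z operator1 10.20.1.31 login
2024-10-18T08:02:02Z operator1 10.20.1.31 camera.view cam-lobby
2024-10-18T08:04:19Z operator1 10.20.1.77 login
2024-10-18T08:05:00Z operator1 10.20.1.77 export.video cam-lobby
2024-10-18T08:10:33Z operator2 10.20.1.40 login
2024-10-18T08:12:05Z operator2 10.20.1.40 config.change cam-parking
2024-10-18T08:13:47Z operator2 10.20.1.40 user.create guest9
2024-10-18T09:30:00Z admin 203.0.113.9 login
"""

# Assumed action names reserved for administrators, and the admin accounts.
ADMIN_ACTIONS = {"config.change", "user.create", "user.delete", "firmware.update"}
ADMIN_USERS = {"admin"}
# Assumed network from which operators are expected to connect.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_event(line: str) -> dict:
    """Parse one audit line into a dict; the target field is optional."""
    parts = line.split()
    ts, user, ip, action = parts[:4]
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "action": action,
        "target": parts[4] if len(parts) > 4 else None,
    }


def parse_log(text: str) -> list[dict]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_shared_accounts(events: list[dict], window_minutes: int = 10) -> dict[str, set[str]]:
    """Accounts that log in from more than one source address within the window.

    A second login from a different host shortly after the first is the usual
    sign of a shared (or stolen) password; either way the audit trail no longer
    identifies a person. Returns {user: {addresses seen}}.
    """
    window = timedelta(minutes=window_minutes)
    logins: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            logins[e["user"]].append(e)
    flagged: dict[str, set[str]] = {}
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > window:
                    break  # sorted, so nothing later can be inside the window
                if later["ip"] != first["ip"]:
                    flagged.setdefault(user, set()).update({str(first["ip"]), str(later["ip"])})
    return flagged


def find_privilege_violations(events: list[dict], admins: set[str] = ADMIN_USERS) -> list[tuple]:
    """Admin-only actions performed by accounts that are not administrators."""
    return [(e["user"], e["action"], e["target"])
            for e in events if e["action"] in ADMIN_ACTIONS and e["user"] not in admins]


def find_untrusted_sources(events: list[dict], networks=TRUSTED_NETWORKS) -> list[tuple[str, str]]:
    """Logins from addresses outside the networks operators should use."""
    return sorted({(e["user"], str(e["ip"])) for e in events
                   if e["action"] == "login" and not any(e["ip"] in n for n in networks)})


def review(text: str = SAMPLE_LOG) -> dict:
    """Run all three checks over an audit export and return the findings."""
    events = parse_log(text)
    return {
        "shared_accounts": find_shared_accounts(events),
        "privilege_violations": find_privilege_violations(events),
        "untrusted_sources": find_untrusted_sources(events),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

Run against the sample, `review()` flags `operator1` as used from 10.20.1.31 and 10.20.1.77 within three minutes, `operator2` for `config.change` and `user.create`, and the `admin` login from 203.0.113.9. The login-window check deliberately tolerates a user moving between workstations over a longer period; tune `window_minutes` to how your control room actually works, and feed the script your VMS's real export on a schedule so the review becomes the habit the text recommends rather than a one-off.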
Supply chain security
Supply chain security also occupies a prime position in the NIS2 Directive. We live in an increasingly interconnected world and the Directive introduces measures to ensure entire ecosystems are resilient and cannot be easily compromised by malicious actors. Rigorous security assessments and risk management practices across an organisation’s entire supply chain will reduce the likelihood of a supply chain-focused cyberattack.
Find the right partner for cybersecurity
The NIS2 Directive and the CER (Critical Entities Resilience) Directive together represent a holistic approach to securing and strengthening the resilience of critical infrastructure across the EU. By addressing cybersecurity and physical resilience respectively, the two directives aim to ensure that essential services can continue to function in the face of a range of threats and disruptions.
Partnering with a responsible manufacturer can make a serious difference to cyber-resilience and an organisation’s ability to meet the demands of the NIS2 and CER Directives. A well-informed and serious technology partner can help companies navigate the complex cybersecurity landscape, ensuring robust protection for their digital assets.
Users should focus on working with manufacturers that put cybersecurity and the responsible use of technology at the core of product development and design. Encryption of stored and transmitted video, user rights management, audit reports, digitally signed firmware and software, authentication of every user and device, and HTTPS for management interfaces are all vital to protecting a camera from cyberattacks. A dedicated product security incident response team is a green flag that a manufacturer keeps up with the latest threats and can patch vulnerabilities rapidly.
Compliance with NIS2 and, to a lesser extent, the CER Directive, is just the start for anybody working in the digital realm. Governments worldwide are making concerted efforts to secure critical infrastructure and digital products against cyberattacks. Working together with a reputable manufacturer, users can rest assured that their video security ecosystems won’t be an easy target for hackers and will continue to meet legislative requirements for years to come.
Author: Jos Beernink, VP EMEA at Milestone Systems