First established in July 2016, the Network and Information Systems Directive (NIS) encompassed two groups: operators of essential services and relevant digital service providers. The aim of the directive was to strengthen cybersecurity resilience and, while somewhat effective, it was seen to have limitations, not least the narrow scope of organisations covered. This was addressed in January 2023, when the European Union adopted a new version of the Directive.
NIS2 expands the scope of sectors covered from seven to 18, adding new sectors based on how crucial they are for the economy and society, and divides them into two categories: essential and important. Essential organisations with a headcount of over 250 or revenue in excess of €50 million, and important organisations with a headcount of over 50 or revenue in excess of €10 million, from the sectors identified in NIS2 will be directly included in scope. That doesn't mean small or micro-organisations are excluded. Each member state can extend the scope to include any organisation (in the identified sectors) deemed to fulfil specific criteria that indicate a key role for society, the economy, or for particular sectors or types of service.
All EU member states, and non-members trading in the EU, will need to transpose NIS2 into national legislation by October 17, 2024. Although no longer bound by EU regulation, the UK government has confirmed it will also strengthen its NIS regulations.
What you need to know
NIS operates on a principle-based approach: each member state adopts and publishes its own set of security measures to be implemented, allowing cybersecurity to become part of an organisation's business as usual. This is similar to multiple international, consensus-driven standards, including ISO/IEC and others, that offer pathways for organisations to develop and implement cybersecurity programmes. Organisations understand their business better than an outsider, so the principle-based approach allows them to make informed decisions on how best to tackle cybersecurity challenges.
One important change in the updated Directive is the requirement to report significant incidents within 24 hours to the competent authority or CSIRT. This should be followed after 72 hours by a full notification report including an assessment of the incident, its severity and impact, and indicators of compromise. A final report must be communicated within a month. While detecting incidents is obviously important, the onus for organisations should be on reducing the risks they face and preventing incidents in the first place.
Box ticking does not always equate to security
While adhering to the locally adopted NIS2 Directive is mandatory, and failure to adhere can result in large fines, organisations should not be lulled into a false sense of security. Following frameworks or ticking boxes does not always mean an organisation is secure. The reality is that, while adherence to NIS2 principles will strengthen defences, on its own it does not make an organisation secure and is not a substitute for maintaining strong cyber hygiene. The onus has to be on every organisation to implement secure working practices that protect its infrastructure and the sensitive data and critical systems it contains.
True cybersecurity requires a complete and holistic understanding of the risks that exist across the entire infrastructure. A preventative approach to industrial cybersecurity is paramount to eliminate many of the core risks associated with current trends and challenges. When threat actors evaluate a company's attack surface, they are probing for the right combination of vulnerabilities, misconfigurations and identity privileges.
To mitigate these risks, it is essential to gain full visibility into both IT and OT environments: IT and OT assets, IoT, building management systems and everything in between, together with the interdependencies that exist for critical functionality, and to determine where weaknesses and vulnerabilities exist.
Knowing what is there is only part of the equation; it is also imperative to understand how OT devices are interconnected and what interdependencies exist for critical functionality. With that intelligence, security teams then need to identify where weaknesses and vulnerabilities exist and prioritise those assets that could become possible attack paths. From this position, steps can be taken to remediate the risks where possible, or to monitor the assets related to the risk for deviations that could be indicators of attack.
While regulatory compliance can be daunting, it is an important exercise. Knowing the adversary means organisations can anticipate cyber attacks, ensuring they are best positioned to defend against today's emerging threats. As defenders, it is vital that time is taken to understand the data infrastructure and determine where the greatest risks lie, then take steps to reduce that risk.
Author: Bernard Montel, EMEA Technical Director and Security Strategist, Tenable