What Operators Need to Know About the Latest EU Security Directive
In insight / By Phil Muncaster / 10 October 2017
If you mention the words “EU”, “compliance” and “cybersecurity” to most UK IT and business leaders, the chances are they’ll assume you’re talking about the General Data Protection Regulation (GDPR). This huge, far-reaching piece of legislation has dominated compliance plans and newspaper headlines for months now as the May deadline draws near. But in fact it’s not the only new EU law coming our way in May 2018.
Have you heard of the Security of Network and Information Systems (NIS) Directive? If not, and your organisation is a provider of “essential services”, you’ve not got much time to get compliant. As it stands, maximum fines could be the same as the GDPR: that’s £17m or 4% of global annual turnover, whichever is higher.
A new directive
The NIS Directive differs from the GDPR in several key ways. Firstly, it’s not a “regulation”, meaning that the legislation needs to be transposed into domestic law by individual member states. As part of that process it’s expected to vary slightly from country to country. The UK government is currently consulting on the final shape of the law. This will cover:
- The penalties
- Which authorities should regulate and audit specific sectors
- The security measures to be imposed
- Timelines for incident reporting
- How this affects “Digital Service Providers”
The second major difference from the GDPR is who it applies to. Essentially, this new law is designed to improve baseline security standards in the critical national infrastructure (CNI) sector, referred to as “essential service” providers. Although the final details of exactly which types of organisation NIS will cover are still being worked out, the government has already said the electricity, transport, water, energy, health and digital infrastructure industries will be included.
In this respect, the law is not about protecting consumers’ personal data, as per the GDPR, but mitigating the risk of cyber-attacks on our hospitals, energy and water plants, transport infrastructure and so on. According to the government, operators will, broadly speaking, need to put in place:
- Strategy and policies to understand and manage cyber-risk
- Security controls to detect and repel cyber-attacks and prevent system failures, including continuous security monitoring
- Staff awareness and training programmes
- Incident reporting mechanisms to notify as soon as an attack hits home
- Capabilities to ensure that they can respond and restore systems quickly after any cyber-event
CNI under fire
Although it’s been a long time coming, just like the GDPR, there are worrying signs that many CNI firms may not be prepared for the forthcoming law. Corero Network Security sent Freedom of Information requests to over 300 CNI firms in March, and of the 163 that responded, over a third (39%) admitted that they hadn’t completed the government’s basic 10 Steps to Cyber Security programme. The figure rose to over two-fifths (42%) of NHS organisations contacted.
It’s not quite time to be panicking yet; after all, the final details are still being worked out by the government. However, there has been a noticeable increase in attacks targeting CNI firms over recent years. Perhaps the most infamous of late have been those launched against Ukrainian energy companies that left tens of thousands without power in December 2015 and 2016. These were highly sophisticated attacks which, in 2015 at least, worked to subvert the key SCADA control system by overwriting firmware at over a dozen substations with malicious code. This meant that the facilities couldn’t be controlled remotely by engineers, so they were helpless to stop a second wave of destructive “KillDisk” malware which caused computers to crash and rendered operator stations inoperable.
Now, that’s an example notable for the sophistication of the attack – leading many to believe it must have been state-sponsored – but it doesn’t have to be that complex. As the WannaCry ransomware outages of May proved, even a modified “ransomware worm” can cause serious damage and destruction around the globe. In just a couple of days, the ransomware had ripped through over 200,000 organisations in over 150 countries. It did not discriminate: from NHS Trusts forced to cancel operations and appointments, to a Nissan car plant that had to halt production, it caught out many organisations that should have known better. If they’d only patched a Windows bug for which a security fix had been available for two months, they would have been protected – highlighting serious security deficiencies.
Most recently, Symantec revealed a new attack campaign dubbed Dragonfly which it believes may even have given the hacking group behind it the ability to sabotage energy facilities in the US and Europe.
About time for NIS
These growing challenges, of course, are what the NIS Directive is meant to address.
The truth is that, whether we’re talking about state-sponsored hackers or financially motivated cybercrime gangs, critical infrastructure is an increasingly popular and viable target. In the past, such facilities were largely safe from attack because they were air-gapped from the public internet and running on a multitude of obscure computing systems. This “security by obscurity” worked for a while, but SCADA systems are now increasingly internet-connected and many run some part of their IT infrastructure on Windows. Compounding cyber-risk is the fact that many such systems aren’t up to date with the latest software patches because they simply can’t be taken offline long enough to test those updates. This leaves them woefully exposed to attack.
That’s why the NIS Directive should be welcomed, if it works as planned in forcing CNI firms to improve security. If you want to have a say in how the law will ultimately look, the government wants to know. Otherwise, check out those 10 Steps to Cyber Security to help you start planning improvements. Whatever the final law looks like, it will likely mandate similar best practice security steps, as outlined there and in various standards such as ISO 27001.
Defence in depth
Nasstar has many layers of security protecting its hosted platforms, but it is crucial that its clients create a cyber-savvy culture within their organisation. That comes from the top down, and it spreads via effective training and regular updates to ensure best practice is always front of mind for staff.
That’s why, as a managed service provider, Nasstar puts a major focus on education and training – of our own staff and those of our clients – in things like Cyber Essentials. Security is present at every layer of our organisation, and it can be in yours too. Contact us today for more information.