Simon Edwards, Cybersecurity Solution Architect at Trend Micro, discusses the EU compliance law which he says is just as important to long-term security, stability and growth as the headline dominating GDPR.
Critical national infrastructure (CNI) is an essential pre-requisite for any functioning society. It provides us with energy, transportation, water, hospitals and vital internet services. But as such it’s a major target; for hacktivists, cybercrime groups and increasingly nation states. That’s why at the beginning of May the EU Directive on Security of Network and Information Systems (NIS Directive) took effect.
As legacy systems and new technologies like the Internet of Things (IoT) continue expand the attack surface, CNI operators must take time out now to make sure they have the controls and processes in place to keep them secure and compliant.
Threats are everywhere
Digital transformation has enabled CNI firms to differentiate on innovative new services, enhance staff productivity, improve cost efficiencies and run their businesses with greater agility. But the combination of these modern tools with legacy systems is exposing them to greater risk of attack. Software flaws, open network ports, undetected file changes, poor authentication and insecure network protocols are all ripe for exploitation by those with the right know-how.
Industrial IoT (IIoT) systems are particularly exposed if factory default log-ins are left on devices and patches are produced and applied quickly enough. Trend Micro research revealed that the average time between disclosing a vulnerability to a SCADA vendor and the release of a patch can reach up to 150 days – much longer than for popular software from the likes of Microsoft or Adobe.
The problem is exacerbated if CNI operators are running underlying technology systems on outdated platforms. It’s not unusual to find Windows NT and XP in such environments. Unfortunately, many IT bosses regard these systems as too mission critical to take offline to patch or upgrade, especially as they’re plugged in to IIoT endpoints, SCADA systems and more. Isolating them from the internet completely is no longer an option in many cases as firms switch to cloud-based services for managing and operating them. Protocols like MODBUS were never designed for the interconnected world and so don’t support authentication or encryption, further exposing these legacy systems.
Because they focus on critical infrastructure, attacks can do far more damage than mere data theft. Ukrainian energy suppliers know this all too well. Attacks on key systems in December 2015 and 2016 resulted in power outages for hundreds of thousands of consumers. They’re by no means the only CNI providers in danger. Recently the UK and US governments issued a joint alert warning on Kremlin-sponsored attacks targeting CNI and other firms.
Time to comply
This is why the European Commission developed the NIS Directive – a new law designed to mandate minimum best practice standards to improve security across the board for providers of ‘essential services’. Fines of up to £17m or 4% of global annual turnover could theoretically be levied for serious infractions, just like the GDPR.
The directive is split into four main objectives – managing security risk; protecting against cyberattack; detecting cybersecurity events; and minimising the impact of incidents. Within these, it covers everything from governance to risk management, supply chain security, staff training, security controls, asset management, incident response and recovery.
While the directive doesn’t contain a prescriptive set of rules, the National Cyber Security Centre (NCSC) has devised a detailed set of principles which will aid compliance. Broadly speaking, the first step is to understand what you are running. With this information you can then better identify the cyberrisks and put in controls to mitigate those risks.
A best practice approach to security would suggest you consolidate where possible onto a trusted vendor with a wide spread of cross-generational threat protection tools which share intelligence. With that approach, you stand a great chance of optimising your security set-up — although this is only one part of the bigger compliance picture.
The GDPR might have dominated the news headlines up until now, but this new EU law is equally important long-term to UK security, stability and growth.
Click below to share this article