Essential services cyber-attack-proof

by Mark Rowe

Transport and energy companies will have to ensure that the digital networks that they use to deliver essential services, such as traffic control or electricity grids, are robust enough to withstand cyber-attacks. That’s after new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers. Online marketplaces like eBay or Amazon, search engines and clouds will also be required to ensure that their infrastructure is secure.

Parliament’s rapporteur, the German MEP Andreas Schwab, said on December 7: “Today, a milestone has been achieved: we have agreed on first ever EU-wide cyber-security rules, which the Parliament has advocated for years.

“Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents. Member states will have to cooperate more on cybersecurity – which is even more important in light of the current security situation in Europe.

“Moreover this directive marks the beginning of platform regulation. Whilst the Commission’s consultation on online platforms is still on-going, the new rules already foresee concrete definitions – a request that Parliament had made since the beginning in order to give its consent to the inclusion of digital services.”

Listed by sectors – such as energy, transport, banking, financial market, health and water supply – critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities.

Member states will have to identify ‘operators of essential services’ from those sectors by applying three criteria: whether the service is critical for society and the economy, whether it depends on network and information systems, and whether an incident could have significant disruptive effects on its provision or on public safety.

Some internet service providers, such as online marketplaces (eBay, Amazon), search engines (Google, Yahoo) and clouds, will also have to ensure the security of their infrastructure and report major incidents. Micro and small digital companies will get an exemption, the MEPs say. The draft rules set up a strategic cooperation group to exchange information and best practices, draw up guidelines and assist member states in cyber-security capacity building. Each member state will have to establish a Computer Security Incident Response Team (CSIRT) to handle incidents; the CSIRTs will discuss cross-border security incidents and identify coordinated responses.

The provisionally agreed text still needs to be formally approved by the European Parliament’s Internal Market Committee and the European Council Committee of Permanent Representatives.

Comments

Executive Director of ENISA, Udo Helmbrecht, said: “Ensuring the availability, integrity and confidentiality of critical and digital infrastructures is a challenging task for public and private stakeholders. ENISA welcomes the new tasks associated with the implementation of the NIS [Network and Information Services] Directive and will continue to assist the EU Member States and the private sector in improving cybersecurity capabilities and co-operation towards the implementation of the NIS Directive and in line with the objectives of the DSM [Digital Single Market].” Parliament is expected to approve the agreed text on December 17 and Council the following day. EU countries will then have 21 months for turning the directive into national law.

The IT sector has welcomed the proposed ruling. Nigel Hawthorn, Skyhigh Networks’ European spokesperson, believes it’s good news for consumers.

“The agreement of the first EU-wide cybersecurity directive is a landmark occasion. For too long businesses have tried to tip-toe their way out of notifying customers about data breaches, worried about the damage it can have on reputation and sales. Banks especially have been guilty of trying to keep ‘mum’ whenever they can. While this directive is aimed at critical infrastructure companies, it will still provide customers with greater confidence and, more importantly, raises their expectations of privacy. Companies must now realise that change is on the horizon. For years EU-wide regulations have been discussed and, until now, they have really just been hot air. However, with the agreement of the first directive, we can expect a domino effect and more to surely follow. Businesses must therefore begin to take the necessary steps to ensure they are acting compliantly with the new laws which will come into effect within the next few years.”

Matt Middleton-Leal, regional director, UK and Ireland, saw it as good and bad news according to its customers. “Organisations will need additional funding to help them improve their security posture; however, the fear, uncertainty and doubt created by new regulations can also hinder rational decision making. The cyber threat landscape has shifted to such an extent in recent years that it really is now a matter of when rather than if an attempt will be made to infiltrate a network. Indeed, today’s attackers are highly skilled at breaking in; the key to mitigating the damage is effectively limiting their movement and ability to access critical systems once inside.

“However, the inevitable time delay in interpreting the text according to each individual EU member state’s own laws will mean that this likely won’t come into effect for some time. As with any compliance requirement, it is always advisable to stay one step ahead and so businesses should certainly not delay re-assessing their security strategy. Taking a proactive rather than reactive approach, by locking down access to the most valuable assets within a network and ensuring that privileged access is stringently monitored, will give firms a fighting chance of thwarting an attack before significant damage can be done to the heart of the business.”

Chris Wysopal, CTO and CISO, Veracode, said: “It’s good to see agreement from EU lawmakers that something needs to be done about the state of cyber-security across the region. Alerting impacted organisations, businesses and people of breaches that could impact them is a step in the right direction. Hopefully this will open everyone’s eyes to what’s been happening for years and put pressure on organisations to double down on their security efforts. Any legislation needs to be prescriptive to create a baseline for what’s considered reasonable security, otherwise it will be difficult to drive change. One way to do this would be taking the Network and Information Security Directive one step further and crafting some form of liability to enforce reasonable efforts are being taken to secure systems. A good starting point would be to address the woeful state of application security across sectors such as transportation, energy, health and finance.”

Ross Brewer, vice president and managing director for international markets at LogRhythm, similarly said that an EU-wide initiative has been a long time coming. “The Network and Information Security Directive will further enforce what is now so important; the ability to identify threats as quickly as possible. From Vtech to JD Wetherspoons, to the disaster that was TalkTalk, you can pick up any newspaper and see that organisations are still failing when it comes to cyber defences. Perhaps hitting them with eye-watering financial penalties and stricter regulations will help change that. Ultimately, businesses have a duty to ensure private information is as safe as it can be. It only takes a small breach for a company’s reputation to take a severe hit, which is bad enough, but when it comes to Critical National Infrastructure (CNI) a breach has the potential to be catastrophic.

“While this directive is a massive step forward in the fight against cybercrime, organisations must not become complacent. They still need security intelligence that provides insight into network activity and enables them to identify and mitigate a breach as soon as it happens. It’s no good having rules in place that enforce the sharing of information if tools aren’t in place to provide this information as soon as a breach occurs. JD Wetherspoon was clueless for six months, but if the initiative had been in place when it happened, would that mean that they would have found the breach any sooner? It’s unlikely. Furthermore, a lack of visibility and control over their network can cause companies to panic and jump the gun like TalkTalk did with its announcement of four million affected customers, when in reality it was more like 157,000. Businesses need to combine information sharing and best practices with security intelligence, otherwise they will only be making a half-hearted attempt to protect their assets and run the risk of ‘overdisclosure’ after a breach – which for critical infrastructure companies could have consequences far worse than a fine.”

© 2024 Professional Security Magazine. All rights reserved.