Understanding the NIS Directive

by Mark Rowe

The Networks and Information Systems (NIS) Directive was brought into effect in the UK on May 9, 2018, almost exactly a year after the WannaCry ransomware attack on the NHS. The EU directive is designed to ensure the reliability and security of the essential services that play a crucial role in society. Nick Boughton, sales manager at industrial systems integrator Boulting Technology, explains the directive and what the changes mean for engineers.

As national reliance on technology grows, the impact of failure increases, as does the attractiveness of compromising the involved systems and data. It is essential that the UK responds to ensure the safety and security of cyberspace. Securing technology, data and networks is the only way to keep businesses and public services protected from considerable periods of downtime and even lost business. For UK operators of electricity, transport, water, health, energy or digital infrastructure, the regulations provide guidance on how to improve system security and protect against the increasing number of cyber threats.

The worldwide WannaCry ransomware attack in May 2017 is the perfect example of why systems must be prepared against cyber-attacks. More than 300,000 computers worldwide were infected, according to Czech security firm Avast. The WannaCry attack exploited a vulnerability in the Microsoft Windows operating system which Microsoft had already fixed in its security update of April 2017. However, organisations that hadn’t installed the latest updates remained vulnerable to infection.

In the UK, the NHS was worst hit. More than a third of trusts in England experienced disruption after the WannaCry malware encrypted data and demanded a ransom to unscramble it. At least 6,000 appointments were cancelled and the financial cost of the incident remains unknown.

Legislation

The EU NIS directive is a direct response to the threat to cyber-systems. Any incident could affect the information systems and the essential services supported in any number of EU member states. In this way, shared systems could provide a single point of failure, which could be catastrophic to services that now play a vital role in society. The directive aims to protect all services, from the provision of healthcare and passenger and freight transport, to the supply of electricity and water.

Essential services

The directive applies to Operators of Essential Services (OES), overseen by Competent Authorities (CAs). The criteria for identifying OES and the list of CAs in the UK can be found in the Government response to the consultation. For example, providers of electricity distribution services in England, Scotland or Wales fall within the criteria if a cyber-attack on them could disrupt supply to more than 250,000 consumers. Operators of Top Level Domain (TLD) name registries are in scope only if they service an average of two billion or more queries in 24 hours.

Principles

The directive is structured into four objectives, devised by the UK National Cyber Security Centre (NCSC): managing security risk, protecting against cyber-attack, detecting cyber security events and minimising the impact of cyber security events. The directive does not provide rules or a to-do list for good cyber security; rather, it states a set of principles as a guide to good cyber security decision making. For example, Objective B: Protecting against cyber-attack encompasses principles B1 to B5. Principle B4 guides companies on how to ensure system security. It describes how a strong system architecture can minimise the opportunities for an attacker to compromise the security of networks and information systems. Because vulnerabilities can arise through flaws, features or user error, the directive urges organisations to ensure that all three are considered when selecting and implementing protective security measures.

System security can be forfeited through the simplest mistakes, such as leaving laptops in public places or mismanaging known vulnerabilities. The advice offered by the directive will be valuable in ensuring these lapses do not develop into full attacks.

I would advise organisations to be wary of any authority that claims to provide a cyber security to-do list. In my experience, a to-do list is likely to be an unachievable goal that produces a weaker cyber security response than a calculated, researched plan.

Operators must ensure they understand the principles and why they are important, interpreting them on behalf of the organisation. The outcomes described in the principles must be compared with current practice and any shortfalls identified. Those shortfalls must then be addressed in a prioritised way, using the guidance provided to inform remediation.

Boulting Technology has a wealth of experience working with essential services and utilities, including water and waste water. By working in an alliance with its partner NETbuilder, we can provide full cyber security capabilities across OT and IT.

The NIS directive is just one piece of legislation that must be considered by operators of essential services, such as water distributors. The effects of the guidance provided by the NIS principles will be felt throughout the entire supply chain, which will limit the risk of cyber-attacks such as WannaCry disrupting national infrastructure.

Visit www.boultingtechnology.co.uk.

© 2024 Professional Security Magazine. All rights reserved.