Digitalisation and IIoT are driving increased connectivity between IT and OT (Operational Technology) networks, increasing the attack surface and the risk of cyberattacks on critical infrastructure.
As we’ve seen from recent cyberattacks such as WannaCry and NotPetya — which are generally attributed to North Korea and Russia respectively — these attacks can have a devastating impact on industrial production and hence on quarterly profits, with global estimated losses in the billions of dollars.
Additionally, targeted cyberattacks like TRITON (generally attributed to Iran) that compromise large-scale cyber-physical systems — such as petrochemical mixing tanks, turbines, and blast furnaces — can cause catastrophic safety failures, environmental damage, and even loss of human life.
The growing number and sophistication of cyberattacks on industrial and critical infrastructure have led EU legislators to adopt the Network and Information Security Directive (NISD). The new directive requires companies from industrial and critical infrastructure sectors to adopt specific technical and organizational measures to manage threats to their networks.
This guide offers insight into what changes are taking place and what steps affected organizations can take to avoid financial penalties.
The NIS Directive is perceived by Members of the European Parliament (MEP) to be critically important as it ensures cybersecurity oversight of systems which are fundamental to the functioning of society. While the NIS Directive is a product of the EU with similarities to the GDPR, there are key differences between the two. The NIS Directive is primarily meant for organizations involved in the provision of critical infrastructure services, whereas the GDPR addresses all organizations that process personal data. – Deloitte
The NIS Directive in a Nutshell
What is the NIS Directive?
The Network and Information Security Directive (NISD) is similar in nature to the EU’s General Data Protection Regulation (GDPR), which also came into effect in May of 2018. While the EU’s GDPR is a privacy directive focused on organizations that collect personal data, the NIS Directive is focused on strengthening resilience for providers of critical infrastructure services.
What types of organizations are affected?
The NIS Directive applies to organizations that provide “essential services” in critical infrastructure sectors such as energy, transport, water, health, banking & financial, and digital infrastructure (ISPs, DNS, etc.).
Additionally, organizations in other sectors such as manufacturing, pharmaceuticals, chemicals, and oil & gas are voluntarily leveraging the NISD guidelines as a framework for improving their operational resilience.
NISD is also the first legal requirement to define “minimum standards of due care” for protecting OT networks. This means that, in the case of a major safety or environmental incident, organizations may be held negligent and financially liable for not having taken the minimum steps to prevent it — even for US organizations.
Which countries does the NIS Directive apply to?
The NIS Directive applies in its entirety to all EU member states and is mandatory. Each member state decides on its own penalties and deadlines. The directive also applies to the UK, both during and following Brexit.
Additionally, these rules will also affect US companies that have operations in EU member states.
What is the timeline for implementation?
Member states had to transpose the NIS Directive into their national laws by May 9, 2018. According to the EU’s NIS Directive Q&A page, the countries then have until November 9, 2018 to identify, according to the following criteria, the operators of essential services that must take appropriate security measures and notify significant incidents:
- The organization provides a service essential for the maintenance of critical societal and economic activities.
- The provision of that service depends on network and information systems.
- A security incident would have significant disruptive effects on the essential service.
What are the penalties for breaching the directive?
Although the NIS Directive applies to all EU members, each member state must legislate its own financial penalties for transgressions within its borders.
Like GDPR, NISD imposes substantial financial penalties for non-compliance. In the UK, for example, non-compliant companies can be fined up to £17 million, or 4% of global turnover (similar to GDPR). According to a Dutch draft law, fines could reach as much as €5 million — and it is likely that strict penalties will be in place across other EU member states as well.
Some member states are expected to legislate larger fines to deter repeated non-compliance. Organizations operating in member states will avoid these hefty penalties as long as they follow both the technical and organizational requirements of the NIS Directive.
What You Need to Know to be Compliant
What are the key technical requirements?
The NIS Directive stipulates that affected operators of essential services (OESs) and digital service providers (DSPs) must have in place, among other requirements:
- Asset Management: An understanding of their assets and a mechanism to identify unknown devices
- Vulnerability Management: A mature program for identifying and mitigating vulnerabilities
- Threat Detection: Mature systems for detecting, identifying, and reporting threats
- Incident Reporting & Management: Effective mechanisms for recording and reporting incidents within 72 hours of detection, and for managing incidents
- Response and Recovery: Contingency plans for responding to and recovering from emergencies
What are the key organizational requirements?
- Governance: The organization must have appropriate management policies and processes in place — as well as clear roles and responsibilities — to govern the security of network and information systems.
- Risk Management Process: The organization must take appropriate steps to identify, assess, and understand security risks to the network and information systems in relation to the delivery of essential services — including an overall organizational approach to risk management.
- Supply Chain: The organization must understand and manage security risks to networks and information systems that support the delivery of essential services that arise as a result of dependencies on external suppliers — including ensuring that appropriate measures are employed where third party services are used.
- Staff Awareness & Training: Employees and staff must have appropriate awareness, knowledge, and skills to carry out their roles effectively when it concerns the security of the network and information systems supporting the delivery of services.
How can companies demonstrate compliance?
To demonstrate compliance with the new directive, organizations may be asked by EU authorities to provide:
- The results of real-time incident simulations — logs or reports that demonstrate software is accurately identifying threats in real time, and that systems are in place to address them
- Information needed for authorities to assess security of network and information systems
- Evidence of effective implementation of security policies
- Results of security audits
What are the implications for US companies?
Although this is an EU directive, many US companies will be affected since they have global operations with plants worldwide.
As mentioned above, US companies may also be held to the “minimum standards of due care” defined by NISD in case of liability lawsuits in the future.
The NIS Directive also sets a compelling precedent that US companies should consider following voluntarily, even if they are not currently legally bound by the Directive’s requirements.
According to the US FBI and DHS, Russian threat actors have already successfully compromised US critical infrastructure including critical manufacturing. As attacks on industrial and critical infrastructure rise in sophistication, number, and severity, the likelihood of similar requirements for US-only firms grows — either from new government regulations or from industry self-regulation (like NERC-CIP for electric utilities).
US entities can stave off the disruption of new regulations and protect their production today by adhering to the NIS Directive requirements now.
How CyberX Can Help: Top 10 Capabilities
CyberX is currently helping global industrial and critical infrastructure companies address NISD requirements in key areas including asset management, vulnerability management, continuous threat monitoring, and incident response.
Our customers span all verticals and geographies, and our platform is currently defending some of the most complex and demanding OT environments worldwide.
Here are the top 10 ways that CyberX can help. All of these capabilities are essential for safeguarding OT environments today — in addition to demonstrating compliance with NISD:
- Asset management including asset auto-discovery and identification of device type, manufacturer, serial number, firmware revision level, etc.
- Vulnerability management to identify vulnerabilities such as unpatched systems, weak passwords, unauthorized Internet connections, unauthorized connections between IT and OT, open ports, etc.
- Behavioural anomaly detection to continuously monitor networks and detect attacks in real time. In addition to strengthening operational resilience, this also supports the requirement to secure stored data, since CyberX will alert on unusual or unauthorized access to OT databases such as those used by historians.
- Pre-configured reports and intuitive data mining interface to perform root cause analysis during incident response, as well as demonstrate compliance to regulators and automate ongoing compliance reporting.
- Automated ICS threat modeling to predict the most likely paths of attacks on your most critical assets (“crown jewels”) and prioritize mitigation of vulnerabilities based on risk.
- ICS threat intelligence via CyberX’s dedicated in-house team which tracks ICS malware, zero-days, campaigns, and adversaries.
- Secure remote access via CyberX’s integration with CyberArk and other privileged access management solutions to support NISD’s Access Control requirements.
- Native integration with your existing SOC workflows and security stack, including SIEMs such as IBM QRadar and Splunk plus ticketing and security orchestration systems such as ServiceNow and Resilient. This enables CISOs to create a unified IT/OT security governance structure that leverages scarce resources across both IT and OT.
- Integration with firewalls such as Palo Alto Networks to immediately block sources of malicious traffic, plus integration with their Application Framework to identify assets & threats.
- Professional services delivered by CyberX’s OT security experts, to help SOC teams adapt their existing IT workflows for OT incidents, plus services to help them simulate OT incidents in order to practice incident response.
Addressing the NIS Directive will require a multi-layered, active cyber defense strategy incorporating modern security controls and expertise — and CyberX is here to help. Forward-thinking firms should get started now on the optimum path to protect their production facilities worldwide.