The Directive on security of network and information systems (the NIS Directive) – the first piece of EU-wide cyber-security legislation covering systems essential to society – aims to raise the overall security and resilience of essential network and information systems. In a nutshell, it is about ensuring substantial and adequate protection for essential services in an era where the magnitude, frequency and sophistication of cyber-attacks are all rising.
The utility sector is a prime example of a service the directive has been laid down to cover, and one in undisputed need of protection. Society’s reliance on water, electricity and gas means a cyber-attack or cyber-physical attack would be damaging on multiple levels. From the risk to individuals’ welfare to financial losses – as well as the impact on the UK’s infrastructure and economy as a whole – a breach of these systems could be catastrophic.
As the deadline for implementing the directive approaches – the UK gas sector has a self-assessment deadline of February 2019 – the need for UK-based utilities to deliver on its requirements becomes more pressing, not only to protect against attacks but also to avoid financial penalties for non-compliance.
For cyber-criminals, utility systems are an attractive target. As new technologies have made systems more interconnected than ever, the opportunity for malicious attackers has grown with them. Older, more susceptible systems provide an easy route in, and from there to large-scale damage and disruption.
In practice, this means that utility companies need to evolve their cyber-protection, both to meet the new NIS directive and on an ongoing basis, to defend essential services against attackers who will continually develop new methods of causing chaos.
Whilst many companies will have had some plans in place previously, the directive marks the first time that cyber-security for these services has been dictated by regulation rather than by a recommended standard. For the first time, operational technologies which share some commonalities across critical infrastructure sectors – from devices installed in the 1980s and 1990s and still running and maintained today, through to contemporary devices – all need to be covered by the same protections, preventing attackers from exploiting the connectivity between old and new systems. Failure to do so could see cyber-criminals gain access and attack through older, weaker points of entry into networks and control systems.
So what does meeting the directive mean in practice?
Utility companies need to look at the cyber-security of their industrial control systems – for example, in a water company, the systems which handle pressure, chemical composition and so on. They also need to consider cyber-security at all levels of the business: not just at board level or for a specific project, but from the technical ground level upwards. Policies for protection, monitoring and correct response need to be put in place and understood at every stage. Response plans need to be in place, including knowing who would be involved in the event of an incident, both internally and externally, and businesses need to ensure all parties are trained regularly and ready to respond.
Meeting the directive won’t be without its challenges. For the utility industry, one of the key challenges will be understanding who owns cyber-security risk, and how the risks differ between IT and Operational Technology (OT) networks. For example, OT engineers may focus on the vulnerabilities that Ethernet-based devices bring to their networks, while IT security teams may find that the vulnerabilities posed by the combination of old and new OT devices require greater attention. To fully mitigate risk, the vulnerabilities of both OT and IT systems, and of any joint systems in the future, need to be managed together.
Whilst the utility industry, as an essential service, may be offered support from regulators in meeting the challenges and requirements of the directive, working with public bodies could itself prove another challenge. Those whose plans are less advanced will need to be able to seek assistance on areas that are not currently up to scratch without fear of penalty.
What does the future hold?
The NIS directive aims to prompt critical infrastructure organizations to improve their cyber-attack resilience and response planning. These are key to securing a company’s systems: without them, systems are left vulnerable and any attack will be more effective. But by making these core business activities subject to regular update and improvement, the purpose rather than the letter of the directive can become embedded in the industry, and the industry as a whole can evolve. Building a permanent internal team who can self-assess, improve compliance and maintain a risk register is a good starting point. The team can then draw on expert help and software which make these tasks easier. Independent, specialist and sector-specific bodies – such as the National Cyber Security Centre (NCSC), part of GCHQ, in the UK – offer frameworks that can be followed, and training courses to upskill staff and build internal knowledge are all positive steps in evolving the protections in place.
Written by Daniel Lewis, CEO and Cofounder of Awen Collective