Hackers have become more clever, while many critical infrastructures continue to rely heavily on legacy systems, leaving them exposed to attack. The National Health Service in the UK, for example, has recently been lambasted by the Public Accounts Committee (PAC) for not taking sufficient action to protect itself following the WannaCry virus which crippled nearly one third of hospitals. PAC warned that future attacks could be “more sophisticated and malicious.”
In March this year, a joint alert from the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) provided information on a “multi-stage intrusion campaign” by the Russian government targeting U.S. government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors. It was characterized by cyber actors targeting small commercial facilities’ networks where they staged malware, conducted spear phishing and gained remote access into energy sector networks.
Attacks in the past have included a supervisory control and data acquisition (SCADA) attack in the Ukraine that left 230,000 without power for hours and distributed denial of service attacks (DDoS) on Sweden’s transportation systems, which disrupted trains.
The 2018 cybersecurity report by non-profit research body The Kosciuszko Institute predicts that this year, cybercriminals will get serious about attacks on critical infrastructures, with Russia and North Korea becoming far more active.
A cybersecurity directive
The Networks and Information Systems (NIS) Directive is Europe’s answer to shoring up defenses against such attacks and providing a consistent cybersecurity strategy across the region, while forcing often deregulated private organizations to step up their security game.
The legislation came into force on May 9th this year and targets organizations that are classed as “essential services.”
Member states have until 9 November 2018 to identify businesses operating in their territories as "operators of essential services."
The Centre for the Protection of National Infrastructure (CPNI) outlines these as “facilities, systems, sites, information, people, networks and processes necessary for a country to function and upon which daily life depends.” It also includes those that need protection due to potential danger to the public such as civil nuclear and chemical sites. This includes energy, transport, banking, financial market infrastructures, health, water and digital infrastructure, including Internet exchange point operators, domain name systems, service providers and top-level domain name registries. This also covers search engines, cloud computing services and online marketplaces. Digital services do not include ordinary websites, which are not covered by the directive.
The Directive is well policed. EU member states have designated at least one national competent authority to monitor application of the Directive at a national level, together with a Computer Security Incident Response Team (CSIRT). They have also been required to set up a single point of contact to liaise and ensure cross-border cooperation with other member states.
The Directive also applies to digital service providers that are headquartered outside the EU but offer services within it. They must designate a representative in one of the member states of the EU and will fall under the jurisdiction of that state.
It may be a complex and difficult issue to enforce the Directive on digital service providers outside the EU, but operators of essential services will essentially be limited to digital service providers who comply with the Directive.
Organizations who fail to implement effective cybersecurity measures can be fined. The NIS Directive allows members states to set their own thresholds.
An active, mature, multi-layered approach is needed to comply with the Directive. Major requirements encompass having the right organizational structures, policies and processes in place to understand, assess and manage security risks. Organizations must have vulnerability management programs, threat detection systems, incident management and response and recovery plans in place. Reporting mechanisms must incorporate systems to record and report incidents within 72 hours of detection.
Digital service providers are required to notify the relevant national competent authority or CSIRT if the digital service is unavailable to more than 5 million users-hours in the EU, if more than 100,000 in the region are impacted by the disruption and if the incident has created a risk to public safety, public security or loss of life. Also if the incident has caused material damage of more than one million euros.
The NIS Directive underscores the fact that European regulators are getting very serious about security and will not accept sub-standard strategies and solutions.
Organizations who have not already done so need to run a holistic evaluation of their security strategy, tools and policies to ensure that they comply with the Directive, or they could rapidly be feeling its bite!
Detection is a key feature in the NIS Directive. A SIEM/SOC (Security Information and Event Management/Security Operations Center) is invaluable in providing a log and insight into activities within an organization’s IT estate. Find out more about the Orange Business Services solution here.
Jan has been writing about technology for over 22 years for magazines and web sites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.