Taking the EU cyber security Directive seriously
19 July 2019
The EU’s NIS Directive (Directive on security of network and information systems) is the first piece of EU-wide cyber security legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure. The Directive was transposed into UK law as the NIS Regulations on 10 May 2018, and fines of up to £17 million can be levied on organisations found to be in contravention.
The UK regulations provide legal measures to boost the cyber and physical security of the network and information systems on which digital and essential services depend. The so-called critical national infrastructure sectors covered include energy, transport, water, chemicals and various process industries, as well as health.
Organisations within these sectors must secure their network and information systems by taking technical and organisational measures appropriate to the risk.
This includes ensuring service continuity by taking measures to prevent incidents and minimise their impact, and notifying the regulator of any security incident that has a significant impact on the service.
Compliance with the NIS Regulations will be monitored through audits and investigations conducted by the designated competent authorities.
The CAF (Cyber Assessment Framework), developed by the NCSC (National Cyber Security Centre), provides guidance for organisations to assess themselves against 14 security principles and sets out the level of security expected of organisations under the Regulations’ requirements.
At a minimum, board members need to take the following measures:
* Security awareness – encouraging all employees to notice unusual behaviour in systems and machinery and to report it
* Risk analysis around IT and OT systems – checking security controls and patch status before introducing new systems that promise to monitor all devices or boost productivity
* Understand the nature of the specific cyber threats to the business – third-party equipment and staff’s personal USB devices may present a more realistic threat than hostile states or headline-grabbing hackers
* Segregation of systems – many manufacturing firms have grown through mergers and acquisitions and run a patchwork of IT and OT systems, so a compromise in one system should not be able to spread to the others
* A good understanding of penetration testing and its application – checking physical as well as cyber security against intruders
While the largest international companies have adapted quickly to the connected world thanks to abundant finance and skilled personnel, cyber security is a more daunting prospect for smaller enterprises. Nevertheless, information security specialists are available to provide the necessary support - surely a better use of resources than paying a large fine.