CNI Firms: Layer Up Security to Help Meet NIS Directive Obligations

by Bharat Mistry

There’s a major new piece of EU cybersecurity-related legislation landing in May, but it might not be the one you’re thinking of. Most UK organisations have their eyes firmly focused on the General Data Protection Regulation (GDPR). But arguably just as important for companies operating in critical infrastructure sectors is the new Security of Network and Information Systems (NIS) Directive. It introduces a range of best practice security steps which organisations must follow: fail to do so and you could face a GDPR-sized fine of up to £17m.

The government has already committed to transposing the directive into UK law irrespective of Brexit. With a 10 May deadline looming, the clock is ticking.

CNI under attack
Like GDPR, this directive has been a long time coming, but it has also been widely applauded by experts as a long overdue attempt to improve baseline security for the region’s critical infrastructure suppliers. Critical infrastructure is increasingly a target for both cybercrime gangs and nation state operatives. Kremlin-linked actors have perhaps been most frequently in the headlines: NCSC boss Ciaran Martin and Prime Minister Theresa May have both called out Russia for repeated attacks.

Martin said this back in November:

“I can’t get into too much of the details of intelligence matters, but I can confirm that Russian interference, seen by the National Cyber Security Centre, has included attacks on the UK media, telecommunications and energy sectors. That is clearly a cause for concern – Russia is seeking to undermine the international system.”

Russia is also thought to have been behind the sophisticated attacks on Ukrainian energy companies in December 2015 and December 2016, which resulted in power outages for hundreds of thousands of people. The UK’s defence secretary Gavin Williamson has ramped up the tension with claims that Russian attacks on infrastructure could cause “thousands and thousands and thousands of deaths”. But Russia is by no means the only threat to the UK’s CNI.

The WannaCry ransomware outbreak last May caused havoc among NHS organisations, leading to an estimated 19,000 cancelled operations and appointments. Compared to the 2015 attack in Ukraine it was relatively unsophisticated: it spread by exploiting an SMBv1 vulnerability in Windows for which Microsoft had already issued a patch (MS17-010) two months earlier, so it only reached machines that had not been updated. Yet it managed to infect 250,000 computers in over 100 countries.

Advice from the NCSC
If you’re an operator of essential services in energy (electricity, oil and gas), drinking water, transport, health or digital infrastructure, you need to be focused on NIS Directive compliance. The good news is that the NCSC has produced detailed guidance to help. In many ways it chimes with Trend Micro’s XGen approach to security in that it advocates layering up defences across a range of areas rather than relying on any single control.

It’s all based on best practice guidelines focusing on people, process and technology. There are four key objectives:

  1. Manage security risk
  2. Protect against attacks
  3. Detect security events
  4. Minimise the impact of incidents

Some of the key elements here include:

  • Strong identity and access controls
  • Data protection via encryption at rest and in transit
  • Mobile device security
  • Network segregation and proper configuration
  • Vulnerability management via prompt patching, anti-malware, penetration testing and so on
  • Continuous monitoring, threat intelligence, log analysis
  • Incident response plans
  • Staff awareness and training

At Trend Micro we welcome the NIS Directive’s ambitious goals. With the right, systematic approach to compliance and advanced technology investments with a trusted partner, the UK’s critical infrastructure firms have a great opportunity to lead the world in cybersecurity.
