As we’ve seen from recent cyberattacks such as WannaCry and NotPetya — which are generally attributed to North Korea and Russia respectively — attacks on critical infrastructure can have a devastating impact on industrial production and hence on quarterly profits, with global estimated losses in the billions of dollars.
Additionally, targeted cyberattacks like TRITON that compromise large-scale cyber-physical systems — such as petrochemical mixing tanks, turbines, and blast furnaces — can cause catastrophic safety failures, environmental damage, and even loss of human life. (TRITON is generally attributed to Iran.)
The growing number and sophistication of malicious cyberattacks on critical infrastructure have led European Union (EU) legislators to adopt the Network and Information Security (NIS) Directive (NISD). The new directive requires companies from critical infrastructure sectors to adopt specific technical and organizational measures to manage threats to their networks and information systems.
While the EU’s General Data Protection Regulation (GDPR) is a privacy directive focused on organizations that collect personal data, the NIS Directive is focused on strengthening resilience for providers of critical infrastructure services. In particular, NISD applies to organizations that provide “essential services” in critical infrastructure sectors such as energy, transport, banking & financial, water, health sector, and digital infrastructure (ISPs, DNS providers, etc.).
EU member states had to incorporate the Directive into their national laws by May 9 of this year — a couple of weeks before GDPR went into effect — and are required to identify operators of essential services by November 9. So while we’ve seen no actions yet against providers, we could begin to see the effects of the new laws by the end of the year.
Like GDPR, NISD imposes substantial financial penalties for non-compliance. In the UK, for example, non-compliant companies can be fined up to £17 million, or 4 percent of global turnover (like GDPR). According to a Dutch draft law, fines could reach as much as €5 million — and it is likely that strict penalties will be in place across other EU member states as well.
The NIS Directive applies to all EU member states in its entirety; each member state will decide on penalties and deadlines. Additionally, these rules will affect companies outside the EU that have operations in EU member states.
Interestingly, GDPR garnered a lot more publicity than NISD — perhaps because EU consumers are fiercely protective of their online privacy. The irony is that NISD is perhaps much more vital to the proper functioning of society than protecting personal information like email addresses and phone numbers — because it addresses critical infrastructure services upon which we all depend every day, such as electricity, water, and transport.
Potential implications for U.S. companies
Although this is an EU directive, many companies throughout the United States will be also be affected as many organizations have global operations with plants worldwide.
Additionally, this directive is the first to define “minimum standards of due care” for critical infrastructure protection, which means that, in the case of a major safety or environmental incident anywhere in the world, the organization may be held negligent and financially liable for not having taken the minimum steps to avoid it.
The NIS Directive also sets a compelling precedent that US companies should consider following voluntarily, even if they are not currently legally bound by the Directive’s requirements.
As attacks on critical infrastructure rise in number and severity, the likelihood of the US government adopting similar legislation grows. US entities can stave off the disruption of new regulations and protect their production assets by adhering to the requirements of the NIS Directive now.
Key technical requirements
The NIS Directive stipulates that affected operators of essential services (OESs) and digital service providers (DSPs) must have in place, among other requirements:
- An understanding of their assets and a mechanism to identify unknown devices
- A mature vulnerability management program
- Mature threat detection systems, including detecting, identifying, and reporting capabilities
- Effective incident reporting mechanisms, including systems to record and report incidents within 72 hours of detection
- Mature incident management
- Response and recovery plans
Key organizational requirements
Governance: Organizations must have appropriate management policies and processes in place to govern their approach to the security of network and information systems.
Risk management process: Companies must take appropriate steps to identify, assess, and understand security risks to the network and information systems in relation to the delivery of essential services — including an overall organizational approach to risk management.
Supply chain: Companies must understand and manage security risks to networks and information systems that support the delivery of essential services that arise because of dependencies on external suppliers, including ensuring that appropriate measures are employed where third party services are used.
Staff Awareness & Training: Employees and staff must have appropriate awareness, knowledge, and skills to carry out their roles effectively when it concerns the security of the network and information systems supporting the delivery of services.
The bottom line
While it will take time to achieve full NIS Directive compliance, there is still time for companies to get started on the right path with protecting their organization for the long run. Addressing the NIS Directive will require a multi-layered active cyber defense strategy incorporating modern security controls such as OT asset management, vulnerability management, threat modeling, and behavioral anomaly detection.
Phil Neray is VP of Industrial Cybersecurity at CyberX. He began his career as a Schlumberger engineer on oil rigs in South America and as an engineer with Hydro-Quebec. Prior to CyberX, Phil held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Veracode, Symantec, and Guardium. He is certified in cloud security (CCSK) and has a 1st Degree Black Belt in American Jiu Jitsu.