We’ve all seen gripping Hollywood blockbuster cyber-attacks with high octane car chases to a vulnerable datacentre and the fancy multiscreen computer rapidly cycling through millions of combinations of passwords as the attacker tries to break encryption in record time. The reality luckily is somewhat different and very rarely requires the assistance of Bruce Willis in a vest! However, as we live in an increasingly connected world, the potential threats are becoming more and more real. There is a growing risk that essential services that we take for granted and play a vital role in society, such as the supply of electricity and water, to the provision of healthcare and passenger and freight transport, could be disrupted by cyber-attacks.
The NIS Directive, which was transposed into UK law as the Network and Information Systems Regulations 2018 (NIS Regulations), imposes new obligations on operators of essential services and digital service providers. It ensures that they put in place adequate measures to protect against cyber security threats that could render their services unavailable or undeliverable, thus threatening wellbeing and society.
Whilst the General Data Protection Regulation (GDPR) created a media frenzy, this equally important EU legislation has had a much lower profile. The NIS Directive, or more accurately the Directive on Security of Network and Information Systems, hasn’t been hitting the front page of many newspapers yet its aim is to ensure that essential services across Europe are resilient and protected from cyber-attacks.
Responsibility for oversight and enforcement of the NIS Regulations lies with sector specific ‘NIS Competent Authorities’, such as the Secretary of State for Transport or the Civil Aviation Authority. The National Cyber Security Centre (NCSC) supports NIS Competent Authorities by providing technical support and guidance.
Who does it cover?
The Government have estimated that at least 164 businesses and 268 public health sector organisations will be subject to the Regulations, which are:
- Operators of Essential Services (OES), which includes organisations in the water, energy supply, health (NHS etc.) and transport (airports, ports, road logistics) sectors.
- Relevant Digital Service Providers (RDSPs) such as providers of online marketplaces, online search engines or cloud computing services.
Not every operator will be covered by the Regulations. There are sector specific threshold requirements that help operators determine whether or not the Regulations apply to them. For example, the threshold for electricity suppliers in Great Britain is:
(i) Supplying more than 250,000 final customers (a customer purchasing electricity for their own use); or
(ii) Supplying and generating a total capacity, in terms of input to a transmission system, greater than or equal to 2 gigawatts.
Additionally, some sectors, such as finance and civil nuclear sectors, have existing regulations that contain equivalent requirements, so are exempt from aspects of the NIS Regulations.
How does it compare with other requirements or standards, such as Cyber Essentials and ISO27001?
Unlike standards, such as Cyber Essentials and ISO27001 (the International Standard for Information Security), it is a legal requirement to comply with the NIS Regulations and operators who fail to implement effective cyber security measures could face GDPR-style fines (up to £17 million or 4 per cent of global turnover). However, it is important to note that fines would be a last resort, and the Government have confirmed that fines will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.
In a similar way to the GDPR, the NIS Regulations include a mandatory requirement to notify the Competent Authority of security incidents that have a significant impact on the continuity of the essential service.
''The Cyber Essentials scheme provides a good basic Cyber Security foundation, however the NIS Regulations are significantly more complex.''
The key difference is the level of risk addressed and the approach to it. Cyber Essentials focuses on the most common Internet-based threats to cyber security, particularly attacks that use widely available tools and demand little skill, whilst the NIS Regulations focus on the higher level of risk associated with essential services. As a result, Cyber Essentials may address some of the risks and can be a useful step towards NIS compliance, but it does not address all the NIS requirements.
In practice the NIS Regulations are much closer to the ISO27001 approach, which aims to create a systematic management system for managing security risks and protecting information. However, unlike ISO27001, which requires operators to determine their own risk appetite and to select the appropriate security controls, the NIS Regulations aim to ensure that there is a common level of risk appetite across a sector and that similar security measures are adopted.
Assessing compliance with the NIS Regulations
There are 14 NIS cyber security principles written in terms of outcomes (i.e. specification of what needs to be achieved rather than exactly what needs to be done).
These principles are grouped into the following top-level objectives:
Managing security risk
Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services.
Protecting against cyber attack
Proportionate security measures are in place to protect essential services and systems from cyber-attack.
Detecting cyber security events
Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services.
Minimising the impact of cyber security incidents
Capabilities to minimise the impact of a cyber security incident on the delivery of essential services including the restoration of those services where necessary.
The NCSC has worked with government departments and Competent Authorities to develop a Cyber Assessment Framework (CAF), which enables Competent Authorities to assess the cyber security of operators. The CAF contains a set of 39 indicators of good practice that can provide a good starting point for assessments but should be used flexibly. Conclusions about an operator’s cyber security should only be drawn after considering additional relevant factors and special circumstances.
Over time it is likely that the initial version of the CAF will evolve into sector specific CAF profiles that include sector specific interpretation and requirements.
The ISO27001 systematic approach can be used as a mechanism to help ensure compliance with the NIS Regulations. Indeed, a lot of the NCSC guidance refers to parts of the ISO27001 standard. Adopting the ISO27001 approach would also help to give customers and stakeholders confidence by ensuring:
- There is a robust governance framework in place
- Compliance with other legal requirements, such as GDPR
- The supply chain is secure
As much as we like Bruce Willis and the Die Hard 4.0 philosophy, based on our experience supporting a national petrochemical storage organisation we recommend that organisations instead develop a tailored roadmap based on the following general approach:
The NIS Regulations should ensure that essential services are protected from the increasing magnitude, frequency and impact of network and information system security incidents. They require operators to take a systematic approach to understanding risks and to implement appropriate and proportionate cyber security measures based on their sector, which can form part of a wider programme of security improvements such as attaining Cyber Essentials or ISO27001. As for the Bruce Willis style vests? They’re purely optional.
If you would like to learn more about the NIS Directive please contact us. You can also find official guidance from the National Cyber Security Centre here: https://www.ncsc.gov.uk/guidance/nis-guidance-collection