Keeping the Lights On: A Look at the EU’s Network and Information Security (NIS) Directive
In December 2015, an attack on a Ukrainian power grid left a swath of the Ivano-Frankivsk region without power for hours. It was the first reported malware-driven power outage and signaled to many critical infrastructure enterprises that malware attacks could have severe real-world consequences. More attacks have taken place since then. In 2016, a similar outage happened in Kiev. A review of the malware that caused the Kiev power outage showed that it was automated malware specifically designed to disrupt power grids — security researchers called it Industroyer or Crash Override. Then, in 2017, the WannaCry ransomware crippled many businesses, and even critical utilities, across the globe.
The European Union had anticipated such events when, in 2013, the European Commission proposed the Network and Information Security (NIS) Directive, EU legislation which demands tougher network security for operators of services that are essential to everyday life — water, electricity, transportation, among others — as well as providers of digital services. Since these industries are critical to the operation of businesses and the lives of citizens, their networks should be made as secure as possible.
What is the NIS Directive?
The Network and Information Security (NIS) Directive is an EU-wide cybersecurity legislation that is meant to improve the cybersecurity of the critical utility and digital services industries, thereby minimizing risk to essential processes and operations. Member States of the EU were given until May 2018 to adopt the Directive through national legislation. Two months after the deadline, most of the members have already established or are in the process of establishing a cybersecurity strategy to address how the Directive will be implemented within their areas. Member States have some flexibility in adopting the Directive and may adjust existing legislation or draft new laws to fulfill the requirements. However, corresponding national laws can’t be more stringent than the Directive.
What are the major stipulations of the Directive?
The NIS Directive has three major components that Member States need to include in their national laws. The first is a national strategy to achieve and maintain more secure network and information systems. This means that each State should have a complete plan to realize this goal, including measures such as establishing a solid governance framework, running awareness and training programs, implementing research and development plans, and so on. Each State should designate a national competent authority and a single point of contact to keep track of compliance. There should also be at least one Computer Security Incident Response Team (CSIRT) to monitor incidents, analyze risks, and provide warnings and alerts to the public and authorities.
Since the NIS Directive aims to foster cooperation and trust between EU Members, the second component is a Cooperation Group and a CSIRT network. The Cooperation Group will facilitate the exchange of best practices and guide CSIRTs of Member States. The CSIRT network will be a group of national CSIRTs that will work together with the CERT-EU (Computer Emergency Response Team for EU agencies) to maintain the security of essential services and infrastructure and share information to prevent or mitigate cyberattacks.
Finally, Member States should outline security requirements and specific incident reporting procedures for the operators of essential services and digital service providers. The Directive says that these operators should have “appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems.” Operators should also be capable of ensuring the continuity of their services and minimize any impact a security incident will have.
Which industry groups will it affect?
The NIS Directive is meant to ensure the continuity of essential services, utilities, and digital services that society depends on. That means energy enterprises that provide people with electricity and gas will be affected, as well as organizations that handle transportation and water services. Banking institutions, companies that handle financial market infrastructure, and healthcare groups are also covered by the Directive. And since many services rely on online connections, organizations that manage digital infrastructure (IXP and DNS service providers, for example) are also under this Directive, along with digital service providers like cloud services and search engines.
What incidents should be reported with the Directive in effect?
Like the General Data Protection Regulation (GDPR), the NIS Directive places importance on quickly and efficiently reporting any cybersecurity incident to the right authorities. Each EU member may implement different standards for incident reporting. However, the Directive delineates some factors which should be taken into consideration: the number of affected users, the duration of the incident, and how far it spread geographically. The same factors apply to digital service providers, with the addition of the severity of the service disruption.
Reports of the incident should go to the CSIRTs or the competent authority established by the governing body, and should include any information that could determine cross-border impact.
How can affected organizations prepare for this Directive?
The Directive will be implemented differently within each Member State of the EU, and it does not specify preferred cybersecurity technologies; it offers only general guidelines. Affected organizations need to have adequate security measures and processes, preventive and mitigation measures for incidents, and efficient notification procedures.
To stay ahead of the curve, organizations should already start strengthening their network security by finding the right solutions that are optimized for key environments. Since many different industrial networks have specific internet of things (IoT) devices and are specialized and unique, there is no silver bullet or easy fix. Security measures will have to be tailored to each network, either enhancing existing security infrastructure or adding new solutions. While this might pose challenges for many companies, particularly large plants or factories using legacy software, it is important to install updated solutions within all layers of operations. Following the “privacy by design” security framework will also help with NIS Directive compliance, as proof of sufficient measures employed for cybersecurity.
Organizations will benefit from proactive detection and incident response strategies that, in the event of a cyberattack, will help the organization be more resilient and mitigate the effects of an attack. Part of a comprehensive response strategy is establishing reporting procedures that ensure the safety of affected parties and allow CSIRTs to ascertain any cross-border impact. It is important that the organization have the tools to get a full view of any attack and also understand incidents end-to-end.
The NIS Directive is part of a larger EU framework to strengthen cybersecurity across Europe. Like the GDPR, this is an important opportunity for organizations to upgrade and update their security solutions to match the threats that are increasingly affecting businesses across the globe. As cybercriminals continue to exploit new vulnerabilities, enterprises may find it in their best interests to keep up with the latest and most effective solutions — especially enterprises that keep our communities running.
To help businesses, Trend Micro offers Connected Threat Defense, a layered security approach that uses XGen™ security capabilities across endpoints, data center and cloud servers, and networks. It can quickly protect, detect, and respond to new threats while simultaneously improving visibility and streamlining any investigations across your organization. Trend Micro also has a Managed Detection and Response (MDR) service, which leverages security experts and sophisticated technology to correlate threats from networks, servers, and endpoints to get a complete picture of an attack and subsequently remediate it.
For IoT and IIoT environments, Trend Micro™ Network Defense, which is also powered by XGen™ security, has a blend of cross-generational techniques that apply the right technology at the right time to deliver integrated detection and prevention of known, unknown, and undisclosed threats. It uses automated protection across hybrid environments, including protection for the cloud and vulnerabilities unique to IoT and IIoT devices and networks.