Evolving cyber-protection to meet NIS Directive requirements in the utilities sector

Cyber-attacks, such as the disruption of Ukraine’s power grid in 2015 and an attack on a US water treatment plant the following year, clearly highlight the vulnerability of essential services to hackers.

They can cause expensive shutdowns, lead to the loss of intellectual property, and even endanger public health.

As the frequency and scale of these attacks increase, pressure has grown on operators of essential services (OES) to ensure they are adequately prepared.

Preparing for NIS

That’s why utilities are a key focus of the Network and Information Systems (NIS) Directive, which was implemented around the same time as GDPR (in the UK through the NIS Regulations 2018, in force from May 2018) but without the same level of fanfare.

It marks the first time that a regulation, rather than just a recommended standard, has been used to ensure that critical infrastructure operators consider the cyber-security of their operational technologies. It also requires that incident response plans are put in place and, crucially, it ensures that critical infrastructure operators consider cyber-security at every level of the organisation, from the technical to the board level.

In summary, the four top-level objectives of the UK’s NIS framework, as set out in the NCSC’s Cyber Assessment Framework, are: managing security risk; protecting against cyber-attack; detecting cyber-security events; and minimising the impact of cyber-security incidents.

Good cyber hygiene

The NIS Directive does not aim to counter any particular threat. Instead, it requires an organisation to have implemented good cyber-security practice at every level of the organisation, and to maintain excellent cyber hygiene.

This should both make it harder for an attack to succeed within the organisation and make it easier for any attack that does occur to be identified, stopped and mitigated.

The organisation should be prepared to handle an active threat within its critical infrastructure systems and to recover from any cyber-attack, minimising disruption to the essential service it provides.

Act now

Time is running out, with different deadlines across critical infrastructure sectors. For the UK gas sector, for example, self-assessments had to be submitted to Ofgem by 15th February 2019, after which the regulator will work with operators to improve where needed, ahead of official audits due in the last quarter of 2019.

The penalties for utilities that don’t get it right are stiff: under the UK NIS Regulations 2018 the maximum fine is £17 million. The “£17 million or 4% of global turnover, whichever is greater” formula often quoted alongside NIS comes from the 2017 consultation; the final regulations set a flat £17 million cap.

The challenges will of course vary by sector. In water, for example, operational technology (OT) engineers tend to be most concerned with the vulnerabilities that Ethernet-connected devices bring to their networks, while IT security teams focus on the risks created by mixing old and new OT devices. The challenge is therefore one of managing risk and discovering vulnerabilities as these once-separate systems integrate further.

Another challenge for the heavily regulated water sector will be finding the best way to work with the public sector to get help with the problems identified through the NIS framework, without fear of penalties.

How to become NIS-compliant

Help is on hand. GCHQ’s National Cyber Security Centre (NCSC) has published guidance on implementing the NIS Directive.

Companies can follow the indicators of good practice in the NCSC’s Cyber Assessment Framework (CAF). This is a detailed framework that takes time to work through; operators need to be thorough and answer every question carefully.

Operators also need to build and develop an internal team which will self-assess and improve compliance. This team should combine people from board level, through to information security management, IT management, operations management and operations engineers on the shop floor.

It’s important to understand what devices and assets are on every network, both IT and OT. Only once a full asset register exists can a meaningful risk register be built on top of it.

While the NIS regulations do not directly apply to the supply chain of a critical infrastructure organisation, the supply chain is still a consideration. The guidance expects OESs to ensure their suppliers have “appropriate and proportionate cyber-security countermeasures” that manage the risk of the essential service being disrupted through the supply chain.

Time is short, so critical infrastructure providers need to start preparing now.