GRC Supper Club
The NIS Directive: Operators of Essential Services are only as strong as their weakest link

3/10/2018

Since the start of the Industrial Revolution, organisations have been constantly striving to improve efficiency. In the 18th and 19th centuries, it was the mechanisation of manufacturing that revolutionised industry. Today, it is the rise of digital technology.

What happens when the network and information systems of an organisation that supports essential services, such as the provision of healthcare, are compromised by a cyberattack? Any breakdown in their reliability and security will not only require a robust disaster recovery and business continuity strategy; it will also have a detrimental impact on society.
Implementing Technological Solutions: More Pros than Cons? Or Vice Versa?
As digital technology has developed, businesses and society have become increasingly reliant on network and information systems to facilitate everything from processing data to the supply of energy and water. This presents opportunities for organisations to streamline their operations, increase their competitive edge (no pun intended), and reduce their costs by implementing new technological solutions.

Adopting an innovative approach can, however, expose them to risks that have the potential to cause financial and reputational damage. For example, with such large volumes of digital data being processed daily, cyberattacks are a real threat – one that also harms the owners of the compromised data.

NIS, the EU Information Directive Eclipsed by GDPR
Mindful that cyberattacks are on the increase, the European Union (EU) has been busy developing a piece of legislation designed to strengthen its members’ cyber defences. The EU’s Network and Information Systems Directive (NIS) came into force in the United Kingdom (UK) in May 2018 – the same month the General Data Protection Regulation (GDPR) came into effect. Consequently, NIS rather slipped under the radar, as GDPR attracted large-scale media coverage due to its wide-reaching scope.

NIS applies to organisations in the UK that are Operators of Essential Services (OES). However, because NIS relates to loss of services rather than loss of data, it’s arguably the more disruptive of the two new cybersecurity laws.

With such critical aspects of society at stake, the NIS Directive deserves the same level of attention and consideration as GDPR. The ramifications of an attack on any one of these OESs are unimaginable to most of the general population, who would be the ones affected.

What is an OES and Why Compliance With NIS is so Important
An OES is a public or private organisation operating in the water, energy, transport, health, or digital infrastructure sector. The NIS Directive has been created to ensure organisations that operate in these critical sectors are prepared to cope with the growing number of cyber threats targeting them. Incidents that compromise network and information systems in any of these sectors have the potential to damage the UK’s infrastructure and economy, and even put lives at risk. An attack on the UK’s infrastructure is a very real possibility, as demonstrated by the 2015 attack on Ukraine’s electricity network, which left almost a quarter of a million people without power.

Any OES that falls under the NIS Directive must meet four core objectives:

  • managing security risk;
  • defending systems against cyberattacks;
  • detecting cybersecurity events; and
  • minimising the impact of cybersecurity incidents.

Organisations that fail to implement effective cybersecurity measures, as outlined by NIS, could face a fine of up to £17 million, or 4 percent of revenue – whichever is greater.

The financial damage caused by non-compliance with NIS shouldn’t be an OES’s only concern. Reputation is priceless. If customers don’t think an organisation is taking cybersecurity seriously, they very likely won’t trust it, and will take their business elsewhere.

Third-party Risk Management and NIS: Asset or Weakest Link? 
The drive to improve profitability and streamline operations motivates many organisations to outsource business functions that rely on technology. While third-party service providers don’t fall within the scope of NIS, it’s the responsibility of the OES to ensure suppliers have appropriate cybersecurity measures in place. Article 19 of the Directive states that:

The organisation understands and manages security risks to networks and information systems supporting the delivery of essential services that arise from dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third-party services are used.

Put another way, organisations are only as strong as their weakest link. With this in mind, OESs should incorporate a comprehensive third-party cyber resilience program into their strategy for achieving NIS compliance, including:

  • Contractual terms of all third-party suppliers: review and record who currently has access to relevant systems and data, together with the level of access. Ensure all existing and new supplier agreements make provisions for cybersecurity.
  • Robust (and tested) cybersecurity measures: conduct regular risk assessments of the entire supplier base, and evaluate the security controls deployed by third-party technology suppliers.
  • Proactive and preventative measures designed to monitor networks and information systems: pre-assess the suitability of any potential third-party technology suppliers.
  • Automated tools: systems and processes that enable incidents and data breaches to be reported efficiently and effectively.

If the NIS Directive is to achieve its objective, OESs must recognise the importance of cybersecurity, both in terms of the benefits to their business and to society in general. An informed approach to the issues in question will ensure NIS is viewed as a progressive measure rather than a regulatory chore. By embracing the four core objectives, organisations will not only protect their own interests but also contribute to the reliability and security of the national infrastructure. Clearly, the NIS Directive deserves the same level of attention and consideration as GDPR.

The good news is that there are options for how best to approach compliance with NIS. You can work with a GRC advisor you can trust. GRC Edge consultancy services identify areas of weakness and provide board-level guidance on which leading platforms deliver the best ROI, delivering the increased automation, visibility and audit trail needed to remain compliant with the NIS Directive.

Author - Lee Edge
Article adapted from the original written while at SAI Global
© GRC Edge 2020