Network and information systems (NIS) and the essential functions they support play a vital role in society, from ensuring the supply of electricity, water, oil and gas to the provision of healthcare and the safety of passenger and freight transport. In addition, computerized systems perform vital safety-related functions designed to protect human lives: for example, they control the safe operation of industrial sites that process and store dangerous chemicals, and they play a key role in the safety of aviation and rail transportation. Their reliability and security are essential to everyday activities.
As numerous cybersecurity incidents have shown, these systems can be an attractive target for malicious actors, and they can also be susceptible to disruption through single points of failure. The magnitude, frequency and impact of network and information system security incidents are increasing. Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on U.S. water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have. Computerized safety systems can be adversely affected by a cyber incident either as a side-effect of a compromise or as the result of a highly targeted attack specifically aimed at reducing the effectiveness of safety mechanisms. Such was the case with the TRITON malware, which targeted safety instrumented systems at an industrial site. Cyber incidents can have several different consequences depending on the nature of the computer systems targeted and the intentions of the perpetrators. Given that the possible consequences of a cyber incident can be extremely serious or even catastrophic, industrial organizations require very robust levels of cybersecurity and resilience. There is, therefore, a need to improve the security of network and information systems.
Those efforts should especially focus on essential functions which, if compromised, could cause significant damage to the economy, society, the environment and individuals’ welfare, including loss of life. For these reasons, the European Union has taken the lead and developed the EU Security of Network and Information Systems (NIS) Directive, which aims to raise the level of cybersecurity and resilience of key systems across the EU.
What Is the NIS Directive?
According to the NIS Directive, EU Member States should adopt a common set of baseline security requirements to ensure a minimum level of harmonized security measures across Member States and to enhance the overall level of security of operators of essential services (OES) and digital service providers (DSP) in the EU. The NIS Directive sets three primary objectives:
- to improve the national information security capabilities of the Member States
- to build mutual cooperation at EU level
- to promote a culture of risk management and incident reporting among actors (OES and DSP) of particular importance for the maintenance of key economic and societal activities in the Union.
The NIS Directive provides the legal footing to:
- ensure that Member States have in place a national framework so that they are equipped to manage cybersecurity incidents and oversee the application of the Directive. This includes a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a National Competent Authority (NCA), or competent authorities.
- set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information. The Member States participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents as well as sharing information about risks.
- ensure that organizations within vital sectors which rely heavily on information networks, for example, utilities, healthcare, transport, and digital infrastructure sectors, are identified by each Member State as “operators of essential services” (OES). Those OES are required to take appropriate and proportionate security measures to manage risks to their network and information systems, and they are required to notify serious incidents to the relevant national authority. The participation of industry is therefore crucial in the implementation of the directive.
Apart from OES, the NIS Directive also applies to digital service providers (DSPs). DSPs are online search engines, cloud computing services, and online marketplaces (e-commerce sites).
- The Directive defines an online search engine as “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query…and returns links in which information related to the requested content can be found.”
- The Communication on the NIS Directive, which is intended to help Member States implement the NIS Directive, noted there are three main types of cloud service models: Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), and Platform-as-a-Service (PaaS).
- The Directive makes clear that online marketplaces may include the processing of transactions, aggregations of data, profiling of users, and application software stores.
The European Commission determines the security and notification requirements for DSPs, and Member States are not allowed to impose stricter requirements on them. Mandatory DSP requirements include security measures for network and information systems covering incident handling, business continuity, monitoring, auditing and testing, and compliance with international standards. Throughout the Directive, there is an emphasis on EU and international standards. DSPs must take measures to minimize the impact of incidents and must notify the national authority or CSIRT without undue delay of any incident having a substantial impact on the provision of the service, including impacts caused by third-party providers. The national authority or CSIRT has the discretion to inform the public about the incident or to require the DSP to do so. Note that the DSP obligations do not apply to micro and small enterprises as defined in Commission Recommendation 2003/361/EC, so a DSP should first establish whether it falls within scope at all.
NIS Directive Applicability
Although the NIS Directive is a European piece of legislation, it has global implications. For instance, it applies to U.S. companies with operations in Member States. This means that U.S. companies may have to implement security requirements, hand over operational data so that national authorities can assess their compliance, and carry out required remediation measures. In addition, if a DSP has its main establishment in one Member State and networks and systems located in other Member States, the DSP falls under the jurisdiction of the national authority of its main establishment, and the national authorities of the other Member States cooperate with that authority. A DSP that is not established in the EU but offers services within it must designate a representative established in one of the Member States where its services are offered.
Compliance with the NIS Security Requirements
Meeting the objectives and the security requirements of the NIS Directive can be a demanding exercise. Information security audits and self-assessment/management exercises are the two major enablers for achieving this objective. The compliance assessment performed by national competent authorities (NCA) is set out in Articles 14, 15 and 16 of the NIS Directive, which define the risk-management and auditing obligations for OES (Articles 14 and 15) and for DSPs (Article 16) respectively.
- Article 14: “Member States shall ensure that operators of essential services take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed.”
- Article 15: “Member States shall ensure that the competent authorities have the powers and means to require operators of essential services to provide (b) evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor and, in the latter case, to make the results thereof, including the underlying evidence, available to the competent authority.”
- Article 16: “Member States shall ensure that digital service providers identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services referred to in Annex III within the Union. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements: a) the security of systems and facilities, b) incident handling, c) business continuity management, d) monitoring, auditing and testing, and e) compliance with international standards.”
The EU Cybersecurity Agency (ENISA) has published “Guidelines on assessing DSP security and OES compliance with the NISD security requirements,” whose recommendations collectively aim to facilitate NCA conducting audits and to assist DSP and OES across all EU Member States to comply with the requirements of the NIS Directive in the effort to achieve a baseline security level. The ENISA guidelines outline audit and self-assessment/ management frameworks that can be applied:
- by both OES and DSP regarding the NIS Directive security requirements
- as the baseline for building an information security program to manage risk and reduce vulnerabilities
- to define and prioritize the tasks required to enhance security in risk-based IT-security environments
Apart from the ENISA guidelines, the UK’s NCSC has published the Cyber Assessment Framework (CAF). The CAF Collection consists of a set of 14 cybersecurity and resilience principles, grouped under four major objectives (managing security risk, protecting against cyber attack, detecting cybersecurity events, and minimising the impact of cybersecurity incidents), together with guidance on using and applying the principles, and the Cyber Assessment Framework (CAF) itself. The CAF provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organization responsible. It is intended to be used either by the responsible organization itself (self-assessment) or by an independent external entity, possibly a regulator or a suitably qualified organization acting on behalf of a regulator. The NCSC cybersecurity and resilience principles provide the foundations of the CAF. The 14 principles are written in terms of outcomes, i.e. a specification of what needs to be achieved rather than a checklist of what needs to be done, so an assessor is expected to judge whether each outcome is achieved, partially achieved or not achieved rather than tick off controls. The latest version of the CAF is published on the NCSC website.
How Tripwire Can Help
Tripwire can assist organizations in meeting the NIS Directive objectives and security requirements with a variety of solutions. Tripwire Enterprise is a security configuration management solution that allows for real-time detection of threats, anomalies and suspicious changes while providing visibility into the organization’s security state. Tripwire IP360 is a scalable and flexible vulnerability management solution that provides meaningful scoring to help improve organizational efficiency and asset visibility. Tripwire Industrial Visibility can help organizations map their networks and fix vulnerabilities without interrupting crucial operations while automating security controls. Finally, Tripwire Log Center ensures all log data is captured and retained, highlighting critical events and reducing unnecessary noise.