This article first appeared in Utility Week
The EU Network and Information Systems (NIS) Directive, which comes into force on 10 May 2018, will result in UK legislation to protect essential services from cyber threats. The directive covers many sectors that provide essential services, with energy and utilities operators a key focus. These operators of essential services (OES) will have to ensure their cyber resilience meets the NIS security objectives and guidance or they could face significant fines.
The problem is that awareness of the NIS Directive, and its implications, is still low across the affected industries. It has tended to be eclipsed by its “bigger brother”, the General Data Protection Regulation (GDPR). However, companies must focus now because there is little time for implementation before the rules come into force in May next year.
The government’s approach
The government has held a consultation on the directive and will publish the detail of its approach around the end of this year. The consultation included four security objectives and 14 security principles for OES to follow, and it is expected that the National Cyber Security Centre will publish generic cross-sector guidance early in the new year.
Meanwhile, the relevant lead government departments or authorities (designated “competent authorities”) will be providing sector-specific interpretation of the generic guidance in early 2018. This means that, although the direction of the government’s thinking is clear, the detail of what will actually be in the legislation will not be known until early 2018, leaving OESs with only a few months to comply.
Owing to the potentially significant impact of cyber incidents on essential services, the government is proposing a “high bar” penalty approach for non-compliance. There will be fines of up to 20 million euros or 4 per cent of global turnover for major breaches – such as failure to implement appropriate and proportionate security measures – and 2 per cent for minor breaches – such as failure to report an incident or failure to co-operate with a competent authority.
It has been recognised that much work has been done to protect critical infrastructures and essential services from cyber threats over recent years, but the implementation of the directive will result in a step change for many operators. Initially, energy and utility operators should identify whether they would be considered operators of essential services under the legislation. The consultation document is clear about the government’s thinking in this area, but this may change when the consultation response is published.
OESs should immediately assess their compliance with the National Cyber Security Centre’s (NCSC) security objectives and principles, which were outlined in the consultation. They should then put in place the appropriate cyber resilience measures to protect networks and information systems that provide or support essential services, along with incident-reporting mechanisms.
It is also important to identify all dependencies that enable essential services to operate, such as telecoms and, potentially, third parties. Organisations can then conduct a risk assessment to understand their vulnerabilities and the appropriate response.
Essential services only
NIS will apply only to essential services, and OESs will not be required to implement full cyber resilience capabilities across all services. These essential services are likely to be the operational infrastructure and the services it supports, rather than enterprise and corporate services and systems.
Once these preparatory steps have been completed, the OES can then move to designing and implementing what is required to meet the four security objectives of the NIS.
The first of these is to establish an appropriate governance framework and management system, supported by policies, standards, processes and procedures, to continually assess and manage the risk to the network and information systems that support the essential services.
The second objective is to ensure proportionate security measures are implemented.
The third is to ensure the OES has the right capabilities, recognising that security is not just a matter of implementing technical solutions: the organisation must be able to keep its cyber defences effective and to detect security threats that could affect essential services.
Finally, the directive requires organisations to put in place the capabilities to respond effectively to potential security incidents once they have been detected. They should be able to minimise the impact of the incident and ensure the timely restoration of services.
Another critical element of the directive is to ensure that incidents are reported to relevant authorities “without undue delay and as soon as possible, at a maximum of no later than 72 hours after having become aware of an incident”. Experience from GDPR implementations, which have the same reporting requirements, shows that incident-response procedures must be enhanced and streamlined to meet these timescales.
OESs will have to take a strategic approach and draw up a clear programme to implement these technical, management and operational measures. The implementation plans should also reflect that there are likely to be further waves of implementation as sector-specific guidance and requirements are issued. Although there are currently no formal requirements for readiness reporting, OESs may also wish to conduct NIS Directive readiness assurance reviews to provide assurance to internal and external stakeholders.
What is critically important, though, is that OESs should recognise that the implementation timescale is short and that they need to start preparing now.
Justin Lowe is an energy cyber security expert at PA Consulting Group