Cyber-resilience of critical national infrastructure (CNI) is now fundamental to the security and prosperity of the UK.
It is not just the random, un-targeted effects of ransomware, such as WannaCry, but the more insidious, enduring and potentially very serious consequences of a targeted cyber-attack on CNI, which could disrupt or physically damage the systems and services upon which our safety, well-being and economic welfare depend.
So, the UK government’s statement on January 28 2018 provided further clarification on how the EU Network and Information Systems (NIS) cybersecurity directive will be implemented across key parts of CNI should to be welcomed.
In the announcement, the government warned operators of “essential services” that they could face a fine of up to £17m if they fail to put in place robust organizational and technical measures to comply with the directive, which covers all kinds of cyber-incidents that could result in the loss of availability of those essential services including power outages, hardware failures and data corruption.
The key measures cover areas such as: access controls, data security, vulnerability management, network segregation and resilience, staff training, incident response and supply chain security.
To make proper sense of this new EU directive, it is important to recognize that the key purpose of it is to ensure the continuity of those essential services from any cause that could affect the networks and information systems which enable those essential services. That means ensuring the resilience of those network or information systems by improving their resistance to cyber-attack, but also improving their resilience - the ability of those systems to detect, respond to and recover from cyber-attacks.
The UK’s approach to implementing the directive is based upon outcome focused objectives. This represents a step-change from inflexible, prescriptive, compliance based approaches associated with more traditional approaches to security regulation.
From our experience of working with regulators, it appears that outcome-focused, performance-based approach to cybersecurity regulation really works. Not only should it enable cost-effective and risk-based practices, but it should also drive real improvements to cybersecurity and to national economic resilience.
However, time is tight for this, with a go live date of May 10 2018 there is much work still to be done to establish an effective NIS regulatory regime in the UK. That work includes building specialist regulatory capability and capacity among the multiple Competent Authorities (CAs), implementing regulatory target operating models, publication of sector specific guidance by those CA’s, as well as a Cyber Assessment Framework by the NCSC, while also ensuring a consistent approach is taken to NIS across all CNI sectors and with our EU partners.
Whilst the implementation of the directive by the UK has been well-signaled in advance, with cybersecurity and resilience regulations, the devil is always within the details, and those details are not yet fully developed.
So CA’s will have to take a pragmatic and realistic stance when it comes to transition periods for each of their sectors, not forgetting that the UK Regulators Code requires them to act in a proportionate, accountable, consistent, transparent and targeted manner.
Operators of Essential Services (OES), who meet the thresholds to bring them into NIS regulation (as set out in the NIS Consultation Paper, which was published by the Department for Culture, Media and Sport in August 2017), should now be actively planning their implementation of the NIS Directive.
With GDPR implementation also taking place in a similar timeframe, many are likely to have their cyber-resources focused firmly on data privacy rather than the cyber-resilience of their essential services.
The National Cybersecurity Centre (NCSC) has recently published some good practice guidance which is based upon the framework of four top level objectives and 14 key principles. Helpfully, that guidance links the NIS Directive to existing international standards such as ISOs 27001, 27019, 27035, 55001 and 62443, as well as EU (ENISA), national (NCSC) and industry (e.g. CREST) good practice guidance.
We expect that the emphasis will be on duty holders, OES and DSPs (Digital Service Providers), to provide credible assurance which demonstrates that they are meeting the outcomes set out in the directive.
Importantly, meeting those four objectives and 14 principles will demand a degree of cyber-maturity that is far removed from prescriptive, compliance-based tick-box exercises. This means that OES will need to put as much emphasis on NIS as they should be putting on that other well-known EU regulation, GDPR; not least because the level of fine for non-compliance is similarly punitive. That will require OES to assess their existing cybersecurity and resilience, to identify any gaps in meeting the NIS outcomes, and to develop improvement plans to close those gaps.
Overall, the NIS Directive is likely to be a positive step towards enhancing the cybersecurity and cyber-resilience of the UK’s CNI, but it may take some time for improvements to be realized.