It’s fair to say the General Data Protection Regulation (GDPR) has received attention in recent months. It’s only a matter of time until the first major breach occurs, and then we’ll see how things shake out from an enforcement standpoint. Meanwhile, there’s exciting news for compliance jockeys. Another directive from the European Parliament and the Council of the European Union is ramping up: Directive (EU) 2016/1148, also known as the “Directive on Security of Network and Information Systems (NIS).” The Directive was originally issued a few years ago and focused on measures for a “high common level of security of network and information systems across the Union.”
The effect the NIS Directive has on industry sectors is wide ranging, from energy and banking to air transport and drinking water suppliers. Implementation of the Directive is well underway. Key dates also extend out for nearly five years after the transposition. The 27 articles within the Directive are riddled with compulsory legal jargon and will likely not make the list of 2018 summer beach reads. However, the European Commission released a summarised memorandum highlighting the three core objectives:
- Improved cybersecurity capabilities at the national level
- Increased EU-level cooperation
- Risk management and incident reporting obligations for operators of essential services and digital service providers
Improving Cyber Security at the National Level
Upon going through all of the various articles and definitions, the one word that continues to come to mind is access. Per the NIS Directive, a security network and information system is defined by:
“..the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems..”
As organisations within the member states mould their security strategies to align to the Directive, incorporating the security and management of privileged access as part that strategy is critically important in the protection of networks and information systems. Unsecured secrets, privileged accounts and their associated credentials can provide an attacker with the ability to take complete control over an environment, disable systems and take down services that can impact an entire city’s population – hundreds of thousands of civilians – as shown in the Ukrainian power grid attack.
Placing controls on privileged users – both humans and machines – is a crucial step in mitigating risk against a security event that impacts critical services. Introducing the principle of least privilege, enforcing things such as multi-factor authentication and segregation of duties (SoD), and locking down the privileged access pathway to systems and applications are fundamental measures that can be implemented to resist the compromise of critical services and systems, upon which EU citizens and businesses rely.
Taking it one step further, the application of threat detection and analytics on privilege-related activity will help to prevent an attacker from comfortably navigating the network, performing reconnaissance and gaining access to the Domain Controllers where they can harvest the accounts and credentials that provide privileged access – which is exactly what the attackers did in the Ukrainian attack. Improving cyber security at the national level does not happen without the implementation of some of these security controls.
Cooperation amongst Union Member States
This part of the Directive is instrumental in successfully developing trust and confidence throughout the Union. This section defines a ‘Cooperation Group’ requiring member states to jointly implement planning, steering, share best practices, and report and assess the overall experience gained through cooperation. Of course, consistency in the interpretation of this legislation across all member states is ideal for success. The facilitation of cross-border communication and cooperation will be implemented more effectively if each member state is on the same page.
Member states such as France and Germany have already begun to release local legislation, while many others are slowly working out the final details before the transposition goes into national law later this year. Unlike GDPR, penalties for non-compliance will not be enforced at the EU level, rather directly from the member state, specifically they “shall be effective, proportionate, and dissuasive.”
In the recent CyberArk Threat Landscape Report, only about one-third of respondents from organizations based in France (29 percent) and Germany (33 percent) said they have an understanding of the Directive, which types of security incidents should be reported, and that their organisation currently meets local legislation.
Similarly with GDPR, these stats are a clear indicator that organisations are not fully prepared. The likelihood of many organisations being in a comfortable state to avoid non-compliance may be bleak.
Risk Management and Incident Reporting
Digital Service Providers (DSPs) and operators of essential services will be required to put in place technical and organisational measures to prevent risk, ensure the level of security of the network of information systems is appropriate to said risk, and effectively handle incidents to prevent and minimise the impact on the IT systems used to deliver services.
Whether data and applications are cloud native, running in a traditional on-premises environment or a combination of the two, nefarious characters and nation-state attackers continue to find ways to compromise the infrastructure and gain access to top tier resources. Some of the definitions within the Directive are deliberately ambiguous for local interpretation – but the one thing that remains crystal clear is the management and prevention of risk begins and ends with protecting access to an organisation’s most critical assets and resources.
Like GDPR, doing nothing in preparation for EU Directives is not only considered regulatory blasphemy, but it has the potential to result in serious reputational and financial repercussions.