With the recent implementation of the Network and Information System (NIS) Directive in May 2018, the new regulations are starting to take. Because several EU member states requested a temporary phase of self-certification by industry, implementation will take time in order to guarantee a smooth transition period. Strict regulatory enforcement of the NIS Directive will most likely only begin once responsibilities become more refined in mid 2019, but the EU member states will nonetheless require compliance with the NIS. It is therefore important to know whether your business is affected by the NIS, what it requires you to do, and what this might mean in the years to come.
The technical requirements of the NIS Directive are limited. In order to enforce compliance with local regulation, a government must designate Competent Authorities (CAs) with the power to judge whether operators of critical infrastructure are complying with the regulation. CAs are part of existing government agencies, although their structure can differ from country to country. For example, the UK has a CA for each sector, such as railways and energy, whereas Germany relies on a single CA, the BSI (Bundesamt für Sicherheit in der Informationstechnik). Since the implementation of the NIS in local regulation is very recent, it remains to be seen how these CAs will take up their new responsibilities.
Regulation in each sector develops in its own unique way, but the process can be roughly divided into three phases:
1. New technologies lead to previously unanticipated situations and incidents, which slowly move public opinion towards regulatory action. In this phase, regulatory bodies struggle to use the existing legal and regulatory framework to address the issues posed by the new technologies. Fundamental legal questions such as responsibility and accountability are being discussed, whilst regulatory and legal intervention is rare, exemplary and seemingly uncoordinated.
2. A regulatory landscape starts to take shape. Relations between regulatory bodies, governments and private sector parties become clear. The initial regulation is strongly tilted towards policy, high-level technical requirements and best practices from industry. Regulatory and legal intervention remains reactive in character and no routine has yet been established. A high level of trust and self-regulation practices amongst industries are characteristic of this phase. Knowledge, authority and resources are limited on the regulatory side, which leads to a gap between the issues addressed by regulation and the challenges faced by industry.
3. During this phase the regulatory system matures and becomes routinised. Clear knowledge requirements, certifications and responsibilities are drawn up for the people and organisations involved in the regulation process. Regulatory activities lean towards prevention and registration instead of reacting to incidents. Compliance with regulation becomes an evidence-based process: it involves technical verification and inspection by skilled auditors at multiple moments of the product lifecycle. Regulatory bodies actively monitor and react to new developments in the field.
Learning from the introduction of regulation in other sectors
Based on current trends and on the regulatory history of other sectors, it can be expected that this early phase of regulatory development will rely heavily on suggestions and best practices proposed by industry. For example, during the early phases of pharmaceutical regulation in the early 1960s and of aviation regulation in the late 1920s and 1930s, most regulations were industry best practices formalised into law. Meanwhile, due to a lack of knowledge and manpower, the regulatory system was not always able to properly enforce compliance. These phases were therefore characterised by limited regulatory efficiency. The challenge for CAs and industry leaders will be to define a mapping between the high-level requirements of the NIS and the technical reality of critical infrastructure operations.
In the rapidly changing environment of cyber security regulation, stakeholders must be aware of the rules that apply to operators of critical infrastructure. Currently, compliance procedures focus mainly on the policy level: sufficient commitment from senior management, having an incident response plan, and clearly documented responsibilities and procedures for staff members. However, the NIS regulation of some member states refers to an increase in technical requirements that will be enforced in the coming years. For example, official documents released by the UK, Germany and the Netherlands describe the possibility of mandatory auditing and penetration testing performed by third parties.
More lessons for the near future can potentially be found by studying cyber security regulation in the financial sector, which can be considered 10-20 years ahead of Industrial Control Systems (ICS) security. This is also the reasoning behind EU member states excluding the financial and banking sector from the NIS regulation: existing laws are already sufficiently comprehensive.
How do you ensure a smooth transition to regulatory compliance?
To minimise the risk posed by cyber threats and to guarantee smooth regulatory compliance now and in the future, Applied Risk recommends that ICS stakeholders consider the following factors:
1. Cyber security regulation for ICS is still at an early stage and can be expected to develop and expand further. It is therefore recommended to pay close attention to new regulation such as the NIS, even if your ICS activities are not currently covered by it; they may be brought into scope in the future.
2. The driving force behind regulatory developments regarding ICS security is real-world cyber threats. There are many excellent practices and recommendations formulated in cyber security regulations and guidelines. Treat those as free consultation on how to limit the probability and consequences of a cyber incident. This point reaffirms the statement above that any ICS owner will benefit from being aware of new regulation.
3. Don't treat regulatory compliance as a “check the box” exercise. As previously mentioned, current regulation is mainly focused on policy and high-level technical requirements, leaving a lot of freedom in the actual implementation. Doing the minimum to comply with requirements such as “implement appropriate safeguards” or “have written procedures” can give a false sense of security. In the end, real security is achieved by maintained and properly used systems, well-trained people, and routinised procedures.
As a leader in the field of ICS security, Applied Risk has extensive experience in assisting many Operators of Essential Services (OESs) with managing their cyber risk. Contact us to learn more about Applied Risk’s Industrial Automation and Control Systems (IACS) Security services.