The NIS Directive: A path to cyber resilience or a simple ‘tick-box’ exercise?
Back in March 2017, the UK Government launched its long-awaited Digital Strategy, which promised to make “the UK the safest place in the world to live and work online.” The government pledged to support the National Cyber Security Centre (NCSC) to protect Britain’s critical national infrastructure.
While these aims were commendable, the current situation suggests that we may have lost sight of this vision and are on the cusp of kicking this golden opportunity to improve the UK’s cyber security posture firmly into the long grass, says Andrew Lloyd, president at Corero Network Security.
Last month, the government published a response to its consultation on the UK’s implementation of the Network and Information Systems (NIS) Directive. This included confirming that UK critical infrastructure organisations may soon be liable for fines of up to £17 million (€19.33 million) if they fail to implement robust cyber security measures. But despite the tough talk, the response avoided making any hard recommendations and instead relies on a more passive approach of deferring responsibility to the National Cyber Security Centre and the Competent Authorities.
Unfortunately, unless there is a significant increase in the precision of the guidance, this approach of passing the buck could result in almost no tightening of our national security. In January, the NCSC published its initial guidance for organisations looking to comply with the NIS Directive legislation.
The measures outlined are weighted heavily towards reactive attack reporting rather than advising organisations on how to shore up their perimeter with proactive defence solutions. As an example, the guidance asks organisations to define their own risk profile and then prove their resilience against that profile – the equivalent of being graded on a test you wrote yourself.
Looking to the Competent Authorities, the Civil Aviation Authority recently published a list of 26 cyber security controls as a framework for the regulation of cyber-induced risks within the aviation industry. With respect to Network Perimeter Security, the list references various ISO standards, which explain that “special controls may also be required to maintain the availability of the network services and computers connected.”
Against such vague guidance, it seems impossible that any aviation organisation could fail, effectively rendering the threat of a £17 million (€19.33 million) fine meaningless. In addition, most of the security standards referenced are far from new. Whilst many of the principles still hold true, few of the standards have been adapted for the modern, proactive security posture needed to deliver real-time protection against the sophistication and frequency of today’s cyber-attacks.
This is all deeply concerning, especially given that Ciaran Martin, the head of the NCSC, warned in January that it was a matter of “when, not if” the UK faces a major cyber-attack that might cripple infrastructure such as energy supplies or the financial services sector.
Across all parts of critical national infrastructure (CNI), we are seeing a greater number of sophisticated and damaging cyber threats which are often believed to be the work of foreign governments seeking to cause political upheaval. Last year’s DDoS attacks against the transport network in Sweden caused train delays and disrupted travel services, while the WannaCry ransomware attacks last May demonstrated the capacity for cyber-attacks to impact people’s access to essential services.
And yet, there is widespread evidence that many CNI organisations are still not taking adequate steps to protect themselves and the essential services they provide to UK citizens. In August 2017, a Freedom of Information study conducted by Corero Network Security found that 39% of CNI organisations in the UK (and 42% of NHS Trusts) had still not completed the government’s ‘10 Steps to Cyber Security’ – a series of fairly basic steps to improve cyber security, first introduced in 2012.
In this light, it’s unclear how the opportunity to set out a framework of minimum standards for CNI can be effectively achieved with the NIS Directive. If the intended outcome is genuinely tied to resilience against cyber-attacks, then these essential services should be required to remain available during an attack.
The outcome described in the guidance amounts merely to the proper disclosure of a failure of protection and swift recovery from it. The concern remains that implementation of the Directive will be treated as a tick-box exercise in which the bare minimum is done, rather than fulfilling its promise for the UK to set world-leading standards in this area.
The author of this blog is Andrew Lloyd, president at Corero Network Security