Four Pillars to Securing UK Critical National Infrastructure

Brian Chappell
August 23rd, 2018

Just ahead of GDPR, the UK's Network and Information Systems Regulations 2018 (the NIS Regulations), which transpose the EU Directive on Security of Network and Information Systems (Directive (EU) 2016/1148), came into force on 10th May 2018. Like GDPR, this legislation is fully expected to survive Brexit largely unchanged, yet many people will not even have heard of it. So, what is it all about?

The NIS Directive, as it’s known, lays out a framework for:

  • Improving national cybersecurity capabilities
  • Increasing cooperation between EU member states
  • Requiring “operators of essential services and digital service providers” to take appropriate and proportionate security measures, and notify the relevant national authorities of serious incidents.

The first two points are national concerns and, while beneficial to us all in combating global cybercrime, not applicable to everyone. The last point covers organizations that provide services in the following sectors: Energy, Transport, Banking*, Financial market infrastructures, Health, Water, and Digital Infrastructure (IXPs, DNS service providers and TLD name registries). This list is set out in Annex II of the Directive, but it is not absolute: each member state designates its own operators of essential services, and an operator can be designated even if it does not sit squarely in one of the listed sectors. Digital Service Providers (DSPs) also fall under the scope of the NIS Directive; this category covers online search engines, online marketplaces and cloud computing services. Like GDPR, the NIS Directive applies to providers established outside the EU, so long as they offer services within it. Penalties are set nationally rather than by the Directive itself; the UK NIS Regulations carry a maximum penalty of £17m, comparable to the €20m tier under GDPR.

Why is this important to me, you may ask? If you don’t operate in any of these sectors and you aren’t a DSP, it may seem like unimportant legislation, but there are two key reasons it matters to everyone.

The first is that it’s going to benefit everyone by ensuring that key services to our businesses and ourselves personally will receive greater scrutiny, which should translate into better security for our data and our wellbeing.

The second is that this regulation reinforces the importance of taking appropriate and proportionate action in securing your organization’s infrastructure. It emphasizes approaching cyber security as a risk management exercise and in partnership with business continuity. I would go further and say that I see effective cybersecurity as business continuity rather than something separate from it. After all, if your systems have been compromised, how do you keep doing business effectively?

Regulations like the NIS Directive offer excellent resources for assessing and planning your own cybersecurity solutions. You probably don’t need to take every part of the regulation, but using it like a toolbox and picking the tools that make sense for your sector can save a lot of time. Trying to work out where to start can often be paralyzing for organizations approaching cybersecurity for the first time, so a framework can help by giving you the first thing to tackle. It’s also great to see that this regulation leans on existing guidance and frameworks like ISO/IEC 27002:2013, ISO/IEC 27001:2013 and ISO/IEC 27035:2016, rather than reinventing the wheel. This should also stand as good evidence for adopting those standards within your own organizations.

Some key areas of interest within the NIS Directive include:

  • Risk Management – Like Clause 6 of ISO 27001 (Planning, which covers risk assessment and risk treatment), this is an approach to threat management that is firmly based on managing the risk associated with those threats. It is a mindset BeyondTrust has embraced for more than a decade: risk scoring is a fundamental part of our vulnerability management solution and integral to the behavioral analysis built into the platform behind all of our products. Prioritising threats by risk keeps you from spending time on academic threats, i.e. threats that exist in principle but for which no exploit has been identified, while remembering that the absence of a known exploit today is a reason to deprioritise, not to ignore, since exploits do appear later.
  • Identity and Access Control – This draws on Clause 9 of ISO 27002 (Access control), which is focused on ensuring that access controls are effective and well-documented. Privileged Password Management (PPM) platforms ensure that access to privileged accounts like Administrator and root is fully managed, monitored, and recorded. Attackers use techniques like pass-the-hash (PtH) to move laterally across your infrastructure looking for valuables. Effective PPM, like PowerBroker Password Safe, sharply narrows the window for such attacks, because credentials are rotated after each use and a captured hash or password soon stops working, while also lifting the responsibility for protecting those passwords from your operations teams into an automated tool.
  • Minimising the impact of cybersecurity incidents – This is focused on response and recovery planning as well as lessons learned (drawn from a mixture of ISO 27001, 27002 and 27035). While not directly a security control, I think there is an important lesson to learn from past attacks. Minimising the impact of a cyber attack is not purely a post-attack activity; much can be done ahead of the attack to limit its impact. Implementing least privilege across your estate, so that users never operate with more privilege than is absolutely necessary (which normally means never with superuser rights), denies attackers useful footholds in your systems and limits their spread across your infrastructure. Solutions like PowerBroker for Unix & Linux, PowerBroker for Windows and PowerBroker for Mac let you give users more opportunity to be productive without exposing yourself to the risk of standing superuser access.
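A practical first step on the least privilege point above is simply to find out who already holds standing superuser rights. The following is an added example written for this post, not code from BeyondTrust or its products: a small Python audit of a sudoers file that expands Cmnd_Alias definitions, joins backslash continuations, and reports every user or group that can run ALL commands, flagging those who can do so without a password. The sudoers content is constructed for the example; negated commands, User_Alias expansion and #include/#includedir files are not modelled and would need handling in a real audit.

```python
import re
from dataclasses import dataclass

# Constructed /etc/sudoers sample for this example (not from a real system).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Cmnd_Alias      SERVICES = /usr/bin/systemctl, /usr/sbin/service
Cmnd_Alias      EVERYTHING = ALL

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
ops     ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
                   /usr/bin/systemctl status app
bob     ALL=(root) SERVICES
carol   ALL=(root) EVERYTHING
alice   ALL=/usr/bin/apt-get
#includedir /etc/sudoers.d
"""

# principal  hosts = (runas) [TAG:] commands      (the runas part is optional)
USER_SPEC = re.compile(r"^(?P<principal>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
                       r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_PREFIX = re.compile(r"^(?P<tag>[A-Z_]+):\s*")


@dataclass
class Grant:
    principal: str   # user, %group or User_Alias name
    tags: list       # NOPASSWD, NOEXEC, ... seen anywhere in the spec
    commands: list   # command list, Cmnd_Alias names left unexpanded
    line: int        # first physical line of the logical line


def _logical_lines(text):
    """Yield (line_number, text) with backslash continuations joined."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        raw = raw.rstrip()
        if raw.endswith("\\"):
            buf.append(raw[:-1])
            continue
        yield start, " ".join(buf + [raw])
        buf, start = [], 0


def _split_commands(spec):
    """Split 'NOPASSWD: /bin/a, PASSWD: /bin/b' into ([tags], [commands])."""
    tags, commands = [], []
    for segment in spec.split(","):
        segment = segment.strip()
        while (m := TAG_PREFIX.match(segment)):
            tags.append(m.group("tag"))
            segment = segment[m.end():]
        if segment:
            commands.append(segment)
    return tags, commands


def parse_sudoers(text):
    """Return ({Cmnd_Alias: [commands]}, [Grant]) from sudoers text."""
    aliases, grants = {}, []
    for lineno, line in _logical_lines(text):
        s = line.strip()
        if s.startswith(("#include", "@include")):
            continue  # included files are not followed here; a real audit must read them too
        if not s or s[0] == "#" or s.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        if s.startswith("Cmnd_Alias"):
            name, _, value = s[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in value.split(",")]
            continue
        if m := USER_SPEC.match(s):
            tags, commands = _split_commands(m.group("rest"))
            grants.append(Grant(m.group("principal"), tags, commands, lineno))
    return aliases, grants


def grants_all(commands, aliases, seen=frozenset()):
    """True if any command is ALL, directly or through a Cmnd_Alias."""
    for c in commands:
        if c == "ALL":
            return True
        if c in aliases and c not in seen and grants_all(aliases[c], aliases, seen | {c}):
            return True
    return False


def standing_root(text):
    """(principal, line, passwordless) for every grant that allows ALL commands."""
    aliases, grants = parse_sudoers(text)
    return [(g.principal, g.line, "NOPASSWD" in g.tags)
            for g in grants if grants_all(g.commands, aliases)]


if __name__ == "__main__":
    for principal, line, nopasswd in standing_root(SAMPLE_SUDOERS):
        print(f"line {line:>2}: {principal:<8} can run ALL as root"
              + (" without a password" if nopasswd else ""))
```

On the sample, `deploy` is not reported even though the grant carries NOPASSWD, because it is scoped to two specific systemctl commands; `carol` is reported because the EVERYTHING alias resolves to ALL. That distinction, unrestricted versus narrowly scoped, is the one a least privilege review cares about, and it is easy to miss when reading a long sudoers file by eye.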

While regulations can feel like compliance burdens thrust upon us, they also offer helpful repositories of good practice in cybersecurity and other areas. Even if a regulation does not apply to your organization, it is worth taking note: as the NIS Directive’s reliance on the ISO 27000 series shows, there is reuse between them, and there will only be more of it. So, picking the best practices from those regulations now may well put you ahead of the curve when the compliance juggernaut rolls into your street.

For more in-depth resources on meeting the NIS Directive demands and improving security controls around critical infrastructure, download our white paper: Four Pillars to Securing UK Critical National Infrastructure and/or register for our webinar: Improving Cyber-Resilience for Critical Infrastructure Providers.

Brian Chappell

Brian has more than 20 years of senior level IT enterprise experience in a career that has spanned high-tech multi-nationals, including Amstrad plc, BBC Television and Xircom Inc. He has held technical IT roles including International Operations Manager for Cidera Inc. and Global IT Consultant for GlaxoSmithKline. Brian leads the Technical Services arm of BeyondTrust across the EMEAI & APAC regions. His role ensures the delivery of world-class technical services of BeyondTrust’s leading vulnerability management and least privilege platform, to some of the largest organisations in the world.