Lessons we’ve learned: the EU NIS directive and securing critical infrastructure
What is NIS?
The Networks & Information Systems (NIS) Directive was created by the European Union (EU) with the specific aim of raising levels of overall cybersecurity and network resilience for critical infrastructure. NIS improves overall EU cybersecurity by driving organizations to adopt enhanced security for critical infrastructure.
The NIS Directive & Critical Infrastructure
Although GDPR was undoubtedly the compliance craze of the mid-2010s, in its shadow the sophisticated and forward-thinking NIS directive was introduced at almost exactly the same time.
Despite remaining somewhat underappreciated during its early years, with attacks on critical infrastructure on the rise, the NIS directive provides a well-laid foundation for European business, and the EU as a whole.
By targeting critical infrastructure, criminals gain political leverage by virtue of their ability to shut down critical services. The IBM X-Force Incident Response & Intelligence Services found a 200% rise in attacks on critical infrastructure in the first half of 2019.
Here are examples of the kinds of damage caused by cyber attacks from the last decade:
2010: The US & Israel deploy the Stuxnet worm, damaging centrifuges and compromising Iran’s Natanz Nuclear Enrichment Plant
2012: Saudi oil giant Aramco is targeted by “Shamoon” malware, shutting down operations for nearly a month
2014: Spear phishing and APT attack on a German steel mill leads to industrial control malfunction and massive asset damage
2015: Cybercriminals target the Ukrainian Power Grid, switching off substations remotely and resulting in widespread loss of electricity during winter
2017: Shamoon malware returns to disrupt Aramco’s operations and also affects critical state agencies in Saudi Arabia
2019: A ransomware attack causes production stoppage in Norsk Hydro, Norway
Cyber attacks on critical infrastructure present new, complex political scenarios that put entire communities, states and countries at risk. A hypothetical attack shutting down the US power grids has been estimated to have a 70-90% casualty rate within 12 months.
With such scenarios in mind, the European Commission released the NIS Directive as a sharp set of policies to control cyber threats across critical infrastructure. The NIS requirements are built on four key strategies:
- Managing Cyber Risk
- Protecting Against Cyber Attack
- Detecting Cybersecurity Events
- Minimizing the Effects of Cybersecurity Incidents
Now, five years on from the publication of the NIS Directive, here are some of the lessons we have collectively learned about securing critical infrastructure.
1. Protecting Critical Systems means Privileged Access Management
One of the overwhelming takeaways from the NIS Directive is the recognition that our most critical environments require additional layers of security and control.
Where GDPR has been deemed sufficient for standard European business, NIS was crafted out of an awareness that certain kinds of systems and environments require more control and attention.
We see a similar parallel in security software: as opposed to standard Identity & Access Management (IAM), Privileged Access Management (PAM) is designed to secure privileged access. Because of this, the detail of the NIS Control Objectives references capabilities associated with PAM.
For example, Control B2 goes beyond traditional password management advice to highlight the need to control what kinds of actions are possible: “Organisations must put in place policies to limit and control which specific devices can perform which actions.”
Where password management and vaulting may be useful, the NIS directive takes things further by not simply asking subjects to control who has access to which credentials, but also what actions they can perform on that endpoint. A key PAM construct is the principle of least privilege, and here it’s being applied to critical infrastructure security.
2. Cyber Resilience for Critical Infrastructure means removing privileges to prevent Ransomware
The NIS Directive calls for subjects to “Build resilience against cyber attacks” and recent events highlight critical places to start.
Ransomware epidemics, such as WannaCry and NotPetya, caused havoc across the globe and highlight the vulnerability of the healthcare vertical, which has been reliant on legacy, vulnerable systems with little to no cyber resilience in place.
The idealist advice of replacing legacy systems and enhancing user awareness is simply not practical, especially for those in the UK who run healthcare technology that requires legacy operating systems.
A more practical and realistic approach has emerged in recent years: endpoint privilege management can ensure cyber resilience by removing the privileges that ransomware requires to run.
Endpoint privilege management is a key component of PAM that enables businesses to painlessly implement intelligent application whitelisting, blacklisting, and restriction policies across their business, and then remove local admin rights to ensure resilience against malware.
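As an added illustration (not code from the article or from any PAM product), the following Python models the two controls discussed in points 1 and 2 together: Control B2's requirement to limit which specific devices may perform which actions, and endpoint privilege management's allow/block/restrict decision for applications once users no longer hold local admin rights. Device names, actions, executables and their contents are constructed sample data; the hashes are computed from those constructed bytes.

```python
"""Least-privilege endpoint policy evaluator (added example, constructed data).

Models two controls: Control B2 (per-device action scopes) and endpoint
privilege management (application control for standard users whose local
admin rights have been removed).
"""
import hashlib
from dataclasses import dataclass

# --- Control B2: per-device action scopes, default deny ---------------------
# A device not listed here, or an action outside its scope, is refused.
DEVICE_ACTIONS = {
    "hmi-ward3": {"read_telemetry", "acknowledge_alarm"},
    "eng-workstation-01": {"read_telemetry", "acknowledge_alarm",
                           "change_setpoint", "upload_logic"},
}

def device_may(device: str, action: str) -> bool:
    """True only if policy explicitly grants this action to this device."""
    return action in DEVICE_ACTIONS.get(device, set())

# --- Endpoint privilege management: application control ---------------------
def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executable contents; a real agent hashes the file on disk.
SAMPLE_APPS = {
    "pacs_viewer.exe": b"constructed: approved clinical imaging viewer",
    "legacy_admin_tool.exe": b"constructed: vendor tool that needs elevation",
    "dropper.exe": b"constructed: known-bad sample",
    "unknown_util.exe": b"constructed: never seen before",
}

@dataclass(frozen=True)
class AppPolicy:
    allow: frozenset          # hashes permitted to run
    block: frozenset          # hashes never permitted to run
    elevate: frozenset        # subset of allow that runs with an elevated token
    default: str = "restrict" # verdict for unknown binaries: "restrict" or "block"

POLICY = AppPolicy(
    allow=frozenset({sha256_of(SAMPLE_APPS["pacs_viewer.exe"]),
                     sha256_of(SAMPLE_APPS["legacy_admin_tool.exe"])}),
    block=frozenset({sha256_of(SAMPLE_APPS["dropper.exe"])}),
    elevate=frozenset({sha256_of(SAMPLE_APPS["legacy_admin_tool.exe"])}),
)

def decide_launch(policy: AppPolicy, exe_bytes: bytes, local_admin: bool = False):
    """Return (verdict, token) for a launch request.

    verdict: "allow" | "block" | "restrict" | "bypass"
    token:   "standard" | "elevated" | None (nothing runs)
    A user who still holds local admin rights can disable the agent or run
    anything elevated, so policy is only advisory for them; that is why
    application control is paired with removing local admin rights.
    """
    if local_admin:
        return ("bypass", "elevated")
    h = sha256_of(exe_bytes)
    if h in policy.block:
        return ("block", None)
    if h in policy.allow:
        # Per-application elevation replaces a blanket admin account.
        return ("allow", "elevated" if h in policy.elevate else "standard")
    # Unknown binary: run under a restricted, non-elevated token or refuse,
    # depending on the policy default.
    return (policy.default, "standard" if policy.default == "restrict" else None)

def evaluate_request(device: str, action: str, exe_name: str,
                     local_admin: bool = False) -> dict:
    """Combine both controls for one request and produce an audit record."""
    verdict, token = decide_launch(POLICY, SAMPLE_APPS[exe_name], local_admin)
    permitted = device_may(device, action)
    return {
        "device": device, "action": action, "exe": exe_name,
        "device_permitted": permitted,
        "app_verdict": verdict, "token": token,
        "policy_enforced": verdict != "bypass",
        "granted": permitted and verdict in ("allow", "bypass"),
    }

if __name__ == "__main__":
    for req in [("hmi-ward3", "change_setpoint", "pacs_viewer.exe"),
                ("eng-workstation-01", "change_setpoint", "legacy_admin_tool.exe"),
                ("eng-workstation-01", "read_telemetry", "dropper.exe")]:
        print(evaluate_request(*req))
```

The audit record is the piece a NIS subject would retain: it shows both why a request was refused (device scope or application verdict) and whether policy was actually enforced, which is only true once the local admin path is closed.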
Industry experts are forecasting significant increases in ransomware in 2020, with critical services (financial services, utilities, and public institutions) being the focus of more and more attention.
There has never been more reason to remove privileges with PAM to prevent ransomware from causing critical outages, loss of data and money, or business failure.
3. Some targets continue to draw more attention than others
The NIS Directive offers a broad definition of what constitutes Critical Infrastructure, including scenarios that involve operational environments (water supply, electricity generation, transmission, and distribution, and renewable energy), to digital service providers and financial services that may not have any operational technology.
Regardless of the major differences in these environments, there are some similarities. Across all verticals, each different kind of business will have some “crown jewel” targets that can offer cybercriminals and nation-states unparalleled disruptive abilities.
Within operational technology these are ICS systems such as SCADA; in financial services, SWIFT and trading terminals; and for digital service providers, the administrative consoles of IaaS and PaaS environments.
Though Objective A of the NIS Directive (Governance, Risk Management, Asset Management, etc.) covers identifying what and where these systems and consoles are, applying the appropriate access controls to them is best managed with a PAM solution.
With PAM, subjects can deliver the layers of access control, access workflows, anomalous access detection, live session monitoring, time-based control, and zero trust controls appropriate for these high-value systems.
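As an added example (not code from the article or any PAM product), here is how the anomalous access detection and time-based control mentioned above can be expressed over privileged-session records for the "crown jewel" systems named in this section. The target names, jump hosts, users and log lines are constructed; the policy encodes an approved user set, approved source hosts and a weekday access window per target.

```python
"""Anomalous privileged-access detection over session logs (added example, constructed data)."""
import csv
from datetime import datetime, time
from io import StringIO

# Constructed policy: who may open a privileged session to each crown-jewel
# target, from which jump host, and during which weekday window.
CROWN_JEWELS = {
    "swift-gw-01": {                      # financial services: SWIFT gateway
        "users": {"treasury.ops"}, "sources": {"fin-jump-01"},
        "window": (time(8, 0), time(18, 0)),
    },
    "scada-hist-01": {                    # operational technology: SCADA historian
        "users": {"ops.engineer"}, "sources": {"ot-jump-01"},
        "window": (time(7, 0), time(19, 0)),
    },
    "cloud-admin-console": {              # digital service provider: IaaS admin console
        "users": {"cloud.admin"}, "sources": {"paw-01"},
        "window": (time(0, 0), time(23, 59)),
    },
}

# Constructed sample log; 2020-03-07 is a Saturday.
SAMPLE_LOG = """ts,user,src_host,target,action
2020-03-02T09:15:00,treasury.ops,fin-jump-01,swift-gw-01,session_start
2020-03-02T23:40:00,treasury.ops,fin-jump-01,swift-gw-01,session_start
2020-03-03T10:05:00,j.contractor,vpn-pool-12,scada-hist-01,session_start
2020-03-07T11:00:00,ops.engineer,ot-jump-01,scada-hist-01,session_start
2020-03-04T14:30:00,cloud.admin,laptop-77,cloud-admin-console,session_start
2020-03-04T15:00:00,cloud.admin,paw-01,cloud-admin-console,session_start
"""

def check_event(event: dict) -> list:
    """Return the policy violations for one session_start event (empty if clean)."""
    rule = CROWN_JEWELS.get(event["target"])
    if rule is None:
        return []  # not a monitored crown-jewel system
    reasons = []
    ts = datetime.fromisoformat(event["ts"])
    if event["user"] not in rule["users"]:
        reasons.append("unapproved_user")
    if event["src_host"] not in rule["sources"]:
        reasons.append("unapproved_source")
    start, end = rule["window"]
    # Time-based control: weekdays only, and only inside the approved window.
    if ts.weekday() >= 5 or not (start <= ts.time() < end):
        reasons.append("outside_window")
    return reasons

def detect_anomalies(log_text: str) -> list:
    """Run every session_start record through policy and collect findings."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "session_start":
            continue
        reasons = check_event(row)
        if reasons:
            findings.append({"ts": row["ts"], "user": row["user"],
                             "target": row["target"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_LOG):
        print(finding)
```

In a live deployment the same checks would run against the PAM gateway's session records as they arrive, and a finding such as an out-of-window SWIFT session would feed an alert or an automatic session termination rather than a printed line.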
2020 is set to be a year where critical infrastructure and its role in cybersecurity take center stage. Learn how Privileged Access Management can help you ensure NIS compliance.