The EU’s NIS Directive, which requires operators of essential services to strengthen their cybersecurity capabilities, has a significant impact on industrial organisations. The NIS Directive has been in effect for two years now, and in this time of increased uncertainty and heightened vulnerability, it’s worth going back to basics and checking that your organisation is still compliant.
Mapping your assets. Ensure that you have an up-to-date list of every asset in your industrial control system, whether or not it communicates over the network, including firmware versions, serial numbers and other identifying details. Put a recurring process in place so that this inventory is kept current and any change to an existing asset (a firmware upgrade, a replaced module, a new network interface) is recorded when it happens, not discovered later.
Access and device management. Organisations should ensure that devices used for specific purposes are only ever used for those purposes, and that only employees with those responsibilities are granted access. This can be achieved through access management policies and by restricting internet access for devices that do not need it. Additionally, organisations must monitor their networks so that any unauthorised device attempting to connect is detected; the asset inventory is the reference list against which observed devices should be compared.
Risk management. Organisations must be aware of potential risks stemming from all aspects of their operations, including third parties, software, hardware, networks and operating systems. By referring to the detailed asset list, which should include version information, organisations can regularly check their installed firmware and software versions against published vulnerability advisories. This is time-consuming when done by hand because it has to be repeated every time the inventory or the advisory data changes. Tools such as CyDesk can automate this, continuously identifying, analysing and managing supply chain, compliance and business risks.
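The two inventory-driven checks described above (matching installed firmware versions against known-vulnerable version ranges, and flagging devices seen on the network that are not in the inventory) are small enough to show in working code. The following Python is an added example and is not code from the original post or from CyDesk; the vendor names, model names, advisory identifiers, serial numbers and MAC addresses are all constructed for illustration and do not refer to real products or real vulnerabilities.

```python
"""
Inventory-driven checks for an ICS estate (added example, not the post's code).

  1. find_vulnerable():      match each asset's firmware against the affected
                             version range of each advisory for that vendor/model
  2. find_unknown_devices(): flag MAC addresses observed on the network that are
                             not in the inventory

All data below is constructed. Vendor, model, advisory IDs, serials and MACs
are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    model: str
    firmware: str
    serial: str
    mac: Optional[str]  # None for devices that never touch the network


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    model: str
    affected_below: str       # versions strictly below this are affected
    affected_from: str = "0"  # lowest affected version (inclusive)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.1', 'v3.0' or '1.2.0-rc1' into a tuple of ints.

    Non-numeric suffixes are dropped, so pre-release ordering is NOT modelled;
    see the note after the block."""
    nums = re.findall(r"\d+", v)
    if not nums:
        raise ValueError(f"unparseable firmware version: {v!r}")
    return tuple(int(n) for n in nums)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # '2.4' must compare equal to '2.4.0', so pad with zeros before comparing
    return v + (0,) * (width - len(v))


def version_in_range(version: str, low: str, high_exclusive: str) -> bool:
    """True if low <= version < high_exclusive, comparing component-wise."""
    pv, pl, ph = parse_version(version), parse_version(low), parse_version(high_exclusive)
    width = max(len(pv), len(pl), len(ph))
    return _pad(pl, width) <= _pad(pv, width) < _pad(ph, width)


def find_vulnerable(inventory: List[Asset], advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """Return (asset_id, advisory_id) for every asset whose vendor/model matches
    an advisory and whose firmware falls inside the affected range."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            if (asset.vendor, asset.model) != (adv.vendor, adv.model):
                continue
            if version_in_range(asset.firmware, adv.affected_from, adv.affected_below):
                hits.append((asset.asset_id, adv.advisory_id))
    return hits


def find_unknown_devices(inventory: List[Asset], observed_macs: List[str]) -> Set[str]:
    """MACs seen on the network that no inventoried asset accounts for."""
    known = {a.mac.lower() for a in inventory if a.mac}
    return {m.lower() for m in observed_macs} - known


# Constructed sample inventory (hypothetical vendor and models)
INVENTORY = [
    Asset("PLC-01", "ExampleVendor", "PLC-1000", "2.3.7", "SN-0001", "00:11:22:33:44:01"),
    Asset("PLC-02", "ExampleVendor", "PLC-1000", "2.4.1", "SN-0002", "00:11:22:33:44:02"),
    Asset("HMI-01", "ExampleVendor", "HMI-200", "v1.9", "SN-0003", "00:11:22:33:44:03"),
    Asset("RTU-07", "ExampleVendor", "RTU-50", "3.0.0", "SN-0004", None),  # serial link only
]

# Constructed sample advisories (hypothetical identifiers and ranges)
ADVISORIES = [
    Advisory("EX-2020-001", "ExampleVendor", "PLC-1000", affected_below="2.4.0"),
    Advisory("EX-2020-002", "ExampleVendor", "HMI-200", affected_from="1.8", affected_below="2.0"),
    Advisory("EX-2020-003", "ExampleVendor", "RTU-50", affected_from="3.0", affected_below="3.0.2"),
]

# Constructed sample of MACs seen by a passive network monitor
OBSERVED_MACS = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03", "DE:AD:BE:EF:00:01"]


if __name__ == "__main__":
    for asset_id, adv_id in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"VULNERABLE  {asset_id} matches {adv_id}")
    for mac in sorted(find_unknown_devices(INVENTORY, OBSERVED_MACS)):
        print(f"UNKNOWN DEVICE  {mac} is on the network but not in the inventory")
```

Two points to keep in mind when adapting this. The version comparison pads short versions with zeros so that "2.4" and "2.4.0" compare equal, but it discards suffixes such as "-rc1", so pre-release builds are treated as the release they precede; if your vendors ship such builds, match on the vendor's own version format instead. The unknown-device check only works as well as the inventory it compares against, which is why the asset list has to be kept current.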
Monitoring and identifying security breaches. Continuous monitoring of your network and assets is key to early identification of newly disclosed vulnerabilities and of breaches in progress. No cybersecurity posture is truly strong without a thorough monitoring and alerting process that lets your organisation mitigate risks and manage ongoing security incidents. This can be challenging with older OT equipment that cannot run an agent or emit useful logs, but it is vital, and in those cases passive network monitoring is usually the practical route.
Finally, it’s always good to check in with your Competent Authority for guidance and support. Competent Authorities differ by sector and sub-sector; for example, within the Energy sector, Electricity, Oil and Gas companies each refer to a different regulatory authority. Your relevant Competent Authority should have information tailored to the needs of your industry sub-sector.
While the NIS Directive may seem burdensome, it is key to ensuring that the operators of essential services, who make up the critical national infrastructure that runs the country, remain secure. Ensuring ongoing compliance only serves to strengthen the industrial sector and will hopefully allow for minimised disruption as we continue into the future.
This is the third in a series of blogs about the NIS Directive; to read the first two, click below:
Making the UK’s NIS Regulation work for you
How the EU’s NIS affects cloud service providers