The NIS Directive (the Directive on security of network and information systems) is an EU directive, i.e. it is transposed into each member state’s national legislation. This means that its application may differ from one member state to another.
What is the purpose of the NIS Directive?
The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy.
What is the story behind the NIS Directive?
Digitalisation not only creates business opportunities but opens more attack vectors to systems. The number of cyberattacks has increased sharply over the recent years, not only from criminals and script kiddies but also from state-funded forces with great endurance and vast resources. Raising information security within critical infrastructure raises society’s readiness for external disturbances.
What practical effect does the NIS directive have?
The NIS Directive tightens the requirements for information security in terms of integrity and availability. People, processes and technology all have to be taken into account to ensure information security in the affected organisations. A better general understanding of how information and systems are risk-classified, together with impact assessments, contingency plans and action plans, is necessary to improve resistance to attacks. Incidents are to be reported, both to build shared knowledge and to raise preparedness.
What do operators need to do?
Cybersecurity entails more than mere technology. In order to create sustainable protection, systematic analysis of assets, threats and risks is required, including also processes and human aspects.
It is neither practical nor economically justifiable to protect all information the same way. Therefore, the first step is to identify information essential to operations. With this basic understanding, necessary measures can be pinpointed and prioritised.
To raise the cybersecurity of critical infrastructure in general, strict segmentation of industrial control systems (ICS/SCADA) has to be applied, combining logical separation with physical separation. This means keeping the separate domains in the architecture isolated and allowing only very specific information to flow between them. An effective way to achieve this is to use products that replace manual transfer of information (the air gap) and connect OT with IT systems at the highest level of security.
To provide NIS-appropriate security for your IT and OT, you need to be in full control of your information security domains.
In today’s ever more interconnected and digitalisation-driven reality, fully air-gapped solutions are no longer a viable alternative. You need to allow information to travel between domains, and you need to stay in control. You need Cross Domain Solutions.
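The segmentation principle above (isolated domains, with only very specific information permitted to flow between them) is illustrated by the following added example, which is not code from the original page or from any vendor product. It assumes hypothetical domain names "OT" and "IT", a constructed allowlist of message types, and constructed sample traffic; it shows an explicit default-deny policy that allows only well-formed telemetry to leave OT and nothing to enter it.

```python
"""Minimal cross-domain flow policy for an OT/IT boundary (constructed example)."""
from dataclasses import dataclass
import json

# Hypothetical domains and message classes (assumptions, not from the page).
# Default deny: any (source, destination) pair not listed here is rejected.
ALLOWED_FLOWS = {
    ("OT", "IT"): {"telemetry", "alarm"},  # export of read-only process data
    ("IT", "OT"): set(),                   # nothing is allowed back into OT
}
MAX_PAYLOAD_BYTES = 4096

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(src: str, dst: str, msg_type: str, payload: bytes) -> Decision:
    """Decide whether one message may cross the boundary; default is deny."""
    flows = ALLOWED_FLOWS.get((src, dst))
    if flows is None:
        return Decision(False, f"no policy for {src}->{dst}")
    if msg_type not in flows:
        return Decision(False, f"{msg_type} not permitted {src}->{dst}")
    if len(payload) > MAX_PAYLOAD_BYTES:
        return Decision(False, "payload exceeds size limit")
    try:  # content inspection: flat JSON object with scalar values only
        doc = json.loads(payload)
    except ValueError:
        return Decision(False, "payload is not valid JSON")
    if not isinstance(doc, dict) or not all(
        isinstance(v, (int, float, str)) for v in doc.values()
    ):
        return Decision(False, "payload contains nested or non-scalar fields")
    return Decision(True, "permitted")

def filter_messages(messages):
    """Apply the policy to a batch; return (forwarded messages, audit log)."""
    forwarded, audit = [], []
    for m in messages:
        d = evaluate(m["src"], m["dst"], m["type"], m["payload"])
        audit.append((m["src"], m["dst"], m["type"], d.allowed, d.reason))
        if d.allowed:
            forwarded.append(m)
    return forwarded, audit

SAMPLE_MESSAGES = [  # constructed traffic seen at the boundary
    {"src": "OT", "dst": "IT", "type": "telemetry", "payload": b'{"pump1_rpm": 1450, "tank_level": 0.72}'},
    {"src": "OT", "dst": "IT", "type": "telemetry", "payload": b'{"pump1_rpm": 1450, "cmd": {"set": 0}}'},
    {"src": "IT", "dst": "OT", "type": "command", "payload": b'{"setpoint": 1600}'},
    {"src": "OT", "dst": "IT", "type": "file_transfer", "payload": b'not json'},
]
```

Every rejected message still appears in the audit log with its reason, which is the record an operator needs for the incident reporting the directive asks for.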
A Risk and Safety Analysis is an efficient method to get the necessary protection in place. Our products and services are used by nations and critical infrastructure to protect the most secure information in the most unfriendly environments. Through our encryption and segmentation, networks can be isolated while the information itself can be linked. As a result, our customers can increase information security and digitise with confidence.