In October 2024, the NIS 2 directive came into force, and everyone affected must now adapt their operations. Among other things, the updated directive places increased focus on encryption and names network segmentation as a basic cyber hygiene measure. In this blog post we go through some use cases that suggest solutions to these subjects.
What is new with the NIS 2 Directive?
The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy.
The original NIS Directive contained a process for regular review of its own content. This has led to a proposed directive for countries in the EU on measures for a high common level of cybersecurity – this is called NIS 2.
NIS 2 addresses deficiencies in the original NIS Directive. Based on these shortcomings, new additions have been made, resulting in the new proposal NIS 2. These are the most prominent additions:
- Larger scope than NIS, with more sectors considered essential services (list further down)
- Managers are held responsible for securing operations
- Incident reporting must now be done within 24 hours instead of 72 hours
- Higher security and reporting requirements, where a list of minimum requirements must be met
- Security for supply chains and suppliers
- Stricter supervisory measures for national authorities
- The distinction between “operators of essential services” and “digital service providers” has been removed
- Stricter regulatory measures for national authorities, stricter compliance requirements
- Harmonise sanctioning systems between Member States and enable administrative fines. The fine will be up to EUR 10 million or 2% of the company’s total turnover worldwide
- The Cooperation Group gets a bigger role, as well as increased information sharing and cooperation between member states’ authorities
But how do you follow the NIS 2 directive? We have a number of use cases that suggest some solutions to the issues that the NIS 2 Directive mentions.
Use encryption to make your organisation more secure
NIS 2 contains recommendations on using encryption and cryptography. Encryption is mentioned in Article 21 of the NIS 2 Directive, which states that each organisation should have policies for cryptography and, where applicable, use encryption. Among other things, encryption and other security-related functions (access control, integrity preservation and non-repudiation) can be part of the measures that protect networks and information systems. It is also stated that public electronic communication networks and publicly available electronic communication services should use encryption, in particular end-to-end encryption.
We have a number of use cases that suggest how encryption can be used to make your organisation more secure.
Use Case #1: Secure communication with remote sites
Advenica’s SecuriVPN provides sustainable data-in-motion protection for all end-user applications. Optimal deployment is ensured by multiple product models. At the main office, SecuriVPN can be configured for high availability with failover or dynamic routing. Mobile offices can use the portable SecuriVPN variant. The system supports features such as NTP, logging and automatic key updates. It is hardware-based, evaluated, and has a central administration system for ease of use.
Use Case #2: Protection of sensors
Deploying and protecting bandwidth-hungry sensors, together with growing video, data and voice traffic, puts pressure on available bandwidth and can be expensive. Protecting the data with encryption adds traffic overhead, which escalates the issue. SecuriVPN can be configured to compensate for low bandwidth by automatically compressing all data. It can also be configured to act as a unidirectional security gateway, allowing data to travel in one direction only.
Read more about the Advenica SecuriVPN.
Increase your information security with network segmentation
Network segmentation is mentioned in one of the reasons for NIS 2 (preamble 89) as a necessary and basic cyber hygiene factor, and again (preamble 98) to secure electronic communication services and networks. We have gathered a few use cases as to how network segmentation can be used to increase your overall information security and protect your systems and networks.
Use Case #1: Secure IT/OT integration
Separating IT and OT into separate segments prevents vulnerabilities or disruptions in IT from affecting OT. To avoid risks arising from mistakes in configuration or function, physical segmentation (zoning) should be used, meaning that separate hardware is used for IT and OT.
The most secure way to connect an integrity-sensitive data network to other systems is to use data diodes. Every data flow from OT that can be handled by a data diode gets a simplified security analysis, quite simply because a data diode is so secure and easy to analyse. Or, more correctly, because it has such high assurance.
Use Case #2: Secure logging
Each zone that supplies log data is protected with its own data diode, so the data flow is unidirectional towards the log system. A shared log system can therefore be used regardless of the number of zones feeding it. If any of the zones contains confidential data, either the log system must be protected at the appropriate confidentiality level, or the log data from that zone must be filtered so that the log system is not contaminated with confidential data. This can, however, reduce the value of the log data, since free-text fields often need to be filtered out, which may make the logs harder to interpret.
- The data diodes make it impossible to use the log system as a stepping stone.
- The data diodes make it easy to protect the log system so that no unauthorised person can access the data.
- It is much more difficult for an attacker to cover their tracks after an attack.
- It is also possible to encrypt the connection to the log server to prevent corruption of log data.
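As an added example (not Advenica’s code or part of the original post), here is a minimal forwarder for the zone-per-diode logging design above. It assumes JSON log records and a one-way UDP path through the diode; records from zones marked confidential have their free-text fields stripped before crossing, which is exactly the trade-off the paragraph describes. Field names and sample records are constructed for illustration.

```python
import json
import socket

# Structured fields considered safe to forward from any zone (assumption).
STRUCTURED_FIELDS = {"ts", "host", "zone", "event_id", "severity",
                     "src_ip", "dst_ip", "outcome"}


def filter_record(record: dict, zone_is_confidential: bool) -> dict:
    """Return the part of a log record allowed to cross the diode.

    Non-confidential zones forward everything. Confidential zones keep only
    the structured fields, so free text (which may carry secrets) never
    reaches the shared log system; a marker tells analysts it was filtered.
    """
    if not zone_is_confidential:
        return dict(record)
    kept = {k: v for k, v in record.items() if k in STRUCTURED_FIELDS}
    kept["filtered"] = True
    return kept


def forward(records, dst_host, dst_port, confidential_zones) -> int:
    """Send each filtered record one-way over UDP and return the count sent.

    UDP is used because a diode physically blocks the return path: no ACKs,
    no handshake, nothing is ever read back from the log system.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for rec in records:
        out = filter_record(rec, rec.get("zone") in confidential_zones)
        sock.sendto(json.dumps(out, sort_keys=True).encode(), (dst_host, dst_port))
        sent += 1
    sock.close()
    return sent


# Constructed sample records from two zones; "ot-zone-a" is confidential.
SAMPLE_RECORDS = [
    {"ts": "2024-10-18T08:00:00Z", "host": "plc-01", "zone": "ot-zone-a",
     "event_id": 4625, "severity": "high", "src_ip": "10.1.1.5",
     "msg": "login failed for user svc_backup with recipe file batch7.xml"},
    {"ts": "2024-10-18T08:00:01Z", "host": "fw-02", "zone": "it-zone",
     "event_id": 1001, "severity": "low", "outcome": "allow",
     "msg": "policy reload complete"},
]

if __name__ == "__main__":
    # Destination is the diode's inbound side (assumed address/port).
    print(forward(SAMPLE_RECORDS, "127.0.0.1", 5140, {"ot-zone-a"}))
```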
Read more about Advenica’s data diodes and about network segmentation.
If you need more help with your different security challenges you are more than welcome to contact us!