On our website we have a growing amount of information defining the Directive on security of network and information systems (the NIS Directive), showing how it relates to what we do, and describing the various sectors it applies to, such as energy, water and transport. In this blog post we go a little deeper and discuss why you should care about the NIS Directive, and how it might improve your cyber security.
First of all, the NIS Directive is a European Union directive, adopted in 2016, which each EU member state had to transpose into its own national law by May 2018. Because this happened before the UK left the EU, the UK transposed the directive into law as the Network and Information Systems Regulations 2018 (the NIS Regulations). Different states have implemented it slightly differently, but the goal is the same: to reduce disruption to everyday life by improving the cyber security of operators of essential services (OES), such as energy, water and transport providers, and of digital service providers (DSPs), such as online search engines, online marketplaces and cloud computing services.
Non-compliance with the regulations can attract fairly hefty fines (in the UK, up to £17 million). However, the primary approach of each nation state is to help operators and service providers improve before enforcing the full force of the fines. Carrots are being offered before the sticks are “thwacked.”
As we mentioned above, different countries are implementing the directive in different ways. In the UK, the National Cyber Security Centre (NCSC) has developed the Cyber Assessment Framework (CAF), a framework of cyber security good practice. The CAF is organised into four objectives (managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of incidents) and fourteen principles, and an organisation is assessed against indicators of good practice for each principle rather than against a fixed checklist of controls. It is a general framework applicable to all kinds of sectors, but it was developed specifically with critical national infrastructure in mind. Organisations in the energy, water, transport and other critical sectors are therefore expected to work towards full achievement of the CAF, with the regulator (competent authority) for each sector assisting with initial assessments, monitoring progress, making recommendations and auditing, with fines as the eventual consequence of failing to act on those recommendations.
It should be noted that there is a lot of marketing spiel from the cyber security community saying that compliance is not equal to cyber security. This is certainly true: a framework tells you what good looks like, not whether your controls actually work against a determined attacker. But it cuts the other way too. Compliance is the minimum an operator should be doing to reduce the very real threat of a cyber attack on critical infrastructure, so an organisation that is not compliant has not even put that minimum in place. Unfortunately, many organisations are not yet compliant with the CAF.
Why does Awen care?
Awen cares because compliance with the regulation, and especially using the CAF, leads to a safer society. Imagine, for a second, that the drinking water supply was contaminated because the filtration systems were switched off by a cyber attack. That filtration system was being monitored by an efficiency and predictive maintenance monitoring system directly connected to the filtration controllers, so anyone who compromised the monitoring system had a route straight into the controllers. If that water company had followed the CAF as a baseline, it would have been prompted to ensure (for example) that appropriate authentication was in place on the IT systems, that the connection between the monitoring system and the controllers was segregated and monitored, that the OT systems were patched or otherwise protected where patching was not possible, and that the onsite engineers had cyber awareness. Each of these reduces the cyber risk, and ultimately the chance of the community's water supply being polluted.
This is the raison d’être for Awen. We exist to make society safer by reducing cyber risk in critical national infrastructure and manufacturing. Our product Profile helps organisations progressively improve their adherence to the Cyber Assessment Framework (CAF), leading to NIS Directive compliance. Our other product, Dot, goes one step further and helps organisations reduce the vulnerabilities in their operational technology. Not through any fancy artificial intelligence system, but through actionable intelligence that works in collaboration with engineering and business processes.
p.s. You can now buy Profile through our website using a credit or debit card, with options for monthly or annual agreements! To celebrate, we’ve also applied a discount. Plus, don’t forget that if you are a healthcare organisation, or are manufacturing face masks, hand sanitiser, other PPE, ventilators, vaccines or treatments for COVID-19, then you can get Profile from us at no charge for the remainder of 2020.