INTRODUCTION

Technology has brought us into a world that many of us only poorly understand. While we may have some grasp of this technology, there is often a lack of real understanding as to how these technologies work and interact. A few decades ago, we understood that if the water levels fell then the hydroelectric plant would not be able to generate electricity. We knew that interchanges connected our phones to other phones elsewhere in the world. We had some appreciation of the fact that supermarkets and other retailers would have to call suppliers and wholesalers in order to have food delivered. Essential services and infrastructure were quite simple to understand.

Nowadays, so much has been automated and interlinked that it can be difficult to understand how our phone calls are connected or where our power comes from. Most people do not need to really understand how society continues to function. They do not need to know that RFID chips attached to crates of fruit make sure there is always fresh fruit on supermarket shelves. The electricity grid is driven by hundreds of power stations, with the flow managed, surpluses stored and shortfalls accounted for automatically. Our phones connect to remote cell towers and flicker between them to maintain the best possible connection. For the most part, as long as everything keeps working, we have no desire to understand any of this.

What we do want, however, is reassurance that these services will not be interrupted. This is not just for the benefit of the common person: our whole society relies on critical infrastructure, and this infrastructure is supported by a set of services. In the modern world, these services and infrastructure can be attacked not just physically but also digitally, and digital attacks can have significant repercussions in the physical world.

In 2014, a German steel factory suffered a cyber attack that caused significant physical damage to its machinery by turning off industrial controls.[1] More famously, the original Stuxnet worm infected the Natanz nuclear facility in Iran in 2010 and destroyed almost one fifth of the country’s nuclear centrifuges.[2] In 2015, Ukraine was the victim of what is believed to be the first successful attack against a power grid, which left 230,000 people without power for up to six hours.[3]

Unfortunately, cyber criminals need to find just one weakness to infiltrate and potentially cause damage, but an organisation has to patch all of its vulnerabilities and defend against all types of attacks. These threats are significant not just because they are difficult to stop but also because they are increasingly within reach of even common criminals. Only a few years ago, a Polish teenager was able to hack into the Lodz tram network, derailing several carriages and injuring 12 people;[4] you might have reasonably assumed that such attacks came from state actors or well-funded terrorist or dissident groups, but it is the nature of information to be replicated and reused. As such, the threat is proliferating and will continue to do so.

In the European Union, threats to infrastructure and essential services can be especially severe because so many organisations operate across borders – a single service may be critical to several nations, so a single threat can affect all of them. This also means that each nation has an obligation to its neighbours to adequately protect its critical infrastructure and services.

These are the conditions of the modern world, and protecting our infrastructure and critical services is now recognised as essential. Without electricity, water, sewage, transport and the Internet, it is almost impossible to do business – or indeed for our modern society as a whole to function – and the EU is, after all, a major trading partnership.

The EU’s Directive on security of network and information systems (NIS Directive)[5] is part of the legislated response to these threats.[6] It aims to establish a “high common level of security of network and information systems across the Union” (NIS Directive, Preamble), which will not only protect the Union’s economy but also those of its trading partners, because they will benefit from the stability of the EU’s infrastructure and services.

It is important to understand that the Directive is not just about cyber security or just about service continuity. It certainly requires cyber security and business continuity measures, but it is more accurately a synthesis of the two: cyber resilience. The fundamental thrust of the legislation is not simply that critical infrastructure organisations must be able to defend themselves, but that they must be able to continue functioning in the event of an incident. As part of this, there must also be a degree of communication and cooperation between EU Member States, both to share intelligence and to limit the spread of any attack.

Background

When the Directive was adopted in 2016, most EU Member States already had some regulations or laws regarding how critical infrastructure and services must be protected. These regulations and laws lacked a consistent approach, however: what one country thinks is an adequate level of cyber security may not meet their neighbour’s standards, or while one country has applied conditions to a specific sector, their neighbour may not.

On the face of it, this may not appear to be a problem: a country’s infrastructure should be its own concern, and it is in that country’s interests to protect it, regardless of the measures its neighbours are taking or its antipathy to EU intervention. With such interconnected economies, however, and the prevalence of cross-border infrastructure and services, it is important for there to be some measure of consistency and cooperation between Member States. This is especially true of digital service providers (DSPs), which often operate across borders.

The EU, as most organisations should be aware, began and remains primarily a tool for streamlining business throughout the continent. To this end, it has largely focused on standardising and formalising trade and business. The EU has two types of legal instrument that are used to regulate business:

1. Directives

These set minimum standards and parameters for the EU, but leave the actual implementation to the Member States themselves. When a directive is passed, the EU sets a deadline by which every Member State must have put the directive into force, whether by law, regulation or other initiative.

2. Regulations

These apply across the EU with the same authority as if they were local laws. Member States may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.

So, for any attempt to standardise practices across the Union, the EU can choose to either enforce a standard directly, or to set a minimum standard and rely on the Member States to determine more of the detail and, perhaps, to set their own standards higher. It is also worth noting that a regulation will generally set requirements intended to be applied by businesses, while directives will set conditions for states and state-run agencies.

The NIS Directive is, obviously, a directive, so each Member State will need to implement its own interpretation of the Directive’s requirements. For the UK, these are ‘The Network and Information Systems Regulations 2018 (NIS Regulations)’, which were passed on 20 April 2018 and came into force on 10 May 2018.

Even though this approach can lead to some inconsistency, every Member State is, in theory, working from a common understanding – which is a major step up from having completely divorced systems. Having said that, organisations operating in multiple Member States need to be aware of possible differences in specific implementations – and that compliance with the NIS Regulations does not necessarily imply compliance outside the UK – although the ‘common approach’ is meant to prevent such situations. Regulations such as the EU’s General Data Protection Regulation (GDPR), which attracted headlines in part because any journalist or blogger could write about it without waiting to see how the government intended to implement it, should not lead to any such inconsistencies.

A note on Brexit

While the UK will presumably be departing the EU in March 2019, the Regulations will continue to apply after that date, much like the GDPR. This should not be a surprise: the deadline for implementing the Directive was May 2018, when the UK was still a member of the EU. Furthermore, the UK has cemented both the GDPR and the NIS Directive into UK law and regulation through the Data Protection Act 2018 and the NIS Regulations 2018, so it would be difficult (and foolish) to later renege on the commitment.

Other states have also been quick to implement the requirements of the Directive. In Germany, for instance, only minor amendments had to be made to the IT Security Act (IT-Sicherheitsgesetz) of 2015, which were completed in the Implementation Act (Umsetzungsgesetz) of June 2017,[7] while Slovakia has passed a law “on Cybersecurity and on Amendments and Supplements to certain Acts” (o kybernetickej bezpečnosti a o zmene a doplnení niektorých zákonov).[8]

Guidance

As mentioned earlier, the UK government transposed the NIS Directive into ‘The Network and Information Systems Regulations 2018 (NIS Regulations)’, which was passed on 20 April 2018. This content is supported by guidance from the European Union Agency for Network and Information Security (ENISA) and the UK’s National Cyber Security Centre (NCSC) for DSPs and operators of essential services (OES) respectively.

Because of their typically cross-border offerings, the guidance in the NIS Directive itself is also of use for DSPs. For instance, Recital 48 explains that:

Many businesses in the Union rely on digital service providers for the provision of their services. As some digital services could be an important resource for their users, including operators of essential services, and as such users might not always have alternatives available, this Directive should also apply to providers of such services.

It goes on to emphasise that:

The security, continuity and reliability of the type of digital services referred to in this Directive are of the essence for the smooth functioning of many businesses. A disruption of such a digital service could prevent the provision of other services which rely on it and could thus have an impact on key economic and societal activities in the Union. Such digital services might therefore be of crucial importance for the smooth functioning of businesses that depend on them and, moreover, for the participation of such businesses in the internal market and cross-border trade across the Union.

The NIS Regulations further clarify the requirements for DSPs that fall under the UK’s jurisdiction – that is, those that are either headquartered or have their representative in the UK. Additionally, the EU set out the security measures and incident reporting thresholds for DSPs in more detail in the European Commission’s Implementing Regulation.[9]

The UK is taking two approaches to compliance – one for each of the types of organisation described in the Directive: DSPs and OES. This pocket guide focuses on the requirements for DSPs, while its partner will provide guidance for OES.

Key definitions

The following definitions are likely to be valuable to any organisation that needs to comply with the NIS Directive/Regulations. These definitions are shared between both pieces of legislation, so the risk of divergence from the original intent is diminished.

Network and information systems

a) An electronic communications network – that is, “transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed”;[10]

b) Any device or group of interconnected or related devices at least partially involved in automatic processing of digital data; or

c) Digital data stored, processed, retrieved or transmitted by one of the two elements above for their operation, use, protection and maintenance.[11]

Security of network and information systems

According to section 1(3)(g) of the NIS Regulations, this is “the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems”. The use of “at a given level of confidence” is particularly interesting, as it supports the notion that risk management practices are an essential element of compliance.

Incident

Under the NIS Regulations, this is “any event having an actual adverse effect on the security of network and information systems”. Because it is a common term across a range of disciplines, however, it is valuable to also consider wider definitions:

ISO/IEC 27000:2018 (ISO 27000, information security) provides the following definition for ‘information security incident’: “single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security”.

ISO 22301:2012 (ISO 22301, business continuity) provides the following definition for ‘incident’: “situation that might be, or could lead to, a disruption, loss, emergency or crisis”.

ISO standards commonly distinguish between an event and an incident on the grounds that an ‘event’ is something that may or may not be an incident. ISO 27000, for instance, describes an ‘information security event’ as an “identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that can be security relevant”.

High common level of security

The Directive does not provide a definition for this, which leaves the actual ‘level’ up to negotiation between Member States. As it also aims for significantly increased cooperation across borders within the Union, the Directive will be driven by cooperation between competent authorities and computer security incident response teams (CSIRTs). This should result in a general coalescence around a set level of security in line with the priorities and objectives of businesses in the common market, and will doubtless be subject to some degree of change depending on the threats to infrastructure and the impact of the Directive on the ability to do business.


[1] SANS ICS, “German Steel Mill Cyber Attack”, December 2014, https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf. For more information, see: Bundesamt für Sicherheit in der Informationstechnik, “APT-Angriff auf Industrieanlagen in Deutschland”, Die Lage der IT-Sicherheit in Deutschland 2014, 2014, www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf.

[2] William J. Broad, John Markoff and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay”, New York Times, January 2011, www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html.

[3] Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, Wired, March 2016, www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/.

[4] John Leyden, “Polish teen derails tram after hacking train network”, The Register, January 2008, www.theregister.co.uk/2008/01/11/tram_hack/.

[5] Directive (EU) 2016/1148.

[6] Alongside legislation such as the General Data Protection Regulation (GDPR) and the ePrivacy Regulation.

[7] Bundesamt für Sicherheit in der Informationstechnik, “Gesetz zur Umsetzung der NIS-Richtlinie”, www.bsi.bund.de/DE/DasBSI/NIS-Richtlinie/NIS_Richtlinie_node.html.

[8] National Council of the Slovak Republic, “Act of January 30, 2018 on Cybersecurity and on Amendments and Supplements to certain Acts”, January 2018, www.nbusr.sk/en/cyber-security/index.html.

[9] Commission Implementing Regulation (EU) 2018/151.

[10] Directive 2002/21/EC, Article 2(a).

[11] Derived from NIS Directive, Article 4(1).
