Implications of the NIS Directive for the industrial sector

On July 6, 2018 the NIS (Network and Information System) Directive was enacted as the first EU-wide legislation that provides measures to boost security across the region.

Under the law, operators of essential services and digital service providers are required to abide by the requirements of the new regulations. These are intended to provide a framework for countries and operators to strengthen the security of critical infrastructures and allied information systems. Any operator with 50 or more employees and/or a balance sheet of greater than €10 million must comply with the NIS Directive.

The law lists 14 cybersecurity principles that form the objectives of NIS, but each member country must develop its own regulations to achieve them.

Here are some of NIS’ best practices and guidelines complying with the legislation.

Asset management

All assets relevant to the secure operation of essential services are identified and inventoried, and the inventory is kept up-to-date. These assets are managed with cybersecurity in mind throughout their lifecycle.

This requires the ability to discover and map all industrial control system (ICS) devices and keep an up-to-date inventory of these assets — even those that aren’t actively communicating over the network. Operators should collect granular information on each device, including the firmware versions, PLC backplane configurations, and serial numbers.

Device management and server configuration

Dedicated devices are used for privileged actions, such as performing administrative tasks or accessing a service’s network and information systems. These devices are not used for browsing the web or email. An organization should perform regular scans to detect unknown devices and investigate any findings.

To accomplish the above, operators should implement policies limiting which specific devices can perform certain (privileged) actions such as a code or firmware download to industrial controllers. In addition, policies should mandate that certain devices not access the internet.

Organizations must also monitor and manage changes in the environment, ensuring that network and system configurations are secure and well documented.

This requires regular review and validation of network and information systems to ensure security setting and configuration policies are being enforced and in place. Only permitted software should be installed, and ordinary users must be prohibited from making any changes to devices.

Vulnerability Mmanagement

Organizations maintain up-to-date information on their exposure to publicly known vulnerabilities. This involves tracking the vulnerabilities for all software packages, network equipment, and operating systems — and prioritizing patches for all the above.

Organizations need to maintain a continuously updated list of the version numbers of all software and firmware installed on ICS controllers, and compares it regularly against a list of known vulnerabilities.

This should include the ability to assess ICS environments whenever new vulnerabilities are released using both network monitoring and active device queries to identify at-risk systems that require remediation. This includes the ability to map device firmware versions and associated CVEs and list open ports.

Monitoring coverage

Organizations monitor networks, operating systems, and devices to detect potential security threats that could affect their essential service/s. Common threats are malware, malicious emails, and policy violations by users.

This involves the ability to detect policy violations and suspicious or anomalous activity across internal and external hosts and networks.

Organizations should establish a baseline of network activity — which can be used to detect and alert on events that deviate from expected patterns. The baseline should be updated in real-time, using alerts exported by default to SIEM systems, where they can be used for data correlation between multiple sources.

Identifying security incidents and issuing alerts

Organizations identify routine security incidents, proactively search for system abnormalities indicative of malicious activity, and be able to issue alerts to all stakeholders in real-time.

First, organizations need to identify security threats in real-time. This can be accomplished with signature-based detection for known threats and looking for indicators of compromise to detect unknown threats.

While the NIS Directive’s requirements will be familiar to IT departments, they are likely to present new challenges for operational technology (OT) teams. In addition, traditional tools used in IT environments will lack the core capabilities to monitor and provide visibility into proprietary ICS devices.

As a result, bridging the IT – OT security gap is likely to be one of the major obstacles facing industrial organizations with it comes NIS compliance.

NIS compliance is a good first step for the industrial sector to address new security threats brought on by the demise of the traditional air-gap between OT environments and both IT networks and outside world. Like any legislation, it should be considered a starting point for achieving security, due to the dynamic of the threat landscape .

An ideal industrial security architecture will not only satisfy current NIS requirements, but should also be able to adapt to evolving threats and regulations. The ability to monitor both OT network activity and changes made to individual ICS devices will make this possible.