On November 2016 United Kingdom published the National Cyber Security Strategy to address cyber threats from rogue nations like Iran, Russia, China, terrorists, states sponsored hackers and cyber menaces like ransomware against the national infrastructure.
On August 2017 UK government published a public consultation to improve United Kingdom essential services in electricity, transport, water, energy, health and digital infrastructure in accordance with the Directive of Security of Network and Information Systems (known as NIS Directive) in cooperation with the Member States within the European Union (EU).
The NIS Directive consultation covered six main topics that are the following: identification of essential services, national Framework to manage implementation, security requirements for operators of essential services, incident reporting requirements for operators of essential services, requirements on Digital Service Providers and proposed penalty regime.
The Directive comes into play to cover aspects of network security that are not present in GDPR. Regarding GDPR the Directive aligns itself with the deadline for the implementation.
It is important to notice that there are two major and distinct bodies inspecting the compliance of the NIS Directive, the Competent Authorities, and NCSC. NCSC stands for National Cyber Security Centre a part of GCHQ, while Competent Authority stands for Regulator Body defined in NIS Directive scope for different critical sectors. This division aims to allow NCSC to carry out its function in providing expert advice and incident response capability to cyber attacks.
The NIS Directive is established in a layered fashion with a mandatory security outcome to be achieved with each principle like the NIST Security Framework. This assures that the NIS Directive can be implemented throughout the whole industry regardless their sectors. The layered approach takes into account the implementation of the principles without discarding the actual infrastructure.
The NIS Directive is composed of 14 principles that can be divided into four major objectives: Management of security risks (Governance, Risk Management, Asset Management, Supply chain), Protection of cyber attacks (Service protection policies and processes, Identity and access control, Data Security, System security, Resilient Networks & Systems, Staff Awareness & Training), Detection of cyber security events (Security Monitoring, Anomaly Detection) and reduction of the impact of cyber security events (Response and Recovery Planning, Improvements).
The directive sets the scope for the identification of operators of essential services and significant disruptive effects that that may pose a threat to national security, the potential threat to public safety and the possibility of significant adverse social or economic impact. The NIS Directive lay the ground for a national framework where Government ensures that the Competent Authorities have the necessary legislative provision to accomplish their duties and the necessary resources to conduct their activities.
The penalty will only be applied once the operator of essential service fails to comply with the directive tacking into account these following criteria listed in article 14, Security requirements and incident notification: the number of users affected by the disruption of the essential service, duration of the incident and the geographical spread with regard to the area affected by the incident. The fine will be judged and decided upon the accordance with the proper measures that were not taken and nor implemented, with a maximum value of €17 million. There are some uncertainties if essential services providers can accomplish the implementation requirements of NIS Directive until May 2018.
About the author Luis Nakamoto
Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.
(Security Affairs – UK Government security measures, NIS Directive)