THE NIS DIRECTIVE – THE NEW CYBERSECURITY RULES YOU PROBABLY HAVEN’T HEARD ABOUT.

Cybersecurity has risen up the agenda in recent months, especially with the coming into force of the General Data Protection Regulation. However, unnoticed even by many in affected industries, another piece of EU legislation has come into force – the Networks and Information Systems Directive, or NIS Directive. Philip Corner, Project Manager – Industrial Cyber Security at Cougar Automation, explains why it matters, and why it’s been so low-profile.

The size of the threat

When most people think of cyber-security threats, they usually think of threats to personal data. After all, the stories which attract most attention are those in which privacy has been violated, as seen with Cambridge Analytica’s harvesting of Facebook profile data.

But cyber-attacks also pose a major threat to critical national infrastructure, the operation of almost all of which is underpinned by computer systems.

“We’ve seen GDPR attract a lot of attention, but the NIS Directive is potentially just as consequential. Cyber-attacks on national infrastructure are not the thing of sci-fi anymore, but are a real and ever-present threat,” explains Philip Corner.

A taste of this came last year, when a number of NHS hospitals and GP surgeries were hit by a ransomware attack, barring access to files, including patient data records, unless they paid the hackers. It’s not clear whether any patient data itself had been compromised, but the attack still resulted in cancelled appointments for many and a great deal of panic for patients and hospital administrators alike.

Industrial systems are also increasingly coming under threat from cyber-attacks. A report by EEF this April found almost half of manufacturers have faced a cyber-attack, and in half of those cases their cyber security systems were unable to prevent financial damage to the business. The report also highlighted that industrial control systems are more frequently coming under attack.

This is why the EU has also chosen to act, through the NIS Directive, to require operators of critical infrastructure to have robust cybersecurity systems in place.

Low awareness

Under the new rules, water supply companies, rail operators, road authorities, port authorities, aviation firms, suppliers and distributors of oil, gas or electricity, the NHS and suppliers of internet infrastructure will all have to take appropriate and proportionate security measures to manage risks to their network and information systems. Systems will be subject to independent audit, and a large fine can be levied for having inadequate protections in place, even if no attack has taken place.

Yet despite the potential financial and reputational cost of failing to comply, many operators of essential services have been slow to respond, and have not updated their systems – even though the new rules came into effect on 9 May.

Asked about this, Philip Corner explained that: “Complacency has been a big issue. While we’ve had data protection rules for a long time, these rules are new, and previously the attitude of most firms seemed to be to simply hope for the best – but not to prepare for the worst.”

He further explained that often it is the largest firms that are most complacent, as they already have substantial in-house teams, whose expertise tends to lie in enterprise IT rather than operational technology. This means that, as the line between information technology and operational technology systems blurs, experts from both fields increasingly need to collaborate closely to address potential threats.

Taking action

With the directive coming into force, Cougar Automation’s expertise in this area means it is ideally positioned to help companies and organisations manage this critical business risk. But the response is still very variable.

“Oil and petroleum handling businesses were the first to come to us seeking advice to meet the new standards. But in many critical sectors, there has been little interest.”

Cougar Automation has helped clients by drawing on its extensive experience to help them design and implement systems, policies and procedures which meet the new cyber security requirements – and in some cases, go beyond.

“We have a lot of experience improving the security of customers’ operations and in many of the relevant sectors affected by the NIS directive: water and waste water, oil & gas, energy, infrastructure and transportation to name a few. We are already working with several clients to tackle the challenges they face, but there is no doubt that many of those affected simply are not ready.”

The opportunity

Complying with the NIS Directive might be seen as a burden by many businesses, but as research from EEF has shown, there are also opportunities.

For example, many businesses are finding that their potential customers are demanding information about the strength of their cyber security systems before they buy – 59% of manufacturers have been asked to demonstrate this, according to EEF.

And in practice, with the NIS Directive coming into force, it’s not just the operators of nationally significant infrastructure that will need to ensure they have robust systems – but also in all likelihood anyone who wishes to work with them.

There is also the substantial opportunity to reduce the financial impact of cyber-attacks, if the NIS Directive is effectively implemented. Recent research has found the financial impact of each individual attack has grown, but that cyber security enhancements produce a substantial return on investment for companies which make those investments.

Getting to grips with this challenge is something from which every industry, and the UK as a whole can benefit – and Cougar Automation is playing its part.
