Inside LORCA’s Needs Accelerator: how utilities companies are approaching the NIS directive
LORCA’s core aim is to develop and scale promising solutions that keep industry and customers safe online. Helping innovators understand what the needs of industry are – and how their solutions align to those needs – is an important component of LORCA’s activity.
To that end, we’re running a series of Needs Accelerators, where we convene key players in specific industries and explore the nature of the challenges faced.
All these events apply the Chatham House Rule so the discussions are frank and open. This also allows us to make the key insights public for everyone to digest and respond to.
Most recently, we brought together representatives from the water, transport and energy sectors to talk about the challenges of boosting the cybersecurity defences of their respective sectors. Specifically, we asked them about how they’re approaching the implementation of the Networks and Information Systems (NIS) directive, which came into force in the EU in May 2018.
The NIS directive aims to boost network and information systems security across the EU. The cybersecurity requirements apply to two main groups:
- Operators of essential services (OES), including the health, energy, water and transportation sectors. Member states were required to identify OES by 9 November 2018.
- Digital service providers (DSPs), including search engines, cloud computing services and online marketplaces.
The UK’s National Cyber Security Centre (NCSC) has developed a Cyber Assessment Framework (CAF) that consists of 14 high-level security principles as well as Indicators of Good Practice (IGPs).
Given how critical their services are, identified OES must take appropriate and proportional measures to manage their security systems risks. If they’re found to be non-compliant, they could face penalties as high as £17 million (or 4% of a company’s global turnover).
5 key insights from our discussion
1. Checklist compliance or sound cyber resilience principles?
There was a consensus in the room that interpretation of the CAF is gravitating towards a checklist approach against IGP. The concern is that this could result in OES failing assessments under the CAF based on single indicators and individual requirements, rather than a full-picture assessment of how sound their cyber resilience principles are.
2. Assessment Framework is being interpreted differently
As an example, the voices in our discussions noted that CA tend to lean towards a bottom-up approach for understanding the complete asset inventory. In reality, this is a very challenging practical exercise that often takes many months, if not years, to complete. A top-down approach focusing on the assets that support critical business processes emphasises the resilience of delivering critical services. But beyond this, there are marginal gains to be achieved.
3. Infrastructure is becoming more connected, digitised and complex
With the increased digitalisation of devices, organisations are discovering that parts of their infrastructure that were once stand-alone are becoming connected. For example, water testing equipment is becoming part of the wider IT infrastructure.
This proliferation of devices means OES organisations are seeing the range of connected assets expanding, and this is happening over beyond the realm of traditional IT architecture. In response, companies are moving to a risk-based approach across the whole technology estate.
OES organisations are also seeing that they need to adapt their approach as they inherit legacy OT systems that have not historically needed basic security controls. Greater clarity from CA on what then constitutes a reportable incident would help, as would enabling board-level engagement in security across IT as well as OT assets.
For instance, a representative questioned about whether his organisation should report every single failure of a Programmable Logic Controller (which is used to operate water treatment machinery) would find this task very time-consuming since each treatment facility has tens of thousands of units.
4. NIS directive drives opportunities to share threat intelligence
OES are keen to use the incentive provided by the NIS directive for indecent reporting to open the door for further collaboration. In particular, the consensus was that there’s an opportunity to create a collaborative platform for sharing threat intelligence within and across industries. This platform could help from a nationwide response to threats on critical services.
There’s an opportunity to work more closely with regulators to identify any role they could play in supporting sector-wide threat intelligence, while still facilitating open sharing between the OES.
5. The door is open for CA to collaborate with OES
The final but resounding concern raised was the level of engagement between OES and their relevant CAs.
Across the sectors, OES are keen to collaborate more deeply and openly with their CAs to ensure the work they’re doing to comply with the NIS directive is strengthening the overall security positions of the country’s essential services. There was also a consensus view that closer collaboration across the CAs would bring about benefits to critical services on a national level.