The EU Network and Information Systems Directive (NIS Directive) became law in the UK in May 2018 via the NIS Regulations. To support the Regulations, the NCSC published the Cyber Assessment Framework (CAF), which provides guidance for organisations responsible for “vitally important services and activities”.
In the face of mounting concern that interlinked systems and networks, and the increasing connectivity between IT systems and industrial control systems (ICS), provide an avenue for cyber attacks, the Regulations aim to bolster cyber security and resilience within the critical infrastructure sector (“essential services” and “digital services”).
The net effect of the NIS Directive and the UK NIS Regulations is that operators of essential services and relevant digital service providers are required to keep their networks and information systems secure and to notify security incidents to their “competent authority” when they occur.
Regardless of geographical location, there are two CAF principles that every operator of critical infrastructure needs in order to defend its assets: C1 Security Monitoring and C2 Proactive Security Event Discovery.
C1 Security Monitoring: the organisation monitors the security status of the networks and systems supporting its essential functions in order to detect potential security problems and to track the on-going effectiveness of protective security measures.
C2 Proactive Security Event Discovery: the organisation detects, within its networks and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions, even when the activity evades standard signature-based prevent/detect solutions (or when standard solutions cannot be deployed).
In the UK there is no single competent authority. Instead there are a number of separate organisations, mostly existing industry regulators such as Ofcom and Ofwat – assisted by the National Cyber Security Centre (NCSC) – plus the Information Commissioner’s Office (ICO), which is the competent authority for relevant digital service providers. Each is responsible for overseeing compliance and defining rules in its own sector. This diversity in the definition of rules, standards and processes makes policing compliance a challenge.
The NCSC has published an introduction to the NIS Directive and guidance for critical infrastructure organisations, including guidance on principles C1 and C2. Their advice covers:
The same Cyber Assessment Framework (CAF) also underpins the audit, review and assessment activities carried out against these principles.
The Department for Digital, Culture, Media and Sport (DCMS) has asked the competent authorities (regulators) to take a cautious approach to enforcement initially, to give organisations affected by the NIS Directive time to digest the requirements and update their cyber security defences. See the DCMS guidance.
While fines under the NIS Regulations may in due course be severe, particularly for incidents that cause loss of life or actual physical harm, initially they should be more modest, especially where operators have “assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack”.
Huntsman Security has first-hand experience, through its Enterprise SIEM, of meeting the high security, real-time visibility and assurance requirements of critical infrastructure organisations. Our customers manage complex network structures, deal with extremely high data volumes and monitor a wide variety of data types and sources. The suitability of our technology for these highly critical environments is proven.