Governments on both sides of the Atlantic are concerned about an increase in cyber attacks targeting critical infrastructure, such as power supplies, technology service providers, and road and rail networks. Such attacks might be carried out for financial gain, but attacks on critical infrastructure are more likely to be politically motivated.
There have already been numerous examples of cyber attacks that were most likely state-sponsored and intended to embarrass targets or damage their economy. Russia has been implicated in a number of these incidents, including the attack during the opening ceremony of the 2018 Winter Olympics in Pyeongchang and the much-discussed interference during the 2016 US presidential election.
These attacks were certainly damaging – although to different degrees – but there’s no doubt that an incident affecting critical infrastructure would cause more immediate and lasting damage. Millions of people’s quality of life would be affected, there would be health concerns and the economy would suffer.
Ciaran Martin, the chief executive of the National Cyber Security Centre (NCSC), has said that it is a matter of “when, not if” the UK suffers a catastrophic cyber attack. Similarly, the US Computer Emergency Readiness Team (US-CERT) has issued warnings about potential attacks on critical infrastructure.
EU regulators have been concerned about the threat to critical infrastructure for a long time, and introduced a law in 2016 to help protect essential services: the Directive on security of network and information systems (NIS Directive).
It required each EU member state to transpose the Directive into its national law by 9 May 2018.
The Directive applies to two groups. The first, operators of essential services (OES), includes the health, energy, water and transportation sectors. The second, digital service providers (DSPs), covers online search engines, cloud computing services and online marketplaces.
Organisations within the NIS Directive’s scope must:
- Take appropriate technical and organisational measures to secure their network and information systems;
- Account for the latest developments and consider whether their systems are potential targets;
- Take appropriate measures to prevent and minimise the impact of security incidents, and to ensure service continuity; and
- Notify the relevant supervisory authority of any security incident that has a “significant impact” on service continuity.
You can learn more about the NIS Directive by reading our free compliance guide. It provides further information on the Directive’s requirements and explains the UK government’s implementation approach, which organisations are in scope of the NIS Directive, the proposed security requirements and how you can implement them.