Rethinking CNI’s long-term resilience as the new NIS 2 directive approaches

With the new UK Network and Information Systems (NIS) regulations launching in October 2024, intended to boost the whole CNI sector’s operational resilience and ability to manage cyber risk, Operators of Essential Services (OES) must be ready to take a proactive, structured, and auditable approach to security in order to achieve and maintain full compliance with the new legislation.

However, the resilience of CNI systems presents a number of singular challenges, all of which must be given careful consideration as we prepare for the new legislation’s official launch. Central to this, any downtime not only costs millions but can leave citizens without critical services and – in extreme cases – damage assets and put people at risk of injury.

As will become clear, this process is very much a journey rather than a one-off project, but with the support of trusted technology partners, it will help to ensure the critical services that citizens depend on remain secure and available, able to weather the most sophisticated attacks.

The following should be considered the first steps of this journey, not only in terms of achieving full NIS 2 compliance, but also for establishing a whole new standard of operational resilience across the UK’s entire CNI sector…

Identifying the hidden assets within CNI infrastructure

The OES must be able to provide details of what essential services, functions, systems, and sites, are within the scope of the NIS regulations.

Managing, monitoring, and updating legacy infrastructure, remains a vital element of cyber security best practice. However, CNI systems frequently include legacy OT assets that are deeply embedded and difficult to replace without unacceptable risk or disruption to critical operations. Unfortunately, this may only become apparent when the asset in question needs to be remediated and/or fails to restore after an update.

A proactive approach to the management and support of CNI OT systems is an essential component of NIS compliance. This should include monitoring tools that provide visibility of all assets and dataflows, and the ability to detect and alert security threats.

Fortunately, there are three references that support the journey:

• The Purdue Model. A well-established model for the segmentation of assets within ICS networks and the hierarchy of dataflows between them, based on four/five distinct ‘zones’.
• Cyber Assessment Framework. A structure and collection of outcome-based resources for organisations to follow, providing a reference guide to help build robust cyber resilience plans.
• IEC 62443. An internationally recognised standard for the security of control systems, and the cyber security lifecycle. There are numerous elements to this, but of particular importance is planning end-of-life support for any new assets introduced into a system.

A full audit of all assets, based on these three models, is therefore the first step towards secure CNI, ensuring all legacy infrastructure has been accounted for and factored into the design of the security ecosystem. This should not only cover the assets themselves, but also the data they generate, how the data is processed, stored, and disseminated, what data needs to flow through the iDMZ, and what data needs to be accessed through a secure gateway.

The increasing convergence of IT and OT means that physical security systems (i.e. cameras and locks) must also be factored into the auditing process, something that we will explore in depth in a future article.

Know your infrastructure, understand the threat landscape

The OES must take appropriate and proportionate measures to prevent and minimise the impact of a cyber incident.

The next step is the implementation of an Intrusion Detection System (IDS), which can then normalise dataflows across the entire infrastructure and establish a baseline, so any anomalies can be automatically detected. This doesn’t just mean security issues – it could also means planned maintenance, the deployment of new hardware, or elements of a specific project. Regardless of the cause, as soon as a deviation from the established baseline has been detected, the CSOC should receive an automatic alert.

This can then be expanded to draw on wider threat feeds, ensuring security teams are able to proactively secure against the very latest threats, and conduct rigorous post-mortem procedures after a validated cyber incident. Likewise, if the alert is a consequence of new assets being added or a network re-configuration, the IDS toolset can be used to establish a new baseline.

A systematic approach to testing and patching

In a heightened threat landscape, effective testing and patching is critical, but the OES must balance this against critical IT/OT systems’ unique operating models.

Once full visibility of all assets and dataflows has been established, it is time to prepare for the worst. With cyberattacks against CNI systems now a near-certainty, it is unfortunately a question of ‘when’ not ‘if’ a breach occurs, which means a proactive approach to maintaining the security of all physical and digital assets is essential.

While most organisations will already have some form of regular cyber security testing in place, default IT methodologies are not suitable for integrated IT/OT systems. For example, it is common to automate patching for IT systems, ensuring the latest security updates are implemented as soon as they become available. However, this represents a significant risk for critical, high-availability OT systems and an alternative approach must therefore be taken, with testing and patching carefully controlled and co-ordinated.

Threats and vulnerabilities must be categorised and prioritised on a ‘now’, ‘next’, and ‘never’ basis, supported by a rigorous bi-annual maintenance schedule, undertaken by a trusted third-party. Any partner undertaking such a role must be able to demonstrate proven experience in the convergence of IT and OT and the three methodologies discussed earlier, as well as the ability to supply UK NSV-cleared staff.

NIS 2 compliance and beyond – a unique model of operational resilience

Failure to comply with these obligations could result in enforcement action and penalties, including fines of up to £17 million, depending on the severity and duration of the non-compliance and the harm caused.

As the new NIS 2 fast approaches, CNI’s critical IT and OT systems need to evolve at pace. But as they do so, they must accommodate the operational complexity of high-availability systems and sector-specific constraints. When we give this deeper consideration, it becomes clear that the new NIS 2 is very much the latest step of a much longer journey. The decision-making involved – both now and in the years ahead – will be inherently complex, making the support of the right technology partner essential.

Contact us if you’d like to discuss anything we’ve covered here, and any other aspects of the new NIS 2 regulations before they come into effect. Our highly consultative approach and edge-to-core knowledge of OT and IT technology means that Vysiion are perfectly placed to support you on the journey to compliance and beyond.