It Matters: The EU Gets It Right with its Network and Information Security (NIS) Directive

By Damon Tompkins

Cyber security is one of the most pressing issues of our time; many consider it to be as big a threat to society as terrorism.

When you take into account that a breach within a critical sector could adversely impact mass populations, the need for prevention, protection, risk mitigation, and recovery is crucial. Those sectors range from Energy (suppliers, operators, distributors, and transmitters of oil and gas) to Transportation (airlines, airport managing bodies, rail transport operators, and ferry and freight transport operators), Financial (banks, credit, trading), Health and Drinking Water supply (hospitals, surgeons, and suppliers and distributors of water), Digital Infrastructure (digital exchange points), and more.

As far back as 2012, then US Secretary of Defense Leon Panetta warned, “The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.”

And because so many of the systems, services and networks involved are interconnected across international borders, governments and industries need to collaborate to minimize risks and safeguard their citizens.

“In the case of a malware attack, we’ve seen that it takes only 24-48 hours before secondary systems become infected,” said Joseph Carson of Thycotic, an expert in enterprise privileged account solutions. He pointed to the 2007 cyber attacks in Estonia, which swamped the websites of Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters, as a micro-preview of what could happen.

After all, had the same happened in Holland and involved Rotterdam, the largest port in Europe, the entire continent would have been affected.

And when you consider that the Estonian attack was likely prompted by a disagreement with Russia about the relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker, it clearly doesn’t take much to spark big trouble.

Especially in an increasingly interconnected, interdependent Europe.

So it is with great wisdom that earlier this year the European Union (EU) Council took an important step forward when it approved the Network and Information Security (NIS) directive, which lays down security obligations for operators of essential services and requires EU member states to designate one or more national authorities to establish a strategy for dealing with cyber threats.

The initiative takes effect this month.

As individual EU members and infrastructure providers consider their strategies, it is critical that they review their policies, practices and applicable technologies. Since nearly all high-profile breaches, ranging from the NSA breach by Edward Snowden to the South Korean Credit Bureau breach to the Ukraine power grid attack, were rooted in privileged accounts, a strategy around safeguarding and managing access to these accounts is crucial.

A sound strategy, at the very minimum, should include:

  • A means to automatically identify and understand the scope of privileged account risk
  • A comprehensive solution for protecting and remediating privileged credentials against cyber attacks
  • Continuous monitoring, recording and secure management of privileged accounts and administrator access
  • A least privilege, secure endpoint strategy
  • Endpoint security and application control for Windows and Unix
  • A means to remove admin privileges from business and IT users while automating privilege escalation for approved applications

European Union member states now have two years to design their strategies and national programs around protecting their essential infrastructures. They will then be allowed an additional six months to identify affected operators.

This is an important and critical initiative, according to Carson. “Proactive planning and action is crucial,” he said, calling for transparency, coordinated investigations and notifications, and prevention.

“We know that cyber criminals have attempted to breach our infrastructures, so the intention is there,” said Carson. “But if we take the right steps, we can keep the intent from becoming a real cyber catastrophe.”

Source: Thycotic