Implementation of the NIS Directive is described in these 4 top-level objectives, which will be achieved through the implementation of the set of 14 common security principles. Each principle describes mandatory security outcomes.
There will be support to help organisations implement the principles, which at this level may be sector specific. Support might typically be in the form of guidance or use-cases, but may also include services with particular certifications. In addition, there may be competent organisations who may wish to implement bespoke or tailored solutions that meet the objectives defined by the principles.
- Objective A. Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services
- Objective B. Proportionate security measures in place to protect essential services and systems from cyber attack
- Objective C. Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services
- Objective D. Capabilities to minimise the impacts of a cyber security incident on the delivery of essential services including the restoration of those services where necessary
A. Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services
A.1 Governance
Principle: There are appropriate management policies and processes in place to govern the organisation's approach to the security of network and information systems.
Explanation: Effective security of network and information systems must be driven by organisational management and corresponding policies and practices. There should be clear governance structures in place with well-defined lines of responsibility and accountability for the security of network and information systems. There should be an individual(s) who holds overall responsibility and is accountable for security. This individual is empowered and accountable for decisions regarding how services are protected. For small organisations, the governance structure can be very simple.
A.2 Risk Management
Principle: The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the delivery of essential services. This includes an overall organisational approach to risk management.
Explanation: There is no single blueprint for cyber security and therefore organisations need to take steps to determine security risks that could affect the delivery of essential services and take measures to appropriately manage those risks.
There is an expectation that organisations would take steps to understand the types of threats that might be relevant to them and share information about the threats facing them with appropriate authorities. This includes thinking about who might conduct an attack, or key single points of failure that need protection. Examples could include online attackers, ‘insider’ threats or accidental threats.
There should be efforts to seek an understanding of potential system vulnerabilities that the identified threats might attempt to take advantage of. This might include technical vulnerabilities, misuse of legitimate business processes or anything else that could impact the essential service.
There should be a systematic process in place to ensure that identified risks are managed and the organisation has confidence in the efficacy of the applicable mitigations.
A.3 Asset Management
Principle: All systems and/or services that are required to maintain or support essential services are determined and understood. This includes data, people and systems as well as any supporting infrastructure (such as power or cooling).
Explanation: In order to manage security risks to the network and information systems of essential services, organisations require a clear understanding of service dependencies. This might include physical assets, software, data, essential staff, utilities and so on. These should all be clearly identified and recorded so that it is possible to understand what things are important to the delivery of the essential service and why.
A.4 Supply Chain
Principle: The organisation understands and manages security risks to networks and information systems supporting the delivery of essential services that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where 3rd party services are used.
Explanation: If an organisation relies on 3rd parties (such as outsourced or cloud based technology services) it remains accountable for the protection of any essential service. This means that there should be confidence that the security principles are met regardless of whether the organisation or a 3rd party delivers the service.
For many organisations, it will make good sense to use 3rd party technology services. Where these are used, it is important that contractual agreements provide provisions for the protection of things upon which the essential service depends.
B. Proportionate security measures in place to protect essential services and systems from cyber attack
B.1 Service Protection Policies and Processes
Principle: The organisation defines and communicates appropriate policies and processes that direct the overall organisational approach to securing systems and data that support delivery of essential services.
Explanation: The organisation's approach to securing network and information systems that support essential services should be defined in organisational security policies with associated processes. It is essential that these policies and processes are more than just a paper exercise, and steps must be taken to ensure that the aim of the policy or process is effectively implemented.
Policies and processes should be well described and communicated. Steps should be taken to ensure that intended recipients understand the policy or process and are practically able to follow its direction. Policies and processes should be written with a clear understanding of the intended recipient community. For example, the message or direction communicated to IT staff will be different from that communicated to senior managers.
There should be mechanisms in place to validate the implementation and effectiveness of policies and processes where these are relied upon for the security of the essential service.
B.2 Identity & Access Control
Principle: The organisation understands, documents and controls access to systems and functions supporting the delivery of essential services. Rights or access granted to specific users or functions should be understood and well managed.
Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised. Verification of a user’s identity (they are who they say they are) is a prerequisite for issuing credentials, authentication and access management.
Explanation: It is important that the organisation has clarity on who (or what in the case of automated functions) is authorised to interact with the network and information system of an essential service in any way or access associated sensitive data. Rights granted should be carefully controlled, especially where those rights provide an ability to materially affect the delivery of the essential service. Rights granted should be periodically reviewed and technically removed when no longer required such as when an individual changes role or perhaps leaves the organisation.
Users, devices and systems should be appropriately authenticated and authorised before access to data or services is granted. For highly privileged access it might be appropriate to include approaches such as two-factor or hardware authentication.
Unauthorised individuals should be prevented from accessing data or services at all points within the system. This includes system users without the appropriate permissions, unauthorised individuals attempting to interact with any online service presentation, or individuals with unauthorised access to user devices (for example if a user device were lost or stolen).
B.3 Data Security
Principle: The organisation prevents unauthorised access to data, whether through unauthorised access to user devices, interception of data in transit, or accessing data that remains in memory when technology is sent for repair or disposal.
Explanation: Mobile devices will get lost or stolen from time to time. When this occurs, it is important that such loss does not lead to compromise of data stored on the device. Data at rest on the device would typically be protected either physically or through technical means such as encryption.
All technology and memory components should be managed through their entire lifecycle, including appropriately sanitising information from memory prior to sending technology for repair or disposal.
It is important to ensure that sensitive data is protected whilst in transit either by physically protecting the network infrastructure or preventing it from being read or interfered with via cryptographic means. This may mean using options such as an appropriate VPN for remote access or TLS when providing a web presentation of data or services.
B.4 System Security
Principle: Network and information systems and technology critical for the delivery of essential services are protected from cyber-attack. This includes minimising the opportunity for attack by configuring technology well, actively managing software vulnerabilities, minimising services available and controlling connectivity and physical access.
Explanation: Network and information systems must be protected from attacks that seek to exploit software vulnerabilities. Organisations should minimise the opportunity for successful attack by limiting software and associated permissions to those needed for legitimate functions. Software should be supported and up to date with security patches applied. Where patching is technically problematic there are other possible mitigations but these should be viewed as sub-optimal and care must be taken to ensure that they are effective.
It is important that arbitrary software cannot interact with network and information systems supporting essential services or access sensitive data. There should be control exercised over what software or apps can be installed, or user-installed software or apps should be technically prevented from interacting with services or data.
Steps should be taken to manage the risk of malware ingress through import of data via both network connections and any removable media used.
All hardware and software should be well configured, for example by disabling services that are not required and by changing default passwords.
Connectivity to, and interfaces/APIs presented by, systems critical to the essential service should be highly constrained. This minimises the opportunity for an attacker to discover and exploit any given vulnerability.
Devices and technical infrastructure should be protected from physical interference or tampering that could undermine the security of network and information systems.
For larger organisations with their own network infrastructure, steps should be taken to prevent unauthorised devices from accessing the network, for example by use of well configured corporate WiFi, device authentication and disabling network ports by default.
B.5 Resilient Networks & Systems
Principle: The organisation builds resilience against cyber-attack into the design, implementation, operation and management of systems that support the delivery of essential services.
Explanation: The services delivered by an organisation should be resilient to cyber-attack. In part this principle follows B.4 (the technical protection of systems), but in addition organisations should build resilience of service into their overall approach. This means that not only is technology well built and maintained, but consideration is also given to how delivery of the essential service is maintained in the event of technology failure or compromise. This might include additional contingency capability such as manual processes to ensure services can continue.
Organisations should ensure that systems are well maintained and administered through life. The devices and interfaces that are used for administration are frequently themselves the target for cyber-attack. Spear phishing campaigns remain a common method used to compromise management accounts. Preventing the use of management accounts for routine activities such as email and web browsing significantly limits the ability for a hacker to compromise such accounts.
B.6 Staff Awareness & Training
Principle: Staff are given appropriate support to ensure they can support the security of network and information systems of essential services.
Explanation: An organisation's staff should be considered the first line of defence. They should be given appropriate support, such as training and the correct policies, processes and technical tools, to discharge their roles efficiently without having to resort to unofficial IT or break defined rules.
C. Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services
C.1 Security Monitoring
Principle: The organisation monitors the security status of the networks and systems supporting the delivery of essential services in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.
Explanation: An effective monitoring strategy is required so that actual or attempted security breaches are discovered and there are appropriate processes in place to respond to them. Good monitoring is more than simply the collection of logs; it is the use of appropriate tools and skilled analysis to correlate events and discover anomalous activity.
This principle also indicates the need to provide effective and ongoing operational security. As time goes on new vulnerabilities are discovered, support arrangements for software and services change and functional needs and uses for technology change. It is important that security is considered a continuous activity and the effectiveness of the security measures in place is assured throughout the delivery and operational lifecycle of a system or service.
C.2 Anomaly Detection
Principle: The organisation detects anomalous events in the network and information systems affecting, or with the potential to affect, the delivery of essential services.
Explanation: There should be activity that aims to detect deviation from ‘normal’. This refers to technology, business processes and the operation of the essential service. The first challenge that must be addressed to meet this principle is taking steps to define what ‘normal’ is for the organisation. This might be in the context of access to sensitive data or the operation of the essential service. With a contextualised understanding of ‘normal’ the organisation should take steps to detect when activity falls outside of these bounds and take corrective action.
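The two steps C.2 describes, first defining what ‘normal’ looks like and then detecting activity outside those bounds, are shown below in an added example that is not part of the NCSC text. It learns a per-user baseline (hours of day, source networks, daily event volume) from a constructed window of access-log lines and then flags later events that deviate; the log format, the users, addresses and thresholds are all assumptions made for the example.

```python
"""Baseline-and-deviation detection (added illustration of Principle C.2).

Learns 'normal' per user from a constructed training window of access-log
lines, then flags later events that fall outside the learned bounds.
The log format "<ISO timestamp> user=<name> src=<ip> action=<what>" and
the thresholds are assumptions for this example, not a real product's.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$")


def parse(line):
    """Parse one log line into a dict; reject lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_baseline(lines):
    """Learn, per user: hours of day seen, source /24 networks seen, and daily event counts."""
    base = defaultdict(lambda: {"hours": set(), "nets": set(), "daily": defaultdict(int)})
    for ev in map(parse, lines):
        b = base[ev["user"]]
        b["hours"].add(ev["ts"].hour)
        b["nets"].add(ip_network(f"{ev['src']}/24", strict=False))
        b["daily"][ev["ts"].date()] += 1
    for b in base.values():
        counts = list(b["daily"].values())
        b["mean"] = statistics.mean(counts)
        b["stdev"] = statistics.pstdev(counts)
    return base


def detect(baseline, lines, sigma=3.0):
    """Return (line, reason) pairs for events outside the learned bounds."""
    alerts = []
    seen_today = defaultdict(int)
    for line in lines:
        ev = parse(line)
        b = baseline.get(ev["user"])
        if b is None:
            alerts.append((line, "unknown user: no baseline"))
            continue
        if ev["ts"].hour not in b["hours"]:
            alerts.append((line, f"hour {ev['ts'].hour:02d} never seen for {ev['user']}"))
        if not any(ip_address(ev["src"]) in net for net in b["nets"]):
            alerts.append((line, f"source {ev['src']} outside known networks"))
        key = (ev["user"], ev["ts"].date())
        seen_today[key] += 1
        limit = b["mean"] + sigma * b["stdev"]  # volume bound: mean + sigma * stdev
        if seen_today[key] > limit:
            alerts.append((line, f"daily volume {seen_today[key]} exceeds baseline limit {limit:.1f}"))
    return alerts


def _constructed_training_log():
    """Five weekdays (2024-03-04..08) of ordinary activity for user ops1; constructed, not real data."""
    hours_by_day = [[8, 10, 13, 16], [8, 10, 12, 13, 16], [8, 10, 13, 16], [8, 9, 10, 13, 16], [8, 10, 13, 16]]
    lines = []
    for day, hours in enumerate(hours_by_day, start=4):
        for h in hours:
            lines.append(f"2024-03-{day:02d}T{h:02d}:15:00 user=ops1 src=10.20.30.{5 + h % 2} action=hmi-login")
    return lines


# Constructed detection window for the following Monday: one event at an
# unusual hour, one from an unknown network, one user with no baseline,
# and enough ops1 events in the day to exceed the volume bound.
DETECTION_LOG = [
    "2024-03-11T08:20:00 user=ops1 src=10.20.30.5 action=hmi-login",
    "2024-03-11T03:05:00 user=ops1 src=10.20.30.6 action=hmi-login",
    "2024-03-11T10:00:00 user=ops1 src=198.51.100.7 action=hmi-login",
    "2024-03-11T10:01:00 user=contractor9 src=10.20.30.9 action=hmi-login",
    "2024-03-11T10:30:00 user=ops1 src=10.20.30.6 action=hmi-login",
    "2024-03-11T13:10:00 user=ops1 src=10.20.30.5 action=hmi-login",
    "2024-03-11T16:05:00 user=ops1 src=10.20.30.6 action=hmi-login",
]


def run_sample():
    """Build the baseline from the constructed week and run detection over the constructed Monday."""
    return detect(build_baseline(_constructed_training_log()), DETECTION_LOG)


if __name__ == "__main__":
    for line, reason in run_sample():
        print(f"ALERT {reason}: {line}")
```

Each alert names the bound that was crossed, which is the information an analyst needs to decide whether ‘normal’ has legitimately changed (a new contractor, a new site network) and the baseline should be updated, or whether corrective action is needed. The baseline here is deliberately simple; in practice it would be rebuilt on a rolling window and scoped to the sensitive data and service operations the organisation has identified as mattering most.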
D. Capabilities to minimise the impacts of a cyber security incident on the delivery of essential services including the restoration of those services where necessary
D.1 Response and Recovery Planning
Principle: There are well-defined and tested incident management processes in place that aim to ensure continuity of essential services in the event of system or service failure.
Mitigation activities are in place that are designed to contain or limit the impact of compromise.
Explanation: Incidents will invariably happen, so when they do organisations should be prepared to deal with those incidents and as far as possible have mechanisms in place that minimise the impact on the essential service. The particular mechanisms required will be determined by organisations for themselves as part of their overall risk management approach. Examples might include things such as DDoS protection, protected power supply, critical system redundancy, rate-limiting access to data or service commands, critical data backup or manual failover processes.
D.2 Improvements
Principle: When an incident occurs, steps must be taken to understand the root cause of that incident and take appropriate remediating action.
Explanation: If an incident does occur, it is important that the organisation learns lessons as to why it happened and, where appropriate, takes steps to prevent the same issue from reoccurring. The aim should be to address the root cause or seek to identify systemic problems rather than solely fix a very narrow issue; for example, to address the organisation's overall patch management process rather than just apply a specific missing patch.