Cracking the code: How to manage critical infrastructure cyber security regulations
As societies rely increasingly on digital systems and networks to power essential services, the vulnerability to cyber threats of companies providing ‘critical infrastructure’ has been amplified. The potential disruption a breach could cause is significant, with sectors like energy, transportation, healthcare, and communication falling under this remit.
Governments worldwide recognise this and have therefore prepared (or are preparing) rigorous cyber security frameworks which these operators must abide by in their locality.
But knowing whether your company is considered a provider of national critical infrastructure or an essential service is not straightforward. According to Mick Flitcroft, Global Lead for Government Compliance Services at cyber security specialists NCC Group, the UK NCSC define it as “national assets essential for functioning society, such as those associated with energy, water, transportation, and similar” in the UK, but the definition varies by country.
This means that multinational companies, with their vast supply chains and global operations, face a unique challenge in ensuring compliance with regulations across their operating locations. Indeed, parts of the frameworks themselves are also “open to interpretation”, said Mick, making it more challenging to know whether a company qualifies.
Mick added: “Many companies face difficulties when trying to become compliant because they run devices and systems of vastly different ages, and the historical reliance on ‘airgaps’ between them to reduce risks is now changing as we move to IT/OT convergence and therefore new and emerging threats in a connected world. Trains five years ago were never connected; you’ve now got Wi-Fi on them.” This became particularly prevalent post-COVID when employees almost immediately required remote access to old systems in sectors such as power generation and transmission.
While all this can be overwhelming for your security, legal and risk departments, the most important thing you can do is educate and inform yourself about the frameworks in which you operate.
By understanding the details of each one, you’ll be able to build a compliance roadmap tailored to your business’s specific needs.
What are the main critical infrastructure cyber security frameworks to be aware of?
- NIS2 – EU
In December, the European Council’s Network and Information Security (NIS) Directive was updated to ‘NIS2’, and Member States under its remit have until October 17 2024, to adopt the new regulations. The 73-page document outlines necessary provisions on risk analysis, incident handling, supply chain security, cyber security training, and more. As well as providing new regulations, the European Council has extended the scope of NIS2 so that more sectors must abide by it. Notably, it now covers managed service providers (MSPs) such as IT outsourcing service providers.
- NIS – UK
UK businesses must prepare for the country’s own set of updated NIS protocols. These amendments have yet to be published, but it is known that the updated version will set more stringent incident reporting requirements and also apply to MSPs and flexible energy providers. It will also likely include data centre operators. The thresholds for being a regulated entity – e.g. the amount of energy generated by a power plant – will continue to be set by authorities specific to their sector.
- NIST Cybersecurity Framework – USA
The Cybersecurity Framework (CSF) from the US National Institute of Standards and Technology (NIST) holds firm. This was last updated in 2018, but companies in the USA should expect changes to come at some point this summer after a concept paper for CSF 2.0 was published in January 2023. The current NIST CSF is targeted at critical national infrastructure organisations, but the new version will likely make it more applicable to small businesses and higher education facilities. There will also be a significant focus on supply chain risk management and more guidance on measurement and assessment.
- SOCI – Australia
In Australia, amendments were made to the Security of Critical Infrastructure Act (SOCI) last year, which meant many businesses had to impose new measures as part of their Risk Management Programs. The sectors included under the scope of critical infrastructure were also expanded, and now include electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space tech, and the defence industry.
Does my business have to comply?
Despite the complexities involved, adhering to multiple cyber security regulations is important for businesses operating in different countries. Doing so helps protect sensitive data, mitigates cyber risks, and maintains the trust of customers, partners, and stakeholders. The number of threats large companies face is growing due to increased digitisation.
By implementing robust cyber security practices that meet or exceed the requirements of each jurisdiction, companies establish their commitment to data security and compliance, enhance their reputation and reduce the likelihood of regulatory penalties.
Each framework specifies which industries and geographies should follow it, but trying to comply with all of them at once is ‘almost impossible’, according to Mick. “We would always advocate starting with one framework at a time. What you can do from there is map to all your frameworks, so you don’t try and implement five frameworks all at once.” He added that “90% of the questions [that make up each framework] are the same, using a different order or slightly different names,” and therefore only minor tweaks are necessary to comply with more than one. Get the first one right and then the rest can follow.
Cyber security experts at NCC Group are aware of the commonalities across the frameworks and standards. They regularly work with their multinational clients to manage the regional and sectoral nuances that apply. After checking the appropriate regulations against the company’s current operations, they can recommend a comprehensive plan that will allow it to meet all its compliance requirements.
However, the process must be taken seriously by the company and “driven and championed from the top down,” Mick said: “Without an investment of time, effort and money, you’re just wasting time.” One of the most common things he tells businesses is to communicate the necessity of compliance to all their teams. This especially includes those who “will never talk about IT” and may worry about how changes will impact system availability.
He said: “Go into control rooms and you’ll see a shift password that hasn’t changed in five years and is used by 25 people. Processes are running 24/7, so you can’t just log off and log back in again because the process stops. You’ve got to adapt, and what we can do is ensure there are defensive depth measures, such as control access of the building, to mitigate the risk.”
How can my business remain compliant but spend effectively?
When thinking about how to allocate your company’s budget for becoming compliant with cyber security regulations, there are a few manageable steps you can take.
- Implement training and awareness programs for employees, who play a critical role in maintaining security. Providing them with the necessary knowledge is an efficient way of helping prevent costly security incidents and facilitate compliance.
- Invest in cyber security automation tools and technologies that streamline compliance processes. These can also help with monitoring IT systems, detecting threats, and reporting incidents.
- You do not have to do it alone. Consider partnering with external cyber security advisors who can conduct thorough security assessments and review all systems and networks. As well as being well-versed in all things cyber security for different operating locations, the advisors you choose should understand the challenges unique to different sectors, including energy, transport, and telecoms, and provide expertise tailored to your industry.
If you would like to learn more about how the updated regulations will impact your business, contact an NCC Group advisor here.
2 October 2023