Assets or systems of considerable importance are known as critical infrastructures. A disruption or failure of the services they provide has substantial ramifications for public safety and for the coverage of basic living needs. Critical infrastructures are on the front lines of ensuring the health and safety of millions of people; these organisations should therefore take extra measures to protect their security and privacy.
In August 2016, the first piece of EU-wide cyber security legislation came into force: the Directive on security of network and information systems, also known as the NIS Directive. NIS aims to enhance cybersecurity across the EU by setting out security measures that raise the overall level of cybersecurity of critical infrastructures (operators of essential services and providers of digital services), and by ensuring Member States' preparedness by requiring them to be appropriately equipped. Since it was first published, the cyber security threat landscape has changed dramatically. Digital transformation has become a well-known concept worldwide, and many organisations are adopting new strategies and models. New threats have been introduced; varied and complex attacks are conducted frequently against the EU's critical infrastructures, and cybercrime has become increasingly monetized. In addition, the defence perimeter has widened, so critical infrastructures must face more cyber threats and implement new solutions and technical measures to avoid disruptions.
To address the emerging threats posed by digitalisation and to strengthen the security requirements, the Commission has proposed to reform the NIS Directive. At the time of writing, the proposal for the directive is in draft, and the final document is expected to be published very shortly. In contrast to its predecessor (NIS), the NIS2 Directive extends its scope by including new sectors (medium and large companies) based on their importance to the economy and society. The proposed NIS2 Directive suggests abolishing the distinction between (i) operators of essential services and (ii) important services as defined below:
Apart from the upcoming NIS2 Directive, a new standard was released this year: ISO/IEC 27002:2022. The standard is a collection of information security guidelines that assist organisations of all sizes in implementing, maintaining and improving their information security management, and in achieving compliance, by providing hundreds of potential security controls. Critical infrastructure entities must continuously put more effort into detecting, preventing and mitigating threats, focusing on the effectiveness of security controls and capabilities, not just on verifying that they exist. The technical and organisational controls defined in ISO/IEC 27002:2022 can be implemented in different critical infrastructure sectors regardless of their business activity and the services they provide. The 2022 revision of the standard also introduces cybersecurity concept attributes (identify, protect, detect, respond and recover). Its 93 security controls are divided into the following four categories:
- Organisation controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
The three most impactful controls that can help critical infrastructures achieve compliance with the upcoming EU regulation (NIS2) are as follows:
Secure Coding: Software is created by a growing number of businesses; therefore, defective code can lead to severe vulnerabilities (e.g. the absence of input validation can lead to XSS attacks, SQL injection, etc.). Secure coding principles should be applied while developing software, as described in technical control "8.28 Secure coding".
Threat Intelligence: Identifying potential risks is one of the most important components of securing services and assets. Each threat identified as a risk can be quantified and mitigated, and information about potential risks should be gathered and analysed as part of organisational control "5.7 Threat intelligence". The control takes into account operational, tactical and strategic threat intelligence.
Information security for use of cloud services: Businesses are quickly transitioning to cloud infrastructures, and organisations frequently believe that the cloud service provider bears most of the information security risk. The control (organisational control "5.23 Information security for use of cloud services") states that the obligations of the company and of the cloud service provider must be precisely outlined. Furthermore, applying an extra layer of cloud technical measures could prevent various cyber threats and attacks that often lead to lost revenue and have a negative effect on the organisation.
The following table presents a high-level mapping of ISO/IEC 27002:2022 controls against the key NIS2 security requirements prescribed in the draft. Organisations that fall under these two regulatory regimes (important and essential entities) should demonstrate compliance with the security requirements set out in the articles below; otherwise, they will face penalties as proposed in Article 33 of the proposal.
| NIS2 Article # / Requirement | ISO/IEC 27002:2022 Control(s) |
|---|---|
| Article 17 | 5.1 Policies for information security |
| | 5.4 Management responsibilities |
| | 6.3 Information security awareness, education and training |
| Article 18 | 5.19 Information security in supplier relationships |
| | 5.20 Addressing information security within supplier agreements |
| | 5.21 Managing information security in the ICT supply chain |
| | 5.22 Monitoring, review and change management of supplier services |
| | 5.23 Information security for use of cloud services |
| | 5.24 Information security incident management planning and preparation |
| | 5.25 Assessment and decision on information security events |
| | 5.26 Response to information security incidents |
| | 5.27 Learning from information security incidents |
| | 5.28 Collection of evidence |
| | 5.29 Information security during disruption |
| | 5.30 ICT readiness for business continuity |
| | 5.36 Compliance with policies, rules and standards for information security |
| | 6.8 Information security event reporting |
| | 8.8 Management of technical vulnerabilities |
| | 8.20 Networks security |
| | 8.21 Security of network services |
| | 8.24 Use of cryptography |
| | 8.25 Secure development life cycle |
| | 8.26 Application security requirements |
| | 8.27 Secure system architecture and engineering principles |
| | 8.28 Secure coding |
| | 8.29 Security testing in development and acceptance |
| | 8.30 Outsourced development |
| | 8.31 Separation of development, test and production environments |
| | 8.33 Test information |
| | 8.34 Protection of information systems during audit testing |
| Article 19 | 5.21 Managing information security in the ICT supply chain |
| Article 20 | 5.5 Contact with authorities |
| | 5.24 Information security incident management planning and preparation |
| | 5.25 Assessment and decision on information security events |
| | 5.26 Response to information security incidents |
| | 5.27 Learning from information security incidents |
| | 5.28 Collection of evidence |
| | 6.8 Information security event reporting |
| Article 26 | 5.14 Information transfer |
As mentioned above, the directive is only a breath away from publication of its final text, and no significant changes are expected to the proposed security requirements included in the draft proposal.
It is expected that the controls of ISO/IEC 27002:2022 will be adopted and implemented by many organisations that fall under NIS2, enabling them to reinforce their line of defence in a constantly evolving digital environment.
Author: Vassilis Papachristos, Senior Information Security & Data Privacy Consultant