Cybersecurity: NIS2 is the EU's response to the new threat landscape
The forthcoming EU NIS2 Directive aims to raise levels of cybersecurity and secure infrastructure and critical services against disruptions and cyber threats through a high, uniform level of cyber and information security across the EU. Indeed, the systems that underpin the delivery and availability of basic societal functions are increasingly targeted for attack by criminals, terrorists, and even hostile powers. But while the directive will take up some management resources, it should be seen as a useful tool.
On 10 November 2022, the NIS2 Cybersecurity Directive was adopted by the European Parliament. After final adoption by the Council, the Directive must be implemented in Danish law within 21 months of its entry into force - i.e., in autumn 2024.
Morten Eeg Nielsen, the co-author of Denmark's first national Cyber and Information Security Strategy, describes NIS2 as a directive aimed at securing infrastructure and critical services against disruptions and cyber threats through a high, uniform level of cyber and information security across the EU.
"The directive is an update of NIS1, which we got at the same time as GDPR, but NIS1 was not harmonized enough within and across member states. The focus of the NIS2 Directive is the availability of services that are important to society - including, of course, energy and utilities - and the requirements of the Directive must ensure that the delivery of these services to society can be maintained," says Morten Eeg Nielsen.
NIS2 can be of great help
The NIS2 Directive requires security measures and contingency plans to be put in place to eliminate and correct weaknesses in systems and procedures, based on risk assessments across the organization. This is an extensive process that will involve the whole management team and will include risk assessment of, for example, IT, OT (Operational Technology), and external suppliers, which will inevitably require a lot of resources.
"The good thing is that NIS2 can be very helpful because the requirements aim to ensure the availability of the service, which is already important for energy companies," says Morten Eeg Nielsen.
"Strategically, this is far from new for companies. It supports the culture that already exists in organizations, where the security of supply is simply their license to operate. But the NIS2 Directive goes in and imposes tougher requirements for protecting the availability of services. And compared to NIS1, it is clearer who is covered and how. It is also clearer how it is supervised and what the possible sanctions are."
Cybersecurity must be combined with physical security
The original Directive identified seven sectors as important for society. Then came Corona and the invasion of Ukraine, and it became clear how dependent our highly digital society is on many different sectors. Therefore, the criterion for importance was extended from seven to 18 sectors, among them waste management, drinking water, wastewater, and energy, all of which belong to the Danish utility sector.
"Cybersecurity is obviously very important, but it cannot stand alone - there must also be physical security. That's why, in parallel with NIS2, there is a kind of sister legislation, CER, which stands for Critical Entity Resilience. Because even if you spend 10 million protecting cybersecurity, it's not worth much if there's a rusty padlock that you can break with bolt cutters and then come in and kick the servers - because then the whole thing will collapse anyway," says Morten Eeg Nielsen.
"That's why you have directives for both, NIS2 for cybersecurity and CER for physical security in more or less the same sectors. Therefore, when NIS2 is to be implemented, it will make the most sense to think of it together with CER in the strategies of utilities."
Safety first for production and distribution
As mentioned above, the NIS2 Directive covers many more sectors than its predecessor NIS1. Under each sector, the areas concerned are further defined, and the definitions are broad. For example, under electronic communications, the definition covers fiber, copper, Wi-Fi, radio, telecommunications, and satellite. In addition, the Directive covers any device or connected device that processes data automatically, i.e., routers, computers, and any digital data that is stored, processed, retrieved, or transmitted.
For utilities, criteria are set for what is most important for the delivery and availability of each service, i.e., primarily the systems associated with generation and distribution. A little further down the hierarchy of importance may be, for example, the HR system, where non-payment of salaries may affect operations.
Management responsibility must be taken seriously
"All areas must undergo a thorough risk assessment, after which the relevant security measures must be implemented. This is the responsibility of management, and most managers understand a lot about business risks, but now they also need to understand cyber risks. This responsibility must be taken very seriously, as failure to comply with the Directive could, in the extreme, result in those responsible being banned from running the business. Therefore, all managers involved are required to take courses in cybersecurity and risk assessment," explains Morten Eeg Nielsen.
"Among other things, management must learn to understand risks based on uniform criteria, so that efforts can be prioritized where the cyber and operational risks are highest. It is important that money is not just thrown into a big hole called security. Money should be prioritized where the utility gets the most security for the money available because there will always be limited resources," says Morten Eeg Nielsen. He estimates that supplier relations and emergency measures will be areas of focus.
Crucial to have a contingency plan that works
While GDPR is mostly about the risks and rights of the individuals whose data is collected and processed, the NIS2 Directive addresses the risk to society if critical services are affected and become unavailable. This means, among other things, that the operational aspect will be given a special emphasis and that not only IT but also OT will be included in assessments and actions - operational technology being, for example, computer-controlled pumps, robots, or other hardware.
"In cyber attacks, it can take 100 days before you realize you've been hit. And when it comes to business continuity, backup, recovery, and crisis management, having a contingency plan that works is crucial. It shouldn't be 20 pages long, but an action card that everyone can understand and act on, even if you're new to the field," explains Morten Eeg Nielsen.
"How do we practice? How do we test to make sure it works? How do we test our backup? All these things need to be included in the risk assessments because, in the event of an attack, they suddenly become necessary for services to be maintained. On the supplier side, it's not just about being able to get the materials or energy sources needed, but also about which suppliers can affect the security of each service. This will be a big challenge because in general we have not been used to thinking about supply chains in this way."
It also means that an issue such as security of service availability becomes a natural part of utilities' dialogue with suppliers, and in some cases, it will make sense to draw up contingency plans with suppliers.
The importance of an appropriate model for supervision
The Directive will also focus on basic security measures such as training, staff security, action management, and asset management, as well as secure communication plans and emergency communications. Information sharing is not just about reporting the number of incidents and data breaches in a specific period, but also about sharing knowledge to help others avoid being affected.
To meet the cybersecurity and preparedness requirements of NIS2, utilities and public authorities in general will need substantial resources and technical skills. Morten Eeg Nielsen also stresses the importance of creating an appropriate model for overall ministerial (ressort) responsibility and oversight.
"Potentially it could end up with 18 authorities supervising at 18 different times in 18 different ways. I think it is crucial for the implementation that we do it smartly and that we have more centralized supervision with fewer units so that we are not drowned in supervision," says Morten Eeg Nielsen.
We need to get security right now
Although the sectors and companies covered by NIS2 have 21 months to catch up and be ready to fully comply with the Directive, Morten Eeg Nielsen says they should not wait a second to start implementing.
"My recommendation is: start implementing NIS2 now! What the Directive is supposed to protect against will not wait 21 months to become a reality. Most of it is something utilities should be doing already, and it makes so much sense in a world where both Corona and the Ukraine war have shown how vulnerable we are. The next conflict is probably just around the corner, and as we are extremely digitalized, we are also extremely open to attacks and potential threats, so we need to get security right now," says Morten Eeg Nielsen.
Call for professionals with cybersecurity knowledge
However, according to Morten Eeg Nielsen, the lack of competencies and of professionals with knowledge in the field may well become a bottleneck in the practical roll-out. One reason is that not enough people are currently trained in cybersecurity; some are being trained, for example at the Centre for Cyber Security, but by all accounts there will be a shortage of them.
"You just have to go out and steal them and get them employed in your utilities because you're going to need them. This will be one of the many challenges of NIS2. However, you should not see it as a burden, but rather as a useful tool to help you reach a level of security sufficient to protect your own service and thus the well-being of society," says Morten Eeg Nielsen.
Cyber terrorism, and even cyber 'mischief', can be calamitous when it comes to society's use and provision of services. The NIS2 Directive is designed to ensure that key services, particularly energy and utilities, remain functioning and available to the public. It is no doubt a big undertaking and resource-heavy, but what is the price of failing to act and prepare? An overarching cyber and information security directive that mandates protective measures, the identification and correction of weaknesses, and contingency plans where required should not feel in any way optional. The stakes are simply too high and the potential damage too costly.
Morten Eeg Nielsen has presented a strong and clear case for the critical and immediate importance of cybersecurity in a fast-moving and often tumultuous world of disruption and conflict. Effective strategies to devise and deliver proper cybersecurity are a fact of life, and prevention will always be better than turmoil, crisis management, and gradual recovery.
In November 2022, a conference on how the energy crisis and utility strategies are now among the biggest challenges for all companies was held at the Danish Parliament. To get all the valuable insights from this conference, feel free to download the magazine, which contains everything you need.