The EU directive on the security of Network and Information Systems (NIS) was approved in August 2016, giving member states 21 months to embed the directive into their respective national laws. The directive became UK law in May this year and all organizations deemed ‘Operators of Essential Services’ (OES) must have complied and will do so from this date forward – if they fail they could face a fine of up to £17m.

A matter of vulnerability management

With the directive now in place, each state needs to ensure the continuity of their essential services besides any cause that could affect the networks and information systems enabling  those critical infrastructures. What this really means is that those services need to improve not only their resistance to cyber attacks, but their resilience which refers to the ability to continuously deliver the intended business objective despite adverse cyber events.

Critical infrastructures – example transportation systems

Critical infrastructures, like energy, health, finance and transportation, share one common prerequisite: they mostly consist of converged technologies. It is this interdependency of industry control systems (ICS) and IT systems that increase the attack surface drastically. A major element of resilience as I mentioned above, then, is to minimize the attack surface of the overall infrastructure by identifying vulnerabilities which could be exploited by an adversary. So far, so good. But how do organizations tackle this?

We have outlined information on steps organizations need to take to address their vulnerabilities – taking into account their business needs at all times. The first issue in a series of whitepapers to come from us looks at the systems and processes of the transportation industry. In the light of the new EU directive, how can internal security guidelines be changed due to the new regulations?

Learn more: Download our Whitepaper ‘Sustainable Cyber Resilience for Critical Infrastructures – Transportation Systems and Networks’ here for free.