Essential services to get new cyber regulator

NCSC publishes guidance for organisations providing essential services to meet with demands of Network and Information Systems Directive

Organisations providing essential services are to be given a reporting system and subject to a new regulator to strengthen their cyber security.

The Department for Digital, Culture and Sport (DCMS) has announced the moves in preparation for the implementation of the Network and Information Systems (NIS) Directive in May of this year, along with the publication of guidance on complying with the directive by the National Cyber Security Centre (NCSC).

'cyber attack' on screenThe DCMS said the measures will apply to critical industries – including healthcare, transport, energy, water and digital infrastructure – and should ensure they are equipped to deal with the increasing number of cyber threats.

It said a simple reporting system will be set up to make it easy to report cyber breaches and IT failures so they can be quickly identified and acted upon. As well as possible cyber attacks, it will cover other IT threats such as power outages and hardware failures.

Any incidents would have to be reported to the regulator, who will assess whether the appropriate security measures were in place. It will have the power to issue legally binding instructions to improve security and impose financial penalties.

When the DCMS first announced plans for the directive last August, it said that organisations shown to be failing to comply could be subject to fines of up to £17 million – but that they would be a last resort.

Four objectives

The guidance is based on four objectives: managing the security risk; protecting against cyber attack; detecting cyber security events; and minimising the impact of cyber security incidents.

Each of these is subject into a handful of principles then a number of measures to fulfil each one. For example, the principles under the objective of protecting against cyber attack comprise service protection policies and processes, identity and access control, data security, system security resilient networks and systems, and staff awareness and training.

It then provides guidance at a more granular level. For example, it says that the logging and collection of network data systems, along with analysis tools and threat intelligence, should prioritise the network assets and systems. It should take in sources include website traffic going to the internet, email traffic, IP connections between a network and the internet, and netflow from the IT or operational technology boundary.

The measures should also address other security and intelligence requirements outside the scope of the NIS Directive, such as the protection of personal data and general network performance.

More clarity

The guidance has been developed from a consultation with industry on how to implement the directive. DCMS said the new legislation will be made clearer for companies to know whether they have to comply.

Minister for Digital and the Creative Industries Margot James said: “We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services.

“I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”

Image from iStock/matejmo