
The purpose of the NIS Directive is to make providers of essential services work with security in a risk-based way. This entails, among other things, an obligation to report incidents and a duty to work continuously, in a structured and methodical manner, according to accepted standardised frameworks. Security analyses and the resulting action plans must also be documented and followed up annually. How is this work progressing in your organisation? Have you started working towards compliance with all of the requirements?

The background and purpose of the NIS Directive

Digitisation not only enables business opportunities but also creates more attack vectors against business information and systems. In recent years the number of cyberattacks has increased substantially, and behind them are not only criminals and hackers but also state-sponsored actors with great endurance and substantial resources.

In response to this development, the EU adopted the NIS Directive (Directive (EU) 2016/1148 on security of network and information systems) in 2016, a directive that each member state transposes into national law. The purpose of the directive is to establish a common level of security in the digital world; a standard that protects the infrastructure on which our society and our economy are built.

Which companies are affected by the NIS Directive?

The directive requires designated providers of essential services, as well as certain providers of digital services, to take security measures to manage risks and incidents in their network and information systems. If your organisation provides essential services in the sectors of energy, transport, banking, financial market infrastructure, healthcare, drinking water supply or digital infrastructure, then you are likely to be covered by the NIS Directive and need to follow its rules.

Has your organisation started the work required by the NIS Directive?

The NIS Directive imposes several requirements on the organisations concerned, including the following:

  • The organisation has an obligation to notify the supervisory authority that it is covered by the NIS regulation
  • The organisation must continuously work with information security in a structured and methodical manner according to accepted standardised frameworks (the ISO/IEC 27000 series or equivalent)
  • The organisation must take appropriate security measures
  • The organisation shall document security analyses and the resulting action plans and follow them up annually
  • The organisation has a reporting obligation in the event of incidents

How is this work progressing in your organisation? Do you know how to go about conducting security assessments and choosing appropriate security measures?

We can help you comply with the NIS Directive

Advenica has long experience of analysing the security of solutions and products with the specific purpose of identifying the countermeasures needed to ensure stability. We can help you ensure that the data and critical information you own and manage is well protected.

When you start working with security protection, the first step is to carry out a security protection analysis. Identifying the most important information assets of the business also identifies, in order of priority, the measures that need to be taken. A good way to do this is to use our risk and security analysis.

With the business in focus, this analysis gives you a comprehensive picture of the digital business flows, with the aim of realising the value chain's potential and identifying opportunities for cost savings, while ensuring protection against unauthorised access to systems and information as well as compliance with laws and regulations.

The analysis gives you an overview of cyber security in the company's business context. You get suggestions on approaches and priority areas to work on to reach your full digital potential, today and tomorrow. In this way you can ensure that you meet the NIS Directive's requirements regarding security analyses and security measures.

Interested in a risk and security analysis? Contact us here.


The NIS Directive and, in some countries, stricter national security legislation impose new, higher information security requirements on companies within critical infrastructure. Secure IT/OT integration is one of the areas that is a challenge for these companies. How do you ensure information security while maintaining the availability and integrity of the systems?

ICS and SCADA - systems with important information

Operational Technology (OT) is a concept that covers all the subsystems needed to control and monitor a physical process, such as a power plant. OT usually consists of programmable logic controllers (PLCs), measurement data collection and control systems. ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) are the terms used for such systems.

The digitalisation becomes a security challenge

Historically, OT systems have often been completely disconnected from the outside world. As society digitalises, the need to connect OT systems with IT systems has increased. This integration is a major challenge from a security point of view, as it creates a risk that someone can influence or change the system. Since the information in ICS and SCADA systems is extremely important for the company that uses the system, and sometimes for society as a whole, it is essential that such influence cannot take place.

Secure integration of IT and OT – this is how to do it

In order to raise security to meet the new, stricter requirements while maintaining the availability of digital information, solutions are needed that can separate and control data flows.

To safeguard ICS and SCADA systems, the networks must be segmented with high-assurance solutions that preserve physical isolation while still allowing controlled, secure communication across the boundary. With segmentation in place, logging of security data is the next priority. By monitoring logins, failed login attempts, transactions, USB usage and similar events, effective preventive measures can be identified and damage limited without delay. Ensuring integrity and security at this level requires military-grade solutions.
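As an added illustration of the monitoring step (this is example code written for this page, not Advenica's or any product's detection logic), the block below runs two simple rules over constructed syslog-style lines from an OT zone: a burst of failed logins from one source against one host, and USB insertions whose device serial is not on an allowlist. The line format, host names, thresholds and the five-minute window are all assumptions chosen for the example.

```python
"""Added example (not Advenica's code): two detection rules over
constructed OT-zone log lines. Log format, hosts and thresholds are
assumptions for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <host> <event> <key=value ...>"
SAMPLE_LOGS = """\
2024-03-01T08:00:01 hmi-01 login result=ok user=operator src=10.10.1.5
2024-03-01T08:01:10 hmi-01 login result=fail user=admin src=10.10.1.77
2024-03-01T08:01:12 hmi-01 login result=fail user=admin src=10.10.1.77
2024-03-01T08:01:15 hmi-01 login result=fail user=admin src=10.10.1.77
2024-03-01T08:01:19 hmi-01 login result=fail user=root src=10.10.1.77
2024-03-01T08:01:25 hmi-01 login result=fail user=root src=10.10.1.77
2024-03-01T08:30:00 eng-ws-02 usb_insert vendor=0781 product=5567 serial=4C530001
2024-03-01T09:00:00 hmi-01 login result=fail user=admin src=10.10.1.5
2024-03-01T09:45:00 hmi-01 login result=fail user=admin src=10.10.1.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def parse_line(line):
    """Parse one line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Flag (host, src) pairs with >= threshold failed logins inside a sliding
    time window. Returns a list of (host, src, first_timestamp, count)."""
    by_key = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r.get("result") == "fail":
            by_key[(r["host"], r.get("src"))].append(r["ts"])
    alerts = []
    for (host, src), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((host, src, times[start], end - start + 1))
                break  # one alert per (host, src) is enough here
    return alerts


def usb_insertions(records, allowed_serials=frozenset()):
    """Return USB insertion events whose device serial is not allowlisted."""
    return [r for r in records
            if r["event"] == "usb_insert" and r.get("serial") not in allowed_serials]


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for host, src, first, n in failed_login_bursts(recs):
        print(f"ALERT failed-login burst: {n} failures on {host} from {src} starting {first}")
    for r in usb_insertions(recs):
        print(f"ALERT unknown USB device on {r['host']}: serial={r.get('serial')}")
```

In the sample data the five failures from 10.10.1.77 within fifteen seconds trigger the burst rule, while the two failures from 10.10.1.5, forty-five minutes apart, do not; the slow-and-low case is exactly where a fixed threshold alone is weak, which is why the window size is a tuning parameter rather than a constant.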

In short, the following solutions are needed:

  • Physical separation of IT and OT using zoning
  • Data diodes at the zone boundary for outbound data flows from OT
  • Information whitelisting at the zone boundary
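The third item, information whitelisting at the zone boundary, means that only data which matches a predefined, known-good description is allowed to cross; everything else is dropped rather than inspected for known-bad patterns. The block below is an added example written for this page (not Advenica's product or its filtering rules) of such an allowlist applied to an outbound OT-to-IT telemetry flow. The record format (one JSON object per line), the tag names, the value ranges and the size limit are all assumptions for the example.

```python
"""Added example (not Advenica's code): an information allowlist for the
outbound OT -> IT flow at a zone boundary. Record format, tag names and
ranges are assumptions chosen for illustration."""
import json

# Allowlist: tag name -> (type, constraints). Anything not listed is dropped.
# Constructed for a fictional plant; not a real configuration.
ALLOWED_TAGS = {
    "turbine1.rpm":       (float, 0.0, 4000.0),
    "turbine1.temp_c":    (float, -40.0, 900.0),
    "feedwater.flow_m3h": (float, 0.0, 500.0),
    "breaker7.state":     (str, ("open", "closed")),
}
MAX_LINE_BYTES = 256  # oversize records are rejected before parsing


def check_record(line):
    """Return (accepted, record) on success or (False, reason) on rejection."""
    if len(line.encode("utf-8")) > MAX_LINE_BYTES:
        return False, "oversize"
    try:
        rec = json.loads(line)
    except ValueError:
        return False, "not-json"
    # Exact key set: no extra fields ride along (no covert data, no commands).
    if not isinstance(rec, dict) or set(rec) != {"ts", "tag", "value"}:
        return False, "bad-shape"
    if not (isinstance(rec["ts"], int) and 0 <= rec["ts"] < 2**32):
        return False, "bad-ts"
    spec = ALLOWED_TAGS.get(rec["tag"])
    if spec is None:
        return False, "tag-not-allowed"
    v = rec["value"]
    if spec[0] is float:
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            return False, "bad-type"
        lo, hi = spec[1], spec[2]
        if not (lo <= v <= hi):
            return False, "out-of-range"
        v = float(v)
    else:
        if v not in spec[1]:
            return False, "bad-enum"
    # Re-serialise from the validated values: the original bytes never cross.
    return True, {"ts": rec["ts"], "tag": rec["tag"], "value": v}


def filter_outbound(lines):
    """Apply the allowlist to an iterable of lines.
    Returns (passed_records, dropped) where dropped holds (line, reason)."""
    passed, dropped = [], []
    for line in lines:
        ok, result = check_record(line)
        if ok:
            passed.append(result)
        else:
            dropped.append((line, result))
    return passed, dropped


# Constructed sample stream (not real data): legitimate telemetry mixed with
# records that must never leave the OT zone.
SAMPLE_STREAM = [
    '{"ts": 1709280000, "tag": "turbine1.rpm", "value": 2980.5}',
    '{"ts": 1709280001, "tag": "breaker7.state", "value": "closed"}',
    '{"ts": 1709280002, "tag": "turbine1.rpm", "value": 99999}',                    # out of range
    '{"ts": 1709280003, "tag": "plc3.setpoint", "value": 12}',                      # tag not listed
    '{"ts": 1709280004, "tag": "turbine1.temp_c", "value": 410, "cmd": "reboot"}',  # extra field
    'SET turbine1.rpm 0',                                                           # not even JSON
]


if __name__ == "__main__":
    passed, dropped = filter_outbound(SAMPLE_STREAM)
    for rec in passed:
        print("PASS", json.dumps(rec))
    for line, reason in dropped:
        print("DROP", reason, line)
```

Two design points matter more than the specific checks. First, the filter reconstructs each accepted record from the validated fields instead of forwarding the original bytes, so anything the allowlist did not explicitly describe cannot be smuggled through in formatting or whitespace. Second, the allowlist is a closed description of what is permitted; adding a new tag is a deliberate configuration change on the boundary, which is the property that makes the flow auditable under the NIS requirements discussed above.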

Advenica has extensive experience of solutions in which networks are physically isolated while information can still be exchanged securely. These solutions allow digitalisation to be accelerated without jeopardising the availability and integrity of the OT systems.

If you are interested in knowing more about secure IT/OT integration, you can read our solution description "Secure IT/OT integration".

Also read our customer case "Cyber security in critical infrastructure - a matter of national interest and business value" - a case that describes how a large energy company secures its operation with solutions from Advenica.

Do you also need help with information security? Welcome to contact us!