Guestblog – Peter Rus, Enterprise Architect for Passport
The first country in the world to implement laws, rather than directives, on protecting critical infrastructure was the United Arab Emirates.
We in the Netherlands already have the Bill on Notification of data leaks (Wetsvoorstel Meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp, the Bill). The Bill introduces a duty for data controllers in the Netherlands to notify a breach of security measures protecting personal data to the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP). In addition, fines for violations of the Dutch Data Protection Act (Wet bescherming persoonsgegevens, DPA) will significantly increase. Failure to comply with the rules may lead to fines of up to € 810,000 or 10% of the company’s net annual turnover.
Over the past few years, the European Commission has adopted a series of measures to raise Europe’s preparedness to ward off cyber incidents. The NIS Directive is the first piece of EU-wide legislation on cyber security.
The Directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016. European Commission Vice-President Andrus Ansip, responsible for the Digital Single Market, and Commissioner Günther H. Oettinger issued a statement on this occasion. The Directive will enter into force in August 2016. Member States will have 21 months to transpose the Directive into their national laws and 6 more months to identify operators of essential services.
What is critical infrastructure?
According to the definition given by Homeland Security:
Critical infrastructure is the backbone of our nation’s economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.
Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Recent security incidents have alarmed government representatives in Germany. The objective of the new German Cybersecurity Law is to protect infrastructure, and it will particularly affect providers of critical infrastructures. They will be required to implement and maintain appropriate minimum organizational and technical security standards to ensure the proper operation and permanent availability of those infrastructures, and to report significant IT security incidents.
According to the National Law Review, the draft will have the following impact:
Operators of critical infrastructure must:
- implement minimum security standards after a transitional period of two years and prove that they satisfy the requirements at least every two years; operators and industry associations may propose sector-specific security standards;
- designate a warning and alarm contact through which they can be reached by BSI at any time;
- promptly report to the BSI any impairment of their IT systems, components or processes which can or does lead to a failure or impairment of their critical infrastructures (examples include security gaps, malware, security attacks that have either been carried out, attempted or successfully fended off as well as extraordinary and unexpected technical defects with an IT connection). Pseudonymous reporting would be permitted unless the impairment results in a failure or impairment of the critical infrastructure.
Commercial information society services (essentially content and host providers) must:
- implement technical and organizational measures to generally protect the telecommunications and data processing systems against unauthorized access. According to the legislative reasoning, this aims to reduce so-called drive-by-download attacks and malware, which could be achieved by regular software updates and security patches as well as contractual arrangements with third-party content providers;
- offer a reasonably secure authentication procedure for personalized services (and passwords alone do not achieve that, as the data breach in the Netherlands shows, where students ordering their books were affected and the remediation consisted of resetting passwords).
The biggest concern is, of course, how the risk mitigation actions taken will fit with the other standards that apply to these industries. Most of the components in use were designed for availability and fitness for purpose, not with security in mind.
That is why we opt for a tactical layer in the organization, operating between the strategic and operational layers and representing both the business and IT.
How will this risk mitigation help your organization, you might ask? The tactical layer will have oversight of all the components and of the way the interfaces need to operate, and it can map the risks involved in remote access. So when the BSI (the German Federal Office for Information Security) conducts an investigation, it will look at what measures the organization has taken; here in the Netherlands, the question is whether the procedures required during a data breach were followed.
For this you will need an accurate architectural overview of which barriers you have in place.
An overview that shows whether the current controls are viable and in line with up-to-date procedures and policies for the systems and services in use, rather than the mumbo jumbo statements we like to use.
Does anyone still believe that changing passwords (passwords are dead, according to Bill Gates in 2004) and phishing-mail recognition will mitigate the risks that still get through even though we have patch management, malware monitoring, network perimeter defences, secure configuration and device controls? What we see, time after time, is that organizations have not done their homework on innovation and are still using defence mechanisms that are older than the team that handles their business IT operations.
Adding this new layer lets you mitigate your risks: start by bringing in reports on the hardware and software currently in use, then look at which vulnerabilities can become an operational risk.
We use the TOGAF 9 methodology in alignment with the Barrier Based Risk Management Method to draw up the risk mitigation roadmap you will need to address the Governance, Risk and Compliance imperatives. It also helps bridge the gaps that have grown, currently and historically, between business and operations.
You can also extend this into your knowledge transfer strategy: the shortage of professionals will soon become acute, which means internal business processes must be documented and easily transferable rather than living only in the minds of the people who handle them.
We will talk about cyber security risk so you can see whether it gets the right priority and resources in the organization, and especially whether it is aligned with the business strategy and enables the business transformation while mitigating the risks of remote access, third-party access and data leakage.