
In my previous blog post, CNI: Information Security vs Cyber Security, we explored why traditional cyber security approaches don’t fully apply to Critical National Infrastructure (CNI). This brings a unique challenge to these organisations, requiring a tailored approach and skillset.
A major ongoing challenge for CNI organisations is navigating complex regulatory requirements. In the following blog post we’ll discuss the unique regulatory requirements faced by these organisations and how they affect their approach to cyber security and business.
This topic has become common in recent years because regulatory bodies have changed the thresholds and more organisations are now classified as Critical National Infrastructure.
What regulatory requirements?
GDPR, PCI DSS and the Data Protection Act are requirements which most organisations are required to follow and stringently abide by. However, in addition to these, CNI organisations are required to meet further regulatory requirements such as the Network and Information Systems (NIS) Regulations. In some cases, a CNI organisation will be required to meet multiple sets of requirements, which can be a costly and time-consuming process. Therefore, CNI organisations have a responsibility to stay up to date and constantly compliant. As many of us know, regulations are constantly changing, so these organisations are constantly having to adapt to ensure they’re meeting them while maintaining uninterrupted service delivery.
Key changes in new regulations
Current regulations have required Critical National Infrastructure organisations to improve in four main areas. These include:
- A risk-based approach
- Improving supply chain management
- Cyber resilience
- Asset management
A risk-based approach allows these organisations to ensure that decisions made within the organisation are based on the risk of the asset or system concerned. For example, an asset with a higher risk will require urgent action and must be addressed sooner than assets with a lower risk. This approach allows organisations to direct resources to the most critical risks and ensure that they remain within the organisation’s risk tolerance. Supply chain attacks have increased massively over the past years, so regulators have introduced stricter requirements to ensure organisations can effectively manage supply chain risks. The changes cover all aspects of supply chain management, including procurement, risk assessment and management, and termination. This approach gives organisations control of their data and clarity over where and how that data is stored and processed.
Cyber resilience has been built into regulations to ensure the appropriate knowledge, skills and tools are available to identify, respond to, and promptly recover from incidents whilst ensuring continuation of the service provided. This not only covers the key steps during an incident, but also requires training before an incident and captures lessons learned after it. The final key topic is asset management. Many organisations, whether big or small, have a large number of systems and devices, and this number is always increasing due to the sheer volume of technologies being introduced and implemented. Asset management covers physical and software assets, and allows organisations to understand what data and assets they hold. In addition, a process can be implemented to cover the asset’s lifecycle from procurement all the way through to destruction.
Aligning ISMS with Regulatory requirements
For CNI organisations, aligning an Information Security Management System (ISMS) with regulatory requirements is no easy task. Regulatory requirements for CNI organisations are quite specific and usually non-negotiable, so adapting a system to meet them can be quite tough. In most cases, these changes will need to be made whilst offering the same services and while staff continue with their everyday duties. These are two of the main reasons why we, at Cydea, provide our expertise and skills to CNI organisations to help them align with regulatory requirements efficiently, without compromising their services and daily duties.
Dealing with Audits
In addition to having to meet multiple requirements, CNI organisations are constantly monitored by official regulators. Regulators such as OFGEM, FCA and OFWAT require some organisations to submit documents providing evidence of alignment with regulatory requirements and of planned progress. This is far from a routine task, and requires specific skills and knowledge to prepare and submit the documents effectively. Inaccuracies in these documents may lead to higher resource requirements in order to comply with the regulations. Regulators may also audit these CNI organisations, so it’s vital that organisations submit honest documentation; if found to have given false information, they may face a substantial fine. Furthermore, when implementing the controls and security measures, organisations must have a thorough understanding of the regulations and what is required of them. Even large organisations can find this overwhelming. For smaller ones, limited resources can make compliance especially challenging.
Meeting regulatory demands while maintaining uninterrupted services is a constant challenge for CNI organisations. On top of this, the constantly changing cyber threat landscape does nothing to reduce the burden on these organisations. In the next part of this series, we’ll explore the evolving cyber threat landscape and how it uniquely impacts CNI organisations.