Cybersecurity rules have been patchy at best and lacking at worst. So the adoption of the NIS Directive on security of network and information systems is a landmark development. Nomi Byström asks whether it is enough for our increasingly connected society.
Nomi Byström is a postdoctoral researcher in Digital Disruption of Industry at Finland’s Aalto University.
The new legislation was adopted on 6 July and entered into force in August. Member states will have to transpose it by 9 May 2018. To identify operators of essential services, they have been granted another six months.
Notably, the NIS Directive has been linked with the Commission’s plan to digitise European industry – also called the Industrial Internet of Things (IIoT) or Industry 4.0 – which is part and parcel of completing the Digital Single Market.
Currently, the manufacturing sector accounts for 33 million jobs, 2 million enterprises and 60% of productivity growth. In the next five years, digitisation of products and services may add over €110 billion of revenue annually. Moreover, the completion of the DSM could contribute €415 billion per year and create hundreds of thousands of new jobs.
IIoT, heralded as the new, fourth industrial revolution, will play a pivotal role in Europe’s prosperity and global competitiveness. However, much hinges on security and trust in the digital transition and, above all, on its safe running.
As the NIS Directive has also been linked to the digitisation of European industry, the question remains: how does it address the cybersecurity needs of IIoT?
Particularly relevant are the NIS Directive’s provisions requiring operators of essential services and digital service providers to take technical and organisational measures to manage security risks and to report incidents.
The role of effective cybersecurity is greatly magnified in the digital industrial setting. Once the cyber-physical barrier is crossed, the consequences of cyber attacks can go beyond even such grave damage as theft, manipulation and denial of access to data. And attempts to cross it may be non-stop.
Nuclear facilities are targeted almost on a daily basis. The serious damage caused by the hacking of the Ukrainian power grid in December 2015 and of a German steel mill the previous year attests to the fact that, unfortunately, attacks do not always remain mere attempts: at times they succeed.
Cyber-physical systems have to face ever-more potent digital threats from all over the world. The consequences for businesses and entire industries, even on a national scale, can be far from inconsequential. A serious control system security breach could, for example, result in a significant number of fatalities, physical destruction, an environmental catastrophe and even impacts on society at large.
Furthermore, when it comes to businesses, neither their facilities, customers, suppliers, partners nor services are necessarily restricted to the confines of a single country, and the consequences of successful cyber attacks could be commensurate. As for Europe’s critical infrastructure, it is already interconnected.
Hence, it is a missed opportunity that the NIS Directive adopts merely a risk-based approach to the increasing range of threats. A country may wrongly assess the true gravity of a situation or rapid changes in the threat landscape, and fail to respond accordingly. This could also have trans-border consequences.
In addition, rather than merely underlining the reporting of major incidents after they have already taken place, paramount emphasis should be laid on continuously ensuring the best possible protection, so that attacks do not succeed in the first place and their opportunities are minimised. This applies especially to threats targeting digital critical infrastructure.
There is a crying need for due attention to critical security updates. Thus, it comes as no surprise that business leaders are so concerned that they are even deterred from deploying IIoT.
The future may be brighter, though. Asymmetric encryption with multiple keys; machine learning (supervised, unsupervised and semi-supervised, especially active learning); blockchain; quantum communications satellites; and deep learning are but a few examples of possible avenues for improved cybersecurity, and especially for the Industrial Internet of Things. Even Tor wants to secure IoT. But new solutions still require R&D.
Furthermore, perhaps the still-overhanging cloud of cyber insecurity does have a silver lining: the NIS Directive is not intended as the EU’s final say on protecting the advance of the hyper-connected society.
This is crucial, because of ongoing major technological developments: the Internet of Things (IoT) and M2M communication; the convergence of IT and OT (Operational Technology); autonomous systems; 5G communication; robotisation; and the emergence of the Internet of Everything. Given these, attention to traditional network and information security alone is no longer up to scratch. Nor would an exclusive focus on the security of the mobile ecosystem suffice.
What is urgently needed is lean, yet effective regulation that takes a leap forward. As a priority, legislation will need to incorporate effective compulsory data security and uniform dissuasive penalties for non-compliance, beginning with digital critical infrastructure. For the clock is ticking fast, and the new bottom line is that, in the interconnected environment, the range of attack vectors can become limitless. Security risks are multiplying exponentially, not least those that affect the digitising European industry.