NC Nov-Dec 2023

More documents

Recommendations

Info

SECURITY UPDATE COMPLYING WITH THE NIS 2 DIRECTIVE TO HELP SECURE CRITICAL ASSETS STEVEN KENNY, INDUSTRY LIAISON, ARCHITECTURE & ENGINEERING, AXIS COMMUNICATIONS, EXAMINES THE LATEST CYBERSECURITY COMPLIANCE REGULATION - THE NIS 2 DIRECTIVE - AND WHAT SECURITY BUSINESSES SHOULD BE DOING TO PREPARE FOR IT The European Parliament adopted the NIS 2 Directive (NIS 2) in November 2022 and a planned UK alignment is set to follow. NIS 2 replaces and repeals the NIS Directive that established cybersecurity requirements for the operators of essential services (OES) and digital services providers (DSP). It modernises the existing legal framework in the EU to keep up with increased digitisation and an evolving cybersecurity threat landscape, and will improve cybersecurity risk management and introduce reporting obligations across a number of new sectors and entities. With an October 2024 deadline by which to adopt and publish the measures necessary to comply with NIS 2, it's important to determine what this means for security businesses working with, or wishing to work with, affected companies. A network camera, for example, while used for both security and operational means across a range of industries that may come under the NIS 2 Directive, is not classed as a critical asset. This technically places it outside the Directive's scope. Yet such a device nevertheless represents a vulnerability through which a malicious threat actor could launch an attack. What steps, then, should security businesses, their partners and customers be taking to ensure compliance? DEMONSTRATING CYBER MATURITY The new directive eliminates the distinction between OESs and DSPs, instead it clarifies businesses as either essential or important and uses a size-cap rule to determine which medium and large-sized entities fall within its scope. To comply with NIS 2 a holistic 16 NETWORKcomputing NOVEMBER/DECEMBER 2023 @NCMagAndAwards WWW.NETWORKCOMPUTING.CO.UK
SECURITY UPDATE approach is required that considers all possible threat vectors. It is expected that those businesses that need to comply with NIS 2 will have to carry out a greater level of due diligence on their technology partners. As part of this evaluation process and a vendor risk assessment, it is highly likely that policies and processes will play a much greater role. Securing a network, its devices, and the services it supports requires active participation by the entire vendor supply chain, as well as the end-user organisation. For the physical security industry, working closely with customers and other stakeholders will help to ensure a joined-up approach that everyone can agree on. Dedicated tools, documentation and training will help mitigate risks and keep products and services up-todate and protected. Equally, end-users will now be seeking to work with those suppliers and / or vendors who follow appropriate policies and processes, as well as holding third-party certifications. It's therefore imperative that physical security businesses can demonstrate, for example, that they adhere to a Vulnerability Management Policy, hold certification for ISO/IEC 27001 for Information Security Management Systems (ISMS), and Cyber Essentials Plus accreditation. DEVICE AND SYSTEM CONTROLS AND HARDENING Product integrity controls and features help to ensure that both hardware and firmware are protected from unauthorised change or manipulation. Signing a firmware image with a private key prevents firmware from being installed or upgraded without presentation of the appropriate credentials. Additionally, secure boot, based on the use of signed firmware, consists of an unbroken chain of cryptographically validated software, starting in immutable memory, that ensures a device can boot only with authorised firmware. A move to the use of signed video ensures that video evidence can be verified as untampered, making it possible to trace the video back to the camera from which it originated and verify that the video has not been modified or edited. The use of system hardening processes aims to protect and secure devices and systems against cyberattacks by reducing the attack surface - essentially protecting all possible points of entry that could be used by an attacker. Creating strong passwords, removing or disabling all superfluous drivers, services, and software, and setting system updates to install automatically are all recommended approaches. The likelihood of unauthorised or unauthenticated user access is further reduced by applying a Zero Trust policy, in line with the National Institute of Standards and Technology's (NIST) risk management framework which promotes a never trust and always verify approach to any request for systems access. While it is very unlikely that physical security systems will be classed as a critical asset as far as the scope of the NIS 2 Directive is concerned, it is important that organisations consider a holistic approach during the scoping of such technology. Physical security businesses, working closely in partnership with supply chains and customers, can deliver a system that is secure from both a physical and cybersecurity perspective, while helping to meet NIS 2 requirements. Stringent security measures, backed by policies and processes, tools, documentation and training, will help reduce risk and keep customers protected. The NIS 2 Directive - Axis briefing paper to support cybersecurity compliance: https://www.emeacomms.axis.com/nis-2-directivebriefing ABOUT STEVEN KENNY Steven Kenny has spent 18 years in the security sector in roles that have seen him take responsibility for key elements of mission critical, high-profile projects across a number of different vertical markets. His current role sees him lead a team of Architect and Engineering managers across the EMEA region whilst supporting various industry associations and standards organisations. He currently sits on the EMEA Advisor Council as the emerging technology lead for TiNYg (Global Terrorism Information Network), and on various standards committees to support IoT security, as well as the BSI Private Security Management and Services. NC WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards NOVEMBER/DECEMBER 2023 NETWORKcomputing 17
Page 1 and 2: NETWORKcomputing I N F O R M A T I
Page 3 and 4: COMMENT COMMENT MANAGING THE SKILLS
Page 6 and 7: INDUSTRY NEWS NEWSNEWS NEWS NEWS NE
Page 8 and 9: COMPANY PROFILE COMPANY PROFILE: NE
Page 10 and 11: OPINION: STORAGE ENSURING STORAGE S
Page 12 and 13: OPINION: SASE IS SD-WAN THE RIGHT F
Page 14 and 15: CASE STUDY "MADE IN GERMANY" QUALIT
Page 18 and 19: OPINION: IOT IOT AND THE FUTURE OF
Page 20 and 21: OPINION: DATA CENTRES HOW DATA CENT
Page 22 and 23: OPINION: DATA CENTRES Hot and Cold
Page 24 and 25: CASE STUDY GLOBAL TRANSFORMATION AN
Page 26 and 27: OPINION: DDoS ATTACKS SPANNING SECU
Page 28 and 29: OPINION: NTNs TO 5G - AND BEYOND! K
Page 30 and 31: OPINION: CLOUD SECURITY BOOSTING YO
Page 32 and 33: OPINION: ESM ENGAGING AI FOR ENTERP
Page 34: OPINION: PROVIDERS NECESSARY PROVIS

NC Nov-Dec 2023

Create successful ePaper yourself

Delete template?

Save as template?