14 February 2025

Complying with NIS2 does not equate to cyber resilience

By: Ron Wagterveld, Director of cybersecurity solutions at Thales, and Eric ten Bos, co-founder and technical lead of the Thales cyber OT convergence center

The necessity for government bodies to engage in security efforts has grown significantly due to NIS2 obligations. With the label "essential," municipalities no longer have a choice: they are legally required to implement appropriate security measures. Other government entities, such as ministries, are in a gray area regarding NIS2. They are not critical but are connected to organizations, like municipalities, that are. The message is essentially the same: as a government entity, you cannot lag in the field of security. Whether you have to deal with NIS2 or not, you must consider your cyber resilience. This is sometimes perceived as a tick-box exercise to be NIS2-compliant, but that is false security.

More than monitoring

Most municipalities are already busy monitoring their networks and infrastructure due to NIS2. Additionally, they often receive information about potential hacks and vulnerabilities through the National Cyber Security Center (NCSC). These are two very important steps. But the big question is: what next? In the best-case scenario, your monitoring system alerts you to suspicious activity on your network. But are you able to act on that alert? That is essential.

Imagine installing a fire safety system with extinguishers on the wall and sprinklers on the ceiling. But as soon as the alarm goes off, nobody knows where the extinguishers are, whether they have been inspected and are accessible, or even what the fire department's phone number is. How useful is your fire safety system then? That is exactly how it works with cybersecurity. You must know the next step once the monitoring system indicates that you need to take action. This could happen at any time, often outside office hours or during vacation periods. Who do you call? Monitoring is, therefore, an important first step toward cybersecurity, but not a reason to relax. It requires active investigation and knowing what actions to take in case of an emergency. That is crucial and still not well-organized in many places.

Trinity

Besides monitoring, cyber resilience requires well-organized processes and a method that ensures safety in advance and provides a clear course of action when something goes wrong. This means that you need to take measures in another area besides monitoring: security by design. By this, we mean that you always include a chapter on cybersecurity during changes at the IT or process level, so that safety is built in from the start, for example, in new procurements or during the design or implementation of applications. You can also apply this to your existing suppliers or partners by requiring them to make adjustments within a certain timeframe to ensure both their and your cybersecurity.

Security by design and monitoring will likely also bring changes to your processes. That is the third step to becoming cyber secure. For instance, multi-factor authentication should be the standard for logging into an application or system, and it is wise to complement monitoring with an emergency plan. This way, you will know exactly how to reach the fire department the next time your fire alarm goes off.

Better limited and well-executed than extensive and half-done

Whether you are under NIS2 as a government body or in the gray area, ethically, you cannot lag in security. The government must set a good example. It is, therefore, important to look at security proactively and not depend solely on the NIS2 directive. And be realistic about what is feasible. It's better to have a limited set of well-implemented security measures across the axes of monitoring, processes, and security by design than to focus solely on producing the right security reports because NIS2 requires it. Compliance is not the same as cyber resilience, just as hanging a fire extinguisher is not the same as fire safety.