NIS regulations compliance

May 9th, 2019 Posted in Compliance, Information Security

The Network and Information Systems Regulations 2018 (NIS Regulations) came into force on 10 May 2018. They require operators of essential services in critical national infrastructure sectors to meet information and cyber security standards for the information technology (IT) and operational technology (OT) systems their essential services depend upon. NIS also applies to relevant digital service providers (RDSPs), but these are outside the scope of this blog.

Like GDPR, which came into force in the same month and largely overshadowed it, NIS is derived from EU law. Because NIS is an EU Directive rather than a Regulation, member states had room for interpretation when implementing it, and the UK transposed the NIS Directive into UK law as the NIS Regulations.

The NIS Regulations apply to ‘Operators of Essential Services’ or ‘OES’. Essential services in scope cover the water, health, transport, digital infrastructure and energy sectors. A ‘Competent Authority’ or ‘CA’ has been designated for each sector to provide guidance, carry out audits and enforce compliance. The maximum penalty for failing to comply is £17m, comparable to GDPR’s headline fines, although NIS does not include GDPR’s alternative cap based on a percentage of global turnover. It’s too early to know how aggressive the CAs will be when issuing sanctions under NIS.

NIS Security Objectives & Principles

NIS requires OES to manage risks to the security of IT and OT systems which support delivery of essential services by implementing appropriate technical and organisational controls. To support this, the National Cyber Security Centre (NCSC) has developed 4 security objectives to be met and 14 underpinning security principles. These are:

  • Objective A: Managing Security Risk

    • A1: Governance
    • A2: Risk Management
    • A3: Asset Management
    • A4: Supply Chain
  • Objective B: Protecting Systems Against Cyber Attack

    • B1: Service Protection Policies & Processes
    • B2: Identity & Access Control
    • B3: Data Security
    • B4: System Security
    • B5: Resilient Networks & Systems
    • B6: Staff Awareness & Training
  • Objective C: Detecting Cyber Security Events

    • C1: Security Monitoring
    • C2: Proactive Security Event Discovery
  • Objective D: Minimising the Impact of Cyber Security Incidents

    • D1: Response & Recovery Planning
    • D2: Improvements

The NIS Regulations security objectives and principles are outcome based, an approach NIS shares with GDPR. Rather than set prescriptive measures, NIS expects OES to take a risk-led approach to achieving the security outcomes. How an outcome is achieved is down to the OES, but they need to take account of the risks and be able to justify their approach and decisions through evidence and good governance (similar to the ‘accountability’ principle in GDPR).

NIS Regulations Scope

The starting point for OES is to determine their scope. The focus is on network and information systems that are necessary for the delivery of essential services. For many OES this is primarily going to be OT systems such as SCADA, RTUs, PLCs and supporting systems including the IT systems on which these rely.

If the systems don’t underpin and support the delivery of essential services, they can be excluded from scope. In our experience, there will be grey areas when determining scope. Some systems will clearly be in or out whereas others will be subject to debate.

We’ve found that the CAs have provided useful principles to follow in their guidance and are happy to discuss and answer questions, albeit without giving prescriptive feedback.

NIS CAF Framework & Indicators of Good Practice

With the scope determined, the next stage for OES is to carry out a self-assessment as determined by their CA.

For most OES this will be the NIS Cyber Assessment Framework (CAF) which is a standardised (i.e. not sector specific) framework developed by the NCSC. The healthcare and aviation CAs are taking a different approach, but water, energy, digital infrastructure and other transport OES must use the CAF.

The NIS CAF is built from Indicators of Good Practice (IGPs). For each of the 14 principles, the CAF lists ‘Contributing Outcomes’. Each Contributing Outcome has its own table of IGPs, grouped into columns, against which the outcome is assessed as:

  • Achieved
  • Not Achieved
  • Partially Achieved (in some cases)

If you’re new to the NIS CAF, the hierarchy from 4 Objectives to 14 Principles to 39 Contributing Outcomes and their Indicators of Good Practice probably justifies a strong cup of tea and good concentration. The CA for Downstream Gas and Electricity, OFGEM, includes the following helpful illustration of the CAF hierarchy in their NIS guidance:

OFGEM NIS Hierarchy

The image is a screenshot, so it’s a bit fuzzy. The original is in OFGEM’s NIS guidance.

The CAF is, quite frankly, a bit of a beast. There are 39 contributing outcomes to be assessed and to make things a bit more complex some include a ‘Partially Achieved’ option whereas others just offer ‘Achieved’ or ‘Not Achieved’. The image below shows an example of a CAF table with ‘Achieved’ and ‘Not Achieved’ scoring only:


This image shows a CAF table which also include ‘Partially Achieved’ scoring:


The NCSC makes it clear that it is for CAs to define what represents appropriate and proportionate cyber security for NIS Regulations purposes. Its guidance on using the CAF is that a contributing outcome scores ‘Achieved’ only when every IGP in the ‘Achieved’ column is met, and that if a single IGP in the ‘Not Achieved’ column applies, the outcome must be marked ‘Not Achieved’ even if every ‘Achieved’ IGP is also met.

We have found that this can make the process quite binary, especially as the CAF isn’t sector specific. Because of this, the NCSC clarifies that assessment of the contributing outcomes does not remove the requirement for the informed use of cyber security expertise and sector knowledge.

Given this and the outcome-based approach of NIS, we have taken a risk-led approach when helping OES to complete their CAF assessment. This means that where an OES has not met all of the ‘Achieved’ IGPs for a contributing outcome, or where a ‘Not Achieved’ or ‘Partially Achieved’ IGP applies to it, we have considered the risk in the context of the organisation we have been working with.

In practice, this means that we would ask ‘would the security risks be materially lower than they are now if the OES meets an IGP that it didn’t currently satisfy?’. If the answer was ‘no’ we would mark the OES as having met the assessed standard, albeit with recognised opportunities for improvement for any IGPs not met (which could be addressed in the OES’ improvement plan). In our experience, this has been the difference between ‘Partially Achieved’ and ‘Not Achieved’ scores in some cases but has also provided a more realistic outcome-based assessment result.
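The two rules described above, the strict NCSC reading of a CAF table and the risk-led overlay, as a worked example in Python. This is added here to illustrate the post and is not Evalian’s tooling or anything published by the NCSC; the outcome reference ‘B2.x’, the IGP wording and the evidence are constructed for the example rather than taken from the CAF.

```python
# Added example: strict NCSC CAF scoring rule plus the post's risk-led overlay.
# Not Evalian's tooling or an NCSC artefact; IGP wording below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACHIEVED, PARTIALLY_ACHIEVED, NOT_ACHIEVED = "Achieved", "Partially Achieved", "Not Achieved"


@dataclass
class ContributingOutcome:
    ref: str
    achieved_igps: List[str]
    not_achieved_igps: List[str]
    partially_achieved_igps: Optional[List[str]] = None  # None: table has no PA column


@dataclass
class Assessment:
    ref: str
    strict_score: str
    risk_led_score: str
    exceptions: List[str] = field(default_factory=list)     # accepted gaps, to be justified
    material_gaps: List[str] = field(default_factory=list)  # gaps that hold the score down


def applies(evidence: Dict[str, bool], igp: str) -> bool:
    """True when the indicator is evidenced as true of the OES; unrecorded => False."""
    return evidence.get(igp, False)


def score_strict(outcome: ContributingOutcome, evidence: Dict[str, bool]) -> str:
    """Strict reading: one applicable 'Not Achieved' IGP forces Not Achieved,
    however many 'Achieved' IGPs are met; all 'Achieved' IGPs for Achieved;
    all 'Partially Achieved' IGPs (where that column exists) for PA."""
    if any(applies(evidence, i) for i in outcome.not_achieved_igps):
        return NOT_ACHIEVED
    if all(applies(evidence, i) for i in outcome.achieved_igps):
        return ACHIEVED
    pa = outcome.partially_achieved_igps
    if pa is not None and all(applies(evidence, i) for i in pa):
        return PARTIALLY_ACHIEVED
    return NOT_ACHIEVED


def gaps_for(target_igps, outcome, evidence) -> List[str]:
    """Target-column IGPs the OES does not meet, plus NA IGPs that do apply to it."""
    return ([i for i in target_igps if not applies(evidence, i)]
            + [i for i in outcome.not_achieved_igps if applies(evidence, i)])


def score_risk_led(outcome, evidence, material: Dict[str, bool]) -> Assessment:
    """Overlay from the post: 'material' answers, per gap, 'would risk be
    materially lower if this IGP were met?' (unanswered => assumed yes). A column
    is awarded when every gap against it is non-material, the gaps becoming
    listed exceptions; otherwise the strict score stands."""
    strict = score_strict(outcome, evidence)
    levels = [(ACHIEVED, outcome.achieved_igps)]
    if outcome.partially_achieved_igps is not None:
        levels.append((PARTIALLY_ACHIEVED, outcome.partially_achieved_igps))
    for level, igps in levels:
        gaps = gaps_for(igps, outcome, evidence)
        if not any(material.get(g, True) for g in gaps):
            return Assessment(outcome.ref, strict, level, exceptions=gaps)
    gaps = gaps_for(outcome.achieved_igps, outcome, evidence)
    return Assessment(outcome.ref, strict, strict,
                      exceptions=[g for g in gaps if not material.get(g, True)],
                      material_gaps=[g for g in gaps if material.get(g, True)])


# Constructed sample table for a hypothetical B2 (Identity & Access Control) outcome.
MFA, QUARTERLY, ANNUAL = ("Remote access to OT systems requires multi-factor authentication",
                          "Privileged access rights are reviewed at least quarterly",
                          "Privileged access rights are reviewed at least annually")
NO_SHARED, SHARED_LOGGED = ("Shared engineering accounts are not used",
                            "Shared engineering accounts are limited and their use is logged")
DEFAULT_CREDS = "Default vendor credentials remain in use on OT devices"

SAMPLE_OUTCOME = ContributingOutcome(
    ref="B2.x (hypothetical)",
    achieved_igps=[MFA, QUARTERLY, NO_SHARED],
    not_achieved_igps=[DEFAULT_CREDS],
    partially_achieved_igps=[MFA, ANNUAL, SHARED_LOGGED],
)
# Constructed evidence: this OES has no remote OT access path at all, so the MFA
# indicator cannot be evidenced even though there is nothing for it to protect.
SAMPLE_EVIDENCE = {MFA: False, QUARTERLY: False, ANNUAL: True,
                   NO_SHARED: False, SHARED_LOGGED: True, DEFAULT_CREDS: False}
# Assessor's judgement: closing the MFA gap would not lower risk; the others would.
SAMPLE_MATERIALITY = {MFA: False, QUARTERLY: True, NO_SHARED: True}

if __name__ == "__main__":
    a = score_risk_led(SAMPLE_OUTCOME, SAMPLE_EVIDENCE, SAMPLE_MATERIALITY)
    print(a.ref, "strict:", a.strict_score, "| risk-led:", a.risk_led_score)
    print("exceptions to justify:", a.exceptions, "| material gaps:", a.material_gaps)
```

Run as written, the sample scores ‘Not Achieved’ under the strict rule, because the MFA indicator is unmet in both the ‘Achieved’ and ‘Partially Achieved’ columns, and ‘Partially Achieved’ under the risk-led overlay, with the MFA indicator recorded as an exception to be justified (here: no remote access path exists). Two design choices matter: an applicable ‘Not Achieved’ IGP is never overridden unless the assessor explicitly judges it non-material, and any gap without a recorded materiality judgement is assumed material, so the overlay can only relax a score where someone has taken responsibility for the decision.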

OFGEM suggests a similar approach in their NIS guidance, in which they say “an OES could mark ‘Achieved’ with exceptions listed under the justification section. Any exceptions need to be made explicit and it should be indicated how the exceptions have been risk assessed and managed accordingly”.

Likewise, the CA for the potable water industry, the Drinking Water Inspectorate (DWI), indicates in its NIS guidance that it “will take a holistic view of a company’s whole security practice when conducting its CAF assessments and subsequent discussions with the company”.

Improvement Planning

With the CAF self-assessments complete, OES then have to develop improvement plans. Some CAs have indicated they will release a target CAF profile for OES to work towards. These will obviously be industry specific and show what ‘good looks like’ in the opinion of the CA. Others have indicated that a security management system should be implemented to address risks and implement security controls, starting with quick wins.

Interestingly, OFGEM encourages its OES to make improvements in the order of people, process and then technology on the basis that the very best technical controls can be undermined by people issues and a poor security culture.

Improvement plans will then be agreed with the CA and implemented as a programme of improvement work, and the operational cycle of audits and inspections by or on behalf of the CA will commence.

NIS Regulations Audits & Inspections

It’s still too early to know how CAs will handle audits or what their enforcement policies will be. Most have indicated that audit plans and enforcement policies will be developed in parallel with their review of CAF self-assessments and discussion of improvement plans with OES.

OFGEM have said they expect to start auditing in Q4 2019 with OES initially inspected in the first year and then as part of an ongoing auditing regime thereafter, with each audit potentially taking 3-5 days onsite. The DWI has provided less detail so far but has confirmed that it will not take enforcement action during their review of initial CAF self-assessments.

The Department for Transport has indicated it may appoint independent auditors to gather more evidence to support CAF self-assessments and, beyond the first year, will implement a risk-based programme of ongoing activities including audits.

The Civil Aviation Authority plans to accredit testers and auditors to assess its OES against a series of cyber security competencies aligned to its publication CAP 1574, ‘Twenty-six security controls for security regulation’.

How Evalian Can Help

In addition to helping complete CAF self-assessments and validating your NIS scope, Evalian can help you plan and deliver your NIS Regulations improvement plans from short term quick wins to developing and implementing longer term strategies and information security management systems.

This includes developing and delivering employee awareness programmes, implementing policy frameworks including standards and procedures, and helping to scope and identify suitable technical controls.

We can also carry out internal audits of your NIS security management systems and support you during the CA auditing process.

If you’d like to discuss your requirements, please do get in touch.


Written by Sean Huggett

Sean specialises in data protection, information risk and cyber security. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in privacy and security strategy, management and compliance. Sean is also Managing Director at Evalian®. His qualifications include CISM, CISA, CRISC, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISMP, CIPP-E, CIPT & GDPR Practitioner Certificate.