New Network and Information Security Directive Aims to Mitigate Risks of a Cyber Attack on Critical Infrastructure

As security incidents increase in frequency and impact, the European Union (EU) Council has approved the Network and Information Security (NIS) directive. This mandate is designed to help member states mitigate the risks of a cyber security incident, and it represents the first legislative framework to cover the interconnected European critical infrastructure.

The NIS directive was adopted on May 17, 2016 and it will require operators of essential services and digital service providers in critical sectors such as energy, banking, water and health to develop programs to mitigate cyber security risks. It also imposes new requirements for collaboration amongst member states and establishes new guidelines for the reporting of major security breaches within each of their critical infrastructure sectors. The new directive goes into effect in August of 2016, but member states will have 21 months to design their national programs and six additional months to identify the affected operators of these essential services.

As we’ve seen from recent incidents such as the Ukraine power grid attack that left 225,000 customers in the dark, privileged accounts are at the center of cyber attacks and their compromise can pose a great risk to critical infrastructure. The damage from a cyber attack is no longer contained to the digital world, as attacks can have grave consequences in the physical realm. The security of privileged accounts is therefore a top priority for critical infrastructure organizations seeking to mitigate these risks.

It is recommended that a cyber security framework for national critical infrastructure include a comprehensive privileged account security program as a significant step towards mitigating the risks associated with advanced persistent threats. Some recommendations to consider around privileged account security for critical infrastructure include:

  1. Understand the privileged account problem and proactively secure privileged credentials, including user and application passwords and SSH keys
  2. Keep privileged credentials from people with malicious intent and keylogging malware by establishing a secure way to connect to critical assets without revealing passwords
  3. Establish a central point of control for accessing critical systems through the isolation of privileged sessions
  4. Monitor privileged sessions and establish workflows to terminate a session if malicious activity is suspected
  5. Leverage analytics tools that can help detect anomalous activity and alert security teams of in-progress attacks
  6. Don’t neglect security at the endpoint; gain control of application permissions on endpoints and servers to reduce the damage caused by malware


The move by the EU to establish a cyber security framework around critical infrastructure reflects the increasing risk of attack and the devastating impact that an attack could have on European infrastructure. Today, industrial enterprises increasingly view privileged account security as a strategic priority that must be included in a national cyber security strategy and deployed horizontally across critical infrastructure sectors.