An Identity Security Approach to NIS2 Readiness

December 9, 2022 David Higgins

With its new and improved Network and Information Security Directive, NIS2, the European Union joins a growing list of governments around the world that are enacting stronger cybersecurity mandates to protect critical infrastructure.

NIS2 was formally adopted by EU Member States and the European Parliament last month. Now comes the complicated part: All 27 countries must transpose the Directive. Only time will tell exactly how NIS2 guidance gets folded into country-specific laws, such as KRITIS in Germany, or the rules governing opérateurs de services essentiels (OSE) in France. But recent attacks have made one thing clear: Traditional perimeter-based security models — conceived to control access to trusted enterprise networks — aren’t suited for the digital era. Consider that in 2022:

Zero Trust Architectures Protect Against Modern Cyber Threats

Today’s defenders must be able to verify, manage and secure identities continuously to prevent breaches. NIS2 guidance promotes Zero Trust principles, which assume that all identities (human and machine) are implicitly untrusted and must be authenticated and authorized regardless of network or location. Unlike a traditional perimeter-based security model, a Zero Trust architecture:

  • Protects cloud-based IT and OT systems as well as on-premises IT and OT systems
  • Defends against inside threats as well as external threats
  • Provides inherent security for remote workers and mobile users

As a core pillar of Zero Trust, Identity Security provides a consistent point of security control beyond the perimeter. It limits access to the human or machine identities that need it and only grants the minimum privileges required. This includes continuous authentication to validate a user’s entire session — not simply a single multifactor authentication request — and monitoring user behavior to identify when an identity has been compromised.

Identity Security to Improve NIS2 Readiness

If your organization falls within the scope of NIS2’s broadened parameters, reviewing these eight Identity Security steps can help you improve NIS2 preparations and advance Zero Trust initiatives:

1. Assess your security posture. Though security leaders say credential theft is their No. 1 area of risk, many organizations still assign and track identities manually, making it difficult to understand their true security posture. A security assessment can help identify areas of weakness, such as unmanaged passwords, misconfigured or dormant accounts or machines that are highly susceptible to credential theft attacks.

2. Take steps to safeguard privileged access. Adversaries exploit powerful, privileged accounts to orchestrate attacks, take down critical infrastructure and disrupt essential services. In response, NIS2 guidance promotes limiting administrator-level access accounts and regular password changes, among other foundational cyber hygiene recommendations. To fulfill requirements, covered entities will likely need to implement or strengthen privileged access management controls such as vaulting and rotating credentials, isolating privileged sessions and auditing privileged activities. Automating access decisions, for instance, by enabling just-in-time privileged access, can help streamline these compliance requirements while measurably reducing risk.

3. Proactively protect against ransomware. A 2022 European Union Agency for Cybersecurity (ENISA) report found that ransomware accounts for more than 10 terabytes of stolen data monthly. As ransomware attacks continue to increase in frequency and severity, Member States are urged to develop ransomware policies as part of their national cybersecurity strategies. In preparation for stricter security rules, it would be wise for organizations to focus on locking down critical endpoints (servers, VMs, etc.) by removing local admin rights and implementing policies that help prevent lateral movement and privilege escalation as part of a defense-in-depth approach.

4. Assume breach and put analytics to work. Breaches will happen — that’s a given. Detecting threats and responding quickly is key to minimizing the “blast radius” when they do. Consider how AI and machine learning can aid in risk modeling and scaling detection capabilities, for instance, to immediately spot when a privileged user suddenly tries to access credentials at an unusual time of day or from an unusual location.

5. Scrutinize your supply chain. Take a look at your current third-party vendor assessment, onboarding and ongoing risk management processes. Do you have a clear sense of how each vendor is securing its own systems and how they’re accessing your environment and sensitive resources? In particular, managed services providers (MSPs) have become prime attack targets because of their close integration with operations and warrant heightened scrutiny. Consider your third-party vendors’ DevSecOps practices as you consider your own: What steps are they taking to protect applications, automation tools and third-party software? It’s important to note that while NIS2 doesn’t directly impact small businesses they will be bound by the due diligence and requirements of covered entities within their supply chain ecosystem.

6. Formalize and test your incident response plan. NIS2 calls for faster incident reporting — with the first of several reports due to authorities within the first 24 hours of an incident. If you haven’t already, formalize an incident response plan and test it regularly. Like regulatory bodies, cyber insurance carriers are evaluating data backup practices and incident response plans to understand how quickly organizations can restore operations in the wake of an attack.

7. Prepare your people. The continued barrage of impersonation and spear-phishing attacks targeting high-value identity credentials necessitates a change in culture. Teams and departments must be regularly educated on cybersecurity best practices. If you haven’t rolled out a cybersecurity training program, now’s the time to do so.

8. Step up voluntary information sharing. Thankfully, not every threat results in theft or damage. Yet information sharing is an important part of critical infrastructure protection. Take advantage of intelligence from the threat research community, while doing your part to contribute information on indicators of compromise (IOCs) and vulnerabilities. Though this is not likely to become a compliance mandate, increased collaboration is key to moving cybersecurity forward.

If you’re looking for more tips on assessing your organization’s current strategy and tackling identity-related risk to meet NIS2 compliance requirements, check out the CyberArk Blueprint for Identity Security Success.

Our team will continue to track NIS2-related developments to help EU businesses navigate changing compliance requirements. If you have questions in the meantime, please get in touch — we’re here to help.

Previous Article
Latest Uber Breach Underscores Third-Party Vendor Security Challenges
Latest Uber Breach Underscores Third-Party Vendor Security Challenges

Uber is back in the spotlight, this time for a breach involving a third-party vendor. According to reports,...

Next Article
NIS2 to Boost Cybersecurity Requirements for Many EU Businesses  
NIS2 to Boost Cybersecurity Requirements for Many EU Businesses  

On November 28, 2022, NIS2 officially replaced the European Union’s Network and Information Security (NIS) ...