European Union NIS Directive Compliance
Overview
SIS’ bespoke approach towards the assessment of critical infrastructure enabled a UK power company to determine compliance to the EU NIS Directive, and to develop an improvement plan towards strengthening resilience to cyber threats.
Challenge
An electrical power generation company in the United Kingdom (UK), supplying a key proportion of the country’s energy needs, required specialised industrial cyber security advisory towards the assessment of critical networks and information systems (NIS), as part of obligations under the European Union’s NIS Directive. The Directive is the first EU-wide piece of legislation on cyber security and applies to sectors which are vital for the economy and society, providing services such as the supply of electricity, oil, gas and water and the provision of healthcare and transport – otherwise known as Operators of Essential Services (OES).
In accordance with the regulation, as an OES, SIS’ Client must take appropriate and proportionate security measures to manage risks to NIS. Cyber security risks must also be managed and actively monitored to ensure a resilient energy system, now and in the future.
To strengthen their cyber security posture and avoid penalties for the failure to adhere to the Directive, SIS’ Client required a self-assessment of security maturity and assistance with identifying security enhancement initiatives to ensure the company was resilient from the threat of cyber attack.
Solution
To increase the OES’ overall cyber security maturity and cyber resilience, SIS partnered and collaborated with the energy provider to identify critical NIS assets, and assess compliance to the Directive. SIS could then identify and implement an improvement plan to ultimately provide assurance that risks are being identified and managed appropriately and reasonably.
The establishment, maintenance and continual improvement of a robust Cyber Security Management System (CSMS) is fundamental in ensuring compliance with NIS requirements and OES’ ability to appropriately manage cyber security risks, in a pragmatically and systematically. The CSMS aligns with other internal management systems already established within the OES such as ISO 9001, and the supporting security architecture facilitates a fit for purpose cyber security controls implementation, to mitigate risk and provide resilience to cyber attack.
If you’d like to know more about our many years of experience in providing industrial cyber security solutions,
More Case Studies
| Sector | Scope |
|---|---|
| Power | SIS’ bespoke approach towards the assessment of critical infrastructure enabled a UK power company to determine compliance to the EU NIS Directive, and to develop an improvement plan towards strengthening resilience to cyber threats. |
| Oil & gas | Via a technical vulnerability and risk assessment of OT infrastructure for a gas pipeline company, SIS successfully assisted the gas pipeline company to understand their current-state risk posture in order to determine what an appropriate risk appetite (risk level) is, and the prioritisation of mitigation actions in order to reduce the level of risk exposure to cyber threats |
| Transport | SIS’ industrial cyber security audit services enabled a government statutory authority to benchmark the security posture of state transport agencies, identifying cyber security risks and prioritisation of key actions for risk mitigation. |
| Water | As a result of SIS’ Operate and Maintain services, a regional water agency in Australia was able to implement a Cyber Security Management System (CSMS) provides the organisational rigour to ensure infrastructure is resilient to escalating cyber threats, and ensuring the right security controls are in place to mitigate risk. |
| Mining | SIS adopted a top-down, risk-driven approach to develop an enterprise-wide security architecture for a resources company, driven by, and integrated with the organisation’s broader business strategy, focused on technology optimisation to deliver secure mine operations. |
| Critical Manufacturing | SIS’ industry-leading industrial cyber security training was able to help a metals manufacturer create a stronger culture of security, harmonising with the organisation’s rigorous safety culture, fostering a commitment to industrial cyber security from plant operators and administrators, encouraging users to act responsibly and thus operate more securely |
| Health | SIS’ specialist industrial cyber security testers applied the latest exploit tools and techniques to perform stress and penetration testing of network connected medical device technologies, to assess risks to the reliability of devices, and ultimately the safety of patients. |