The European Parliament adopted the NIS 2 Directive (NIS 2) in November 2022 and a planned UK alignment is set to follow. NIS 2 replaces and repeals the existing NIS Directive, and aims to modernise the current legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape.
NIS 2 introduces reporting obligations across a number of new sectors and entities to improve cybersecurity risk management. With an October 2024 deadline by which to adopt and publish the measures necessary to comply with NIS 2, it’s important to determine what this means for security businesses working with, or wishing to work with, affected companies.
A network camera, for example, while used for both security and operational purposes across a range of industries that may come under the NIS 2 Directive, is not classed as a critical asset. This technically placed it outside the original NIS Directive’s scope. However, NIS 2 takes a more holistic view of every device connected to the network, since any one of them may represent a vulnerability through which an attack could be launched.
What steps, then, should security businesses, their partners, and customers be taking to ensure compliance?
Download the Axis Partner Briefing Paper on the NIS 2 Directive: https://www.emea-comms.axis.com/nis-2-directive-briefing
Demonstrating cyber maturity
To comply with NIS 2, a holistic approach is required that considers all possible threat vectors. Businesses that need to comply with NIS 2 are expected to carry out a greater level of due diligence on their technology partners. As part of this evaluation process and a vendor risk assessment, it is highly likely that policies and processes will play a much greater role.
Securing a network, its devices, and the services it supports requires active participation by the entire vendor supply chain, as well as the end-user organisation. For the physical security industry, working closely with customers and other stakeholders will help to ensure a joined-up approach that everyone can agree on. Dedicated tools, documentation and training will help mitigate risks and keep products and services up to date and protected.
Equally, end-users will now seek suppliers and/or vendors who follow appropriate policies and processes, as well as holding third-party certifications. It’s therefore imperative that physical security businesses can demonstrate cybersecurity compliance, for example by adhering to a Vulnerability Management Policy, holding ISO/IEC 27001 certification for Information Security Management Systems (ISMS), and holding Cyber Essentials Plus accreditation.
Device and system controls and hardening
Product integrity controls and features help to ensure that both hardware and firmware are protected from unauthorised change or manipulation. Signing a firmware image with the vendor’s private key, and having the device verify that signature before accepting an image, prevents firmware from being installed or upgraded unless it carries a valid signature from the vendor.
Secure boot builds on signed firmware: an unbroken chain of cryptographically validated software, starting in immutable memory, ensures that a device can boot only with authorised firmware. Signed video, likewise, ensures that video evidence can be verified as untampered: the video can be traced back to the camera from which it originated and shown not to have been modified or edited.
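The chain-of-trust idea behind secure boot is easier to see in code. The following is an added example, not code from the original article or from Axis: it simulates a boot ROM that holds a single pinned digest, where each stage image carries the digest of its successor, so one modified byte anywhere in the chain stops the boot at that stage. It uses SHA-256 digest pinning rather than public-key signatures so that it runs with only the Python standard library; a real device pins the vendor's public key in immutable memory and verifies a signature over each image instead. All stage contents and the helper names are constructed for the example.

```python
"""Verified boot chain simulation (added example, digest pinning in place
of signature verification)."""
import hashlib
import hmac

DIGEST_LEN = 32                       # SHA-256 output length
END_OF_CHAIN = b"\x00" * DIGEST_LEN   # trailer of the final stage


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(stage_codes: list[bytes]) -> tuple[bytes, list[bytes]]:
    """Build images last-stage-first so that each image ends with the digest
    of its successor. Returns (root_digest, images in boot order).

    root_digest is what a factory would burn into immutable memory (the
    analogue of the vendor public key in a signed-firmware scheme).
    """
    images: list[bytes] = []
    successor_digest = END_OF_CHAIN
    for code in reversed(stage_codes):
        image = code + successor_digest   # digest of the next stage is part of this image
        images.insert(0, image)
        successor_digest = sha256(image)
    return successor_digest, images


def verified_boot(root_digest: bytes, images: list[bytes]) -> tuple[bool, str]:
    """Act as the boot ROM: hand control to a stage only if its digest matches
    the value vouched for by the previous, already-verified stage."""
    expected = root_digest
    for idx, image in enumerate(images):
        if len(image) < DIGEST_LEN or not hmac.compare_digest(sha256(image), expected):
            return False, f"stage {idx} rejected"   # halt: unauthorised firmware
        expected = image[-DIGEST_LEN:]              # trusted because it is inside a verified image
    if expected != END_OF_CHAIN:
        return False, "chain truncated"             # a stage is missing after the last one seen
    return True, "boot ok"


def demo() -> dict:
    """Constructed scenario: bootloader -> kernel -> application."""
    root, images = build_chain([b"bootloader v1", b"kernel v1", b"camera app v1"])
    results = {"clean": verified_boot(root, images)}

    # Replace the kernel code but keep its trailer: the digest no longer matches.
    tampered = list(images)
    tampered[1] = b"kernel (modified)" + images[1][-DIGEST_LEN:]
    results["tampered_kernel"] = verified_boot(root, tampered)

    # Drop the application image entirely.
    results["truncated"] = verified_boot(root, images[:2])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Because every digest is read out of an image that has itself just been verified, trust flows forward from the immutable root and nothing later in the chain can be swapped, reordered or removed without detection.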
The aim of system hardening is to protect devices and systems against cyberattacks by reducing the attack surface – essentially closing off every possible point of entry that an attacker could use. Setting strong passwords, removing or disabling all superfluous drivers, services and software, and configuring system updates to install automatically are all recommended approaches.
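The hardening measures listed above can be turned into an automated check that runs against each device's configuration before deployment. The script below is an added example, not part of the original article or of any vendor tool: it audits a constructed camera configuration for default or weak credentials, services that are enabled but not on the device's required-service allowlist, and disabled automatic updates. The allowlist, the default-credential table, the 60-bit password threshold and the configuration keys are all assumptions chosen for the example.

```python
"""Device hardening audit (added example with constructed baseline and config)."""
import math
import re

# Assumed allowlist: the only services this camera needs to do its job.
REQUIRED_SERVICES = {"https", "rtsp"}
# Cleartext protocols that are flagged with an extra note when found enabled.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}
# Constructed table of factory default credentials to reject outright.
DEFAULT_CREDENTIALS = {("root", "pass"), ("admin", "admin"), ("admin", "")}
MIN_PASSWORD_BITS = 60.0   # assumed policy threshold


def password_strength_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of character pool used)."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def audit_device(config: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []

    for user, password in config.get("accounts", {}).items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"default credential on account '{user}'")
            continue
        bits = password_strength_bits(password)
        if bits < MIN_PASSWORD_BITS:
            findings.append(f"weak password on account '{user}' (~{bits:.0f} bits)")

    for service in config.get("services_enabled", []):
        if service not in REQUIRED_SERVICES:
            note = " (cleartext protocol)" if service in CLEARTEXT_SERVICES else ""
            findings.append(f"superfluous service enabled: {service}{note}")

    if not config.get("auto_update", False):
        findings.append("automatic updates disabled")

    return findings


# Constructed configurations: one as shipped, one after hardening.
AS_SHIPPED = {
    "accounts": {"root": "pass", "operator": "Cam3ra!Long-Phrase#2024"},
    "services_enabled": ["https", "rtsp", "telnet", "ftp"],
    "auto_update": False,
}
HARDENED = {
    "accounts": {"operator": "Cam3ra!Long-Phrase#2024"},
    "services_enabled": ["https", "rtsp"],
    "auto_update": True,
}

if __name__ == "__main__":
    for label, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(f"{label}: {audit_device(cfg) or ['compliant']}")
```

The findings list doubles as evidence for the due-diligence process described earlier: a partner can show which controls were checked and that the deployed configuration passed.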
While it’s unlikely that physical security systems will be classed as a critical asset as far as the scope of NIS 2 is concerned, it is important that organisations consider a holistic approach during the scoping of such technology.
To ensure the requirements of NIS 2 are met, physical security businesses must be able to deliver a system that is secure from both a physical and cybersecurity perspective. Stringent security measures, backed by policies and processes, tools, documentation and training, will help reduce risk, protect customers and create a smarter, safer world.