Resilience can be described as the ability to anticipate, identify, respond to, absorb and recover from setbacks. It’s something that we’re familiar with as a positive trait in people, but it’s now being demanded by law as an attribute of organizations playing a role in providing services and resources vital to society and the functioning of economies. In this post, we look at the reasons why resilience needs to be embedded in the operations of critical entities and through their entire value chains.
The ways in which any organization’s operations can be interrupted are numerous and growing each day.
The proliferation of cyberattacks driven by the “commercialization” of ransomware is another obvious example. But not all potential interruptions come from criminal intent. Human error and accidents remain the most common cause for operational interruption.
A shortage of raw materials and disruption to globally interconnected supply chains can also have an immediate impact. I’m sure we all remember the chaos caused when the Ever Given cargo ship became stuck in the Suez Canal for six days in 2021. The list continues with issues as broad as failure in key machinery and processes, to geopolitical conflict, trade wars, and more.
The need for resilience has therefore become a priority for all organizations. For those delivering any aspect of a nation’s critical infrastructure, however, resilience has become so important that it’s become a regulatory imperative.
For this reason, the focus has broadened from “critical infrastructure” to “critical entities”, thereby encompassing any organization that plays a role, however small, in supporting a growing list of industries defined as being central to a nation’s economic or societal well-being.
The increasing regulatory demands for critical entities
In Europe, the cybersecurity-focused NIS2 Directive and the broader Critical Entity Resilience Directive (CER) are now being enacted as law in EU member states. These both place significant demands on organizations defined as “critical entities”. These are those organizations involved in any way in providing what are regarded as essential services in upholding key societal functions, supporting the economy, ensuring public health and safety, and preserving the environment.
The two regulations are deeply connected. It’s the first time that two regulations are affecting the same and clearly defined list of critical entities. Not only that, but the laws also apply to the entire supply chains of these organizations, considerably extending the impact of the regulations.
Defining (and proving) “resilience”
The European Commission’s CER Directive defines resilience as a “Critical Entity's ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident.”
The definition itself highlights the breadth of the requirements. Further, when the variety and number of causes for potential disruption of operations is also considered, added to the need to ensure an organization’s supply chain supports this definition of resilience, the scale of the challenge becomes clear.
At a fundamental level, critical entities must show that they have a comprehensive understanding of all the potential risks to which they are exposed. These risks range from a physical attack on infrastructure to a failure of a critical piece of machinery or component, and everything in between.
Comprehensive risk assessments, and the potential cost of breaches
Critical entities need to carry out risk assessments of the evolution of those risks every four years, once again assessing all relevant risks that could disrupt the provision of their essential services.
Inevitably, the risk assessments carried out by critical entities themselves will also highlight the role in resilience of their own supply chains. This will create a “waterfall effect” of risk assessments, as critical entities’ own efforts to meet the demands of regulations in relation to resilience require their suppliers to demonstrate a similarly robust approach.
Should an incident occur that interrupts provision of essential services, critical entities must prove that they had taken the appropriate steps to avoid, respond to, and recover from the incident.
Should such essential entities be found in breach or having failed to properly consider and prepare for all risks, the potential penalties are significant. NIS2 defines potential fines of up to 10 million euros, or 2% of the total worldwide annual revenue for the previous financial year of the parent company or group to which the critical entity belongs, whichever is higher. The penalties for breaches of CER will be for individual nation states to define but could easily be of similar size to those of NIS2.
Openness in communication is another demand of the regulations. Any incidents need to be reported, and reports shared openly and transparently regarding the nature of the incident, the response and resolution. This is in the interests of other organizations learning from the experience and being able to adjust their own approaches to mitigating risks.
Supporting the need for resilience with network technologies
In meeting the need for resilience, critical entities are rethinking the use of IP-based technologies they already have in place – including video surveillance cameras, audio devices, access control solutions, intercoms, environmental sensors and more – alongside increasingly advanced analytics capabilities.
Almost every aspect of the definition of resilience can be supported by such technologies, including initial risk assessments themselves. The data and metadata created by network video and other connected devices and sensors can be analyzed to build awareness of almost every situation that could present a risk, an essential factor in providing the proof of resilience demanded by regulation.
Thanks to advances in image quality and AI-enabled analytics, the ability to more accurately identify issues of all kinds ahead of time has been greatly enhanced. The digital stream of information created, when properly managed, increases overall awareness, which is key to anticipating and avoiding issues. Automated alerts enable rapid response and focused action, meaning that threats and potential issues can be addressed before they become incidents.
Mitigating the entire risk landscape
While traditional security use cases are an obvious example of where video surveillance has played a central role, a better understanding and ability to analyze the environment supports numerous use cases in health and safety, and operational efficiency.
Being employed to add an extra layer of transparency in production areas, the combination of sensors - video, audio, and thermal - can give early warning of issues in critical assets, such as key machinery or processes. This allows for remediation ahead of potential failure, and the data collected over time will support predictive maintenance of critical assets.
Failures in adherence to relevant health and safety processes also represent a significant risk, with any incident likely to cause an interruption to operations. Robust access control – ensuring that only authorized personnel are admitted to sensitive areas of a site – alongside analytics to ensure that appropriate health and safety measures are being adhered to, are just two examples of how network technology can help mitigate internal risks.
Physical attacks by external parties often grab the headlines, but most incidents that cause interruptions to operations are the result of internal actions or failures, usually innocent but sometimes deliberate. For example, studies have consistently shown that human error is responsible for the vast majority of cyberattacks, and the same is often true of health and safety incidents, failure in machinery, or supply chain bottlenecks.
Cybersecurity remains a key area of risk
It’s essential that any technologies used by critical entities support the organization’s overall security posture and help reduce the risk of cyberattack. A device designed to secure one aspect of a critical entity’s operations should not present a risk or vulnerability itself. Devices should be both secure by design and have processes in place to keep them as secure as possible throughout their lifespan, with vendor and critical entity working in close partnership.
This is being increasingly mandated by regulation, both broad and specific. These include the European Cyber Resilience Act, which applies to any electronic device connected directly or indirectly to a network, from a smart speaker in the home to a server in a data center, to those such as CER and NIS2 with more specific relevance to critical entities. Working with vendors that demonstrate a clear commitment to transparency around cybersecurity is essential.
Resilience now a must have, not an option
Every organization should have an interest in increasing resilience. At best, any interruption to operations can have a short-term impact on profitability. At worst, it can threaten the organization’s entire business. The costs can be direct and indirect, tangible and intangible, predictable and unforeseen. The cost to an organization’s reputation over the long-term can far outweigh the short-term financial impact.
In relation to critical entities - from healthcare to finance, from water treatment to energy - regulators have recognized the seriousness of the potential impact of interruptions in the supply of these services. A threat to profitability is one thing: a threat to public health is another entirely.
The new regulations should be seen as a positive, but the work required to meet them cannot be underestimated. While larger critical entities and organizations have started the journey, many others across the critical infrastructure supply chain have not. The regulations cover a vast number of small- and medium-sized businesses, many of which may lack the knowledge, expertise, and capability to comply with them. Third-party expertise and skills are available to help, but demand for these may well soon outstrip supply. The time to act is now.
