Complying with the NIS 2 Directive to help customers secure critical assets

Axis Communications’ Steven Kenny takes a look at the latest cybersecurity compliance regulation – the NIS 2 Directive – and what security businesses should be doing to prepare.

The European Parliament adopted the NIS 2 Directive (NIS 2) in November 2022 and a planned UK alignment is set to follow. NIS 2 replaces and repeals the NIS Directive that established cybersecurity requirements for the operators of essential services (OES) and digital services providers (DSP).

NIS 2 modernises the EU's existing legal framework to keep pace with increased digitisation and an evolving cybersecurity threat landscape; it strengthens cybersecurity risk management and introduces reporting obligations across a number of new sectors and entities.

With an October 2024 deadline by which to adopt and publish the measures necessary to comply with NIS 2, it’s important to determine what this means for security businesses working with, or wishing to work with, affected companies.

A network camera, for example, while used for both security and operational means across a range of industries that may come under the NIS 2 Directive, is not classed as a critical asset.

This technically places it outside the Directive’s scope. Yet such a device nevertheless represents a vulnerability through which a malicious threat actor could launch an attack. What steps, then, should security businesses, their partners and customers be taking to ensure compliance?

Demonstrating cyber-maturity

The new directive eliminates the distinction between OESs and DSPs; instead, it classifies businesses as either essential or important and uses a size-cap rule to determine which medium and large-sized entities fall within its scope. To comply with NIS 2, a holistic approach is required that considers all possible threat vectors.

It is expected that those businesses that need to comply with NIS 2 will have to carry out a greater level of due diligence on their technology partners. As part of this evaluation process and a vendor risk assessment, it is highly likely that policies and processes will play a much greater role.

Securing a network, its devices and the services it supports requires active participation by the entire vendor supply chain, as well as the end user organisation. For the physical security industry, working closely with customers and other stakeholders will help to ensure a joined-up approach that everyone can agree on. Dedicated tools, documentation and training will help mitigate risks and keep products and services up-to-date and protected.

Equally, end users will now be seeking to work with those suppliers and/or vendors who follow appropriate policies and processes, as well as holding third party certifications.

It’s therefore imperative that physical security businesses can demonstrate, for example, that they adhere to a Vulnerability Management Policy, hold ISO/IEC 27001 certification for their Information Security Management System (ISMS) and hold Cyber Essentials Plus accreditation.

Device, system controls and hardening

Product integrity controls and features help to ensure that both hardware and firmware are protected from unauthorised change or manipulation. Signing a firmware image with a private key means that firmware which does not carry a valid signature from that key cannot be installed or used as an upgrade.

Additionally, secure boot, based on the use of signed firmware, consists of an unbroken chain of cryptographically validated software, starting in immutable memory, that ensures a device can boot only with authorised firmware. A move to the use of signed video ensures that video evidence can be verified as untampered, making it possible to trace the video back to the camera from which it originated and verify that the video has not been modified or edited.
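The following is an added example (not Axis code or any vendor's image format) that models the two mechanisms above: an image is accepted only if its signature verifies against the public key the device holds, and a secure boot chain hands trust from a root key in immutable memory to each later stage. The image layout (payload followed by an Ed25519 signature, with each chained payload starting with the next stage's public key) is constructed for illustration; the same sign-then-verify principle is what lets signed video be traced back to its camera and checked for modification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not a vendor format): image = payload ||
// Ed25519 signature; in a boot chain each payload begins with the next stage's public key.
var errBadSig = errors.New("firmware rejected: signature missing or invalid")

// signImage runs in the vendor build pipeline, the only place the private key lives.
func signImage(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(priv, payload)...)
}

// verifyImage runs on the device, which holds only the public key: a tampered
// payload, a stripped signature or an image signed with another key is refused.
func verifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	n := len(image) - ed25519.SignatureSize // negative means no signature present
	if n < 0 || !ed25519.Verify(pub, image[:n], image[n:]) {
		return nil, errBadSig
	}
	return image[:n], nil
}

// bootChain models secure boot: pub starts as the root key held in immutable memory and
// each verified stage hands its embedded key on. It returns how many stages were accepted.
func bootChain(pub ed25519.PublicKey, stages [][]byte) (int, error) {
	for i, img := range stages {
		payload, err := verifyImage(pub, img)
		if err != nil || len(payload) < ed25519.PublicKeySize {
			return i, fmt.Errorf("stage %d: %w", i, errBadSig)
		}
		pub = ed25519.PublicKey(payload[:ed25519.PublicKeySize])
	}
	return len(stages), nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	appPub, appPriv, _ := ed25519.GenerateKey(rand.Reader)
	loader := signImage(rootPriv, append(append([]byte{}, appPub...), "bootloader v1"...))
	app := signImage(appPriv, append(make([]byte, ed25519.PublicKeySize), "app fw v1"...))
	fmt.Println(bootChain(rootPub, [][]byte{loader, app})) // 2 <nil>
	app[0] ^= 1 // one flipped payload bit: boot now stops at stage 1
	fmt.Println(bootChain(rootPub, [][]byte{loader, app}))
}
```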

The use of system hardening processes aims to protect and secure devices and systems against cyber-attacks by reducing the attack surface – essentially protecting all possible points of entry that could be used by an attacker. Creating strong passwords, removing or disabling all superfluous drivers, services and software and setting system updates to install automatically are all recommended approaches.

The likelihood of unauthorised or unauthenticated user access is further reduced by applying a zero trust policy, in line with the National Institute of Standards and Technology’s (NIST) risk management framework, which promotes a “never trust, always verify” approach to any request for systems access.

While it is very unlikely that physical security systems will be classed as a critical asset as far as the scope of the NIS 2 Directive is concerned, it is important that organisations consider a holistic approach during the scoping of such technology.

Physical security businesses, working closely in partnership with supply chains and customers, can deliver a system that is secure from both a physical and cybersecurity perspective, while helping to meet NIS 2 requirements. Stringent security measures, backed by policies and processes, tools, documentation and training, will help reduce risk and keep customers protected.

Click here to read the NIS 2 Directive – Axis briefing paper to support cybersecurity compliance.
