At 3.30pm on December 23, 2015, denizens of Ivano-Frankivsk, a city in the west of Ukraine, were thinking about the end of the working day. Operators at the region’s Prykarpattyaoblenergo control centre, a facility that provides thousands of local residents with power, were also close to the conclusion of their shifts. Then disaster struck.
One worker, while tidying his desk before the trudge home through the icy streets, did a double-take as the mouse cursor on his computer whizzed across the screen without his touch. First he watched in disbelief and then powerless panic as the cursor began to navigate through the system masterfully. The invisible user closed down substations, switching off lights and heat for thousands of people, in a trice.
Hackers successfully hit two other Ukraine power stations at the same time and managed to take almost 60 substations offline, leaving close to quarter of a million people in the dark, literally, for hours.
The Ukranian city of Ivano-Frankivsk, where the first verified hack to disable power stations occurred
This was the first verified hack to disable power stations, though it was far from the last cyberattack on critical national infrastructure. For instance, in America the levels of chemicals used to treat tap water were altered at a plant in 2016. Closer to home, the worldwide WannaCry ransomware attack, which lasted four days in May 2017, affected the UK’s National Health Service, among numerous other targets, and further damaged the efficiency of already-embattled hospitals, with staff being forced to revert to using pens and paper.
In a bid to limit such attacks, the Network and Information System (NIS) Directive was approved by the European Union in August 2016. The legislation became enforceable in the UK from May 10 this year, the same month as the much-publicised General Data Protection Regulation (GDPR) was launched, with 20 other EU member states working within similar timelines.
The NIS directive aims to ensure operators in passenger and freight transport, water, energy, health and digital services are prepared to deal with the increasing numbers of cyberthreats. It primarily applies to organisations identified as operators of essential services with compliance overseen by the sector regulator and/or responsible government departments acting as the competent authorities.
The directive concerns loss of service rather than loss of data, which falls under the GDPR. The penalties can be just as punishing, though. Organisations that fail to implement effective cybersecurity measures, as outlined by the directive, could be fined as much as £17 million-plus. In addition, they could fall foul of double jeopardy if the incident also relates to a breach of personal data, so it is possible they will be fined, under the GDPR, up to 4 per cent of their global turnover or £20 million, whichever is greater.
In January, the National Cyber Security Centre (NCSC), the government organisation tasked with shoring up the country’s digital defences, distributed instructive documents designed to explain the NIS. According to the guidance: “Network and information systems, and the essential services they support, play a vital role in society, from ensuring the supply of energy and water, to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities.”
Nik Whitfield, chief executive of Panaseer, a London-based organisation that claims to monitor some of the world’s most prominent companies’ technology estates, says: “The NIS Directive is so important because you are only as safe as your weakest link. Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on United States water utilities and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that cybersecurity incidents can have on the economy, a society and an individual’s welfare.”
But would the NIS directive have prevented the attacks? “In today’s digital world, there is no such thing as 100 per cent secure,” says Mr Whitfield. “It’s always easy, with the 20/20 vision you have when looking back, to say things could be prevented in a perfect world.
“The fact is there is the perfect world and then there is the real world. In the real world, there are limited budgets and resources, which get in the way of best practice. If you are to stand a genuine chance of combating threats successfully and addressing myriad compliance issues facing all industries, you need a different playbook.
It is not a stretch to think that at least some of the major security breaches could have been avoided if all organisations followed the guidelines set out in the NIS Directive
“With limited budgets and resources, and demands for insight and proof, organisations must move from firefighting – detecting, monitoring and responding – to fireproofing – preparing and protecting.”
Matt Lock, UK director of sales engineers at New York-headquartered software organisation Varonis Systems, says: “It is not a stretch to think that at least some of the major security breaches could have been avoided if all organisations followed the guidelines set out in the NIS Directive.
“A subset of organisations repeatedly fail to take basic cybersecurity measures and perform updates on their IT systems – and that’s exactly what happened with WannaCry. The NHS reverted to pen and paper because they failed to patch their operating system when they were hit by a ransomware attack.
“Requiring that organisations to take the appropriate technical and organisational measures to prevent cyberattacks and ensure continued operation of their systems is a step in the right direction.”
When the NIS directive came into force, NCSC chief executive Ciaran Martin urged organisations to protect themselves against those who would do us harm, adding: “The government is committed to making the UK the safest place to live and do business online, but we can’t do this alone. Every citizen, business and organisation must play their part.”
