[SystemSafety] Implementation of the EU NIS Directive

Martyn Thomas martyn at thomas-associates.co.uk
Sun Mar 11 19:29:54 CET 2018


The NIS Directive comes into force on 9 May 2018 throughout the EU. It
requires that EU countries must have Competent Authorities for each area
of Critical National Infrastructure and that these CAs must then ensure
the adequacy of cybersecurity of organisations that provide CNI services
(such as energy supplies and water) to a substantial proportion of the
population (in the UK, supplying 200,000 people is one threshold).

The intention is to assure the uninterrupted delivery of CNI services.
In the UK, the obligation is to have adequate protection and resilience,
which means that an operator can be fined for having inadequate
cybersecurity even if no incidents have arisen that actually interrupted
supplies. The penalties mirror those for GDPR - up to 4% of global turnover.

I'm at a loss to understand how the assurance by CAs can be done in
practice, because it seems to me to be a much harder challenge than
assuring safety, mainly because shut-down systems are a fundamental part
of safety system design and the NIS Directive requires that the CNI
/doesn't/ shut down but keeps operating. So the cybersecurity of every
system that could be used to trigger a shutdown is in scope for NIS
assurance.

Does anyone have relevant practical experience that they can share?

Regards

Martyn
