[SystemSafety] Implementation of the EU NIS Directive

Martyn Thomas martyn at 72f.org
Sun Mar 11 21:30:25 CET 2018 

Thanks Chris, but the HSE operational guidance can’t be used for admin systems and the shutdown problem remains - unless you can see a solution. 

Regards

Martyn

> On 11 Mar 2018, at 19:26, Chris Johnson <christopher.johnson at glasgow.ac.uk> wrote:
> 
> Hi Martyn
>   I have been supporting aspects of implementation in the U.K. for transport and energy.   The relevant departments (DfT and BEIS) are still working through the details of what this means; including reporting thresholds for each sector. 
> 
>  I think it will be sufficient in the early days to show alignment with the NCSC principles published a couple of weeks ago.  However, they are overly general and the interpretation in specific industries remains to be seen.
> 
> None of this answers your question but I do think the HSE SCADA guidance, that you were involved in, is a good step forward.
> 
> Also the level of fines are (I believe) set by member states, with Germany choosing €400k - 
> 
> All the best
>   Chris
> 
> 
> 
> C.W. Johnson, 
> Professor and Head of Computing, University of Glasgow
> 
>> On 11 Mar 2018, at 18:29, Martyn Thomas <martyn at thomas-associates.co.uk> wrote:
>> 
>> The NIS Directive comes into force on 9 May 2018 throughout the EU. It requires that EU countries must have Competent Authorities for each area of Critical National Infrastructure and that these CAs must then ensure the adequacy of cybersecurity of organisations that provide CNI services (such as energy supplies and water) to a substantial proportion of the population (in the UK, supplying 200,000 people is one threshold).
>> 
>> The intention is to assure the uninterrupted delivery of CNI services. In the UK, the obligation is to have adequate protection and resilience, which means that  an operator can be fined for having inadequate cybersecurity even if no incidents have arisen that actually interrupted supplies. The penalties mirror those for GDPR - up to 4% of global turnover.
>> 
>> I'm at a loss to understand how the assurance by CAs can be done in practice, because it seems to me to be a much harder challenge than assuring safety, mainly because shut-down systems are a fundamental part of safety system design and the NIS Directive requires that the CNI doesn't shut down but keeps operating. So the cybersecurity of every system that could be used to trigger a shutdown is in scope for NIS assurance.
>> 
>> Does anyone have relevant practical experience that they can share?
>> 
>> Regards
>> 
>> Martyn
>> _______________________________________________
>> The System Safety Mailing List
>> systemsafety at TechFak.Uni-Bielefeld.DE
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20180311/c66f184c/attachment-0001.html>

More information about the systemsafety mailing list