Practical solutions for compliance with the NIS directive
Five years after the advent of the NIS Directive, Operators of Essential Services (OSEs) still have work to do to meet its compliance requirements. In the meantime, a revised version of the Directive has appeared (NIS 2, published in January 2023), aligned with the current evolution of threats and technology.
According to the provisions of the European Commission, the next stage is the adoption of the technical and methodological norms for compliance in the various sectors of activity that fall under the scope of NIS 2. By October 17, 2024, the new Directive is to be transposed into the legislation of the Community countries and become active.
To help operators of essential services align with the present and future requirements of the NIS Directive, Safetech Innovations organized a webinar describing the NIS requirements and the services and technical solutions needed to comply with them.
The recording of the webinar “Practical solutions for compliance with the NIS Directive transposed by Law 362/2018” can be watched
Planning and auditing
The first part of the webinar was presented by Marinel Stanilă, manager of the Audit, Risk and Compliance Department at Safetech Innovations, who summarized the actions an operator of essential services must take to comply with the NIS requirements over two years of activity.
For an operator of essential services, security management is a continuous process that involves multiple recurring actions, from the notification of entry in the OSE register to the presentation of an audit report at a six-month term. The process is repeated every two years, with the revision of the register and the provision of a new audit report. At the same time, within 60 days of entry in the register, the operator must implement the interconnection with CERT.RO. This interconnection allows the organization to receive information about security incidents and to take action accordingly.
The Safetech expert presented a step-by-step guide with all the necessary actions for this two-year cycle:
• Inventory of assets
• Analysis of the risks generated by the operational activity
• Procedural controls for compliance with SMSI (Information Security Management System)
• Technical controls and implementation of objectives
• Human resources training
• Analysis and verification of indicators
• Accreditation and accountability of management
• Continuous monitoring and revision of controls to maintain the security level
These stages correspond to technical actions that include the implementation of a specific NIS security architecture with various software and hardware mechanisms.
Safetech’s approach is structured around four main directions of action:
• Building an organization-wide security management system,
• Implementation of appropriate organizational and technical measures,
• Permanent monitoring of the security level,
• Periodic testing of the organization’s resilience capacity.
Through this integrated approach, Safetech supports operators of critical services to achieve compliance goals, monitor and reduce risks, and improve organizational resilience.
In projects, Safetech relies on an integrated management system, which offers a 360-degree perspective on IT security. The company has the knowledge, skills and ability to implement a security architecture compliant with NIS requirements, the main pillars being a deep understanding of the regulatory framework and knowledge of the best practices in the security industry. Moreover, Safetech has the ability to detect security gaps and vulnerabilities in the IT/OT systems of essential service operators.
Solutions and services
The second presentation from the webinar was given by Mihai Rauţă, manager of the Security Solutions department at Safetech. The presentation highlighted the security solutions and services needed to meet the requirements and ensure compliance with the NIS Directive. According to the legislation, security systems can be deployed and managed locally by the operators of essential services, or integrated into a CERT (Computer Emergency Response Team) and operated by a partner such as Safetech. (https://safetech.ro/ro/sti-cert-ideal-solution-monitoring-cybersecurity-incidents/)
The webinar summarized the security solutions recommended for NIS compliance – endpoint and mobile device security solutions, perimeter and data center security, incident detection and response – for both IT and OT/SCADA environments and highlighted the need to integrate them into a unitary and functional architecture, through a SIEM (Security Information and Event Management) system.
The Safetech portfolio includes next-generation products based on artificial intelligence and machine learning, as well as associated services, offering practical solutions to the most common challenges faced by security departments.
The solutions presented were:
• Cynet 360 – XDR platform for automating security operations at the level of the entire organization, that provides extensive detection and end-to-end protection (https://safetech.ro/ro/blog/cynet_xdr_platform/)
• Microsoft Defender for IoT – solution dedicated to the protection of Industrial Control Systems and OT environments
• Darktrace Cyber AI Loop – solution based on machine learning algorithms to improve the ability to detect vulnerabilities and the most advanced cyber attacks
• Check Point Quantum NGFW, Spark, Lightspeed, and Maestro – solutions that centralize and simplify the management of security instances through a single console (https://safetech.ro/ro/blog/check-point_maestro_hyper-scalability_in_cybersecurity/)
Safetech is a certified partner of Check Point, Microsoft, Cynet and Darktrace and offers the aforementioned solutions as “turnkey systems”. For projects related to the compliance with NIS requirements transposed by Law 362/2018, Safetech Innovations provides design, installation, configuration, training, project management, maintenance and optimization services.
In over 12 years of activity, Safetech has carried out numerous compliance audit projects for the financial-banking, insurance, pension fund and insurance broker sectors, and for companies in sectors such as energy, utilities, public administration, health, transport, etc. The experience accumulated in more than 25 finalized projects of compliance with the NIS Directive ensures the optimal value delivered by Safetech to its clients.
For more information on how Safetech Innovations can support you in aligning with the requirements of the NIS Directive, we invite you to schedule a discussion with a Safetech Innovations representative at [email protected] or by phone at 021 316 05 65.