Regulations

Main Findings:

In "When the future meets the past: can safety and cyber security coexist in modern critical infrastructures?", we argue that the implementation of Network and Information Systems Security Directive is the first step in the integration of safety and security through novel risk management practices. Therefore, it is the move towards legitimising the modernisation of critical infrastructures. But we also show that security risk management practices cannot be directly transplanted from the safety realm, as cyber security is grounded in anticipation of the future adversarial behaviours rather than the history of equipment failure rates.

We present our argument in four parts. First, by establishing that safety-security integration was key for engineers accepting the modernisation agenda. Second, by outlining collective risk management practices that enabled diverse practitioners to collaborate (risk thinking hivemind, diversity in expertise, trust in collaborations). Third, by highlighting how practitioners borrowed elements from safety culture and incorporated it to security (harmonised threat and incident reporting, maintenance contracts). Fourth, by cautioning that epistemic and material differences between the old world of legacy technologies and novel big data tools pose limits to the future of critical infrastructures modernisation (namely, engineers trained to reason in prescriptive terms, secrecy in cyber, differing logics of risk assessment between safety and security professions).

In "Reconfiguring governance: How cyber security regulations are reconfiguring water governance", we argue that the Network and Information Systems Regulations acts as a 'boundary object' that gathers diverse communities of practice, enabling collaboration without the need to establish common goals. The image below theorises the relationship between boundary objects and standards.

In the process of transposing the EU NIS Directive into the sectoral and national context, NIS requires interpretation by diverse expert communities. We show how translating the regulatory scope to the sectoral landscape involves prioritising some water governance goals over others. As expert communities converge in their collaboration practices, their priorities align or stand in tension with public interests. We argue that cyber security regulations have potential to reconfigure water governance by refocusing strategic priorities away from traditional concerns of environmental governance. The following tables provide the analysis of 1) different beneficiaries of cyber security in the context of critical infrastructure (water) regulations; 2) Examples of translations of best practice from IT to OT.

We inquired into five instances of collaboration in the water industry cyber security landscape. We analysed whether they help or hinder with the alignment of NIS and public interest. See the table below for more details:

In "Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures", we found that the emerging field of Operational Technology Security is yet to formulate its norms, standards and career trajectories.

We identified a number of security tropes. We define them as widely held beliefs which require a further level of detail before they can be successfully applied to the OT context. Due to the combination of rhetorical qualities like generalisation, ambiguity and strong normativity, they lead to the creation of advice which can be easily marketed at mass scale. As they’re quite vague, they can appeal to professionals from diverse backgrounds.

The tropes identified are: 1) Separation means security; 2) IIoT is inevitable; 3) Security solutions are the same across the sectors; 4) Raising awareness leads to security.

We presented a classification of cyber security practices mapping the diversity of policy interpretations: 1) Compliance; 2) Workaround; 3) Going above and beyond policy remit; 4) Negotiation. This classification questions a common assumption that infrastructure operators merely comply with regulations. In fact, they take a very active role in shaping NIS.

Policy Recommendations:

• Recommendation 1 (for CNIs operators deciding on improvement plans): Know about and protect yourselves against threats which circumvent air-gapped systems. Check whether alternatives to air-gapping comply with safety standards.
• Recommendation 2 (for regulatory bodies overseeing NIS): Align the timescales of innovation funding, regular upgrades and NIS improvement plans. When approving price reviews for network upgrades, seek robust evidence for the claims on the operational benefits of proposed innovations.
• Recommendation 3 (for CNI operators responsible for cyber security training): Tie the training to employees’ personal concerns to make it relatable and interesting. Do not rely on "awareness" alone - complement it with other training methods. Above all, place “awareness” in the usability context of daily work; i.e. plant supervisors have different concerns to admin staff.
• Recommendation 4 (for all stakeholders): Practitioners should pay continuous attention to the idea of “translation” across IT and OT as well as across the sectors to improve their capabilities of policy formulation and interpretation. This will ensure that the scope and latter auditing of NIS pertains both OT and IT and that the improvements are tailored to each system.
• Recommendation 5 (for all stakeholders): We recommend that security practitioners ought to improve their capabilities in the areas of human and social factors of technology, so they while implementing NIS, they do not compromise on other public values such as privacy, sustainability or equity.
• Recommendation 6: The bottom-up involvement of experts in Operational Technologies, Safety Engineering and Environmental Politics experts is key to ensure a NIS implementation is inclusive of water governance issues.
• Recommendation 7: Security experts in Operational Technologies ought to train themselves to better communicate business benefits of security measures.
• Recommendation 8: We encourage the formation of sector-specific informal working groups for sharing information about NIS implementation, security maturity and evolving threats. Such groups ought to have clear terms of reference and scope to enable trustworthy information sharing.
• Recommendation 9: Following the translation of high-level NIS Directive into sector-specific assessments, regulators should reflect on residual spaces left unaccounted for by the emerging standard.

Project team:

Prof. Awais Rashid (PI), Dr Dirk van der Linden (Co-I), Dr Sveta Milyaeva (Co-I), Dr Ola Michalec (PDRA). We were funded by the Research Institute in Trustworthy Inter-connected Cyber-Physical Systems (RITICS).

Outputs:

• Journal article: "When the future meets the past: can safety and cyber security coexist in modern critical infrastructures?". 2022. By Michalec, O., Milyaeva, S. and Rashid, A. In: Big Data and Society. Full text
• Journal article: "Reconfiguring governance: How cyber security regulations are reconfiguring water governance". 2022. By Michalec, O., Milyaeva, S. and Rashid, A. In: Regulation and Governance. Full text
• Journal article: "Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures". 2022. By: Michalec, O., van der Linden, D., Milyaeva, S. and Rashid, A. In: Symposium on Usable Privacy and Security. Full text

Main Findings:

In the report "What’s next for the NIS Regulations? Findings from the RITICS Fellowship", we investigate the Cyber Assessment Framework (CAF) introduced in the NIS Regulations. It is designed as a guidance outlining desired outcomes of good cyber security practices that facilitate independent risk management among the Operators of Essential Services. However, my project found a paradox regarding the use of CAF. Despite being designed to guide independent risk assessment and discourage ‘box ticking’, in some cases, CAF has been used as a prescriptive document, outlining exactly what needs to be achieved for compliance. This was justified with poor understanding of industrial assets and associated security risks across the Operators. We argue that outcome-based regulations are more likely to be successful once the stakeholders identify and apply a set of baseline security improvements. Such improvements ought to be benchmarked across the sector, linked to the traditional requirement of safety, and culturally accepted by Operational Technology engineers. The diagram below illustrates the paradox of CAF deisgned as 'outcome-based' document, yet in practice treated as 'prescriptive guidance'.

My project found that the implementation of NIS is the first step to integrate safety and security through novel risk management practices observed in our fieldwork, such as broadening of threat and incident reporting scope to include security incidents and safety accidents. Successful implementation of NIS involves a variety of collaborations, e.g., across managers and technical professionals, across the operators, and across safety and security experts, as shown on the figure below.

However, we also show that security risk management practices cannot be directly transplanted from the safety realm. This is because cyber security is grounded in anticipation of the future uncertain adversarial behaviours, while safety risk management relies on a long history of data on equipment failure rates. As such, we call for exercising care while transplanting concepts from ‘safety culture’ into the realm of cyber security. Going forward, we recommend that NIS stakeholders encourage collaborative practices to implement NIS and advance security at a societal level, rather than working at organisational level only.

In the guidance Resolving anti-patterns, written collaboratively with the Industrial Control Systems Community of Interest, we identified five 'anti-patterns' (or poor practices), common in OT environments. We unpicked the thinking behind those anti-patterns, explains why they are examples of poor practice and proposed better alternatives. The anti-patterns analysed in the report are: 1) Flat, unsegmented/unsegregated architectures; 2) Uncontrolled access to ICS/OT networks; 3) Lack of authentication and data security; 4) Inaccurate asset inventory; 5) Unchecked backups.

Policy Recommendations for Competent Authorities:

• Recommendation 1: Encourage voluntary sector-wide initiatives to benchmark responses to the NIS Regulations.
• Recommendation 2: Provide reassurance and remove the stigma from reporting incidents and vulnerabilities.
• Recommendation 3: Highlight the overlaps between the NIS Regulations and commonly accepted sector-specific safety guidelines and standards.
• Recommendation 4: Be cognizant of the cultural differences between safety and security which limit the potential for harmonisation, i.e. prescriptive thinking of safety engineers or secrecy of security practitioners.
• Recommendation 5: Clarify communications about the aims of Cyber Assessment Framework, i.e., specify whether the document serves the purpose of compliance or independent risk assessment.

Policy Recommendations on the Cyber Assessment framework:

• Recommendation 6: Competent Authorities to clearly communicate the aim of self-assessments to the operators as well as the executive boards (i.e., CAF as a way to identify gaps, manage risks and agree on implementation plans). As a result, operators will not under pressure to achieve ‘green’ Indicators of Good Practice at all costs.
• Recommendation 7: Competent Authorities to emphasise the need to evidence operators’ cyber security journey over time. The evolution of cyber security posture over time is more important than self-assessing an outcome as ‘green’.
• Recommendation 8: Competent Authorities to highlight the need to continuous maintenance of ‘green’ CAF status. Operators ought to include CAF cyber security measures as their business-as-usual and prepare a long-term program of maintaining good cyber security outcomes.
• Recommendation 9: In the future, CAF inspections should move towards the analysis of emerging risks, gaps and evaluating operators’ responses over time.

Policy Recommendations regarding the scope of NIS in the UK:

• Recommendation 10: The UK Government ought to balance between the proposed broadening of the scope of the EU NIS2 and advancing maturity of safety-critical systems.
• Recommendation 11: The UK Government should share the strategic directions with regards to the future of NIS to enable alignment with similar initiatives.
• Recommendation 12: The UK Government ought to respond to the dilemma between achieving a common baseline and proactive risk management.
• Recommendation 13: All stakeholders should consider the cascading effects on small operators that currently do not fall under scope, especially as interoperability and digitalisation initiatives are under way.
• Recommendation 14: The UK Government ought to balance between the proposed broadening of the scope (DCMS, 2022) and advancing maturity of safety-critical systems.
• Recommendation 15: The UK Government should share the strategic directions with regards to the future of NIS to enable alignment with similar initiatives (e.g., standardisation of Energy Smart Appliances (BEIS, 2022)).
• Recommendation 16: The UK Government ought to respond to the dilemma between achieving a common baseline and proactive ‘outcomes-based’ risk management. A consideration of two-tier regulatory measures ought to take place to address this dilemma.
• Recommendation 17: All stakeholders should consider the cascading effects on small operators that currently do not fall under scope, especially as interoperability and digitalisation initiatives are under way (BEIS, 2022).
• Recommendation 18: Future UK Government activities ought to prioritise communicating clarity in the strategic direction. We need a timely response to the EU proposals on NIS2 to enable harmonisation at the international level and cross-referencing NIS to upcoming standards (e.g., consumer IoT security) and sectoral security initiatives (e.g., Energy Smart Appliances). We can expect renewed discussions on scope, incident thresholds and the notion of the ‘appropriateness and proportionality’.

Project team: Dr Ola Michalec (Fellow)

Outputs:

• Report: "Resolving Anti-Patterns in Industrial Control Systems Environments". 2023. Contribution to the Report by the National Cyber Security Centre Industrial Control Systems Community of Interest. Full text
• Report: "What’s next for the NIS Regulations? Findings from the RITICS Fellowship". 2023. Michalec, O. Full text