View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Critical Infrastructure Security: “The NIS Directive Sucks”

Lack of vulnerabilities sharing creating "both a black and a white market"

By CBR Staff Writer

The EU directive on the security of Networks and Information Systems (known as the NIS Directive) “sucks” according to Jaya Baloo, the CISO of the Netherland’s KPN Telecom, speaking at an FT-sponsored event on critical infrastructure security this morning.

The multiple award-winning cybersecurity executive was sitting on a panel of industry experts at Siemens headquarters The Crystal, in London’s Docklands. She hit out at the directive for absolving hardware and software providers of responsibility for vulnerabilities.

Neither industry qualifies as a digital service provider under the legislation, she noted: “The NIS says hardware and software don’t need a cert. The NIS Directive sucks”.

The elephant in the critical infrastructure security room, meanwhile, is the fact that the protection industry tries to provide across an IT and OT landscape is compromised by intelligence and law enforcement agencies who aren’t disclosing 0days, she added.

“There is no vulnerabilities equity process. No sharing. If we want critical infrastructure security we need law enforcement and intelligence to share the info they know. Otherwise we are just creating both a white and a black market for vulnerabilities.”

Threats Mounting, Forward-Thinking Vital

The comments came amid an intense panel discussion on the best approach to securing critical infrastructure in an increasingly perilous online environment.

The CISO of Italian utility Enel, Yuri Rassega was among those emphasising the need for regular and extensive penetration testing to build resilience.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

He said: “We do around 400 deep vulnerability tests on our critical assets every year. It’s not true that you can’t carry out vulnerability tests on live systems. That’s absolutely the wrong idea. We had zero WannaCry infections and we have a presence in 37 countries. We had zero infection because of preparation. This needs commitment from top management; you need to embed a security framework as if it were a constitution.”

NCSC – “We’re Here to Help”

Earlier, the CEO of the UK’s National Cyber Security Centre (NCSC) Ciaran Martin, emphasised that the centre was there to help support industry.

“Even richest company in the room is not expected to defend itself against an attack from the most sophisticated nation state adversary,” he said.

“We run 22 different information exchanges with industry. There are formal and informal mechanisms to engage with us.”

He also emphasised that attention needed to be paid to social media as a potential weakest link.

Referring to a 2009 G20 summit at which announcements were made to bail out banks (which he described as a “festival of cyber espionage”) an unnamed adversary compromised a system through the credentials of “an obscure official in the bowels of government”.

“We couldn’t understand how he had been found. Someone younger on the team said ‘is he on Twitter’? Sure enough, on his bio he said he was working on G20 preparations…”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.