The name says it all: organisations in critical infrastructure provide services that society depends on. When their daily operations are disrupted, the consequences can be severe, and they ripple out to individual people and to other companies. That does not necessarily mean such organisations are attacked more often, but it is an extra reason to make sure no attack succeeds.
Until now, these organisations have largely been responsible for their own cybersecurity, guided by sector regulations. That is changing: EU authorities are tightening their supervision with the RCE directive. What is the EU RCE, and how should critical infrastructure organisations prepare?
Resilience of Critical Entities
As OpenKRITIS puts it, the RCE “is the resilience baseline for EU operators”. EU member states apply criteria to determine whether an organisation counts as ‘critical infrastructure’ (a ‘critical entity’ in the directive's own terms). Examples are energy suppliers, transport services, drinking water and waste water, financial institutions, the health sector, public administration, and more. Such organisations will be assessed to see whether their resilience and risk management are up to par. If they fall short, in general or in specific areas, they can face a fine.
Before any IT team hastily starts checking its assets, note that the directive is not yet in force. OpenKRITIS: “RCE is EU legislation that still needs to be enacted by the EU. It will then be transposed into national law by EU member states.” That will take a while: member states are unlikely to start actively supervising critical infrastructure under the new rules before 2022, depending on their internal legislative processes. Under the Commission's proposals, both NIS2 and RCE then have to be transposed into national law within 18 months of entering into force.
How do external audits work?
The RCE was proposed alongside the NIS2 directive and is meant to be applied together with it, so that the two regulations bundle into one higher security standard. Strictly speaking, RCE covers the physical and all-hazards resilience of critical entities, while NIS2 covers their cybersecurity; in practice a critical entity will have to satisfy both. The combination also echoes the ongoing discussion about mandatory IT audits. Much like having your car serviced by a licensed garage, there are pros and cons to having your (critical infrastructure) organisation audited for its cybersecurity processes and general IT governance.
Critical entities are obliged to implement resilience measures and security controls. The level they have to meet depends on the type of services they provide and on the risks and threats they face. The EU defines the baseline; individual member states implement their own adapted versions.
What it comes down to is that all such organisations will have to prove they are in control of their attack surface: knowing which digital assets they have, where those assets are hosted (including at connected third parties), what risks they carry (including risks that come in via the supply chain), and which actions will mitigate the most relevant risks first.
The direct result of such a regulatory audit is a report with a list of items the organisation may need to work on, or better still, continuous insight into its live attack surface. This raises the cybersecurity maturity of the market as a whole. There is a long-term benefit too: because this is an EU directive, cooperation and information sharing between member states is built in, so organisations can learn from each other's best (and worst) practices, and cross-border incidents can be mapped in greater detail, giving a better view of how threats are developing.
Just as an auditor or a threat actor scans the attack surface from the outside in, organisations should look at their own IT infrastructure the same way. Whether the driver is regulatory pressure, security threats or digitalisation, the bottom line is the same: insight into the attack surface is central to all of it. To stay compliant with regulations, but more importantly, to stay secure.
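The two paragraphs above describe what "being in control of the attack surface" means in practice: knowing which externally visible assets exist and where each one is actually served from, so that assets at third parties and assets nobody can account for stand out. The script below is an added illustration of that first step, not code from the original article or from any product it refers to. It takes a constructed inventory of hostnames as an outside-in DNS pass would have produced it, compares every address against the organisation's own (assumed) public ranges, matches CNAME targets against an (assumed) list of contracted providers, and sorts everything into "own", "third-party" and "unknown". All hostnames, address ranges and provider names are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed: the public ranges the organisation itself announces. These are
# constructed documentation prefixes (RFC 5737 / RFC 3849), not real allocations.
OWN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Assumed: CNAME suffixes handed out by third-party providers the organisation
# has a contract with (constructed names).
KNOWN_PROVIDERS = {
    ".cdn.example-cdn.net": "ExampleCDN",
    ".hosting.example-saas.com": "ExampleSaaS",
}


@dataclass
class Asset:
    hostname: str
    cname: Optional[str]     # alias target if the name is a CNAME, else None
    addresses: List[str]     # A/AAAA answers as strings (empty if none)


def hosted_by(asset: Asset) -> Tuple[str, str]:
    """Classify one asset as 'own', 'third-party' or 'unknown', with a reason."""
    if asset.cname:
        for suffix, provider in KNOWN_PROVIDERS.items():
            if asset.cname.endswith(suffix):
                return "third-party", provider
        # An alias to something not on the provider list needs a human decision.
        return "unknown", "alias to " + asset.cname
    if not asset.addresses:
        return "unknown", "no address"
    # One flag per address: does it fall inside any range we own?
    inside = [any(ipaddress.ip_address(a) in net for net in OWN_RANGES)
              for a in asset.addresses]
    if all(inside):
        return "own", "all addresses in owned ranges"
    if any(inside):
        return "unknown", "mix of owned and foreign addresses"
    return "unknown", "addresses outside owned ranges"


def build_report(assets: List[Asset]) -> Dict[str, List[Tuple[str, str]]]:
    """Group assets by hosting category; 'unknown' is what an auditor asks about first."""
    report: Dict[str, List[Tuple[str, str]]] = {"unknown": [], "third-party": [], "own": []}
    for asset in assets:
        category, detail = hosted_by(asset)
        report[category].append((asset.hostname, detail))
    return report


# Constructed sample inventory, as an outside-in DNS pass would have produced it.
SAMPLE_INVENTORY = [
    Asset("www.example-utility.eu", None, ["198.51.100.10"]),
    Asset("status.example-utility.eu", "status.hosting.example-saas.com", ["192.0.2.77"]),
    Asset("assets.example-utility.eu", "d1234.cdn.example-cdn.net", ["192.0.2.200"]),
    Asset("old-portal.example-utility.eu", None, ["203.0.113.45"]),
    Asset("legacy.example-utility.eu", "legacy.former-vendor.example", []),
    Asset("ipv6.example-utility.eu", None, ["2001:db8:100::1"]),
]

if __name__ == "__main__":
    for category, entries in build_report(SAMPLE_INVENTORY).items():
        print(f"{category} ({len(entries)})")
        for hostname, detail in entries:
            print(f"  {hostname:<35} {detail}")
```

Everything that lands in "unknown" is the work list: a host answering from an address the organisation does not own, or an alias to a vendor nobody has on record, is exactly the kind of finding an external audit would raise, and the point of doing the pass yourself is to find it first. Feeding the script real data means replacing the constructed inventory with the output of your own DNS enumeration and the assumed ranges and provider list with the ones from your network and contract records.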
To find out more about the attack surface and how to stay in control of its risks, read our whitepaper on Attack Surface Management.