Critical infrastructure needs Security Awareness training
Critical infrastructure becomes a topic of discussion whenever a hacktivist collective threatens cyber attacks. Recently, such announcements have been made more often by groups such as Killnet. Critical infrastructure covers the power supply, the transport of goods and raw materials, the water supply for the population, but also waste processing. In response to the growing threat to these critical infrastructure sectors, a directive was launched at the European level in the form of NIS-2, which national legislators must now transpose into national law before 17 October 2024. The directive would then apply from 18 October 2024. For the Netherlands, the Wet beveiliging netwerk- en informatiesystemen (Wbni, the Network and Information Systems Security Act) and its associated regulations are expected to be revised accordingly.
Written by: Dr. Martin J. Krämer - Security Awareness Advocate KnowBe4
According to the NIS-2, the industries that have been identified as essential include energy, transportation, banking, financial market infrastructure, and digital infrastructure. Public administration is also explicitly mentioned here. The category of critical sectors includes, for example, postal and courier services, digital service providers, but also manufacturers of medical equipment, mechanical engineering and vehicle manufacturing. The scope of NIS-2 will therefore entail changes compared to the classification of organisations in the existing Wbni.
Cooperation
Close cooperation between the government and the private sector is necessary to secure critical infrastructure. This is also evident from the joint approach in this area by parties from the national government such as the National Cyber Security Centre (NCSC) and the National Coordinator for Counterterrorism and Security (NCTV), cluster associations such as Cyberveilig Nederland (CVN) and Cyber Resilience Centre Brainport, and the various sector associations involved, all with a common goal: increasing cyber resilience and the resilience of critical infrastructures.
Companies with more than 50 employees or a turnover of more than €10 million are covered by the NIS-2 directive and must now also guarantee the Cyber Security of their supply chains. To this end, the directive strengthens cooperation in the EU between authorities and operators, while also strengthening jurisdiction. Organizations face higher fines and enforcement measures, which can amount to 10 million euros, depending on the industry. With a total of 18 industries, the directive also lists postal and courier services and research and development as critical areas.
Security Awareness Training
Senior management is forced to take responsibility for the maturity of Cyber Security and must place the risk assessment and treatment in good hands. This is necessary to prepare their organization for the new compliance requirements and to protect them from the increasing cyber attacks. An important measure is to organize regularly recurring Security Awareness Training. Management must set a good example and also participate in such training. After all, the NIS Directive suggests exactly such training for all employees to become more resilient and to maintain the all-important operation of the critical infrastructure in question.
This training has certain requirements and challenges. Not all employees have access to a computer or workstation. This makes it all the more important to design the training specifically for this target group and to make it available via mobile devices. Training and education should be designed for people with different skills, responsibilities, and talents. The content for technical positions differs from that for people in operational management and business management.
A good training program is not only aimed at training individuals, but also contributes to the further development of the entire organization. It is important to promote the security culture of the organization in a targeted way and to guarantee a certain level of Cyber Security knowledge for all participants. This requires continuous and ongoing training that meets the learning needs of individuals.
Conclusion
Security awareness training is necessary, especially for supply chain protection, and should be delivered throughout the value chain. Employees are therefore not only the first, but also the most important line of defense for organizations with critical infrastructure, provided they are prepared for this. After that, the further discussion about the implementation of NIS-2 in national legislation can follow with the necessary attention and calm.