1 - White Paper Cyber Awareness: NIS2
Colophon

Information
T. @dutchdatacenter
E. [email protected]
W. http://www.dutchdatacenters.nl/

Contributors
Stijn Grove (DDA)
Pim Kokke (DDA)
Fred Streefland (Secior)
Sander Nieuwmeijer (Secior)
Arie van der Horst (Honeywell)
Arvind Bihari (Honeywell)
Martin Matse (ATS Global)

Marketing & Artwork
Zoë Derksen (DDA)
Shana Raghoebier (DDA)

Edition
Cyber Awareness: NIS2, April 2023

Our publications are available at www.dutchdatacenters.nl
© 2023
Disclaimer

Cyber Awareness: NIS2 (herein: "Report") presents information and data that were compiled and/or collected by the Dutch Data Center Association (all information and data referred to herein as "Data"). Data in this Report is subject to change without notice. Although the Dutch Data Center Association takes every reasonable step to ensure that the Data thus compiled and/or collected is accurately reflected in this Report, the Dutch Data Center Association: (i) provides the Data "as is, as available" and without warranty of any kind, either express or implied, including, without limitation, warranties of merchantability, fitness for a particular purpose and non-infringement; (ii) makes no representations, express or implied, as to the accuracy of the Data contained in this Report or its suitability for any particular purpose; (iii) accepts no liability for any use of the said Data or reliance placed on it, in particular for any interpretation, decisions or actions based on the Data in this Report. Other parties may have ownership interests in some of the Data contained in this Report. The Dutch Data Center Association in no way represents or warrants that it owns or controls all rights in all Data, and the Dutch Data Center Association will not be liable to users for any claims brought against users by third parties in connection with their use of any Data. The Dutch Data Center Association and its employees do not endorse or in any respect warrant any third-party products or services by virtue of any Data, material or content referred to or included in this Report.
Table of Contents
Introduction 4
NIS2 5
  What is the NIS2 Directive? 5
  Why NIS2 Directive? 5
  Who will be influenced by the NIS2 Directive? 6
  What industries are considered essential according to NIS2? 6
  Implications 7
  Liability 8
  Timeline 9
Cyber resilience 10
  Cases 10
Next steps 12
Join the Cyber Security Summit 14
APPENDIX 15
  References 15
  Important organizations 18
  About the authors 18
    Dutch Data Center Association 18
    Secior 18
    Honeywell 18
    ATS Global 19
Introduction

Data centers play a crucial role in modern society. They store, manage and process the large amounts of data used by governments, businesses and citizens; without them, our digital world and economy would not function. For these reasons, data centers are now counted among critical infrastructure, just like hospitals and utilities, and data center cybersecurity is critical to the security of, and trust in, our digital society. Because of their crucial position within the digital ecosystem, data centers and their suppliers will have to comply with the NIS2 Directive as of January 1, 2025. This European Union directive is the successor to the original NIS (Network & Information Security) Directive and was adopted to ensure the cybersecurity of organizations that belong to the critical infrastructure. Data centers will therefore need to take measures to protect themselves against cyber attacks. In this white paper, the Dutch Data Center Association (DDA), Secior, Honeywell and ATS Global explain what the NIS2 Directive will mean for your organization and what implications it will have. You will also read which steps you can take to increase the cyber resilience of your data center. In the context of this new legislation, the authors of this document, under the direction of the DDA, decided to organize a Cyber Awareness Summit on 23 May 2023. At this summit, several cybersecurity best practices will be presented and cybersecurity experts will share further insights, so that your organization can soon be fully compliant with NIS2.
NIS2

Cyber resilience is becoming more important, as cybercriminals can cause a lot of damage to business continuity. Besides the billions of euros of damage, the societal impact also needs to be considered. Systems are highly interconnected, so a small vulnerability in a data center system can lead to a major problem with potentially large consequences for society.
What is the NIS2 Directive?

The first Network and Information Security Directive (NIS) was the first EU-wide cybersecurity legislation; its specific goal was to achieve a high common level of cybersecurity in all Member States. Although it increased the cybersecurity capabilities of Member States, its implementation proved difficult, resulting in fragmentation at different levels of the internal market. To cope with the growing threats of digitization and the wave of cyber attacks, the European Commission put forward a proposal to replace the NIS Directive in order to strengthen security requirements, address supply chain security, streamline reporting requirements, strengthen oversight measures and tighten enforcement, including harmonized sanctions across the EU. The proposed expansion of the scope of NIS2, which effectively requires more entities and sectors to act, should raise the level of cybersecurity in Europe in the long term. Within the European Parliament, the dossier was assigned to the Committee on Industry, Research and Energy. The full name is "Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity in the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive)." NIS2, the new European cybersecurity legislation that replaces NIS, is applicable from 2023. SMEs that do not provide B2B ICT services appear to be exempted for now.
Why NIS2 Directive?

NIS2 was developed to better secure the essential chain of companies and institutions: everyone in a chain must start complying with NIS2. This new legislation is the perfect basis for any organization. So even if an organization is not required to comply with it (because it does not fall under the "critical infrastructure" category), NIS2 is recommended as a guide for every organization.
Who will be influenced by the NIS2 Directive?

It is not the size of your organization but how essential its business activities are that determines whether NIS2 applies. NIS2 looks at the activities of the organization itself and at the activities of all organizations with which it collaborates. If these include an organization from an essential industry, the collaborating organizations are designated as part of NIS2 and must comply with the legislation. Furthermore, NIS2 will also impact the clients of data centers, as they will have to demonstrate compliance to the data centers. The practical implementation of the latter is still in progress and further details will be communicated.
What industries are considered essential according to NIS2?

The industries already covered by the original NIS legislation are:
● Healthcare
● Transportation
● Infrastructure for banks and financial markets
● Digital infrastructure
● Water suppliers
● Energy
● Digital service providers

In addition to these original NIS industries, nine sectors were added to the NIS2 legislation:
● Food and beverages
● Networks
● Platforms
● Waste
● Space
● Data centers
● Government
● Critical manufacturing
● Postal services
Implications

Similar to the GDPR, NIS2 includes a penalty scheme, so organizations will need to have their affairs in order. Art. 32(6) states that every director of an organization must be authorized to take cybersecurity measures and that these directors can be held liable should they fail to do so. One consequence of NIS2 is tighter scrutiny of governance: failure to properly implement the regulation will have large consequences, and regulators will perform more inspections and audits. If these show that an organization is not compliant, various fines can be imposed. More will also be expected of the organizations themselves. For example, many organizations have a duty to report when an incident is detected, similar to the GDPR; this report must be submitted within 24 hours, followed by a final report one month later. Cyber threats must then also be reported. In addition, NIS2 forces you to sit down with your suppliers, because what if there is a cyber incident at one of them? Cybercriminals can attack your organization through the network of one of your (external) partners, so the way suppliers and partners have arranged their security directly affects your own security. Here too, risks must be identified and agreements made: who is liable for the (lost) costs in the event of a cyber incident? This must be regulated in contracts. Because cybersecurity is a specific discipline, it is advisable to use the expertise of a legal service provider specializing in it when making contractual arrangements. The new rules also introduce, for the first time, explicit governance requirements: the board of entities within the scope of NIS2 must approve and oversee measures for managing cybersecurity risks, and the board must undergo cybersecurity training.
Minimum security elements

As for the management of cybersecurity risks themselves, the proposed revision maintains the open standard that "appropriate" and "proportionate" measures must be taken given the state of technology and the risk involved. What is new is the addition of a few minimum basic security elements that must be observed in any case. These include the following measures:
• Risk analysis
• Incident handling
• Business continuity (backups, etc.)
• Supply chain security
• Security in acquiring, developing and maintaining IT/OT systems, including vulnerability management
• Policies and procedures to assess the effectiveness of cybersecurity measures
• Basic cyber hygiene and cybersecurity training
• Cryptography and encryption (if applicable)
• HR security, access control and asset management
• Multi-factor authentication where possible in the organization
Importantly, the NIS2 Directive, unlike the current NIS Directive, introduces explicit requirements for managing third-party risks in supply chains and supplier relationships, addressing one of the most important cybersecurity challenges today. The proposal provides that the European Commission will determine the technical and methodological specifications of the minimum requirements, and that entities can (and certain Essential Entities must) demonstrate compliance by obtaining cybersecurity certification pursuant to the recent EU Cybersecurity Act (CSA).

Reporting

Reporting requirements are also extended. All essential and important entities will be required to report incidents that significantly impact the delivery of their services. Within 24 hours of becoming aware of an incident, the entity must provide an early warning to the national Computer Security Incident Response Team (CSIRT). Within 72 hours, the entity must submit an incident report including the severity and impact of the incident. Finally, no later than one month after submitting the incident report, the organization must submit a final report that includes the following:
• a detailed description of the incident, including its severity and consequences
• the type of threat or root cause that likely led to the incident
• applied and ongoing mitigation measures
• where appropriate, the transboundary impact of the incident

Higher penalties & personal liability

The most salient element of the package of new measures is that EU member states may impose significantly higher administrative fines of up to at least €10 million or 2% of total global turnover (at company level), with the intention that these will also be more rigorously enforced.
In line with the stricter enforcement regime applicable to them, for essential entities in default, licenses may also be suspended or senior management might be suspended from performing their executive functions (in each case until necessary corrective action is taken). It remains unknown for now whether this will lead to potential directors' liability under law in The Netherlands.
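The three reporting deadlines described above (early warning within 24 hours of awareness, incident report within 72 hours, final report no later than one month after the incident report is submitted) are easy to lose track of in the middle of an incident. The following is an added example of a small deadline tracker; it is not code from the white paper or from any of its authors. It assumes timezone-aware UTC timestamps and reads "one month" as the same calendar day of the following month (clamped to that month's last day); the sample incident dates are constructed.

```python
"""NIS2 incident-reporting deadline tracker (constructed example, not the paper's code).

Assumptions: timezone-aware UTC timestamps; "one month" is read as the same
calendar day of the following month, clamped to that month's last day.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


def add_one_month(when: datetime) -> datetime:
    """Same day next month; 31 January becomes 28 (or 29) February (assumed reading)."""
    year, month = (when.year + 1, 1) if when.month == 12 else (when.year, when.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return when.replace(year=year, month=month, day=min(when.day, last_day))


@dataclass
class IncidentReporting:
    """Reporting state of one significant incident."""
    aware_at: datetime                              # moment the entity became aware
    early_warning_at: Optional[datetime] = None     # sent to the national CSIRT
    incident_report_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None

    def deadlines(self) -> dict[str, Optional[datetime]]:
        """Early warning 24 h and incident report 72 h after awareness.
        The final report runs one month from the incident report's submission,
        so its deadline is unknown (None) until that report is filed."""
        return {
            "early_warning": self.aware_at + timedelta(hours=24),
            "incident_report": self.aware_at + timedelta(hours=72),
            "final_report": add_one_month(self.incident_report_at)
            if self.incident_report_at else None,
        }

    def status(self, now: datetime) -> dict[str, str]:
        """Per report: 'submitted', 'submitted late', 'open', 'overdue' or 'pending'."""
        submitted = {
            "early_warning": self.early_warning_at,
            "incident_report": self.incident_report_at,
            "final_report": self.final_report_at,
        }
        result: dict[str, str] = {}
        for name, deadline in self.deadlines().items():
            sent = submitted[name]
            if sent is not None:
                result[name] = "submitted" if deadline is None or sent <= deadline else "submitted late"
            elif deadline is None:
                result[name] = "pending"      # deadline cannot be fixed yet
            elif now > deadline:
                result[name] = "overdue"
            else:
                result[name] = "open"
        return result


# Constructed sample: awareness on 31 January 2025, two reports already filed.
SAMPLE = IncidentReporting(
    aware_at=datetime(2025, 1, 31, 9, 0, tzinfo=UTC),
    early_warning_at=datetime(2025, 1, 31, 20, 0, tzinfo=UTC),
    incident_report_at=datetime(2025, 2, 2, 15, 0, tzinfo=UTC),
)
SAMPLE_NOW = datetime(2025, 3, 5, 12, 0, tzinfo=UTC)


def sample_status() -> dict[str, str]:
    """Status of the sample incident as of SAMPLE_NOW (the final report is overdue)."""
    return SAMPLE.status(SAMPLE_NOW)


if __name__ == "__main__":
    for name, deadline in SAMPLE.deadlines().items():
        print(f"{name:16s} deadline {deadline}  status {sample_status()[name]}")
```

The final-report deadline is deliberately left unset until the incident report is actually submitted, because the text ties it to that submission rather than to the moment of awareness; an organization that prefers a different reading of "one month" only has to change add_one_month.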
Liability

Once NIS2 is active, it will increase the (minimum) effort that organizations must devote to cybersecurity. Governments would be able to hold management personally liable if gross negligence is proven after a cyber incident. However, the security requirements are an open standard, so the discussion about personal liability will only arise if your shortcomings fail to meet the requirements in all respects. In addition, monetary compensations may be imposed on directors.
Timeline

Oct. 28, 2021: The European Commission approved its report.
Dec. 3, 2021: The European Council adopted its position.
May 13, 2022: Co-legislators reached preliminary agreement on the text.
Nov. 2022: European Parliament and Council reached formal political agreement.
Jan. 16, 2023: Agreement entered into force; European member states have until Oct. 17, 2024, to transpose NIS2 measures into national laws and regulations.
Jan. 1, 2025: All organizations covered by the 15 previously mentioned sectors must comply with the NIS2 Directive.
Cyber resilience

In the digital world as we know it today, we do many things more efficiently than 30 years ago. Millions of people, for example, now use applications on their devices for banking and communication, and we have become dependent on these services to keep improving efficiency. A major force behind this technological efficiency is the data center. Data centers are an important link in our infrastructure, so the failure of a data center can have major consequences for society: the loss of communications and banking services, for example, can be disruptive for societies and (local) economies. Data centers are thus an important link in the supply chain of critical infrastructure.

Data centers and the NIS2

Because of NIS2, data centers will be labelled as critical infrastructure. As described in the previous chapters, this means that additional requirements are imposed on data centers to improve their cyber resilience. Cyber resilience indicates the extent to which an IT environment is free from danger or damage caused by failure or breakdown of IT or by misuse. It is therefore necessary to continuously improve the overall level of cybersecurity, which in turn improves cyber resilience.

IT & OT

In a data center, systems such as climate control, power supply and access security are crucial for correct daily operations. These Operational Technology (OT) systems are increasingly remotely accessible and connected to a central management system. OT is separate from the IT systems running in the data center for, among other things, the data center's customers. The OT falls under the full responsibility of the data center owner, but it is not always clear which department is responsible for it: this may be the facilities department, for example, or it may be outsourced to a third party.
Because of this lack of clarity in accountability, among other things, it is not always clear what the level of cyber resilience of the OT systems in a data center is. Visibility in OT is important for data centers because the correct operation of typical OT systems such as climate control, power supply and access security is considered critical. Vulnerabilities in OT due to, for example, flaws in patch management, password policies or logical separation allow cybercriminals to cause interruptions in data center operations. Under NIS2, it is therefore necessary to focus not only on IT but also on OT cybersecurity. This means that the cybersecurity best practices already known in the IT world also apply to OT environments.
Cases

In recent years, data centers have become a prime target for cyber attacks. Cybercriminals are becoming increasingly sophisticated and are always looking for vulnerabilities in systems. There have been many instances where data centers have been targeted and their security breached. This has led to rising concern about cybersecurity and how to protect these systems from attacks.

DCIM systems

One example of the fact that data centers are vulnerable is the exposure of DCIM (Data Center Infrastructure Management) systems. Investigators from Cyble found over 20,000 instances of publicly exposed DCIM systems, which could allow anyone to change settings such as temperature and humidity thresholds or backup time intervals. This highlights the importance of adequate protection for data centers and the need for cybersecurity measures to be put in place.

Ransomware attacks are one of the main cyber attacks that have hit data centers. Ransomware is a type of malicious software that encrypts a victim's files, making them inaccessible until a ransom is paid. There have been several high-profile ransomware attacks on data centers in recent years. In 2019, a major US data center provider was hit by a ransomware attack, and in 2020 a global data center giant was also targeted. In 2022, a real estate management company's data center was hit by a ransomware attack, affecting the data of thousands of tenants. Asia has also seen a rise in cyber attacks on data centers from 2021 to 2023: several major firms in Asia have been hacked, compromising sensitive data. In February 2023, data center providers worldwide were warned about the growing threat of cyber attacks.

Physical infrastructure

Attacks on our physical infrastructure are also a growing problem. In 2022, a report highlighted the vulnerability of uninterruptible power supply (UPS) systems in data centers.
UPS systems are crucial for ensuring uninterrupted power supply to the data center's equipment, and a breach in their security could have severe consequences. In conclusion, the rising frequency of cyber attacks on data centers highlights the need for robust cybersecurity measures to be put in place. These attacks can result in data loss, financial losses, and reputational damage for data center providers. Therefore, it is essential for data center providers to take all necessary steps to protect their systems and the data they store.
Next steps

In this chapter, we discuss what steps your organization can take to comply with NIS2.

Step 1: Determine which systems are covered by NIS2

Deciding which of your Operational Technology (OT) and IT systems are within scope for NIS2 is the initial step towards successful compliance. Key questions include:
• What essential services is the organization providing?
• Does or might the organization fall within the scope of NIS2?
• What new requirements would the organization need to implement within the scope of NIS2?
• If the organization does not itself fall directly under the NIS2 scope, does it deal with suppliers or customers to which the new rules apply?
• What obligations should organizations attribute to their suppliers or business customers in their contractual arrangements?
As a result, understanding the regulatory requirements will be important for organizations not directly affected by the new Act. It will also be important to determine whether any additional local IT/OT security regulations need to be adopted because of any national regulations.
Step 2: Adopt cybersecurity risk management measures

Essential and important entities within the scope of NIS2 will be required to operate risk-based cybersecurity management systems and to take appropriate technical, operational and organizational measures to manage the risks posed to the security of their IT/OT assets, and to prevent or minimize the impact of incidents. Such measures must take a risk-based approach to protecting networks and systems and their physical environment. You can divide these measures into several parts:
• Inventory information systems
• Make a threat analysis
• Investigate which threats impact your business operations
• Prioritize security risks
• Draw up a security plan; control and mitigate
• Update the plan frequently (e.g., once per quarter)
During this step, references can be made to measures taken earlier, for example. From ISO 27001 or other certification, the necessary measures and reports are already in place for encryption, for example. In addition to building management systems, and the buildings themselves, OT and Internet of Things (IoT) applications can also be added to the scope of the measure inventory. For example, the rise of IoT often makes it easier to use sensors. But not all sensors have the same level of security built in. As a result, an incident could occur within your organization.
Step 3: Document all cases for compliance

Compliance requires substantiation of your organizational measures: if there is no documentation of your cybersecurity measures, there is no proof of compliance. Auditors can ask for a wide range of evidence when assessing an organization's compliance with NIS2. This step can be overwhelming, especially for organizations that are just starting their compliance journey. A holistic governance system not only aids in tracking progress and improving documentation, but also provides a multi-disciplinary perspective and a solid framework for managing cyber threats proactively and counteracting them both now and in the future.
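Steps 1 to 3 together describe one loop: inventory IT and OT assets, decide which are in scope, map threats to them, score and prioritize, plan controls, review the plan quarterly, and keep evidence an auditor can ask for. The following is an added example of a minimal risk register that walks through that loop; it is not code from the white paper or from any of its authors. The threat catalogue is drawn from the OT weaknesses named in the IT & OT chapter (patch management, password policies, logical separation); the asset names, scores, evidence paths and review dates are constructed sample data, and the likelihood × impact scoring is an assumed convention, not one the paper prescribes.

```python
"""Minimal NIS2-style risk register (constructed example, not the paper's code).

Walks the loop from Steps 1-3: scope assets, map threats, score and
prioritize risks, check the review cadence, and flag missing evidence.
Asset names, scores, dates and evidence paths are invented sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    domain: str        # "IT" or "OT"
    essential: bool    # supports an essential service -> in NIS2 scope (Step 1)
    owner: str         # accountable department; "unknown" is itself a finding


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int    # 1 (rare) .. 5 (expected); assumed scale
    impact: int        # 1 (negligible) .. 5 (service outage); assumed scale
    control: str       # planned or existing mitigation (Step 2: security plan)
    evidence: Optional[str] = None      # document proving the control (Step 3)
    last_review: Optional[date] = None  # when the entry was last reviewed

    @property
    def score(self) -> int:
        """Likelihood x impact; assumed convention used for prioritizing."""
        return self.likelihood * self.impact


REVIEW_INTERVAL = timedelta(days=91)   # "update plan ... once per quarter"

# Threat catalogue drawn from the OT weaknesses the paper names (assumed mapping).
OT_THREATS = {
    "patch management": "unpatched controller firmware exploited",
    "password policy": "shared or default credentials on management interface",
    "logical separation": "lateral movement from the IT network into the OT segment",
}


def in_scope(assets: list[Asset]) -> list[Asset]:
    """Step 1: only assets that support an essential service are in scope."""
    return [a for a in assets if a.essential]


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Step 2: highest score first; ties broken by asset name for stable output."""
    return sorted(risks, key=lambda r: (-r.score, r.asset.name))


def findings(assets: list[Asset], risks: list[Risk], today: date) -> list[str]:
    """Governance gaps an auditor would ask about (Step 3)."""
    out = [f"{a.name}: no accountable owner" for a in in_scope(assets) if a.owner == "unknown"]
    for r in prioritize(risks):
        tag = f"{r.asset.name} / {r.threat}"
        if r.evidence is None:
            out.append(f"{tag}: control '{r.control}' has no documented evidence")
        if r.last_review is None or today - r.last_review > REVIEW_INTERVAL:
            last = r.last_review.isoformat() if r.last_review else "never"
            out.append(f"{tag}: review overdue (last {last})")
    return out


# --- constructed sample data --------------------------------------------------
BMS = Asset("BMS-climate", "OT", essential=True, owner="unknown")
UPS = Asset("UPS-controller", "OT", essential=True, owner="facilities")
PORTAL = Asset("customer-portal", "IT", essential=True, owner="IT")
WEBSITE = Asset("marketing-website", "IT", essential=False, owner="marketing")
SAMPLE_ASSETS = [BMS, UPS, PORTAL, WEBSITE]

SAMPLE_RISKS = [
    Risk(BMS, OT_THREATS["password policy"], 4, 5, "MFA on BMS management interface",
         evidence=None, last_review=date(2025, 1, 10)),
    Risk(UPS, OT_THREATS["patch management"], 3, 5, "quarterly firmware patching",
         evidence="docs/ups-patch-log.pdf", last_review=date(2024, 9, 1)),
    Risk(BMS, OT_THREATS["logical separation"], 2, 5, "IT/OT network segmentation",
         evidence="docs/segmentation-design.pdf", last_review=date(2025, 3, 1)),
]
SAMPLE_TODAY = date(2025, 4, 1)


def main() -> None:
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.score:2d}  {r.asset.name:15s} {r.threat}")
    for f in findings(SAMPLE_ASSETS, SAMPLE_RISKS, SAMPLE_TODAY):
        print("FINDING:", f)


if __name__ == "__main__":
    main()
```

The register treats a missing owner as a finding in its own right, because the IT & OT chapter names unclear accountability for OT as a reason its resilience level is often unknown; a missing evidence path is a finding for the same reason Step 3 gives, that an undocumented control is not provable to an auditor.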
Join the Cyber Security Summit

To ensure you are as well prepared as possible for NIS2, we are hosting a special CyberSummit on Tuesday, May 23 (2:00 - 4:00 pm). During this afternoon we will discuss the white paper in detail and share various use cases that will broaden your knowledge about NIS2.

Save the Date!
Tuesday May 23, 2023
02.00 PM – 04.00 PM (including networking drinks after the summit)
Location: Dutch Data Center Association, Laarderhoogtweg 18, 1101 EA Amsterdam, The Netherlands
APPENDIX

References:

Abrams, L. (2020, 10 September). Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom. BleepingComputer. https://www.bleepingcomputer.com/news/security/equinix-data-center-giant-hit-by-netwalker-ransomware-45m-ransom/

Brik. (2023, 28 February). What is NIS2 and what does it mean for your organisation? Nomios Group. https://www.nomios.com/resources/what-is-nis2/

Cimpanu, C. (2019, 5 December). Ransomware attack hits major US data center provider. ZDNET. https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/

D. (n.d.). NIS2: de bredere, nieuwe Europese organisatie security wetgeving na NIS [NIS2: the broader, new European organisational security legislation after NIS]. https://www.fourtop.nl/blog/nis2-introductie

Engelfriet, A. (n.d.). Wordt de directie persoonlijk aansprakelijk voor IT-fouten onder de NIS2-richtlijn? [Will management be personally liable for IT failures under the NIS2 Directive?] Security.NL. https://www.security.nl/posting/781887/Wordt+de+directie+persoonlijk+aansprakelijk+voor+IT-fouten+onder+de+NIS2-richtlijn%3F

EU considers data centers as critical infrastructure. (2023, 20 January). Secior. https://www.secior.com/en/resources/uncategorized/eu-considers-data-centers-as-critical-infrastructure/

EUR-Lex - 32022L2555 - EN - EUR-Lex. (n.d.). https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX:32022L2555

Korolov, M. (2022, 6 April). Physical Infrastructure Cybersecurity: A Growing Problem for Data Centers. Data Center Knowledge. https://www.datacenterknowledge.com/security/physical-infrastructure-cybersecurity-growing-problem-data-centers

KS, G. (2023, 23 February). Researchers Warn of Cyber Attacks Targeting Data Center Providers Globally. Cyber Security News. https://cybersecuritynews.com/datacenterproviders/

Nationaal Cyber Security Centrum. (2022, 14 October). NIS2 Impact Study. Publicatie | Nationaal Cyber Security Centrum. https://www.ncsc.nl/documenten/publicaties/2022/oktober/13/index

NIS 2 Directive. (n.d.). https://www.nis-2-directive.com/

NIS2-richtlijn | Cybersecurity: voer voor de bedrijfsjurist [NIS2 Directive | Cybersecurity: food for thought for the corporate lawyer]. (2022, 1 June). Nederlands Genootschap van Bedrijfsjuristen. https://www.ngb.nl/nieuws/nis2richtlijncybersecurity-voer-voor-de-bedrijfsjurist

Secior: 3D-security voor datacenters [Secior: 3D security for data centers]. (2022, 28 October). DatacenterWorks. https://www.datacenterworks.nl/artikelen/secior-3d-security-voor-datacenters

Spring, T. (2023, 21 February). Two data centers used by major tech firms hacked. SC Media. https://www.scmagazine.com/news/cloud-security/datacenters-major-firms-hacked

Tesorion. (2023, 20 January). De drie belangrijkste stappen om uw bedrijf klaar te maken voor de NIS 2-richtlijn [The three most important steps to prepare your company for the NIS 2 Directive]. Tesorion Cybersecurity Solutions. https://www.tesorion.nl/nl/posts/de-drie-belangrijkste-stappen-om-uw-bedrijf-klaar-te-maken-voor-de-nis-2-richtlijn/

Toulas, B. (2022, 29 January). Over 20,000 data center management systems exposed to hackers. BleepingComputer. https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/

Van Buuren, E. (n.d.). Wat betekent de NIS2-richtlijn voor onze decentrale overheid? [What does the NIS2 Directive mean for our decentralised government?] Europa decentraal. https://europadecentraal.nl/praktijkvraag/wat-betekent-de-nis2-richtlijn-voor-onze-decentrale-overheid/

Zhang, M. (2023, 20 March). 365 Data Centers Hit with Alleged Ransomware Attack, Outage. Dgtl Infra. https://dgtlinfra.com/365-data-centers-ransomware-attack/
Important organizations

NCSC - National Cyber Security Centrum: https://www.ncsc.nl/
RDI - Rijksdienst Digitale Infrastructuur: https://www.rdi.nl/
About the authors Dutch Data Center Association The Dutch Data Center Association (DDA) is the trade association of data centers in the Netherlands, the bedrock of the Dutch economy. The DDA unites leading data centers in the Netherlands in a common mission: the strengthening of economic growth and the profiling of the data center sector to government, media, and society. More information: https://www.dutchdatacenters.nl/en/
Secior

Secior is a 100% Dutch cybersecurity company with a focus on cyber resilience within the data center industry. Secior offers NIS2 compliance and cybersecurity services, including a full-scale OT, IT & IoT vulnerability check and additional monitoring from a managed Security Operations Center (SOC), as well as NIS2 gap analyses, incident response, awareness training and specialist legal support. With a strong track record in designing, building and operating data centers across Europe, Secior combines this in-depth knowledge with extensive cybersecurity experience and proven security compliance methodologies from the demanding banking sector. More information: www.secior.com
Honeywell

As a pioneer in the Operational Technology (OT) space, Honeywell has over 100 years of experience in developing, configuring and maintaining OT systems. Honeywell's portfolio of cybersecurity software and services helps customers protect their OT environment and enhance their cybersecurity posture. As a trusted solution provider and industry leader, Honeywell takes a holistic approach to cybersecurity audits, helping you mitigate potential damage to your finances, operations and reputation. We offer cost-effective solutions, scalable in both size and customer cybersecurity maturity level, that help optimize the integrity, availability and safety of customer systems worldwide. More information: https://buildings.honeywell.com/us/en/solutions/services/cybersecurity
ATS Global At ATS Global, we understand that each data center is special with unique requirements. We are on a mission to provide data centers with an innovative and green Data Center Infrastructure Management (DCIM) solution. For this, we uphold three principles: sustainable, realistic and clean. More information: https://www.ats-global.com/nl/