
Organisations Evaluate Security Testing & Vulnerability Management as Compliance Deadline for NIS2 Approaches

27 Mar 2024
James Duggan

Organisations across industries, including healthcare, manufacturing and finance, are evaluating the next steps to comply with NIS2. In case you’re not familiar, NIS2 is the most comprehensive European cyber directive yet. It contains strict requirements for risk management and incident reporting across a wide range of sectors, with hard-hitting penalties for organisations that do not comply. 

For a bit of background, NIS2 is an EU-wide Directive aimed at strengthening cybersecurity measures; it went into effect in January 2023. The sweeping directive requires member states to publish “the measures necessary to comply” by 17 October 2024, with the application of those measures starting the next day. At first glance, NIS2 requirements appear to align closely with the calls for increased cyber resilience made by the UK and US governments last year. Those governments each stressed resilience, meaning the ability to repel cyber attacks or to bounce back from breaches when they do occur, as essential for critical infrastructure.

NIS2: The Essentials

In a nutshell, NIS2 mandates that essential and important entities (defined as having 250 employees and an annual turnover of €50M, or 50 employees and an annual turnover of €10M, respectively) implement 10 baseline security measures to address specific types of cyber threats and attacks. The minimum measures cover security incident handling, operational continuity and supply chain security assessments. To get a proper handle on these areas and comply with NIS2, prompt planning and new processes may be in order for organisations’ own teams, their Managed Security Service Providers (MSSPs) or others in their cyber-vendor pool.

In this post, we’ve considered four of those key security measures:

  1. Risk assessments and security policies for information systems.
  2. Security in the procurement, development and operation of systems, including policies for handling and reporting vulnerabilities.
  3. The use of multi-factor authentication, continuous authentication solutions, voice, video and text encryption, and encrypted internal emergency communication, where appropriate.
  4. Security around supply chains and the relationship between the company and each direct supplier. Companies must choose security measures that fit the vulnerabilities of each direct supplier, and then assess the overall security level across all suppliers.

NIS2: A Scenario for Cyber Security Success

Consider this hypothetical scenario. Terra Enerjía, a renewable energy provider in Spain, supplies solar and wind power to Castile-La Mancha, a region with more than 2 million Spanish households. Terra Enerjía employs 2,700 people and is growing at a rate of 3% annually. Up until now the business has thrived, with few cyber incidents, none of which were customer-impacting. Last week, Javier, the firm’s head of IT and cybersecurity, received the dreaded alert that a competitor in the traditional energy sector had been breached.

Hackers had accessed the software behind a web application used to regulate residential energy usage in homes north of Madrid, with the potential to cause blackouts in many neighbourhoods. The energy regulator for Spain and Portugal sent an emergency bulletin to all energy providers on the Iberian Peninsula instructing them to start testing for the vulnerability and to stay vigilant for active exploitation by hacker groups known to target the energy sector.

While Javier’s team is small, last year they started planning for the approaching NIS2 deadline. Eight months ago the team engaged the Synack Platform to run Open Vulnerability Discovery continuously, along with pentesting, the third-party testing of suppliers required by NIS2, and Synack’s Attack Surface Discovery to maintain visibility of new assets and an accurate inventory for testing.

The Synack Red Team identified an urgent vulnerability in a web application used by a supplier to Terra Enerjía. The vulnerability had been present in their attack surface 10 days prior to the public alert. Synack recommended a patch and then validated the remediation carried out by the internal cyber team. This spared Javier’s team stress and potential fines, as they were already in line with NIS2’s baseline security measures.

Looking ahead, the firm plans to take advantage of Synack’s Splunk integration to correlate ongoing Synack security test findings with threat intel feeds and other detection data in the SOC. This will help them prioritise faster by bringing vulnerability data together with detection and response, so that the root causes of many of Terra Enerjía’s cyber weaknesses and vulnerabilities can be fixed.

Continuous Security Testing that Finds Vulnerabilities, Provides Mission-Critical Reporting & Tracks Improvements Over Time

A common theme of the NIS2 Directive is that cybersecurity teams should become more proactive, both in their culture and in their actions. Improving culture and action takes time, but with the right platform and technology, organisations can meet the deadline and reduce their attack surface in the process.

For more than 10 years, the Synack Platform has been counted on to deliver continuous penetration testing with enhanced reporting and vulnerability management, backed by the Synack Red Team, a community of 1,500+ expert penetration testers. Synack not only provides software patch verification; it also empowers essential services to find vulnerabilities and close the loop by identifying their root causes so they can be addressed.

Synack was built to enable adversarial testing that drives down risk for many organisations. As a core component of the platform, Synack supports four of the 10 measures required by NIS2. These overlapping solutions cover a view of the attack surface through Synack’s attack surface management solution; continuous security testing that quickly identifies vulnerabilities and potential risks; testing for specific CVEs; and risk scoring and reporting that help organisations prioritise fixes so that the highest risks are remediated first (with patches verified by Synack).

Additionally, on-demand tests and continuous testing can be integrated into SIEM and XDR tools, data lakes or other technologies with the Synack API. Finally, the security level of suppliers can be assessed via approved third-party pentesting, with patterns and deficiencies visualised for gap analysis and board- or oversight-level reporting.

Whatever sector you’re in, we hope this post has conveyed the importance of continuous security testing for critical sectors aligning to a zero trust architecture and/or NIS2. Synack can help you accomplish that, and you can learn more about the Synack Platform here.