Editorial

How NIS2 makes vulnerability management a necessity

Matthew Sciberras, CISO – VP of Information Security & Information Technology, Invicti explores how vulnerability scanning can help organisations comply with the impending landmark regulations in the form of NIS2.

Posted 12 June 2024 by Christine Horton


NIS2 is due to pass into law across the European Union by October this year and is set to change the security landscape of the entire single market.

One of the EU’s most fundamental purposes is to smooth the passage of business and people across European borders. To wit – NIS2 is a recognition that, from a security point of view, we are all connected, and it applies to a wide variety of organisations deemed crucial to the proper functioning of business and public life within the EU. NIS2 prescribes basic guidelines for the security of network and information systems; the handling of encryption; risk management and analysis; and the policies and procedures required for incident response.

Above all, it will make European organisations – and their international partners – think very closely about the complex web of relationships and technical dependencies that they maintain. It is that need for secure interconnection which makes compliance depend on a focus on vulnerability management and supply chain security.

Vulnerability management

Vulnerability management should be a key point of focus for organisations that need to comply with NIS2. Section 58 of NIS2’s preamble text notes, “since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying such vulnerabilities is an important factor in reducing risk. Entities that develop or administer network and information systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered.”

As such, the NIS2 regulation compels organisations to test their security measures regularly with vulnerability assessments. Organisations will have to start actively and comprehensively scanning their environments, infrastructure and applications for vulnerabilities, setting up management programmes to do so and documenting their efforts. They will also have to build, manage and document policies and procedures for sharing those vulnerabilities with the relevant parties and authorities.

The Supply Chain

Another crucial aspect of NIS2 is its focus on supply chain security. The document makes it clear that vendors, partners and third parties will have to provide a sufficient level of resilience in order to account for the potential security issues that might arise and endanger the broader supply chain. Section 85 of the preamble notes that compliant organisations “should therefore assess and take into account the overall quality and resilience of products and services, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures.”

Compliant organisations will be required to assess the security of their supply chains including, as Article 21 continues, “security-related aspects concerning the relationship between each entity and its direct suppliers or service providers.” That means a partner without the necessary resilience may not be able to transact with NIS2-compliant entities, for fear of throwing those entities out of compliance.

The problem: Vulnerabilities in the Supply Chain

Organisations attempting to comply with NIS2 may face a mounting problem in this area. More and more vulnerabilities are emerging throughout the software supply chain. The demand for new software is at an all-time high, and this has placed incredible pressure on the software development process and the developers at the centre of it. As they chase smaller and smaller release windows, security suffers. According to Invicti data, developers will often skip crucial security steps due to the pressure to release fast. As a result, many applications reach production with baked-in vulnerabilities. Given that, it is likely that many organisations today are either dealing with a large amount of security debt from their supply chain or are ultimately contributing to it.

Scan to comply

This should prompt a re-examination of how organisations treat their development practices, their vulnerability management procedures and their supply chain security.

Regular vulnerability scanning and penetration testing will be crucial both for the applications a compliant organisation produces and for those it uses, combining periodic manual pentesting with automated testing approaches. For organisations that regularly develop software or are a key supplier of it, Static Application Security Testing (SAST) will allow them to scan source code, bytecode and the final compiled binary and find the vulnerabilities therein, before the software goes into production or is released to a partner or customer.

Software Composition Analysis (SCA) will also be crucial for understanding the security of the open source components within an application, which can often make up as much as 80 percent of a given application’s codebase and are a key source of supply chain insecurity.

Dynamic Application Security Testing (DAST) – otherwise known as vulnerability scanning – performs security testing on running web applications. DAST first scans the given application with a web crawler, discovering the links, functions and application pages or API entry points. It then actively tests each of those inputs, simulating a real attack and measuring the response and reactions of the application. When it finds an exploitable vulnerability, it records it so that the DAST user can follow it up. It can both find and then confirm these vulnerabilities with a close to 100% success rate and as such produces almost no false positives and does not require further investigation by a human analyst.
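To make the crawl-then-probe-then-confirm loop described above concrete, here is an added illustration in Python (not Invicti’s scanner or any product code): a constructed three-page toy web application is crawled for links and form inputs, each input is then sent a unique canary value, and a finding is recorded only when the response confirms the canary came back unencoded. The toy app, its deliberately unencoded `/search` page, and the canary string are all constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
# Constructed toy web app (path -> handler), standing in for a live target.
def _home(_q):
    return '<a href="/search">Search</a> <a href="/contact">Contact</a>'
def _search(q):  # reflects "term" without output encoding (constructed flaw)
    term = q.get("term", [""])[0]
    return f'<form action="/search"><input name="term"></form><p>Results for {term}</p>'
def _contact(q):  # encodes its input, so the probe comes back neutralised
    name = q.get("name", [""])[0]
    return f'<form action="/contact"><input name="name"></form><p>Hi {escape(name)}</p>'
APP = {"/": _home, "/search": _search, "/contact": _contact}

def fetch(url):  # stand-in for an HTTP GET against the toy app; no network needed
    u = urlparse(url)
    handler = APP.get(u.path)
    return handler(parse_qs(u.query)) if handler else ""

class _Extractor(HTMLParser):  # collects links and form inputs from one page
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and "name" in a:
            self._form["inputs"].append(a["name"])

def crawl(start="/"):  # phase 1: discover pages and the inputs they expose
    seen, queue, forms = set(), [start], []
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        ex = _Extractor()
        ex.feed(fetch(path))
        forms.extend(ex.forms)
        queue.extend(ex.links)
    return forms

CANARY = "dastprobe7f3c<>"  # unique marker; the brackets expose missing output encoding
def probe(forms):  # phase 2: submit the canary, confirm by reading the response back
    return [(f["action"], n) for f in forms for n in f["inputs"]
            if CANARY in fetch(f"{f['action']}?{n}={CANARY}")]
```

Running `probe(crawl())` reports only the `/search` form’s `term` input; the `/contact` form, which encodes its output, produces no finding, which is the confirmation step that keeps false positives out of the report.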

NIS2 inaugurates yet another marquee security regulation in the European Union. This has been designed to bolster the resilience of EU organisations and institutions, thus preserving the interconnection that so defines business in the world’s largest single market. In fact, NIS2 makes that interconnection – and the ancillary supply chain entities who supply to the single market – dependent on a robust vulnerability management process.
