Resilience As Regulation: Preparing For The Impact Of CER

While NIS2  has dominated headlines in recent times, the Critical Entities Resilience Directive  (CER) appears to have slipped under the radar despite, arguably, commanding a much larger response. The two go hand-in-hand: NIS2 and CER will change the way the public and private sectors think about security and alter the course of the strategies they use to keep their businesses running.

Both directives cover the same, expanded list of sectors and industries defined as ‘critical entities’, and place the same people in a position of responsibility should they be breached.

But while NIS2 defines vital boundaries surrounding cybersecurity, CER’s core principles state, to put it simply, that every affected business must be able to continue operating their business whatever happens. That could mean a natural disaster, a physical attack, human error or even a cyber attack. 

NIS2, therefore, could be thought of as the mandatory infrastructural foundation of CER’s far broader scope: it is, basically, ‘everything else’. One props up the other. Without the kind of secure IT infrastructure that NIS2 leads, there is no foundation for resilience; without the resilience of critical infrastructure - defined very broadly by CER as ‘an asset, a facility, equipment, a network or a system ’ -  the aims of NIS2 cannot be met.  

Working Against A Tight Time Limit
Any business which now falls under the EU’s critical infrastructure umbrella without appropriate measures must now seriously rethink its risk assessment process and redesign the way it approaches its business to match. It must do so immediately. While the European Commission has offered member states a deadline of July 2026 to identify their own list of critical entities, which may seem to imply that there is a lot of time to work with, measures must be in place before that date. 

Just as every new device introduced into a ‘critical entities’ business has to be aligned with NIS2, any project which is now ongoing, any small refresh, any infrastructure change must be reevaluated with business continuity at the top of the spec sheet. Even existing infrastructure will not escape CER’s broad net; new risk assessments will be required for every critical process.

Most importantly, businesses will need to employ new thinking to discover risks they may not have monitored before - and new ways to monitor those which they are all too aware of.

CER: A New Level Of Diligence
Many new sectors have entered the scope of such regulations with the introduction of CER and NIS2 such as water treatment, transportation, healthcare, food and waste management. There is no suggestion that businesses in these sectors were not prioritising business continuity previously, but these new regulations force a level of proof. 

EU member states will have the right to conduct on-site audits and inspections and issue penalties for critical entities failing to implement the appropriate level of technical, security and organisational resilience.

Events which have the potential to cause business disruption must be reported to the relevant governing body, whether they actually impact business continuity or not. Monitoring, training and diligence have therefore never been more critical. 

Improving one’s monitoring function does not need to involve a complete redesign of one’s equipment. We return to the idea of new thinking: in many cases, the equipment required to detect novel incidents, observe critical machinery or systems, and even prevent dangerous human activity is already installed. It simply needs to be thought of in a different way.

Rethinking The Camera As A Sensor
Today’s surveillance cameras are far more than physical security tools. They are, in many cases, the most powerful sensor operating on an entity’s premises. What’s more, digitalisation offers an opportunity to use them for more than their primary, original security-related purpose. The best modern cameras are backed by powerful analytics and AI technology which can be harnessed for whatever use case matters.

To allow a camera to do just one job feels like a waste when it is potentially the most capable IoT device on one’s network.

Point a thermal camera at an array of machinery, for example, and it can offer an operator visual feedback on that equipment’s temperature. Simple enough. Harness its data collection abilities, though, and you could define 100 points within its image, collect precise numbers from each, output them via an industrial protocol like Modbus or MQTT, and fully integrate that data into an operational interface.  

Doing More With Sensor Data
Critical entities will be forced to improve the continuity of remote locations. A camera at, for example, an electricity substation could perform its traditional role of monitoring the perimeter for intrusion, but also do a lot more besides. It could detect the status of equipment, watch for weather conditions, generate an alert if a human gets too close to dangerous devices, or even anonymously inspect on-site workers to ensure they are wearing appropriate protective equipment (PPE). 

None of this demands that a camera operator be watching constantly. With the right camera, software running directly on its hardware may be able to use algorithmic techniques or an AI engine to monitor its entire field of vision. A camera could predict a landslide or a flood. Its microphones could listen to the sound of a turbine and detect tiny pitch changes which indicate a potential failure. Its speaker could sound an alarm as part of an access control system. It is a truly flexible platform.

A United Path Forward
However, every use case is unique. A lot can be done with AI, but AI models must be trained extensively before they can be effective. While in many cases drop-in solutions exist, the camera’s role in monitoring is still being explored and thought through. And such decisions must come from the top down, meaning executives must be made aware of not only the importance of CER but also the potential for the camera hardware to help to accelerate the process of alignment with CER’s aims.

The key is that it must be the right hardware - equipment which backs up its internal processing capabilities with an open platform ready for the kind of development which allows for creative coding and innovative detection procedures, allowing critical industries to cross-collaborate to improve stability, security, and resilience for everyone.

These must be devices which help meet the demands of NIS2 and CER in equal measure, supported by vendors and suppliers that know that equipment inside out. That knowledge and unity is the path to a smarter, safer world.

Andrea Monteleone is Segment Development Manager, EMEA, Critical Infrastructure at Axis Communications   

Image: Ideogram

You Might Also Read: 

From AI to ESG: Key Security Technology Trends Of 2023:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Business Identity Theft: Saving The Digital World From Fake Businesses
Cyber Insurance: The Cost Of Doing Business »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

F-Response

F-Response

F-Response is a software utility that enables an investigator to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tools of choice.

Axial

Axial

Axial Systems is one of the UK’s leading solution providers and systems integrators in network, security and services.

CERT-UA

CERT-UA

CERT-UA is the national Computer Emergency Response Team for Ukraine.

ngCERT

ngCERT

ngCERT is the National Computer Emergency Response Team for Nigeria.

itbox.online

itbox.online

Itbox.online offers IT solutions to ensure that your company's technologies are always available and secure as your business demands.

SOCOTEC Certification International

SOCOTEC Certification International

SOCOTEC Certification International has been providing management systems assessment and accredited ISO certification services to organisations around the world since 1995.

Ten Eleven Ventures

Ten Eleven Ventures

Ten Eleven is a specialized venture capital firm exclusively dedicated to helping cybersecurity companies thrive.

BeyondTrust

BeyondTrust

BeyondTrust is a leader in Privileged Access Management, offering a seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access.

Cyway

Cyway

Cyway is a value-added cybersecurity distributor focusing on on-prem, cloud solutions and hybrid solutions, IoT, AI & machine learning IT security technologies.

Risk Strategies

Risk Strategies

Risk Strategies is a leading specialty risk management consultancy and insurance broker offering smarter, practical approaches to risk mitigation including Cyber Liability insurance.

ZARIOT

ZARIOT

ZARIOT's mission is to restore order to what is becoming connected chaos in IoT by bringing unrivalled security, control and quality of service.

Cyber7

Cyber7

CYBER7 is a National Cyber Security Innovation community initiated by Israel National Cyber Directorate, Ministry of Economy and Israel Innovation Authority led by Tech7 – Venture Studio.

Xeol

Xeol

Software free of vulnerabilities, built and distributed by trusted entities. Our mission is to help customers secure their software from code to deploy.

Walacor

Walacor

Walacor’s secure data platform represents the next generation of secure data and blockchain storage with a trust-first approach that revolutionizes enterprise data, and database management systems.

Backblaze

Backblaze

The Backblaze Storage Cloud provides a foundation for businesses, developers, IT professionals, and individuals to build applications, host content, manage media, back up and archive data, and more.

Runecast Solutions

Runecast Solutions

Runecast Solutions is a global leader in AI-powered risk mitigation, security, continuous compliance and more efficient IT operations management.