Resilience As Regulation: Preparing For The Impact Of CER

While NIS2  has dominated headlines in recent times, the Critical Entities Resilience Directive  (CER) appears to have slipped under the radar despite, arguably, commanding a much larger response. The two go hand-in-hand: NIS2 and CER will change the way the public and private sectors think about security and alter the course of the strategies they use to keep their businesses running.

Both directives cover the same, expanded list of sectors and industries defined as ‘critical entities’, and place the same people in a position of responsibility should they be breached.

But while NIS2 defines vital boundaries surrounding cybersecurity, CER’s core principles state, to put it simply, that every affected business must be able to continue operating their business whatever happens. That could mean a natural disaster, a physical attack, human error or even a cyber attack. 

NIS2, therefore, could be thought of as the mandatory infrastructural foundation of CER’s far broader scope: it is, basically, ‘everything else’. One props up the other. Without the kind of secure IT infrastructure that NIS2 leads, there is no foundation for resilience; without the resilience of critical infrastructure - defined very broadly by CER as ‘an asset, a facility, equipment, a network or a system ’ -  the aims of NIS2 cannot be met.  

Working Against A Tight Time Limit
Any business which now falls under the EU’s critical infrastructure umbrella without appropriate measures must now seriously rethink its risk assessment process and redesign the way it approaches its business to match. It must do so immediately. While the European Commission has offered member states a deadline of July 2026 to identify their own list of critical entities, which may seem to imply that there is a lot of time to work with, measures must be in place before that date. 

Just as every new device introduced into a ‘critical entities’ business has to be aligned with NIS2, any project which is now ongoing, any small refresh, any infrastructure change must be reevaluated with business continuity at the top of the spec sheet. Even existing infrastructure will not escape CER’s broad net; new risk assessments will be required for every critical process.

Most importantly, businesses will need to employ new thinking to discover risks they may not have monitored before - and new ways to monitor those which they are all too aware of.

CER: A New Level Of Diligence
Many new sectors have entered the scope of such regulations with the introduction of CER and NIS2 such as water treatment, transportation, healthcare, food and waste management. There is no suggestion that businesses in these sectors were not prioritising business continuity previously, but these new regulations force a level of proof. 

EU member states will have the right to conduct on-site audits and inspections and issue penalties for critical entities failing to implement the appropriate level of technical, security and organisational resilience.

Events which have the potential to cause business disruption must be reported to the relevant governing body, whether they actually impact business continuity or not. Monitoring, training and diligence have therefore never been more critical. 

Improving one’s monitoring function does not need to involve a complete redesign of one’s equipment. We return to the idea of new thinking: in many cases, the equipment required to detect novel incidents, observe critical machinery or systems, and even prevent dangerous human activity is already installed. It simply needs to be thought of in a different way.

Rethinking The Camera As A Sensor
Today’s surveillance cameras are far more than physical security tools. They are, in many cases, the most powerful sensor operating on an entity’s premises. What’s more, digitalisation offers an opportunity to use them for more than their primary, original security-related purpose. The best modern cameras are backed by powerful analytics and AI technology which can be harnessed for whatever use case matters.

To allow a camera to do just one job feels like a waste when it is potentially the most capable IoT device on one’s network.

Point a thermal camera at an array of machinery, for example, and it can offer an operator visual feedback on that equipment’s temperature. Simple enough. Harness its data collection abilities, though, and you could define 100 points within its image, collect precise numbers from each, output them via an industrial protocol like Modbus or MQTT, and fully integrate that data into an operational interface.  

Doing More With Sensor Data
Critical entities will be forced to improve the continuity of remote locations. A camera at, for example, an electricity substation could perform its traditional role of monitoring the perimeter for intrusion, but also do a lot more besides. It could detect the status of equipment, watch for weather conditions, generate an alert if a human gets too close to dangerous devices, or even anonymously inspect on-site workers to ensure they are wearing appropriate protective equipment (PPE). 

None of this demands that a camera operator be watching constantly. With the right camera, software running directly on its hardware may be able to use algorithmic techniques or an AI engine to monitor its entire field of vision. A camera could predict a landslide or a flood. Its microphones could listen to the sound of a turbine and detect tiny pitch changes which indicate a potential failure. Its speaker could sound an alarm as part of an access control system. It is a truly flexible platform.

A United Path Forward
However, every use case is unique. A lot can be done with AI, but AI models must be trained extensively before they can be effective. While in many cases drop-in solutions exist, the camera’s role in monitoring is still being explored and thought through. And such decisions must come from the top down, meaning executives must be made aware of not only the importance of CER but also the potential for the camera hardware to help to accelerate the process of alignment with CER’s aims.

The key is that it must be the right hardware - equipment which backs up its internal processing capabilities with an open platform ready for the kind of development which allows for creative coding and innovative detection procedures, allowing critical industries to cross-collaborate to improve stability, security, and resilience for everyone.

These must be devices which help meet the demands of NIS2 and CER in equal measure, supported by vendors and suppliers that know that equipment inside out. That knowledge and unity is the path to a smarter, safer world.

Andrea Monteleone is Segment Development Manager, EMEA, Critical Infrastructure at Axis Communications   

Image: Ideogram

You Might Also Read: 

From AI to ESG: Key Security Technology Trends Of 2023:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Business Identity Theft: Saving The Digital World From Fake Businesses
Cyber Insurance: The Cost Of Doing Business »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Waratek

Waratek

Waratek is a pioneer in the next generation of application security solutions known as Runtime Application Self-Protection or RASP.

Applied Risk

Applied Risk

Applied Risk is an established leader in Industrial Control Systems security, focused on critical infrastructure security and combating security breaches that pose a significant threat.

Zettaset

Zettaset

Zettaset’s XCrypt Data Encryption Platform delivers proven protection for Object, Relational/SQL, NoSQL, and Hadoop data stores…in the cloud and on-premises.

ECS

ECS

ECS is a leading information technology provider delivering cloud, cybersecurity, software development, IT modernization, and advanced science and engineering services.

VaultOne

VaultOne

VaultOne is a next-generation security solution that addresses security issues from different domains (Password Manager, Secure Access, PAM, Identity Management) as a single, integrated solution.

ITsMine

ITsMine

ITsMine’s Beyond DLP™? solution is a leading Data Loss Prevention (DLP) solution used by organizations to protect against internal and external threats automatically.

Envieta

Envieta

Envieta is a leader in cryptographic solutions. From server to sensor, we design and implement powerful security into new or existing infrastructure.

Berezha Security Group (BSG)

Berezha Security Group (BSG)

BSG is a cybersecurity consulting firm specializing in all aspects of application security and penetration testing.

link22

link22

link22 offers a high level of expertise within IT security and system solutions. We help public and private actors with highly secure IT-solutions.

Pangu Laboratory

Pangu Laboratory

Beijing Qi an Pangu Laboratory Technology Co., Ltd. was established on the basis of Pangu laboratory, a well-known cyber security team.

Flotek

Flotek

Flotek is an IT & Comms service provider delivering SMEs with trusted, innovative and cost effective cloud technology, with confidence, clarity and clout.

vpnMentor

vpnMentor

We started vpnMentor to offer users a really honest, committed and helpful tool when navigating VPNs and web privacy.

Vultara

Vultara

Vultara provides web-based product security risk management tools for electronics manufacturers.

Cloudbrink

Cloudbrink

Cloudbrink is purpose-built to deliver the industry’s highest performance connectivity to remote and hybrid workers, anywhere in the world.

Vortacity Cyber

Vortacity Cyber

Vortacity is a boutique cybersecurity provider specializing in associations, nonprofits, and mission-based organizations.

DataTrails

DataTrails

DataTrails enables organizations to prove and verify the provenance and authenticity of any data they use in their business operations.