Resilience As Regulation: Preparing For The Impact Of CER

Uploaded on 2024-08-19 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Law

While NIS2 has dominated headlines in recent times, the Critical Entities Resilience Directive (CER) appears to have slipped under the radar despite, arguably, commanding a much larger response. The two go hand-in-hand: NIS2 and CER will change the way the public and private sectors think about security and alter the course of the strategies they use to keep their businesses running.

Both directives cover the same, expanded list of sectors and industries defined as ‘critical entities’, and place the same people in a position of responsibility should they be breached.

But while NIS2 defines vital boundaries surrounding cybersecurity, CER’s core principles state, to put it simply, that every affected business must be able to continue operating their business whatever happens. That could mean a natural disaster, a physical attack, human error or even a cyber attack.

NIS2, therefore, could be thought of as the mandatory infrastructural foundation of CER’s far broader scope: it is, basically, ‘everything else’. One props up the other. Without the kind of secure IT infrastructure that NIS2 leads, there is no foundation for resilience; without the resilience of critical infrastructure - defined very broadly by CER as ‘an asset, a facility, equipment, a network or a system ’ - the aims of NIS2 cannot be met.

Working Against A Tight Time Limit
Any business which now falls under the EU’s critical infrastructure umbrella without appropriate measures must now seriously rethink its risk assessment process and redesign the way it approaches its business to match. It must do so immediately. While the European Commission has offered member states a deadline of July 2026 to identify their own list of critical entities, which may seem to imply that there is a lot of time to work with, measures must be in place before that date.

Just as every new device introduced into a ‘critical entities’ business has to be aligned with NIS2, any project which is now ongoing, any small refresh, any infrastructure change must be reevaluated with business continuity at the top of the spec sheet. Even existing infrastructure will not escape CER’s broad net; new risk assessments will be required for every critical process.

Most importantly, businesses will need to employ new thinking to discover risks they may not have monitored before - and new ways to monitor those which they are all too aware of.

CER: A New Level Of Diligence
Many new sectors have entered the scope of such regulations with the introduction of CER and NIS2 such as water treatment, transportation, healthcare, food and waste management. There is no suggestion that businesses in these sectors were not prioritising business continuity previously, but these new regulations force a level of proof.

EU member states will have the right to conduct on-site audits and inspections and issue penalties for critical entities failing to implement the appropriate level of technical, security and organisational resilience.

Events which have the potential to cause business disruption must be reported to the relevant governing body, whether they actually impact business continuity or not. Monitoring, training and diligence have therefore never been more critical.

Improving one’s monitoring function does not need to involve a complete redesign of one’s equipment. We return to the idea of new thinking: in many cases, the equipment required to detect novel incidents, observe critical machinery or systems, and even prevent dangerous human activity is already installed. It simply needs to be thought of in a different way.

Rethinking The Camera As A Sensor
Today’s surveillance cameras are far more than physical security tools. They are, in many cases, the most powerful sensor operating on an entity’s premises. What’s more, digitalisation offers an opportunity to use them for more than their primary, original security-related purpose. The best modern cameras are backed by powerful analytics and AI technology which can be harnessed for whatever use case matters.

To allow a camera to do just one job feels like a waste when it is potentially the most capable IoT device on one’s network.

Point a thermal camera at an array of machinery, for example, and it can offer an operator visual feedback on that equipment’s temperature. Simple enough. Harness its data collection abilities, though, and you could define 100 points within its image, collect precise numbers from each, output them via an industrial protocol like Modbus or MQTT, and fully integrate that data into an operational interface.

Doing More With Sensor Data
Critical entities will be forced to improve the continuity of remote locations. A camera at, for example, an electricity substation could perform its traditional role of monitoring the perimeter for intrusion, but also do a lot more besides. It could detect the status of equipment, watch for weather conditions, generate an alert if a human gets too close to dangerous devices, or even anonymously inspect on-site workers to ensure they are wearing appropriate protective equipment (PPE).

None of this demands that a camera operator be watching constantly. With the right camera, software running directly on its hardware may be able to use algorithmic techniques or an AI engine to monitor its entire field of vision. A camera could predict a landslide or a flood. Its microphones could listen to the sound of a turbine and detect tiny pitch changes which indicate a potential failure. Its speaker could sound an alarm as part of an access control system. It is a truly flexible platform.

A United Path Forward
However, every use case is unique. A lot can be done with AI, but AI models must be trained extensively before they can be effective. While in many cases drop-in solutions exist, the camera’s role in monitoring is still being explored and thought through. And such decisions must come from the top down, meaning executives must be made aware of not only the importance of CER but also the potential for the camera hardware to help to accelerate the process of alignment with CER’s aims.

The key is that it must be the right hardware - equipment which backs up its internal processing capabilities with an open platform ready for the kind of development which allows for creative coding and innovative detection procedures, allowing critical industries to cross-collaborate to improve stability, security, and resilience for everyone.

These must be devices which help meet the demands of NIS2 and CER in equal measure, supported by vendors and suppliers that know that equipment inside out. That knowledge and unity is the path to a smarter, safer world.

Andrea Monteleone is Segment Development Manager, EMEA, Critical Infrastructure at Axis Communications

Image: Ideogram

You Might Also Read:

From AI to ESG: Key Security Technology Trends Of 2023:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.