Resilience As Regulation: Preparing For The Impact Of CER

Uploaded on 2024-08-19 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Law

While NIS2  has dominated headlines in recent times, the Critical Entities Resilience Directive  (CER) appears to have slipped under the radar despite, arguably, commanding a much larger response. The two go hand-in-hand: NIS2 and CER will change the way the public and private sectors think about security and alter the course of the strategies they use to keep their businesses running.

Both directives cover the same, expanded list of sectors and industries defined as ‘critical entities’, and place the same people in a position of responsibility should they be breached.

But while NIS2 defines vital boundaries surrounding cybersecurity, CER’s core principles state, to put it simply, that every affected business must be able to continue operating their business whatever happens. That could mean a natural disaster, a physical attack, human error or even a cyber attack. 

NIS2, therefore, could be thought of as the mandatory infrastructural foundation of CER’s far broader scope: it is, basically, ‘everything else’. One props up the other. Without the kind of secure IT infrastructure that NIS2 leads, there is no foundation for resilience; without the resilience of critical infrastructure - defined very broadly by CER as ‘an asset, a facility, equipment, a network or a system ’ -  the aims of NIS2 cannot be met.  

Working Against A Tight Time Limit
Any business which now falls under the EU’s critical infrastructure umbrella without appropriate measures must now seriously rethink its risk assessment process and redesign the way it approaches its business to match. It must do so immediately. While the European Commission has offered member states a deadline of July 2026 to identify their own list of critical entities, which may seem to imply that there is a lot of time to work with, measures must be in place before that date. 

Just as every new device introduced into a ‘critical entities’ business has to be aligned with NIS2, any project which is now ongoing, any small refresh, any infrastructure change must be reevaluated with business continuity at the top of the spec sheet. Even existing infrastructure will not escape CER’s broad net; new risk assessments will be required for every critical process.

Most importantly, businesses will need to employ new thinking to discover risks they may not have monitored before - and new ways to monitor those which they are all too aware of.

CER: A New Level Of Diligence
Many new sectors have entered the scope of such regulations with the introduction of CER and NIS2 such as water treatment, transportation, healthcare, food and waste management. There is no suggestion that businesses in these sectors were not prioritising business continuity previously, but these new regulations force a level of proof. 

EU member states will have the right to conduct on-site audits and inspections and issue penalties for critical entities failing to implement the appropriate level of technical, security and organisational resilience.

Events which have the potential to cause business disruption must be reported to the relevant governing body, whether they actually impact business continuity or not. Monitoring, training and diligence have therefore never been more critical. 

Improving one’s monitoring function does not need to involve a complete redesign of one’s equipment. We return to the idea of new thinking: in many cases, the equipment required to detect novel incidents, observe critical machinery or systems, and even prevent dangerous human activity is already installed. It simply needs to be thought of in a different way.

Rethinking The Camera As A Sensor
Today’s surveillance cameras are far more than physical security tools. They are, in many cases, the most powerful sensor operating on an entity’s premises. What’s more, digitalisation offers an opportunity to use them for more than their primary, original security-related purpose. The best modern cameras are backed by powerful analytics and AI technology which can be harnessed for whatever use case matters.

To allow a camera to do just one job feels like a waste when it is potentially the most capable IoT device on one’s network.

Point a thermal camera at an array of machinery, for example, and it can offer an operator visual feedback on that equipment’s temperature. Simple enough. Harness its data collection abilities, though, and you could define 100 points within its image, collect precise numbers from each, output them via an industrial protocol like Modbus or MQTT, and fully integrate that data into an operational interface.  

Doing More With Sensor Data
Critical entities will be forced to improve the continuity of remote locations. A camera at, for example, an electricity substation could perform its traditional role of monitoring the perimeter for intrusion, but also do a lot more besides. It could detect the status of equipment, watch for weather conditions, generate an alert if a human gets too close to dangerous devices, or even anonymously inspect on-site workers to ensure they are wearing appropriate protective equipment (PPE). 

None of this demands that a camera operator be watching constantly. With the right camera, software running directly on its hardware may be able to use algorithmic techniques or an AI engine to monitor its entire field of vision. A camera could predict a landslide or a flood. Its microphones could listen to the sound of a turbine and detect tiny pitch changes which indicate a potential failure. Its speaker could sound an alarm as part of an access control system. It is a truly flexible platform.

A United Path Forward
However, every use case is unique. A lot can be done with AI, but AI models must be trained extensively before they can be effective. While in many cases drop-in solutions exist, the camera’s role in monitoring is still being explored and thought through. And such decisions must come from the top down, meaning executives must be made aware of not only the importance of CER but also the potential for the camera hardware to help to accelerate the process of alignment with CER’s aims.

The key is that it must be the right hardware - equipment which backs up its internal processing capabilities with an open platform ready for the kind of development which allows for creative coding and innovative detection procedures, allowing critical industries to cross-collaborate to improve stability, security, and resilience for everyone.

These must be devices which help meet the demands of NIS2 and CER in equal measure, supported by vendors and suppliers that know that equipment inside out. That knowledge and unity is the path to a smarter, safer world.

Andrea Monteleone is Segment Development Manager, EMEA, Critical Infrastructure at Axis Communications   

Image: Ideogram

You Might Also Read: 

From AI to ESG: Key Security Technology Trends Of 2023:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Business Identity Theft: Saving The Digital World From Fake Businesses
Cyber Insurance: The Cost Of Doing Business »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clearpath Solutions Group

Clearpath Solutions Group

Clearpath Solutions Group expertise covers virtualization and data storage technologies, networking, security and cloud computing.

Dome9

Dome9

Dome9 is a cloud firewall management service that stops vulnerabilities, secures remote access, and centralizes policy management.

British Insurance Brokers’ Association (BIBA)

British Insurance Brokers’ Association (BIBA)

BIBA is the UK’s leading general insurance intermediary organisation. Use the ‘Find Insurance‘ section of the BIBA website to find providers of cyber risk insurance in the UK.

OnSystem Logic

OnSystem Logic

OnSystem Logic has developed a unique, patent-pending solution to solve the problem of the exploitation of flaws in application software as a technique for cyber attacks.

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER) - USA

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER) - USA

The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today.

SafeHouse Technologies

SafeHouse Technologies

SafeHouse is a cloud-based, high-end cybersecurity platform that can secure and insure any device that is connected to it.

Gytpol

Gytpol

Gytpol is a leader in Endpoint Configuration Security (ECS) solutions, providing validation, remediation & securing of IT Policies and IT Infrastructure on-premise and in the cloud.

Red River

Red River

Red River is a technology transformation company, bringing 25 years of experience and mission-critical expertise in analytics, cloud, collaboration, mobility, networking and security solutions.

Beyond Encryption

Beyond Encryption

Mailock by Beyond Encryption is a secure email solution that allows businesses to exchange email securely, safe in the knowledge that their email can only be read by their intended recipient.

Sunartek Labs

Sunartek Labs

Sunartek are equipped with expert resources and advanced technology to identify cyber threats and prevent any breach, bypassing the security network of your organization.

Jit

Jit

Jit empowers developers to own security for the product they are building from day zero.

Paubox

Paubox

Paubox offers secure, HIPAA compliant email and marketing solutions to fit the needs of modern healthcare organizations of every size.

ID North

ID North

ID North is a Nordic service provider offering identity security to its customers by providing world class expertise and best-in-class solutions and services.

Lansweeper

Lansweeper

Lansweeper is an IT Asset Management platform provider helping businesses better understand, manage and protect their IT devices and network.

Downdetector

Downdetector

Downdetector helps people all over the world understand disruptions to vital services such as the internet, social media, web hosting platforms, banks, games, entertainment, and more.

Corvid Cyberdefense

Corvid Cyberdefense

Corvid Cyberdefense provides military-grade cybersecurity as a service for growing organizations and municipalities of all sizes.