What does NIS2 mean for network professionals?
NIS2 places new demands on organizations working with networks. Together with my colleague Rasmus Hammarborg, an IT security specialist, I (Simon Lundgren) have reviewed NIS2 and MCF’s advice on security measures and training. In this blog, we describe how the legislation affects network infrastructure and how it can be an important piece of the organizational security puzzle.
1. Documentation of your network infrastructure
Start by gathering information about your internal digital infrastructure. Use a Configuration Management Database (CMDB) to map your IT assets and their relationships with each other, both software and hardware. According to the consultation draft, you should document your internal network infrastructure and its connection to the Internet. This includes internal and external servers, applications and cloud services. Use data from, for example, the Network Management System (NMS) and logs from firewalls, switches, controllers and routers.
Once you have mapped the network infrastructure, you can analyze what communication actually takes place internally and externally. Based on that, you create a guideline for what communication is allowed, and treat anything not on it as a candidate to block. Do this in collaboration with the application owners in your organization; they know which services and ports each application uses. Next-Generation Firewalls (NGFW) are a good tool for logging the ports, applications and services in use, both internally and towards the Internet.
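The three steps above (collect firewall logs, aggregate them into flows, compare against the guideline agreed with application owners) can be automated. The following is an added example, not code from the original post or from Aranya AB. The log lines are constructed in a generic key=value style, the two rules in the guideline and their owners are hypothetical, and the field names are assumptions; a real NGFW export uses its own names but carries the same information.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log in a generic key=value style; real NGFW exports differ
# in field names but carry the same information.
SAMPLE_LOGS = """\
ts=2024-05-02T08:01:12Z action=allow src=10.10.20.15 dst=10.10.50.8 dport=443 proto=tcp app=ssl
ts=2024-05-02T08:01:13Z action=allow src=10.10.20.15 dst=10.10.50.8 dport=443 proto=tcp app=ssl
ts=2024-05-02T08:02:01Z action=allow src=10.10.20.16 dst=10.10.50.9 dport=1433 proto=tcp app=mssql-db
ts=2024-05-02T08:02:44Z action=allow src=10.10.20.40 dst=203.0.113.7 dport=22 proto=tcp app=ssh
ts=2024-05-02T08:03:10Z action=allow src=10.10.50.8 dst=10.10.50.9 dport=1433 proto=tcp app=mssql-db
ts=2024-05-02T08:04:59Z action=deny src=10.10.50.11 dst=10.10.50.9 dport=1433 proto=tcp app=mssql-db
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn key=value log lines into dicts; blank lines are skipped."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


@dataclass(frozen=True)
class Rule:
    """One approved flow from the allowed-communication guideline."""
    name: str
    owner: str   # application owner who confirmed the flow
    src: str     # CIDR
    dst: str     # CIDR
    proto: str
    dport: int
    app: str

    def matches(self, src, dst, proto, dport, app):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and proto == self.proto and dport == self.dport and app == self.app)


# Hypothetical guideline agreed with two application owners.
GUIDELINE = [
    Rule("clients-to-web", "Web team", "10.10.20.0/24", "10.10.50.8/32", "tcp", 443, "ssl"),
    Rule("web-to-db", "DBA team", "10.10.50.0/28", "10.10.50.9/32", "tcp", 1433, "mssql-db"),
]


def aggregate_flows(events):
    """Collapse individual log lines into distinct flows with hit counts."""
    flows = Counter()
    for ev in events:
        flows[(ev["action"], ev["src"], ev["dst"], ev["proto"], int(ev["dport"]), ev["app"])] += 1
    return flows


def classify(events, guideline=GUIDELINE):
    """Compare observed flows with the guideline.

    approved:             allowed flows covered by a rule
    unapproved:           allowed flows with no rule; find an owner or block them
    blocked_but_approved: denied flows that a rule says should pass; a firewall policy gap
    """
    result = {"approved": [], "unapproved": [], "blocked_but_approved": []}
    for (action, src, dst, proto, dport, app), count in sorted(aggregate_flows(events).items()):
        rule = next((r for r in guideline if r.matches(src, dst, proto, dport, app)), None)
        flow = f"{src} -> {dst}:{dport}/{proto} ({app}) x{count}"
        if action == "allow" and rule:
            result["approved"].append((flow, rule.name))
        elif action == "allow":
            result["unapproved"].append(flow)
        elif rule:
            result["blocked_but_approved"].append((flow, rule.name))
    return result


if __name__ == "__main__":
    for bucket, flows in classify(parse_log(SAMPLE_LOGS)).items():
        print(bucket)
        for f in flows:
            print("   ", f)
```

Run against the sample, the script flags a client talking straight to the database and a workstation opening SSH to an Internet host as flows nobody has approved, and one approved web-to-database flow that the firewall is currently denying. The first two go back to the application owners for a decision; the third is a firewall rule that does not match the guideline.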
2. NIS2 intrusion protection
The NGFW is one of the most important building blocks for securing your environment. Intrusion detection and prevention are crucial tools to counter cyber attacks. The Intrusion Prevention System (IPS) inspects traffic in real time, drops known malicious traffic and blocks attempts to exploit known vulnerabilities in the systems behind it. Keep in mind that it only sees traffic that actually passes through it and only recognizes what its signatures know, so keep the signatures updated and do not rely on it alone. Used together with a tight rule set, the NGFW effectively protects your internal environment against intrusions.
3. Segmentation and Zero Trust requirements in NIS2
In order not to overload the firewall, I recommend blocking traffic as close to the source as possible. This also strengthens protection against malicious traffic, intrusions and data leakage. Block on switches, access points and routers that make decisions before the traffic reaches the firewall. A good tool for this is Network Access Control (NAC), which identifies, authenticates and authorizes users and devices.
NAC is an important part of a Zero Trust strategy and limits the spread of malware, for example via micro-segmentation. If your organization has implemented identity- and policy-based authorization of network and application flows, it also meets several of the security requirements in NIS2. NIS2 requires guest networks to be segmented. This can be done via separate networks, VLANs, policy-based, identity-based or application-based segmentation, or a combination. Segmentation should also be applied between production, development, test and training environments, both within and between IT and OT. The same applies to VPN communication with suppliers, partners and cloud services.
Traditional VPN clients are increasingly being replaced by Security Service Edge (SSE). SSE is a cloud-based security architecture built on Zero Trust principles. With SSE, you create uniform and granular access rules across your organization. It centralizes security functions such as policy enforcement, traffic inspection, and identity-based access control, regardless of the location of users and devices.
4. Authorization management and authentication
Another building block is authentication, authorization and logging, which should be implemented for all systems in the organization. Authenticate with individual user accounts and multi-factor authentication; shared accounts make the logs untraceable. In addition, apply the principle of least privilege to users and systems alike. This limits the potential damage if someone gets into the environment. I have seen businesses using default passwords that are never changed – this is very dangerous.
5. Monitoring and logging
Good traceability requires logging of unauthorized access attempts, activities, changes and access events. This applies to authenticated users, applications and services, so that both internal and external attacks can be traced.
Today, several tools exist for detailed tracking of cyber attacks. NGFWs log network traffic. Endpoint Detection and Response (EDR) agents monitor and block malicious activities on endpoints. SSE platforms log user sessions and identity-based access events to applications and services.
The tools cover different areas. Firewalls focus on network traffic and application flows. SSE handles identity- and access-based events. EDR monitors activities and potential threats on clients and servers. To correlate events and streamline incident management, organizations should forward the logs from all of them to a Security Information and Event Management system (SIEM).
6. Redundancy and backup
Backing up configuration and system information allows you to quickly restore network devices in the event of a disruption, software failure, corruption or configuration error. Therefore, decide in advance how long a system can be unavailable before it must be restored (the recovery time objective) and how much data it is acceptable to lose (the recovery point objective). In my experience, this is far from a given in businesses. Find out what downtime and lost data actually cost you.
Once you know which traffic is critical, you can implement redundancy for that communication and the associated systems and services. Don't forget supporting systems such as the power supply. These should also be assessed, managed and monitored to avoid interruptions.
7. Incident management
In the event of a data leak, loss or corruption incident, you need to identify the problem quickly: what happened, when it happened and from where. The SIEM can automatically create an incident in your organization's incident management platform. Alerts reach you from the firewall, the SIEM, the NMS, cloud services and telemetry from network devices.
Also prepare proactively for a possible escalation. Define roles, responsibilities and authorities in advance so that you know how they are allocated in a crisis. In addition, train for a breach scenario and develop a clear incident response process. It should describe how you report and handle breaches, when you report to the Computer Security Incident Response Team (CSIRT), and in which scenarios a police report is appropriate. Note that NIS2 sets tight deadlines for reporting significant incidents: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours and a final report within one month, so the process must state who reports, to whom and with what information.
In conclusion
For those of you who work with networks, this means that the infrastructure takes on an even more central role in security work. I'm excited about that and I hope that those of us who work with networks can help each other and that this blog is a step in the right direction. Do you work in a municipality? We have written a separate blog post that addresses the challenges you face more specifically.

Simon Lundgren
Network technician, Aranya AB