The NIS Directive and Supply Chain Resilience

Summary

Evaluating the impact of NIS implementations on Supply Chain Resilience of critical infrastructures

This project investigated the experience of implementing the NIS Directive from the different perspectives of competent authorities, operators, and suppliers. The effectiveness and impact of responsibilities assigned by the Cyber Assessment Framework (CAF) were analysed across the Water, Energy, and Transport sectors. The extent to which improvements in supply chain cybersecurity were being achieved through NIS implementations was evaluated.

The NIS Directive is acting as a tool for change by introducing new roles and responsibilities in cybersecurity, with a focus on maintaining essential services to society. The NIS principles and objectives provide a set of contributing outcomes, and a profile per sector guides the achievement of those outcomes. The expectation of a deep understanding of extensive supply chains and oversight of supply chain risks has presented a challenge to operators of essential services. Furthermore, procurement practices have been assuring the cybersecurity of supplier companies rather than assuring the product or service being used within a customer context. In some cases, the adoption of common approaches, through cooperation and trusted partnerships, has progressed further with cybersecurity improvements than individual organisations working in isolation. In essence, the project emphasised treating supplier relationships as a strategic asset and striking a balance between control and cooperation, such as utilising the formal controls of contractual arrangements alongside collaborative commitments to integrate skills and processes.

The project recommended some enhancements to Supply Chain guidance including:

  • Emphasis on risk reduction and reducing the impact of incidents.
  • Common security requirements per sector.
  • Combined supplier assurance process to reduce overhead on OES and suppliers.
  • Cyber exercises involving suppliers.
  • Utilising points of governance in the supply chain, where controls or cooperation are required with important suppliers.
  • Regular review of commitments to maintain accountability between operators and suppliers.

Further information can be found at:

Wallis, Tania, Chris Johnson, and Mohamed Khamis. “Interorganizational Cooperation in Supply Chain Cybersecurity: A Cross-Industry Study of the Effectiveness of the UK Implementation of the NIS Directive.” Information & Security: An International Journal 48, no. 1 (2021): 36-68.

https://doi.org/10.11610/isij.4812

isij.eu/article/interorganizational-cooperation-supply-chain-cybersecurity-cross-industry-study

Wallis, T., and C. Johnson. “Implementing the NIS Directive, Driving Cybersecurity Improvements for Essential Services.” 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2020, pp. 1-10. doi: 10.1109/CyberSA49311.2020.9139641.

https://ieeexplore.ieee.org/document/9139641

Impact

The project engaged with industry and policymakers, offered feedback to public-private partnerships, and influenced policy enhancements. This included the following contributions:

  • Forum Europe panel debate with ENISA on ‘Coherent and Consistent Cyber Security’.
  • Presentations at European industry events, including Smart Grid Forums and EUTC.
  • Presentations on building capability in supply chains to UK OES, CAs and NCSC.
  • Academic review of supplier assurance activities.
  • Input to UK and EU NIS Reviews.