
Okay, hi everyone. I'm Romeo and I'll be talking today about an introduction to the Network and Information Systems Directive, NIS D. We all know that there's been a lot of buzz about GDPR, but there was a silent one moving along with GDPR called the NIS Directive, and that's the one I'm going to be talking about today. Prior to doing that, it'll be the case of introducing myself and also going through a case study, the aims of the directive and the guidance that supports that directive, the toolkit that the NCSC developed and how we have customised it in CGI, and also what it means for the sectors that are concerned.

Well, CGI as a company: we are in 40 countries in more than 400 locations, our revenue is 1.5 billion, we've developed 175 IP solutions, and we are servicing basically 5000 cities, and the same with our friend [unclear]. So, I went back to university recently as a mature student at Cardiff University, graduated with a BSc in Information Systems and carried on doing a master's in Information Security and Privacy. Since then I was engaged in working with the Welsh Government Assembly; I don't know if you guys remember the HMRC CDs, you know, being lost and things like that. At the time the government decided to review all of its information assurance, so I was part of the audit team that basically surveyed third parties to make sure that they were complying with those new directives and controls that were put in place. I've also worked with financial services and insurance, Admiral, [unclear] insurance, the likes of Atradius, mainly involved in GDPR readiness. I also flirted a little bit with fintech, being part of a development team to do with developing messaging for a payment system and such like. It's nine months since I joined CGI as a cyber security consultant, and at the minute I'm working in a smart metering programme and I'm a PKI administrator dealing with a crypto system, you know, issuing digital certificates and such like. When I'm not doing all of these I play a bit of basketball, and I'm trying to see if I can run the London Marathon, but that's quite a big deal for me; I don't actually know if I'll do that, it is quite hard.

Okay, now before I start I'd like us to go through, with your help, a scenario. Let's say there's a power outage in London for the next two hours in one of the train stations. Can you possibly give me the different scenarios that could occur, anything that you can think of? Yeah, so [audience suggestions]. Yeah, so disruption to services, people are stranded. What else could we think of? [audience suggestions] Okay, and also, yeah, that's one thing. What about no police being sent, because there will be chaos, people wanting to go to other parts of the country, and all those different systems being connected, that's going to be a massive kind of disruption. So basically this actually happened at the beginning of the month, and in a matter of two hours about a million people were affected by a power outage that only lasted two hours. It was King's Cross station; services there, you know, got cancelled, and it even affected Ipswich Hospital, because they had a backup generator that they couldn't basically make function, and for about thirty minutes they ran out of power. Imagine if they were carrying out operations there and things like that, what would happen. People, you know, not being able to make phone calls, anything like that. They said there was a problem with a power station; it wasn't a cyber attack, but it could well have been a cyber attack, and that would have been kind of the scenario that could have happened had it occurred like that.

On a more factual basis, the Cambridge Centre for Risk Studies carried out a model of some costs that could derive as a result of a sophisticated attack, and it basically resulted in this impact: you would have an impact on between nine and thirteen million households that would have lost electricity, and also disruption to around the same number of people; you would have affected transportation, digital communication and water services, and in terms of the money lost, of course, between 11.6 and 85.5 billion, and over the next five years GDP would have been affected by around 49 billion to 442 billion. I don't know if you guys remember also, in 2017 there was the WannaCry ransomware phenomenon. Okay, although people didn't die, that affected a lot of people. NHS: the twenty-six trusts were affected; out of the twenty-six we had 81 that were affected. And so those scenarios are basically to let you know how, with technology evolving, the threat landscape as well is evolving: we have computing becoming pervasive, IoT increasing, so the landscape is really increasing, and as we know legislation always plays catch-up.

So it was the case then for the EU member states to try to come up with a strategy to basically provide the legal measures to ensure that the overall level of security was managed within the EU. It was the case of setting up computer security incident response teams across those nations, it was the case of improving communication, making sure that the culture of cyber security was spread across member states, and it was also the case of making sure that they put in place some sort of best practice and information toolkit that those members would be able to derive all the different controls from. And so they identified the different vital sectors that we can see there: digital services, energy, health, transport, banking, digital infrastructure, financial markets and basically water as well. Those different sectors here in the UK are actually part of the critical national infrastructure, and so in terms of scoping, the NIS D covers the vast majority of those sectors apart from banking and financial services, which are already regulated, or they have their own legislative framework.

So when we talk about this directive, there are three main stakeholders or components that we need to bear in mind. We have what we call operators of essential services, and those are basically organisations that provide an essential service that has to do with our daily life, and that can have a massive impact as well on the economy; and also, based on the fact that network and information systems are concerned, any disruption to that will really disturb the whole setting, so the NIS D covers that aspect as well. We also have digital service providers, the likes of search engines, online marketplaces and cloud service providers. Okay. The thing with the directive is, you know, it covers organisations that have more than 50 employees and with a turnover of more than 10 million. The NIS D as well makes sure that there are competent authorities within the member states that are responsible for making sure that organisations comply with the directive. In the case of NIS, you actually have sector-specific competent authorities: so if we take water, you have a competent authority that is related to water. So for all operators of essential services they're sector-specific, but for digital service providers the competent authority there is the ICO. Yeah.

So, okay, I talked about the toolkit and best practice that each member state would develop. The NCSC developed a framework which is basically an auditing tool for organisations to better manage the cyber security risk in relation to operators of essential services. The directive itself came into force, as I mentioned earlier, almost at the same time as GDPR, May 2018. So what's the structure of the framework? It's divided into basically four main objectives: managing the risk, protecting against cyber attack, detecting cyber security incidents and minimising the impact of cyber security incidents. Underneath those different objectives you have 14 principles, and those 14 principles are underlined by what we call indicators of good practice. So each objective has principles, each principle has indicators of good practice, which is basically a declarative statement that needs to be abided by in terms of making sure that that specific objective is being complied with, and you have three degrees of rating: not achieved, partially achieved and achieved. And within those different indicators of good practice you have 39 individual assessments that you would basically rate those objectives against. Now, those are basically prescriptive depending on the nature of the organisation and the specificity of the organisation; it is the case of really making sure how you can customise this and then make it work for yourself, for your organisation or for the organisation that you're trying to assess.

So also within CGI, before I was talking about how we do it in CGI: this is an example of an indicator of good practice. You have the principle there, secure configuration, followed by the whole indicator of good practice, and you have the different statements that need to be fulfilled and the controls that you need to follow to basically complete that indicator of good practice. So how did we do it? Basically what we did is take the 14 principles, line them up, and within those principles we came up with other components. For example, if we take governance, governance will have three components: board direction, roles and responsibilities, and decision making. We expanded on the CAF framework by adding extra statements; we classify them in terms of degree of maturity, and those degrees of maturity we mark in terms of percentages, so you will have zero percent, ten percent, 40 percent, 70, up to 100%, and then scoring. And so from those you develop the controls; that's why we have the Cyber Assessment Framework, or the CAF. So you would line up all your enquiries there, or the documents you're examining and such like, and basically you record the result against them. I did not include the controls here because it's internally sensitive, but you'll have a lot of control indicators that need to be fulfilled. So what you do is, okay, let's say you take this specific objective, governance, and we say it is rated 40%; you will put a cross there, and then you fill all of those in, in terms of what level the organisation is at, and what it gives you is basically each principle would tell you where they are in their compliance. This is only a snapshot; what you have is a very long spreadsheet, and it will give you at the end this spider diagram. The spider diagram basically allows you to start the conversation with either your internal client or, if you are consulting, with your client, and the different aspects of it really give you the rating and you can basically tell the client, okay, this is, in a snapshot, where you are and what direction we should be going towards. And we actually have an internal tool in CGI called Iris, so where previously it was the spreadsheet, we integrated it within our database, which basically means that, okay, with all the control data already there, integrating this within our database allows us to basically run the risk assessment; if it is to do with an operator of essential services you will have all those outputs straight away when you carry out your assessment as well.

So the challenges then would be: definitely they will need a business change programme; there will be challenges in terms of those different sectors that we mentioned earlier. Organisations that are working with the government are really concerned, people who are doing cloud computing, offering, you know, shared services. So your incident notification will really need to be looked at, the same with reporting it, and also how do you now integrate it within your business continuity plan. Of course, first of all you need to do your risk assessment; secondly, you've got to go in and fine-tune your notification, within 72 hours, because this is 72 hours, and you have to report it to the NCSC. This is not a competent authority; they're just acting as an incident response team, so they will certainly be giving you guidance there, and aligning all of those in such a way that they can be aligned with your business continuity measures. What I would declare as the benefits of that: you are compliant, and not only are you compliant to NIS, but in the vast majority of cases that aligns your compliance to GDPR as well; you will increase your business activity, you'll have new business opportunities in terms of bidding, and you'll develop expertise as well, not to mention that it will give you a competitive advantage. You will avoid penalties; it's up to 17 million. That's a little difference with GDPR: first of all, when this came out the government was thinking of aligning it along the lines of GDPR, but when there was that consultation they decided to keep it to up to 17 million. Yeah.

So that's pretty much it, that's me done. I hope it made a little bit of sense to you guys, and I welcome any questions.

Yep. [Audience question: ten employees, we provide infrastructure services, in scope?] I think the government, so far, there on the slide here, the government, yeah, if you go to the NCSC website, because since November 2018 I think the government was meant to publish a list, so there were 129 companies that were listed. So it's the case of trying to get in touch either with the NCSC, yes, or the ICO to have more clarity on that. What I know is the information got circulated in terms of the organisations that were basically deemed to be eligible or fall under the criteria. So yeah, just so you know, just the DSPs.

[Audience question: who gives you such a framework, because it's all aligned, as I have established?] Yeah, yeah, this is heavily aligned to ISO 27000. Yeah. Something else?

Okay, that's me done. My email address is there if you need more clarification in terms of everything to do with the NIS Directive; I'll be more than happy to. And I forgot to mention my Twitter today, but if you type in on Twitter Romeo [unclear] you'll find me there and we can follow each other. Okay.
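As an added illustration (not code from the talk, the NCSC or CGI's Iris tool) of the scoring structure the talk describes, objectives down to principles, each principle's indicators of good practice rated not achieved / partially achieved / achieved, rolled up into the 0/10/40/70/100 maturity bands that feed the spider diagram; the indicator statements, the 0-100 mapping of the three ratings and the 70% target are assumptions:

```python
"""Added illustration of CAF-style scoring as described in the talk.
Constructed data: not the NCSC CAF's real indicators, nor CGI's Iris tool."""
from statistics import mean

# Assumption: map the three CAF ratings onto a 0-100 scale so they can be averaged.
RATING_SCORE = {"not achieved": 0, "partially achieved": 50, "achieved": 100}
# Maturity bands quoted in the talk: 0%, 10%, 40%, 70%, up to 100%.
MATURITY_LEVELS = (0, 10, 40, 70, 100)

# Constructed assessment: objective -> principle -> {IGP statement: rating}.
ASSESSMENT = {
    "Managing security risk": {
        "Governance": {  # the three components named in the talk
            "Board direction set": "achieved",
            "Roles and responsibilities defined": "partially achieved",
            "Decision making documented": "not achieved",
        },
        "Risk management": {
            "Risk assessment carried out": "achieved",
            "Risks tracked to closure": "achieved",
        },
    },
    "Minimising the impact of incidents": {
        "Incident response": {
            "Response plan exists": "partially achieved",
            "72-hour NCSC notification rehearsed": "not achieved",
        },
    },
}

def principle_score(igps):
    """Average rating of a principle's IGP statements, 0-100."""
    return mean(RATING_SCORE[rating] for rating in igps.values())

def maturity_band(score):
    """Snap a 0-100 score down to the highest maturity band it has reached."""
    return max(level for level in MATURITY_LEVELS if level <= score)

def scorecard(assessment):
    """One (objective, principle, score, band) row per principle: spider-diagram data."""
    rows = []
    for objective, principles in assessment.items():
        for principle, igps in principles.items():
            score = principle_score(igps)
            rows.append((objective, principle, score, maturity_band(score)))
    return rows

def gaps(assessment, target=70):
    """Principles below the agreed target band: where the client conversation starts."""
    return [principle for _, principle, _, band in scorecard(assessment) if band < target]
```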