Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures

Authors: 

Ola Aleksandra Michalec, Dirk van der Linden, Sveta Milyaeva, and Awais Rashid, University of Bristol

Abstract: 

As traditional legacy systems that run critical national infrastructures (CNI) are increasingly digitized for performance monitoring and efficiency, significant attention has been brought to improving their cyber security. Network and Information Systems Security (NIS) Directive is the first European scale attempt to establish a high standard of cyber security among CNIs. NIS raises questions about defining scope, providing evidence or mobilizing funding. Most importantly, there is the fundamental question whether it would become a tick-box exercise or lead to long-term improvements in security practices. We interviewed 30 cyber security practitioners in the UK to gather an in-depth understanding of NIS implementation and its probable futures. Our analysis found that the emerging field of Operational Technology Security is yet to formulate norms, standards and career trajectories. We are, therefore, at a critical junction, where the scope of the profession is shaping together with the need for evidence-based policy advice. Our findings are twofold: (1) a number of security tropes (e.g., “security solutions are the same across the sectors”), which may drive implementation of regulations such as NIS; (2) a classification of cyber security practices mapping the diversity of policy interpretations. We conclude with recommendations for policymakers and CNI operators.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {255672,
author = {Ola Aleksandra Michalec and Dirk van der Linden and Sveta Milyaeva and Awais Rashid},
title = {Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures},
booktitle = {Sixteenth Symposium on Usable Privacy and Security ({SOUPS} 2020)},
year = {2020},
isbn = {978-1-939133-16-8},
pages = {301--317},
url = {https://www.usenix.org/conference/soups2020/presentation/michalec},
publisher = {{USENIX} Association},
month = aug,
}

Presentation Video