ICS within the NIS Directive should be ATT&CK®ed
In August 2016, the European Parliament and the Council of the European Union implemented the first piece of legislation specifically addressing the cybersecurity of its Network and Information Systems (also known as the NIS Directive, or NISD). The NIS Directive (European Commission, 2016) required that member states transpose the Directive into local law by May 2018 and self-select the in-scope Operators of Essential Services (OES) by November 2018. To assist with the short time frames, the European Union Agency for Cybersecurity published a guideline (ENISA, 2018) that maps the security requirements set out in the NIS Directive to existing industry standards for specific sectors. Some of these included the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP), National Institute of Standards and Technology (NIST), and International Organization for Standardization (ISO). Given the increased focus of malicious actors targeting Industrial Control Systems (ICS) and Operational Technology (OT) assets, does the NIS Directive provide meaningful impact to protect industrial assets and public safety? Rather than recommending industry-specific standards, what is the effect when complemented with common Tactics, Techniques, and Procedures (TTP) determined by the Mitre ATT&CK® for ICS (Mitre, 2020) framework?
ics-nis-directive-should-be-attacked (PDF, 0.56MB)
25 Aug 2021Related Content
Cyber Guardian Exercise: A Case Study in Brazil to Address Challenges in Cybersecurity and Protect Critical Infrastructure
Research PaperDiscussions of cybersecurity, in particular those associated with critical infrastructure (CI),...
- 22 Feb 2022
Manage Open-Source Components via Secure Product Development Lifecycle in Industrial Control System
Research PaperNowadays, open-source components are becoming the essential components in industrial control systems...
- 14 Feb 2022
ICS OT Systems Security Engineering Is Not Dead
Research PaperICS OT Systems Security Engineering Is Not Dead
- 23 Mar 2020
ICS Layered Threat Modeling
Research PaperThe ultimate goal of building cybersecurity architecture is to protect systems from potential...
- 22 Jan 2019
Passive Analysis of Process Control Networks
Research PaperIn recent years there has been an increased push to secure critical ICS infrastructures by...
- 1 Jun 2018
Incentivizing Cyber Security: A Case for Cyber Insurance
Research PaperIn the wake of recent events-Ukraine, Shamoon v2, WannaCry--providing cyber security continues to be...
- 27 Jun 2017
The Industrial Control System Cyber Kill Chain
Research PaperRead this paper to gain an understanding of an adversary's campaign against ICS. The first two parts...
- 5 Oct 2015
Tactical Data Diodes in Industrial Automation and Control Systems
Research PaperIn recent years, there has been an increased interest in the use of Data Diodes (also known as...
- 30 Jun 2015
The Perfect ICS Storm
Research PaperAs manufacturing Industrial Control System (ICS) architectural designs have evolved from isolated...
- 8 Jun 2015
An Abbreviated History of Automation and Industrial Controls System and Cybersecurity
Research PaperAn Abbreviated History of Automation and Industrial Controls System and Cybersecurity
- 23 Jan 2015
Automated Defense - Using Threat Intelligence to Augment
Research PaperAutomation and industrial controls systems - often referred to as ICS - have an interesting and...
- 19 Jan 2015
Rate my nuke: Bringing the nuclear power plant control room to iPad
Research PaperShibboleth is a free, open-source web single sign-on solution (SSO) for complex federated...
- 14 Nov 2014
Protect Critical Infrastructure Systems With Whitelisting
Research PaperSecurity professionals in federal, state and local agencies face many unique challenges in...
- 5 Aug 2014
Case Study in Developing Fault Tolerant and Highly Available Systems with Secure Zones of Protection
Research PaperProcess Control is the part of a company that controls the critical processes that company...
- 8 Aug 2003