In an increasingly connected world, where digital technologies infiltrate every aspect of our lives, cybersecurity has become a vital concern for businesses and government institutions. In the face of ever-growing threats from cyber-attacks, the European Union has developed the Network and Information Security Directive (NIS-2) to strengthen the resilience and security of critical infrastructure and digital service providers.
The NIS-2 Directive aims to harmonize and improve cybersecurity at EU level. It lays down minimum security requirements that must be met by operators of essential services and digital service providers, as well as measures to prevent and manage cyber threats and incidents.
Who is affected by the directive
Institutions and services must independently review whether they are impacted by the directive and are obliged to register. There is no provision for notification by national authorities.
Institutions can determine whether they are covered by the Directive based on their industry sector, on size thresholds (number of employees or annual turnover), and on a number of special cases. Affected sectors include utilities, transportation, and the healthcare sector. Further information can be found in the annexes to the NIS 2 Directive, on national government portals, or from industry-specific associations. It is also possible to consult external cybersecurity experts or consultants who specialize in the NIS Directive; they can carry out an assessment and support the institution in identifying the relevant requirements and obligations.
It is also possible for institutions within the sectors and subsectors mentioned in the directive to provide both essential and non-essential services. For instance, airports offer services that could be deemed essential, such as runway management, as well as services that may be considered non-critical, such as retail areas. In such cases, specific security requirements need only be met for the services deemed essential.
The challenges of the NIS 2 Directive
The requirements of the directive are to be transposed into national law in the EU member states by October 17, 2024. This requires governments and institutions to implement the measures quickly.
Member states must ensure that operators of critical infrastructure and providers of digital services take technical and organizational measures to ensure the security of their network and information systems. These measures are intended to mitigate risks associated with services utilized within the EU and must be commensurate with current technological standards and existing risks.
Obligations for providers and services
The specific measures necessary to comply with the NIS 2 Directive depend on the specific risks and threats of the sectors and services. In general, however, the regulation mentions the following aspects:
Cybersecurity measures according to the “state of the art”
Providers and services affected by the directive must implement cybersecurity measures in accordance with the “state of the art”. This legal formulation is used because technical development is progressing faster than legislation is being updated. Additionally, measures vary depending on the industry and institution, making a universally applicable description of cybersecurity measures impossible. However, institutions can align with international cybersecurity standards and norms, as well as industry best practices.
System security and risk management
In order to ensure the integrity and reliability of critical infrastructures and digital services, affected institutions should comprehensively examine potential risks to their systems and facilities and develop security measures accordingly. One way to do this is to establish a risk management system based on standards such as ISO/IEC 27005 and ISO/IEC 27002, which provide a framework and guidelines for identifying, analyzing, and assessing risks in the context of information security. The selection and implementation of specific cybersecurity measures should be based on the results of the risk assessment and on the individual requirements and risk profile of the organization.
Incident management
Providers of essential services are obliged to inform the relevant state institution immediately of any security incidents. The authorities examine the possible effects of these disruptions and impairments and provide support with measures to overcome incidents. Concrete procedures that companies can implement for incident management include establishing an incident response plan that defines clear responsibilities, escalation paths, and action steps; utilizing monitoring and detection systems to identify potential incidents early; and forming partnerships with external experts to assist in managing security incidents and exchanging information.
Business Continuity Management
A well-designed BCM program enables institutions to prepare for unforeseen events, maintain business continuity, and minimize the impact of disruptions. This involves developing emergency plans, implementing strategies and measures to restore business functions, and includes continuous monitoring and improvement. Regular plan updates are essential to address evolving threats and business requirements. Training and exercises are conducted to test and enhance the organization’s responsiveness. Recommendations for building a BCM program can be found from entities such as ENISA and CSRC.
Supply chain and third-party management
Operators of critical infrastructure are obliged to assess risks in the supply chain that could have an impact on their operations. This includes, for example, a classification based on the criticality of the services or products for their infrastructure. Careful risk management is also essential to assess the impact of disruptions on operational capability and develop countermeasures and alternative strategies. Guidance on this topic is provided by resources such as the NIST SP 800-161 guide, the ISO 28000 standard, and the SANS Institute.
The impact of KVM on cybersecurity in mission-critical industries
KVM solutions have been an integral part of mission-critical control rooms for years, as they offer various security benefits, improve ergonomic working conditions for operators and contribute to more efficient control of systems.
They can be used to effectively extend and distribute computer signals. Therefore, a major security benefit of KVM solutions is to remove computers from working spaces and relocate them to a secure technical area that can be protected by locking systems or surveillance technology. This prevents unauthorized persons from gaining access to the computers. Users, on the other hand, can continue to access the systems from their workplaces in real time.
Furthermore, this solution enables network segmentation, further reducing the risk of cyberattacks by isolating sensitive data and critical systems from less secure networks. This enhances overall security and protects against potential threats originating from the internet. With these advanced security features, our solutions provide ideal support in meeting the requirements of NIS-2.
Redundancy concepts for failure prevention
Particularly in the key areas defined by the NIS-2 directive, such as healthcare, energy supply or transportation, it is important that IT systems are reliable in continuous operation and are always accessible.
KVM systems offer a wide range of redundancy options to ensure continuous system availability. If the primary connection, computer, or workplace fails, a seamless and uninterrupted transition to redundant routes, backup computers, or alternate workplaces lets users continue their operations without disruption in their familiar environment.
Implementing redundant hardware systems can also be crucial in increasing a system’s security and resistance to attacks, because it minimizes the risk of a single attack affecting multiple systems simultaneously. KVM systems connect only to the hardware interfaces, namely keyboard, video, and mouse, without direct data transfer between the connected systems. This significantly reduces the risk of software-based attacks, as no sensitive data needs to be transmitted over networks.
Advanced security features of KVM
The use of proven security practices such as redundant systems maximizes system resilience and effectively mitigates potential failure scenarios. In addition to implementing redundancies, a comprehensive cybersecurity strategy is essential to protect against potential threats that could compromise system integrity. The synergy between failover and cybersecurity measures creates a robust defense.
KVM solutions from G&D offer additional security features such as encryption and user authentication, which enhance the protection of sensitive data and help essential services and institutions comply with stringent data protection regulations. Both traditional and KVM-over-IP systems are equipped with numerous security functions against internal and external threats. Encrypted transmission ensures that confidential information is protected from unauthorized access.
Additionally, our systems can be equipped with further access control mechanisms to enhance security. Configurable access rights for various operational areas and optional two-factor authentication, for example, ensure secure and authorized system access.
Conclusion: The future of cybersecurity
The implementation of the NIS-2 Directive is a significant step towards improved cybersecurity in the European Union, especially for operators of critical infrastructures and providers of digital services. In an era of increasing digitalization and connectivity, protection against cyberattacks is crucial to ensure the stability and functionality of essential services.
The directive establishes minimum security requirements and obliges EU member states as well as providers and services to implement technical and organizational measures. This includes the implementation of cybersecurity measures, incident management, business continuity management, and the securing of the supply chain.
KVM systems can be an important tool in this implementation, enabling the relocation of computer technology to secure areas and offering modern security features. By setting up redundant systems, KVM solutions provide additional security, minimize downtime, and ensure the continuity of operations.
For companies and institutions covered by the NIS-2 Directive, it is crucial to prepare early for the new requirements and to implement the necessary measures to comply with the directive in a timely manner. This not only ensures compliance with legal requirements but also strengthens resilience against the growing challenges of the cyber landscape.
By combining technological innovations and proven security practices, companies can protect their systems against current and future cyber threats while safely advancing digital transformation.