Reimagining Cyber - real world perspectives on cybersecurity

NIS2 Directive: Cyber Insights - Ep 76

December 20, 2023 Reimagining Cyber Season 1 Episode 76

Welcome to another episode of "Reimagining Cyber," where Stan and Rob explore the transformative landscape of cybersecurity regulations. In this insightful episode, they delve into the intricacies of the upcoming NIS2 directive from the EU, set to take effect in October 2024. Joining them is Bjørn Watne, Senior Vice President and Chief Security Officer at Telenor Group and an advisor to Europol, offering over 20 years of expertise in information security and cyber risk management.

The discussion revolves around the key changes introduced by NIS2, emphasizing a baseline cybersecurity approach across essential entities in diverse sectors. Bjørn sheds light on the directive's requirements for systematic security risk management, crisis management, and heightened resilience. The episode also navigates through the complexities of supply chain control, collaboration, and reporting vulnerabilities.

Drawing from Telenor Group's experience as a telecom operator, the hosts and guest unravel the distinct threat landscape faced by telecom companies, especially in dealing with advanced persistent threats and the significance of call detail records. Beyond traditional sectors, the conversation touches upon the implications of NIS2 on organizations, highlighting Telenor Group's compliance efforts.

Exploring the penalties associated with NIS2 noncompliance, the episode draws parallels with GDPR, underscoring the importance of these regulations in fortifying a secure digital infrastructure. As organizations prepare for NIS2, Bjørn shares practical advice, urging a proactive approach with asset inventory, business impact analysis, and comprehensive risk assessments.

Don't miss this episode packed with valuable insights into the NIS2 directive and actionable steps for organizations to elevate their cybersecurity readiness. Stay tuned and reimagine cybersecurity with Stan, Rob, and Bjørn on this informative podcast.


Get in touch via reimaginingcyber@gmail.com

[00:00:00] Stan Wisseman: Welcome to another episode of Reimagining Cyber. This is Stan, and I'm with my co-host, Rob Aragao. And Rob, you know, I don't know about you, but I've been in this industry a long time. I've seen a lot of regulations and directives come and go. And, you know, it's, it's important to keep track of what's

[00:00:18] what's up and coming, and I think that's where we're going to be focusing on today. 

[00:00:22] Rob Aragao: Right. We're going to delve into the NIS2 directive, which has come out of the EU. I shouldn't say come out of it. It's not new. It's evolved. But it's evolved with some serious teeth in it, and it goes actually into effect later in October of 2024.

[00:00:36] So I think, you know, we're going to have a great guest on the show, to share with us his perspectives and what he's seeing living it in his world out in the EU, and get some guidance on what people should be 

[00:00:46] Stan Wisseman: thinking about. And, and again, it's anybody who's doing business in the EU. So even U.S.-

[00:00:51] based organizations or those in Asia need to be aware of this. 

[00:00:56] Rob Aragao: So Stan, who do we have joining us for this 

[00:00:57] Stan Wisseman: episode? Rob, today we're [00:01:00] joined by Bjorn Watne. Bjorn is currently the Senior Vice President and Chief Security Officer at Telenor Group and is also an advisor to Europol. He has more than 20 years of experience with information security and cyber risk management in Europe and in Asia,

[00:01:15] primarily with financial services, telecommunications and critical infrastructure. Bjorn, it's great to have you as a guest today. And before we dive into our conversation, anything else you'd like to add for our listeners to know about your background? 

[00:01:29] Bjorn Watne: Well, first of all, thank you, Stan and Rob for having me.

[00:01:33] Good to be here. As a curiosity, I guess it's interesting to know that I was never formally trained in security, because when I was in university back in the late 90s, even though I was in computer science, security wasn't really a topic. And it's not that long ago, at least I don't feel it is. So, so that's interesting, because the world is, is really different now.

[00:01:58] And I also [00:02:00] think it's, it's worth mentioning that, alongside my, my career, my paid work, I've always kept myself busy with professional associations outside of the daytime job, like ISC2 and, and ISACA, for example. And I found that that was a great way for me to stay up to date on the latest development of threats, technologies, standards, regulations, pretty much everything that I didn't learn in university.

[00:02:25] So I've been at it for a while. I 

[00:02:29] Stan Wisseman: think, I think being active in those kind of working groups or associations is a great way of networking as well, right? I mean, getting to know those in your community. So that's great. 

[00:02:39] Rob Aragao: Could you just expand so people understand a little bit more about Telenor Group? You know, they're very large tech Norway, but just maybe a quick kind of, you know, what is Telenor all about, that way

[00:02:49] It puts a little bit more perspective on how it relates into the work that you've 

[00:02:53] Bjorn Watne: been doing. Yeah, certainly. So, so Telenor Group is a spin-off of the national [00:03:00] telecom authority in Norway, so it's a hundred plus years old, and it was privatized during the 90s. We operate telecom companies out of all the four Nordic countries, and we have also an expansion into South and Southeast Asia.

[00:03:15] So we effectively run telecom operations in Pakistan, in Bangladesh. We have some joint ventures, the largest operator in Thailand and Malaysia. We have a regional head office in Singapore, where we also have a procurement company. And we also have a business area focusing on adjacent businesses or services beyond connectivity.

[00:03:37] And in here you will find Telenor Satellite. You will find Telenor Connexion, which is an IoT company. And a multitude of other investments and, yeah, things that we are working on. So, first and foremost, a telecom company, but we are much more, and we also produce, or we provide, content like television and security [00:04:00] services and many, many other things.

[00:04:03] Stan Wisseman: Our, our, our focus today, you know, Bjorn, is, is on the Network and Information Security 2 Directive, or NIS2, within the European Union. And so, Bjorn, if you could offer to our audience a concise summary of the NIS2 directive, emphasizing the key changes and enhancements as compared to what was in the original NIS directive.

[00:04:25] And also, I think it would be beneficial to understand the implications of these changes and have, you know, what for organizations within the EU, and especially in light of the ongoing process of, of national implementation. 

[00:04:40] Bjorn Watne: Yeah, absolutely. And, and, and you're right. It is an evolution more than a revolution here.

[00:04:44] And that being said, it's still a comprehensive upgrade, so to say, from the first iteration. Obviously the threat landscape is changing. The geopolitical situation is changing. And also how we run businesses has changed a lot. [00:05:00] Everything is dependent on, on digital infrastructure these days. And we have also de-layered a lot of the industry verticals.

[00:05:09] So we have far more complex and global supply chains, for example, compared to what we did before, just seven or eight years ago. So the major changes, I guess you can, I think I can summarize it in, in five bullet points. NIS2 is, it's definitely there to baseline cybersecurity, an up-to-date baseline across essential entities in multiple, in three verticals, being that everything is now digital to a larger degree than it was before.

[00:05:40] It requires organizations to work systematically with, with security risk management and governance. It also requires organizations to step up significantly around crisis management, and especially how they look at resilience in the, in the operation. 

[00:05:58] Stan Wisseman: That's the main focus of our [00:06:00] podcast has been around cyber resilience.

[00:06:02] So it makes sense. That's good. 

[00:06:04] Bjorn Watne: Yeah, exactly. And I mean, given the, the, the dependency that we have on the digital infrastructure these days, for businesses, or, or industries, to be resilient to, to attacks in that domain is becoming increasingly more important, hence the, the update to the, to the directive. But also it requires organizations to be, to have better control of all the supply chains specifically.

[00:06:27] I think we will probably touch on that later, but, but also incorporating all of it, right? It's long supply chains. And, and finally, I think it's worth mentioning that it puts much stronger requirements on, on reporting, and not just of, of incidents, but also of vulnerabilities that one might discover in, in, in products and services.

[00:06:47] Indeed. Indeed. 

[00:06:50] Rob Aragao: Now, one of the things that we've seen, obviously, with the, with the directive is that most critical organizations, you know, verticals such as financial services, energy, [00:07:00] healthcare, are obviously falling underneath. But maybe you can speak to, you know, maybe some other types of organizations being affected, and maybe even specifically discuss some of those implications relative to the telecom world that you, that you obviously live in. And it'd be interesting to kind of get your perspective on that.

[00:07:17] Bjorn Watne: Yeah, absolutely. Absolutely. And to be honest, I feel this is, this is a topic that's still being discussed. When looking at the directive, it was talking about both essential entities and important entities, and there is sort of a debate where would you sort of be, be defined. But given that as good as everything is online these days, apart from those I just mentioned, these entities would include organizations dealing with foodstuffs, transportation, water supply. So it's not just those traditional verticals like energy, financial services, but, but you have these other commodities coming in as well.

[00:07:59] And in [00:08:00] regards to the telecom industry, I mean, we could both be defined as digital infrastructure, obviously. But we can also be a digital provider, and we could be even more, depending on how many services we are producing beyond just connectivity. And in many of the markets where we operate as a telco, we, we are already defined as national critical infrastructure in that, that market.

[00:08:28] So the implication of, of, of having to follow this, in most of the markets, it won't mean we have to pull too much of an extra effort, because we already fall under the national critical infrastructure and we have a lot of regulatory requirements in place already. I think, looking at it as we are right now, the step up that we need to do in crisis management and in disaster recovery, and also maybe supply chain risk management, [00:09:00] those are the ones where I see that there is a stretch target for us. But, but other than that, we are already quite regulated as a critical infrastructure operator.

[00:09:09] Stan Wisseman: So, Bjorn, when you, when you look at the attack landscape and what sectors are, are typically targeted, let's face it, financial and healthcare sector organizations have the information that attackers many times want, right? And, and so drawing from your experience from the financial sector and your current role in telecom.

[00:09:30] Can you shed light on, on some of the specific types of information that attackers are now targeting in these sectors? And, and how does this differ from the, the kind of data vulnerabilities and information that you'd find typically in the financial 

[00:09:43] Bjorn Watne: sector? A lot of the opportunistic criminals, they would be circling the financial services sector, and everywhere where you have money or valuables in play you will, you will find these criminal elements trying to, to gain possession. Some hundred [00:10:00] years ago,

[00:10:00] they were robbing trains and post wagons. But the principle today is still the same; the difference is that nowadays they use a PC instead of a pistol to, to, to rob you, right? But in telecoms, the threat picture is quite different. There are some issues always around fraud, but most of the threat actors that we're concerned about would be the advanced persistent ones, or APTs, as they are often called.

[00:10:35] We don't have that much money floating around as you would find in financial services, but what we do have is something called CDRs, or call detail records, and also possibilities of determining the physical location of devices like, like a cell phone. So what it means in practice is that we

[00:10:54] have information on where people are, who they meet with, uh, [00:11:00] who they talk to, and, and what they talk about. And, and this type of information is typically of interest to nation states and, and other actors with access to vast amounts of resources, and who also are very interested in spying on rivals, dissidents; they could want to manipulate the outcome of political processes, amongst other things.

[00:11:23] So it's it's quite a different threat landscape that 

[00:11:25] Rob Aragao: we're facing. It definitely is. But I think that's, that's what's interesting. You've got that background of financial services, you know, in that space, what the attackers are targeting, right? They want to get into the data. They want to get some information

[00:11:37] they can come back and monetize, right? And there's a business typically associated to that, kind of in the way they treat it. In your world, it really is nation state. It's, it's, it's espionage. In essence, it's going in and understanding intelligence as to, kind of, you know, what are these individuals doing that we're tracking, or additional information that we need to be aware of that may be coming.

[00:11:54] So it's, it's, it's a pretty interesting world that you live in, Bjorn. I wanted to [00:12:00] come back to the NIS2 directive and talk about it from, there's, we know that there's 10 minimum measures tied to the NIS2 directive. Pick several of them, if you don't mind, and kind of, you know, share with the audience some things that need to be taken into consideration.

[00:12:14] Bjorn Watne: Yeah, yeah, yeah. No, I will, I will take it down to four then, maybe. The, if we start from the beginning, the requirements that will now be more stringent around security risk management and governance, those I think are really interesting. So you need to be able to prove that you have a process in place for identifying your assets, doing a business impact analysis: how much

[00:12:41] do these assets mean to your business? And then you have to look at the potential risks that will circulate these assets. That is a requirement. It's of course always a good practice, but, but now there is no going around it. You have, you have to do it. So, so that I think is [00:13:00] very good. The second one I would like to highlight is when you understand what your crown jewels are, because that's what you do during the business impact analysis, right?

[00:13:08] You find out what would hurt you the most to lose. Then there's also a requirement to, to actually identify what are the resources that are required for these crown jewels to, to operate, uh, including people, and then you are required to, to provide adequate training for these people, and you are required to, to have processes in place on how you can restore them to, to have an operating state if risk A, B, or C materializes.

[00:13:41] So that's what you would call a disaster recovery. Again, it's good practice and something that you should have been doing, but, but you will now be required to do it. Then, and if you can't prove that you are, then there is a potential fine at the other end that, that would hurt quite a lot. Obviously we [00:14:00] touched it a couple of times already, but, uh, the requirement on your level of control on supply chain is very interesting.

[00:14:08] And also the fact that you do, in your contract, would have to make sure that you have audit rights also through the supply chain. I remember five years ago, we were trying to, to make a contract on, on changing our intranet with this big social media company, to use their, their business version as an intranet.

[00:14:32] Very difficult to get any form of audit rights into that contract. But, but that's of course also changing now when it turns into regulation. So, so that is, that is the thing. And, and of course the, the last point around requirements on incidents and vulnerabilities. If you look at all the regulations, again, it comes with, with the requirements.

[00:14:55] You had the GDPR: if you had a breach of personally [00:15:00] identifiable information, you have a certain time window where you're obliged to report on the breach. But there are many of those with, with a lot of requirements on reporting. And, and what they're trying to do now is make that less cumbersome for the companies and only focus on the major or, or the critical incidents. But still, they are putting these requirements on more like these essential and important entities, and not just incidents, but also vulnerabilities.

[00:15:29] So if you discover for any reason what they call a zero day, or a new, an unproven vulnerability, there is now a requirement that you report it to, to your peers, and so they can, yeah, remediate quickly. So, and also there is, there is requirements there around more collaboration. So, yeah, basically those are the big things that I see worth mentioning in NIS2.

[00:15:55] Stan Wisseman: You know, Bjorn, you mentioned the impact of noncompliance could be painful. [00:16:00] The authors of these kind of directives or regulations are always looking for ways to motivate, either through carrots or sticks, to get organizations to actually implement their, you know, requirements. In, in the, in the context of the NIS2 directive, you know, what are those specific penalties that could be associated with noncompliance?

[00:16:24] And, you know, are these penalties uniform across all sectors? And again, we go back to the fact that the member states are implementing these requirements into national law. So does that have an impact as far as how their penalties will be doled out? So, you know, and, and, and, and does NIS2 have any carrots as well?

[00:16:44] I mean, again, is it, is it strictly, you know, the, the stick approach, or are there any carrots associated with NIS2? 

[00:16:51] Bjorn Watne: Well, asking me as a security professional, I think the carrot is that we will have a healthy digital infrastructure also across borders [00:17:00] in the region, and that should be in anyone's interest.

[00:17:03] But the fact of the matter is that when, when you look at security measures, like these advanced security measures, they, they cost a lot of money. And, unfortunately, if you look at top management of most companies and most industries, cybersecurity is still a bit of a black box. You know, it's there and you've heard all these things, but you can't really fathom exactly what it is, but you see it comes connected with a huge cost, and, and to take that cost is, is, is hard

[00:17:41] when you have a budget and you have financial targets to, to meet. So unfortunately we see that many times investments are not enough. And bring on the GDPR that happened a few years back: what we were seeing was a cool-down effect. Citizens were [00:18:00] reluctant to use digital services because they didn't like the possibility of their information being spread online, and then they would be the victim of identity theft down the line.

[00:18:11] So the EU saw the need to, okay, now we need to force these companies to do certain measures to reinstall this trust with the citizens in using the digital services. And at the time they, they placed, well, if a company processing data on, on European citizens fail to comply with the GDPR requirements, they can be fined up to 2 percent of the worldwide turnover of that company or, or 10 million euros, which is this hefty fine.

[00:18:40] That sparked some initiatives in the financial services company that I was working in at the time. And, yeah, and this is exactly what they're doing again, because, like I said, it's hard to, the technology is advancing so fast, so to get the competence of every threat and every possible [00:19:00] risk and outcome

[00:19:01] correctly presented to top management and boards is difficult. So the regulatory bodies are helping us professionals here by putting this stick, which is first and foremost a stick, because within NIS2, if you have an essential entity like digital infrastructure, then the fines would be the same as, as a GDPR non-compliance.

[00:19:24] So it's a 2 percent turnover for the company or, or 10 million euros. And if you belong to the important entity category, it's, it's still a hefty one. It's a 1.4 percent of the worldwide turnover or, or 7 million euros. So, yes, it is, it is a stick. But I think the, the fact that we will all be better for it going down the line, that's, that's the carrot.

[00:19:50] So, 

[00:19:50] Stan Wisseman: so, so it does, the penalty does vary based on whether or not you're placed in the essential sector category or important, but it will be consistent across [00:20:00] all member states? 

[00:20:02] Bjorn Watne: Yes, it's, it's supposed to be, or it shall be consistent, and we will see how it eventually turns out. But with GDPR, for example, if you're a European company with, with locations in multiple, multiple countries in the EU, it will be the regulatory body in the country where your headquarters is located that will be dealing with, with, with the EU if something happens in any of the countries where you are represented.

[00:20:30] So, something similar I would suggest is happening 

[00:20:33] Rob Aragao: here. So I can tell you, Bjorn, that I'm glad to hear that there's really a stick behind this, as it was with GDPR. And I will also share with you and the audience that I've already had many a conversation with organizations in the U.S. that are really paying attention to what's happening in NIS2, because they're impacted, right?

[00:20:54] If they're doing business in the EU, they're impacted by this. So now they're having to figure out, okay, well, [00:21:00] what is it that we have to review? As you said, you've got to go through the assessment, and if it's a business impact analysis, most likely they had already done that. But then what are the gaps? What are the gaps that are out there that they're having to fill in?

[00:21:11] So, so kind of in wrapping things up, what I would like to get from your perspective is: where do you start? Like, what are some kind of quick wins, right? You know, as you're, as you're going through this process, like what are the couple of things that maybe you would share with the audience, and kind of, hey, it's probably a good place to start here?

[00:21:27] Maybe just kind of, you know, walk us through that. That'd be, that'd be helpful. 

[00:21:31] Bjorn Watne: I can make it sound easy, but it really never is. But I would say that you, you always start with taking inventory, because you can't protect the things that you don't know you have. And depending on the size and complexity of your business,

[00:21:46] you will find that taking inventory is, is often not an easy job, but you need to do that, because you need to understand what it is you have and what it is that you need to protect. And when you've got that, when you have a good asset register and [00:22:00] do the business impact analysis, find out what your most important assets are, then do a risk assessment.

[00:22:07] And then you apply controls according to the level of risk that you face. That's it. I mean, it can sound easy. And the process is quite similar to established best practices like ISO and NIST. But again, with NIS2, you just make sure that you also include the specifics like the reporting requirements and the vendor audit rights that are a little bit extra, but 

[00:22:33] Stan Wisseman: So, so just, just following up, Bjorn, on that comment, I mean, is it, is it fair to say that if, if your organization got certified to ISO 27001, that they're probably a long way there as far as the NIS2 directive compliance, though there may be some specific NIS2 requirements that are outside of the 27001 that they need to look at?

[00:22:56] But in general, is that going to get them the majority of the way there? [00:23:00] 

[00:23:01] Bjorn Watne: Absolutely. Yeah. 

[00:23:03] Rob Aragao: Well, Bjorn, I think it's been very insightful having you on to, to, to share what, obviously, you know, over in Europe, you guys are seeing and paying more attention to this. But as I just mentioned, I'm seeing it here domestically in the U.

[00:23:15] S. as well, so it's becoming a global view, obviously, because if you're doing business in the EU, it's going to impact you. As you stated, it sounds simple, and doing some of these things that, you know, you should be already doing, taking inventory, being able to go through the assessment. But I guess I just look at it as like, if you haven't done it, get started, right?

[00:23:33] So get, get, get out in front of this thing, because it will impact you. And you're just about 10 months out from it actually becoming reality. So thank you for joining us today. Really appreciate the 

[00:23:43] Bjorn Watne: time. Yeah. Thank you so much for having me. It was a great discussion. Thanks, everyone.