Resilience As Regulation: Preparing For The Impact Of CER

While NIS2  has dominated headlines in recent times, the Critical Entities Resilience Directive  (CER) appears to have slipped under the radar despite, arguably, commanding a much larger response. The two go hand-in-hand: NIS2 and CER will change the way the public and private sectors think about security and alter the course of the strategies they use to keep their businesses running.

Both directives cover the same, expanded list of sectors and industries defined as ‘critical entities’, and place the same people in a position of responsibility should they be breached.

But while NIS2 defines vital boundaries surrounding cybersecurity, CER’s core principles state, to put it simply, that every affected business must be able to continue operating their business whatever happens. That could mean a natural disaster, a physical attack, human error or even a cyber attack. 

NIS2, therefore, could be thought of as the mandatory infrastructural foundation of CER’s far broader scope: it is, basically, ‘everything else’. One props up the other. Without the kind of secure IT infrastructure that NIS2 leads, there is no foundation for resilience; without the resilience of critical infrastructure - defined very broadly by CER as ‘an asset, a facility, equipment, a network or a system ’ -  the aims of NIS2 cannot be met.  

Working Against A Tight Time Limit
Any business which now falls under the EU’s critical infrastructure umbrella without appropriate measures must now seriously rethink its risk assessment process and redesign the way it approaches its business to match. It must do so immediately. While the European Commission has offered member states a deadline of July 2026 to identify their own list of critical entities, which may seem to imply that there is a lot of time to work with, measures must be in place before that date. 

Just as every new device introduced into a ‘critical entities’ business has to be aligned with NIS2, any project which is now ongoing, any small refresh, any infrastructure change must be reevaluated with business continuity at the top of the spec sheet. Even existing infrastructure will not escape CER’s broad net; new risk assessments will be required for every critical process.

Most importantly, businesses will need to employ new thinking to discover risks they may not have monitored before - and new ways to monitor those which they are all too aware of.

CER: A New Level Of Diligence
Many new sectors have entered the scope of such regulations with the introduction of CER and NIS2 such as water treatment, transportation, healthcare, food and waste management. There is no suggestion that businesses in these sectors were not prioritising business continuity previously, but these new regulations force a level of proof. 

EU member states will have the right to conduct on-site audits and inspections and issue penalties for critical entities failing to implement the appropriate level of technical, security and organisational resilience.

Events which have the potential to cause business disruption must be reported to the relevant governing body, whether they actually impact business continuity or not. Monitoring, training and diligence have therefore never been more critical. 

Improving one’s monitoring function does not need to involve a complete redesign of one’s equipment. We return to the idea of new thinking: in many cases, the equipment required to detect novel incidents, observe critical machinery or systems, and even prevent dangerous human activity is already installed. It simply needs to be thought of in a different way.

Rethinking The Camera As A Sensor
Today’s surveillance cameras are far more than physical security tools. They are, in many cases, the most powerful sensor operating on an entity’s premises. What’s more, digitalisation offers an opportunity to use them for more than their primary, original security-related purpose. The best modern cameras are backed by powerful analytics and AI technology which can be harnessed for whatever use case matters.

To allow a camera to do just one job feels like a waste when it is potentially the most capable IoT device on one’s network.

Point a thermal camera at an array of machinery, for example, and it can offer an operator visual feedback on that equipment’s temperature. Simple enough. Harness its data collection abilities, though, and you could define 100 points within its image, collect precise numbers from each, output them via an industrial protocol like Modbus or MQTT, and fully integrate that data into an operational interface.  

Doing More With Sensor Data
Critical entities will be forced to improve the continuity of remote locations. A camera at, for example, an electricity substation could perform its traditional role of monitoring the perimeter for intrusion, but also do a lot more besides. It could detect the status of equipment, watch for weather conditions, generate an alert if a human gets too close to dangerous devices, or even anonymously inspect on-site workers to ensure they are wearing appropriate protective equipment (PPE). 

None of this demands that a camera operator be watching constantly. With the right camera, software running directly on its hardware may be able to use algorithmic techniques or an AI engine to monitor its entire field of vision. A camera could predict a landslide or a flood. Its microphones could listen to the sound of a turbine and detect tiny pitch changes which indicate a potential failure. Its speaker could sound an alarm as part of an access control system. It is a truly flexible platform.

A United Path Forward
However, every use case is unique. A lot can be done with AI, but AI models must be trained extensively before they can be effective. While in many cases drop-in solutions exist, the camera’s role in monitoring is still being explored and thought through. And such decisions must come from the top down, meaning executives must be made aware of not only the importance of CER but also the potential for the camera hardware to help to accelerate the process of alignment with CER’s aims.

The key is that it must be the right hardware - equipment which backs up its internal processing capabilities with an open platform ready for the kind of development which allows for creative coding and innovative detection procedures, allowing critical industries to cross-collaborate to improve stability, security, and resilience for everyone.

These must be devices which help meet the demands of NIS2 and CER in equal measure, supported by vendors and suppliers that know that equipment inside out. That knowledge and unity is the path to a smarter, safer world.

Andrea Monteleone is Segment Development Manager, EMEA, Critical Infrastructure at Axis Communications   

Image: Ideogram

You Might Also Read: 

From AI to ESG: Key Security Technology Trends Of 2023:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Business Identity Theft: Saving The Digital World From Fake Businesses
Cyber Insurance: The Cost Of Doing Business »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Bryan Cave LLP

Bryan Cave LLP

Bryan Cave LLP is a global business and litigation law firm. Practice areas include Data Privacy and Security.

NopSec

NopSec

NopSec provides automated IT security control measurement and risk remediation solutions to help businesses protect their IT environments from security breaches.

CyberTech Network

CyberTech Network

CyberTECH is a global cybersecurity, Internet of Things (IoT) and Smart City network ecosystem and incubator operator.

Plurilock Security Solutions

Plurilock Security Solutions

Plurilock is a real-time cybersecurity solution that uses artificial intelligence to identify, prevent, and eliminate insider threats.

Sky Republic

Sky Republic

Sky Republic offers a Smart Contract Platform to integrate and synchronize business networks beyond EDI and API.

Field Effect Software

Field Effect Software

Field Effect Software build sophisticated and integrated IT security, threat surface reduction, training and simulation capabilities for enterprises and small businesses.

Lewis Brisbois

Lewis Brisbois

Lewis Brisbois offers legal practice in more than 40 specialties, and a multitude of sub-specialties including Data Privacy & Cybersecurity.

Raonsecure

Raonsecure

Raonsecure is one of Korea’s leading ICT security software companies – providing a variety of PC and mobile security solutions to financial institutions, government, and enterprise.

Infinite Ranges

Infinite Ranges

Infinite Ranges delivers secure, comprehensive digital solutions by connecting experts with the best products and services for the digital age.

Pelta Cyber Security

Pelta Cyber Security

Pelta Cyber Security is the cyber security consulting and solutions division of Softworld Inc. We provide staffing and recruitment services as well as consulting and solutions for outsourced projects.

AB Handshake

AB Handshake

AB Handshake offers a game-changing solution for telecom service providers that eliminates fraud on inbound and outbound voice traffic.

Prime Technology Services

Prime Technology Services

Prime Tech are a group of Red Hat, Microsoft & Cisco Certified IT Professionals with an impressive track record of consistently delivering value to our corporate clients.

Galvanick

Galvanick

Galvanick enables your operations and IT teams to protect your industrial systems and networks against digital threats.

Getvisibility

Getvisibility

Getvisibility enables customers to detect, classify and protect sensitive information increasing data security, governance, compliance and lowering the risk of losing valuable data.

Vantyr

Vantyr

Vantyr's core mission is to safeguard the business-led adoption of SaaS applications by automating the lifecycle management and security of non-human identities.

Repello AI

Repello AI

Repello - making AI safe to trust. We help you continuously red-team your GenAI applications against ever-evolving AI threat landscape.