Goals of the NIS Directive and current outlook

The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring member states’ preparedness. It requires them to be appropriately equipped in several ways, including Computer Security Incident Response Teams (CSIRTs) and a competent national NIS authority. Businesses in the sectors covered by the directive that are identified by the member states as Operators of Essential Services (OES) have to take appropriate security measures and notify serious incidents to the relevant national authority. Key digital service providers, including search engines, cloud computing services and online marketplaces, must also comply with the security and notification requirements under the new directive. OESs are public or private sector organizations that depend on network and information systems to provide an essential service to society, a service that could be significantly disrupted by a cyber incident. Although NIS is a relatively new regulatory requirement, many of its concepts have already been codified in existing compliance and best practice for industries including financial services and telecoms. In these industries, PKI has already been successfully deployed and widely supported, which has led to a high degree of interoperability. In telecoms, for example, PKI is used to build chains of custody from the supplier of a network element, where a device is ‘born’, to its adoption into a network, where the unit is used. For other sectors like cloud services, NIS has put cybersecurity and accountability in the limelight. Investing in a competent PKI and code signing solution such as PrimeKey’s EJBCA and SignServer reduces the information security risks involved around NIS and related compliance regimes such as GDPR. This enterprise-wide capability reduces operation and maintenance costs compared to other point solutions, secures valuable business models and future-proofs organizations in all industries.
How PKI & code signing help meet NIS compliance

To meet the fundamental requirement under NIS for “appropriately authenticated and authorized” access, organizations need a method of defining and enacting controls that is both secure and deployable across disparate infrastructure and processes. Public Key Infrastructure (PKI) is the most widely adopted technology for establishing the identity of people, devices, and services, enabling controlled access to systems and resources, protection of data, and accountability in transactions. PKI includes the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public keys. Certificates are issued to entities such as users, devices, web servers, passports, smartcards and IoT devices. Provisioning a certificate to a device or token delivers two benefits. Firstly, it gives the device or token an identity, and secondly, it provides the means to set up a secure, encrypted communication channel. PKI and certificates deliver a method, as required by the NIS Directive, to identify, trust and securely communicate with any entity throughout an entire organization, its partners, and its customers. PKI also underpins technologies such as digital signatures and encryption for use cases as diverse as e-commerce and the growing Internet of Things (IoT). Digital signatures can secure additional activities, such as signing PDFs, code or other information assets, to prove the origin of the document or code or to prove that a transaction took place at a certain time. Digital signatures allow an organization to track exactly who performed the signature and at what time.
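The two benefits just described (an identity anchored in a CA, and a signature that proves origin and time) can be shown end to end with a small program. The following is an added example, not PrimeKey's, EJBCA's or SignServer's code, using only the Go standard library: it stands up a constructed two-level hierarchy, signs an artifact under a code-signing certificate, and verifies the chain, validity at the claimed signing time, and the signature. The names "Example Root CA" and "build-pipeline-01", the one-hour validity period and the choice of Ed25519 keys are all assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// BuildPKI creates a constructed hierarchy: a root CA and one code-signing certificate under it.
func BuildPKI(now time.Time) (*x509.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	signerPub, signerKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := issue(rootTmpl, rootTmpl, rootPub, rootKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "build-pipeline-01"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	return root, issue(leaf, root, signerPub, rootKey), signerKey
}
// Sign signs the claimed signing time together with the artifact, so neither can be altered later.
func Sign(artifact []byte, key ed25519.PrivateKey, at time.Time) []byte {
	return ed25519.Sign(key, append([]byte(at.UTC().Format(time.RFC3339)+"\n"), artifact...))
}
// Verify returns the signer's CommonName only if the certificate chains to root, was valid for
// code signing at the claimed time, and the signature matches both artifact and time.
func Verify(artifact, sig []byte, signer, root *x509.Certificate, at time.Time) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return "", err // unknown issuer, outside validity at that time, or wrong key usage
	}
	msg := append([]byte(at.UTC().Format(time.RFC3339)+"\n"), artifact...)
	if !ed25519.Verify(signer.PublicKey.(ed25519.PublicKey), msg, sig) {
		return "", errors.New("signature does not match artifact or signing time")
	}
	return signer.Subject.CommonName, nil
}
```

A production deployment would obtain the signing time from a trusted time-stamping service rather than the signer's own clock, and would also consult revocation data; both are outside this demo.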
Key considerations for successful PKI deployment

Public Key Infrastructure and signing is a technology that has been around for more than 30 years. PKI is driven by industry-wide standards. Deployments have been proven at scale, and PKI is widely used by large organizations today. Traditionally, PKI has been used for so-called corporate access use cases, with the primary goal of controlling humans’ access to information resources. Increasingly, the use case has expanded to machines, servers, sensors, applications, controllers and network devices. PKI is most effective when an organization adheres to a structured methodology for implementing and managing cyber security best practice. The Swedish Civil Contingencies Agency, for example, recommends that organizations structure and develop methods and processes around existing standards on information security management systems. The ISO 27000 series, mainly ISO 27001 and ISO/IEC 27002, are relevant examples of best-in-class information security management systems. Although PKI has a mature technology community, organizations considering deploying or expanding their use of PKI should look for the following vendor criteria. Companies offering cyber security products and services should be certified according to ISO 27001 and ISO 27002 for information security management and quality systems. In addition, ISO 9001 certification suggests a supplier that supports long-term quality and efficiency. Product certifications such as Common Criteria add further assurance of product security and quality, so that critical infrastructure and IT services are maintained in all modes, even during an IT attack. Finally, knowing that the product is already installed in several customers’ installations with audited systems assures that the product can operate in a controlled way within a real-world customer environment.
Critical controls

To meet the NIS core criteria, every NIS-compliant organization understands, documents, and controls access to systems and functions supporting the delivery of essential services. Users (or automated functions) that can access data or services should be appropriately verified, authenticated, and authorized. In addition, users, devices, and systems should be appropriately authenticated and authorized before access to data or services is granted. For highly privileged access, NIS indicates that it might be appropriate to include approaches such as two-factor or hardware authentication. Unauthorized individuals should be prevented from accessing data or services at all points within the system. This includes system users without the appropriate permissions, unauthorized individuals attempting to interact with any online service the system presents, and individuals with unauthorized access to user devices.
Administrative and technical solutions

For organizations to meet the obligations of NIS, the task can be separated into administrative and technical measures. Administrative measures are implemented through adherence to security standards like the ISO/IEC 27001 Information Security Management System (ISMS). These are supported by administrative actions and risk management measures, including ongoing user training, security audits and ethical hacking, to ensure security competency and to improve the organization’s level of cyber readiness from both business and regulatory perspectives. Technical solutions include the implementation and continuous development of cyber situational awareness solutions such as SIEM (Security Information and Event Management), secure identity confirmation tools, and data communications security solutions. Only a combination of administrative and technical measures is sufficient to comply with the NIS requirements.
EJBCA Enterprise: EJBCA® Enterprise is a powerful and flexible Certificate Authority and a complete PKI (Public Key Infrastructure) Management System.

EJBCA Appliance: PrimeKey EJBCA Appliance offers the most cost-efficient, easy and secure way to deploy an enterprise PKI system.

SignServer Enterprise: Server-side digital signatures give maximum control and security, allowing your staff and applications to conveniently sign code and documents.