Critical sectors are an important target for cybercriminals. Whether an organization deals with water management, digital infrastructure, transport or vital infrastructure such as ports and railways, adversaries are always looking for a way in.
The new NIS2 legislation will provide critical and highly critical sectors more tools to improve their security, improve their defenses, and improve their response strategy – all with the goal of keeping those attackers out.
NIS2: What you need to know
In the ever-evolving era of cybersecurity, the European Union has taken significant steps to bolster the digital resilience of its member states with the introduction of the NIS2 Directive. Building on its predecessor, the second version of the Network and Information Systems Directive is a regulatory directive designed to improve the cybersecurity posture across the European Union.
NIS2 follows the EU Cybersecurity Act introduced in 2016, but expands on the rules by increasing its scope to include a wider range of sectors and entities, increasing its requirements, implementing supervision, focusing on supply chain security, and mandating incident reporting.
The NIS2 Directive introduces obligations for organizations across eighteen critical industries, which are divided into two groups:
- the important or critical sectors, which include IT providers, food and beverage, waste management, manufacturing, research, chemical processing, and postal services.
- the essential or very critical sectors, which include transport, banking, financial market infrastructure, drinking water, digital infrastructure, public administration, space, energy and healthcare.
According to Article 21 on Cybersecurity risk-management measures, organizations must take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.
Examples of such measures include encryption, access controls, continuous monitoring, and network segmentation. The latter is described in Article 21, section 2G of the NIS2 Directive, called ‘basic cyber hygiene practices and cyber security training’.
Cyber hygiene refers to the best practice and the proactive and preventive measures that companies take to keep their digital infrastructure secure. This includes regular software updates, the use of strong passwords, anti-virus programs, backups, and employee awareness training – but also the practice of network segmentation.
The importance of network segmentation in NIS2
Network segmentation is a cybersecurity practice that involves dividing a computer network into smaller, distinct segments, each isolated from the others. This strategy is important for several reasons:
- Limiting the attack surface
By segmenting the network, organizations can limit the exposure of sensitive data and critical systems to potential attackers. Each segment acts as a barrier, reducing the risk of a widespread breach.
- Containing breaches and improving incident response
In the event of a cyber attack, segmentation helps contain the threat within a specific segment, preventing lateral movement across the network. This containment is crucial for minimizing damage and facilitating quicker recovery.
- Improving access control and protecting data
Segmentation allows for more granular access controls, ensuring that users and devices only have access to the network segments necessary for their roles. This principle of least privilege significantly enhances security.
- Enhancing monitoring and detection
Segmented networks provide clearer visibility into network traffic, making it easier to detect anomalies and potential threats.
What steps should your organization take?
Although the Dutch legislation on the NIS2 implementation will not meet the October 17th deadline, organizations are still expected to become compliant as soon as possible. With just a couple of months to go, that means that many organizations will need to start concretizing their new cybersecurity strategies. What can organizations do to ensure effective network segmentation?
1. Conduct a comprehensive assessment
Identify your critical assets, by cataloging all networked devices, applications, and data flows and identifying which assets are critical to operations and which contain sensitive information. Evaluate your current network architecture by mapping out the existing network infrastructure and identifying any existing segmentation and potential vulnerabilities.
2. Develop a segmentation strategy
Define your objectives by determining the goals of segmentation, such as reducing attack surfaces, improving access control, and enhancing regulatory compliance. Classify network segments by grouping network assets into segments based on factors like sensitivity, function, and role within the organization. Common segments might include user devices, servers, databases, and guest networks.
3. Design network segments
One way to do so is by logical segmentation: use VLANs (Virtual Local Area Networks) to separate network traffic logically, and ensure clear boundaries between segments to prevent unauthorized access.
However, where feasible, use physical separation of critical infrastructure from less sensitive parts of the network. This might involve dedicated hardware or isolated network paths. To learn more about network segmentation with our DataDiode, read our article here.
4. Implement access controls
Create and enforce ACLs (Access Control Lists) to manage traffic between segments, and ensure only necessary communication between segments is allowed based on the principle of least privilege.
Additionally, deploy firewalls at key points between network segments and use firewall rules to control and monitor traffic. Lastly, adopt a zero trust approach, verifying all access requests regardless of their origin within the network and continuously authenticate and authorize devices and users.
5. Deploy network security solutions
Implement Intrusion Detection and Prevention Systems (IDPS) to monitor network traffic and detect potential threats, and ensure these systems are configured to cover all network segments. Use segmentation gateways to manage and secure the flow of data between segments.
6. Implement continuous monitoring and logging
Deploy network monitoring tools to continuously track traffic and detect anomalies, and use tools that provide visibility across all segments. Implement centralized logging to collect and analyze logs from various segments, and regularly review logs to identify and respond to potential security incidents.
Effective network segmentation is a multi-faceted approach that requires careful planning, implementation, and ongoing management. By following these steps, organizations can significantly enhance their cybersecurity posture, protect sensitive data, and ensure compliance with regulatory frameworks like NIS2. Ultimately, network segmentation not only mitigates risks but also fosters a more resilient and secure digital environment.
Join our webinar on NIS2 & network segmentation
Want to learn more? Join us for an insightful webinar on the new NIS2 Directive and the crucial role of network segmentation on November 7th at 15:00. Together with member of the European Parliament Bart Groothuis, we will discuss:
- What does the NIS2 Directive mean for your organization, and why is it important?
- How does network segmentation enhance your security in line with NIS2 requirements?
- What are the risks if your organization fails to comply with the NIS2 Directive?
- What benefits does implementing the NIS2 Directive bring to your organization?
- What initial steps should your organization take to comply with NIS2 and effectively implement segmentation?
To register, click here.