The NIS 2 Directive outlines 4 risk scenarios for the telecoms sector, highlighting why a holistic approach to cybersecurity is essential. The We Are CORTEX automation platform can enable a cross-domain approach to significantly help you meet your NIS 2 compliance obligations – and derisk your business.
The NIS 2 Directive is a European Union (EU)-wide regulation was enacted into law on 17 October 2024. It aims to standardise and bolster the communications and digital infrastructure of Member States against cybersecurity threats and malicious actors. Likewise, the UK has introduced the Telecoms (Security) Act 2021. Both regulations are aimed at securing critical infrastructure throughout the region.
A holistic approach to meeting NIS 2 Directive security obligations
NIS 2 is a significantly expanded version of the original Network and Information Security Directive and embraces more organisations (deemed “Essential” or “Important”) and demands a holistic approach to cybersecurity. To meet this more universal approach, NIS 2 embraces technology, people, and culture and relies on four main strategies: Governance; Risk management; Incident detection and response; and Reporting of incidents to appropriate authorities.
Helpfully, guidance is available to assist companies with their compliance journeys. For example, one publication[1] identifies 10 risk scenarios, focusing on the telecoms and electricity sectors, to highlight why a holistic approach is required, as well as the different types of threats that need to be addressed for all organisations.
This blog will focus on the telecoms sector. So, 4 risk scenarios are suggested for NIS 2. These are:
- Supply chain attack to gain access to the infrastructure of operators.
- DDOS attack to cause a large-scale network outage (see our most recent paper here on this topic).
- AI-powered disinformation.
- Espionage
NIS 2 Directive Risk Scenarios
In Risk Scenario 1, the official NIS 2 Directive document outlines a setting whereby a hackers-for-hire group is employed by a state-sponsored actor from a hostile third country and executes a supply chain attack on a telecoms provider that has implemented a vulnerable piece of software from a third-party provider.
The scenario goes on to describe how the hackers force a malicious software update that enables backdoor access of all the operators using it. This leads to the hackers gaining a foothold that allows them to manipulate cloud services, perform espionage, and other unwanted behaviours. This attack could go unnoticed for months and effects the entire supply chain and therefore impacts national (and international) security.
The directive’s DDoS attack scenario – whereby a malicious state actor engages in large-scale DDoS attacks on the communication infrastructures of several EU countries – is elaborated upon in our latest paper, which can be downloaded here. It provides essential information about how Automation can help to prevent this kind of attack.
The third scenario – AI disinformation campaigns – outlines a potential situation whereby state-backed hacktivists spread disinformation narratives through the telecoms and digital infrastructure. At the same time, the threat actor may jam communications.
The final scenario illustrates the threat of espionage through the penetration of critical communications infrastructure. The initial foothold attack is performed by injecting malicious SQL code into APIs and therefore the underlying telecommunications infrastructure.
These scenarios highlight why it’s so important to take a top-down, holistic approach to cybersecurity and meet NIS 2 Directive obligations. Culture and education are vital aspects of meeting compliance requirements, but Automation can have a significant beneficial impact.
How the CORTEX automation platform can mitigate NIS 2 risk scenarios
The We Are CORTEX automation platform, CORTEX, can track events and actions that could lead to vulnerabilities or that are signs of emerging attacks, while eliminating human error. In fact, according to a Proofpoint survey of 1,600 CISOs (Chief Information Security Officers) from organisations of 1,000+ employees across different industries, human error is perceived as the largest threat to cybersecurity, with nearly three-quarters (74%) identifying it as the ‘Achilles heel’ in terms of insider threats, data loss, and negligence by employees[2].
The CORTEX automation platform can provide visibility to on-going threats, collect and correlate information from disparate systems on a cross-domain basis. Threat detection, unusual activity, admin access, updates, edge computing protection, reporting, and much more, can all be automated at scale to ensure NIS 2 Directive compliance.
Automation enables the holistic, cross-domain approach demanded by NIS 2, while removing human error. It can also enable automated updates against new cyber threats across operating systems, firmware, protocols and software applications.
CORTEX is a flexible, comprehensive platform that can help you to meet your NIS 2 Directive obligations – and extends to all assets and systems within the network and its boundaries. Automations can be implemented on a step-by-step bases and can be modified and/or reused across multiple scenarios and processes.
To find out more, download our paper by clicking below, or get in touch today.
[1] EU cybersecurity risk evaluation and scenarios for the telecommunications and electricity sectors (Follow up to the Council Conclusions on the EU’s Cyber Posture of 23 May 2022 and Council Conclusions on the EU Policy on Cyber Defence of 22 May 2023).
[2] https://www.proofpoint.com/us/newsroom/press-releases/proofpoints-2024-voice-ciso-report-reveals-three-quarters-cisos-identify