| 19 August, 2016 |Over the past years, the European Commission has adopted a number of measures to ward off cyber incidents. The directive on security of network and information systems (NIS directive, adopted by the European Parliament in July, is the first piece of EU-wide legislation on cybersecurity. The NIS directive comes into effect in August 2016 with a transition period of two years. It establishes European standards that are intended to prevent cyber incidents and to improve the exchange of information about them.

 “The NIS directive is an important step,” says Bert Zoetbrood, responsible for the global Product Testing & Certification division of DEKRA, “but because of the rise of the Internet of Things and the enormous growth in data traffic, the authorities and businesses will have to take additional measures in order to continue operating securely. Cybersecurity is a particularly complex organizational problem, which requires technical and process-oriented testing and certification programmes.” 

Authorities increasingly require organisations to be cybersecure, especially in market segments where cyber incidents have drastic consequences for public order and safety. Testing cybersecurity requires clear guidelines and standards and the cybersecurity landscape is evolving fast. Next to the new directive, there are already a general management guideline for information security (ISO 27001) and technical standards for the integration of industrial systems with communication networks (IEC 62443).

However, developments are at a dizzy pace at the moment. Hackers are, by definition, always a step ahead of the authorities and the business world, while the amount of data and data traffic is expected to quadruple in the next ten years, not just through the Internet. We can expect a massive transition thanks to the growth of the Internet of Things, in which the control of equipment, vehicles, machines and installations happens directly via the cloud. Cybersecurity will then be of literally vital importance.

 “It’s not just a matter of protection against cyber criminality. The present discussion about cybersecurity is driven by incidents in which the deliberate violation of systems can lead to damage and serious accidents. The concept of cybersecurity covers much more, however”, explains Zoetbrood. “The vast numbers of networks and the quantity of data traffic mean that people can enter other systems unintentionally or interference between different systems and networks can occur, with problematic consequences. Furthermore, you also have to look at the functional safety of systems and equipment. Are sensors, components and software systems reliable and secure enough in themselves, and will they not react differently in networks and environments where there is a lot of different data traffic? Cybersecurity has to be examined on three levels: individual components, complete systems and processes. This is why it goes much further than the IT department’s traditional field of activity, which only ensures that hackers are kept out of systems and that data are stored securely.”

Finally, DEKRA points out the importance of traceability and forensics; certainly now that more and more equipment and machines are being controlled from the cloud. It’s not just about prevention; it also covers the further optimisation of security and reconstructing incidents in order to avoid repetition. “At the moment, only simple log files are being created, but later a sort of black box will be wanted for every important device or system, so that you will know who has penetrated the system and exactly what has happened. In an ideal situation, such a black box in a driverless car, for example, will issue a warning immediately if somebody tries to affect the control.”

DEKRA is positive about the 450 million euro's that the EU wants to invest in the context of the Horizon 2020 programme for developing cybersecurity technology. With its focus on safety, DEKRA regards it as one of its tasks to work together with the authorities and the business world on current norms, standards and testing programmes for cybersecurity. “Because cybersecurity is such a complex problem, independent testing and certification bodies have to have an understanding of risk assessment, processing technology, explosion prevention and many other concepts, so that a link can be established between cybersecurity and safety.”  

 More information can be found at http://www.dekra-certification.com/cybersecurity