Out-Law Analysis | 18 Aug 2016 | 3:17 pm | 3 min. read
The code of practice on cybersecurity for ports and port systems (62-page / 1.38MB PDF), published by the Institution of Engineering and Technology (IET) and endorsed by the UK government, can help organisations prepare for the Network and Information Security (NIS) Directive, due to take effect in 2018.
The code advises that port authorities conduct a cybersecurity assessment and use the findings to shape the creation of a cybersecurity plan. It stresses the importance of good governance of cyber risks, with important individual roles for senior figures, such as dedicated cybersecurity officers.
The code also highlights the importance of outlining measures for handling security breaches and incidents, including the development of suitable cyber incident response plans.
The recommendations taken together are not just relevant for port authorities. They offer a sound basis for all organisations that are likely to fall subject to the NIS Directive when it is implemented into national legislation over the next couple of years. These organisations include banks, suppliers of electricity and gas, airlines and health care providers, among others.
The Directive sets out measures designed to ensure critical IT systems in central sectors of the economy are secure. It will apply to operators of such "essential services" and to "digital service providers".
The Directive will require those organisations to take appropriate and proportionate technical and organisational measures to manage cybersecurity risks to their operations, and to report to designated authorities, without undue delay, certain cyber incidents that affect the continuity of the services they provide.
As the code of practice on cybersecurity for ports and port systems suggests, a cybersecurity assessment can help organisations "identify vulnerabilities in physical structures, personnel protection systems and business processes that may lead to a security incident".
Organisations should use those assessments first to pinpoint "important assets and infrastructure" and identify the processes in which those assets and infrastructure are used, and then to identify what risks arise from the potential threats posed to those assets and infrastructure and the likelihood of those threats materialising. According to the code, an assessment of available countermeasures and their cost should also be undertaken, and an overall decision should be taken as to what level of risk is acceptable.
As the code states, the outcomes from a cybersecurity assessment can help organisations put together a cybersecurity plan, complete with security-related policies and related organisational processes and detailed working procedures relevant to those processes. Cybersecurity plans should be reviewed periodically and subject to monitoring and auditing.
It is good practice for organisations to designate individuals within an organisation as having operational responsibility for cybersecurity. The code advises that this could be a cybersecurity officer in the organisation and that a dedicated security group could also be set up to consider relevant cybersecurity issues.
The code also supports the adoption of measures that can help organisations respond effectively to cyber incidents when breaches occur, including incident response plans, communication plans and risk assessment and mitigation and disaster recovery plans.
Cyber incident response plans will be vital tools for organisations that fall subject to the NIS Directive. They will help those organisations meet their new reporting obligations and minimise the impact of any cyber incident that arises.
Those plans should entail the creation of an internal network of specialists from multiple disciplines, including senior executives, CIOs, IT staff, general counsel and communication specialists, each with roles and responsibilities outlined in advance so they are ready in the event an incident hits. An external network of legal advisers and forensic IT experts, amongst others, can also help shape effective responses to incidents in line with regulatory duties.
It will be up to individual EU countries to determine which organisations qualify as operators of 'essential services' and therefore fall subject to the NIS Directive requirements. That process might not be concluded until late 2018, but organisations should not wait until then to prepare to comply.
Organisations should review the likelihood of being placed subject to the new cybersecurity framework and take account of guidance such as that produced by the IET as a starting point for compliance.
Luke Scanlon is a technology law expert at Pinsent Masons, the law firm behind Out-Law.com.