Transcript of the webinar on the KSC (the Act on the National Cybersecurity System). Key information about the Act and its repercussions.
The Act on the National Cybersecurity System
Dawid Piec:
Good morning everyone, welcome to our webinar on The Act on the National Cybersecurity System (NCS). My name is Dawid Piec and I am responsible for handling issues pertaining to the public sector clients at EXATEL. Today my two colleagues and I will try to refer to the most important comments in this regard.
Łukasz Bonczek:
Good morning, my name is Łukasz Bonczek and I am the Manager of the Public Procurement Service Team. In the past I had the opportunity to work in the Ministry of Digital Affairs and I participated in the process of drawing up the Act on the National Cybersecurity System.
Paweł Deyk:
Hello, my name is Paweł Deyk. I am a Sales Support Engineer. I have a history of working with clients from the Public Administration sector.
Dawid:
This is a very up-to-date topic, as the Act has recently passed. What does our Act actually cover – in a nutshell?
Łukasz:
The Act on the National Cybersecurity System implements the provisions of the EU NIS Directive. It establishes the legal framework for the functioning of the NCS in Poland, indicates the entities which are part of the NCS and specifies their obligations. The scope of responsibility is the largest in the case of the operators of essential services, however, obligations have also been imposed on public entities and digital service providers. The Act also introduces penalties for failure to comply with these obligations.
Dawid:
What does it really cover? What is the scope of this Act?
Łukasz:
The Act on NCS covers a very wide range of entities: operators of essential services, digital service providers, three CSIRT (Computer Security Incident Response Team) institutions, cybersecurity teams for various sectors and competent authorities. To make it clear for you, I would like to present four main categories of entities specified in the Act. The first category is related to government agencies directly responsible for implementing the provisions of the Act: NASK (Research and Academic Computer Network), responsible for CSIRT NASK; ABW (Internal Security Agency), responsible for CSIRT GOV; MON (Ministry of National Defence), in which CSIRT MON operates; and competent authorities operating in six sectors. The second category comprises operators of essential services, the third – public entities, and the last, fourth category pertains to digital service providers. Now on the slide we are going to show what exactly the National Cybersecurity System is. As you can see it is quite complicated; there are many entities and finding your way through is not quite easy.
Dawid:
What is CSIRT and what are its tasks?
Łukasz:
We have three main CSIRT institutions at the national level: CSIRT NASK, CSIRT MON and CSIRT GOV. Their obligations include monitoring cybersecurity threats and incidents at the national level, responding to reported incidents, assessing risks associated with detected threats and assisting with handling the reported incidents, when justified.
Dawid:
Obviously, this is only one element of the whole graph that has been presented. What is the competent authority for the sector? How does it work?
Łukasz:
There are six main sectors, one of which is divided into two subsectors. A competent authority shall be established for each of the sectors and subsectors. For the energy sector it is the competent minister responsible for handling matters relating to energy; for the transport sector – the competent minister of transportation; for water transport (distinguished as a subsector) – the competent minister of marine economy and inland navigation; for the banking sector and the whole financial market infrastructure – the Polish Financial Supervision Authority; for the health sector – the Minister of Health; for the drinking water supply sector – the competent minister responsible for handling matters relating to water management; for the digital affairs sector – the competent minister handling matters pertaining to digitalisation. There are still some exclusions within the sectors; for instance, if the Ministry of Defence supervises any of the units in a sector, it is the competent authority for that unit. However, this is a minor element that only makes it even more difficult to understand the matter at hand.
Dawid:
So the competent ministers are classified into relevant sectors. What are the tasks of these competent ministers?
Łukasz:
The main task of the competent authority is to identify an entity as an operator of essential services. For this purpose they shall obtain information from the entity and initiate administrative proceedings on that basis. If they consider it appropriate and if the requirements set forth in the Act are met, they shall issue a decision on the identification of an entity as an operator of essential services. In addition, the competent authority may establish a sectoral cybersecurity team, the tasks of which also include supervision over operators of essential services. Its representatives can visit the operators and check whether they comply with the requirements set forth in the Act.
Dawid:
How can an operator ascertain if they are operating in a given sector?
Łukasz:
As I mentioned earlier, the sectors are listed in Annex I to the Act and are as follows: energy, transport, banking, health, drinking water supply and distribution, and digital infrastructure. In the Annex to the Act, next to each sector, the types of operations considered to be essential services are listed. This way, by referring to the Act, we can determine whether or not we operate in a sector and provide a service that is considered to be an essential service.
Dawid:
Who is the operator of essential services? What is this entity? What are its primary tasks?
Łukasz:
Pursuant to the Act, three main criteria must be met in order to identify an entity as the operator of essential services. The first prerequisite is the provision of an essential service, i.e. a service listed in Annex I to the Act. The second is that the provision of this service depends on information systems, i.e. some kind of ICT systems. The third prerequisite is that the incident that might occur could have a disruptive effect on the provision of the essential service by that operator.
Dawid:
In addition, the Act refers to a specific term, i.e. public entity. What exactly is a public entity?
Łukasz:
Public entities are specified in the Act; these are units of the public finance sector, research institutes, NBP (National Bank of Poland), BGK (National Economy Bank), Polskie Centrum Akredytacji (Polish Centre for Accreditation), Urząd Dozoru Technicznego (Office of Technical Inspection), Narodowy Fundusz Ochrony Środowiska (National Fund for Environmental Protection) as well as commercial law companies performing public utility tasks such as water supply or heat and power plants. Moreover, water and sewage companies or combined heat and power plants, if they are large enough and meet the statutory requirements, may also be considered operators of essential services.
Dawid:
So, in fact, a vast majority of entities referred to in this Act are public entities?
Łukasz:
Indeed, we can consider the entire public finance sector as public entities.
Dawid:
Does the Act mention any other entity?
Łukasz:
We also have digital service providers that must be a legal person or an organisational unit without legal personality, operating in the territory of the Republic of Poland and providing a digital service. The digital services are listed in the Annex to the Act. Search engines, cloud computing services and online marketplaces are indicated as types of digital services.
Dawid:
We have discussed the three basic types of entities that can be considered as belonging to the public sector. The following question arises: will my company be recognised as an operator of essential services and when can this happen?
Łukasz:
Under the Act, decisions on being recognised as an operator of essential services should have been issued by 9 November 2018. However, it is probable that due to the scale of the problem and the number of the entities that each competent authority covers, in November 2018 the competent authorities only initiated administrative proceedings aimed at considering an entity as an operator of essential services. We have signals from the market that as far as the operators of essential services are concerned, at the moment decisions with respect to 30 persons have been issued and 350 proceedings in which such decisions are likely to be issued are underway.
Dawid:
So currently this process is still in progress and we will soon gain access to the decisions of competent authorities. What obligations will operators of essential services have if such a decision is rendered?
Łukasz:
Let’s stop here for a moment. How do we know that we are going to be considered such an operator? First of all, we need to assess whether we operate in any of the sectors that are covered by the Act. The military industry is not mentioned anywhere, so it is highly unlikely for companies from this sector to be recognised as an operator of essential services. However, if we operate in the energy or water distribution sectors, it is possible that such a decision will be issued and therefore, if we have not received a letter yet, this may happen soon and the proceedings for issuing a decision may be initiated. Once a decision has been made, we need to realise that a number of obligations have been imposed on us. We need to implement a security management framework for the information systems, technical and organisational measures that are appropriate and proportional to the assessed risk, collect information about cybersecurity threats and vulnerabilities, establish a team of people responsible for managing incidents, be able to apply these measures to prevent and limit the impact of incidents on the security of the information system and thus on the security of the provision of the essential service, as well as make sure that we are able to communicate with the competent CSIRT.
Dawid:
What are the operator’s obligations? Do we have to appoint a specific person? How will this work in practice?
Łukasz:
We need to appoint a person responsible for maintaining contact with the competent authority and CSIRT. In addition, we are obliged to ensure that users of an essential service (e.g. clients of a power plant or water and sewage companies) are informed of the existence of cybersecurity threats and that effective measures of protecting against such threats are applied. Such information should be posted on our website. We need to develop documentation regarding the cybersecurity of the system, the security of providing an essential service and maintaining the continuity of the provision of such a service. This documentation must be kept up to date. All these points are listed in the regulations to the Act. The operator of essential services will be held accountable (by the competent authorities) for acting in accordance with the detailed guidelines provided in the Act.
Dawid:
What are the daily duties of an operator?
Łukasz:
If we are an operator of essential services, we need to remember that we must have a cybersecurity team. The alternative is outsourcing the services of such a team. We have to provide incident handling services, which is not easy, because we need to classify an incident according to the guidelines under the regulation. Moreover, if a substantial incident occurs we have to immediately inform a competent CSIRT and, after a consultation with them, take appropriate actions aimed at handling the incident, preventing dangers arising in connection with it and removing vulnerabilities created as a result.
Dawid:
There is a great deal of things that have to be done by an operator of essential services. However, the majority of entities will be public ones. What obligations do they have under this Act?
Łukasz:
Public entities have fewer obligations, but we must admit that they are quite complicated. They are obliged to appoint a person responsible for maintaining contact with the entities of the national cybersecurity system, i.e. the CSIRT and a competent authority, and to ensure appropriate incident management within the public entity. Therefore, they need to be able to identify the occurrence of an incident, recognise a security breach, detect vulnerabilities in the systems, filter them and report the incident immediately (if it is a public entity incident, no later than within 24 hours) to the competent CSIRT and then, after a consultation, ensure incident handling. This is a challenge that employees of public entities have probably not faced yet.
Dawid:
Are there any periodic obligations that both entities should perform under the Act?
Łukasz:
Periodic obligations are mainly imposed on operators of essential services. For example once every two years a security audit has to be carried out. It may be performed either by competent authorities or by certified auditors.
Dawid:
So we have an operator of essential services, a public entity and there are certain duties that they must perform. If they fail to comply with the obligations, will penalties be imposed against them? Has it been specified in the Act?
Łukasz:
Yes, penalties may be imposed. The competent authorities carrying out audits of operators of essential services and digital service providers will be responsible for that. Penalties for lack of documentation, lack of technical measures, unpatched vulnerabilities, not reporting incidents to the CSIRT or not carrying out audits will be imposed. The penalties range from PLN 1,000 to PLN 200,000. Nevertheless, if as a result of an inspection the competent authority concludes that there has been a repeated breach of the provisions of the Act, the penalty may amount to as much as PLN 1 million.
Dawid:
How can we determine at this point what stage of preparation we are at in terms of implementing the provisions under the Act on NCS?
Paweł:
Making use of tools available to units handling security and safety of clients is the easiest way to determine which stage we are at. EXATEL is one of such organisations. This can be determined through reviewing compliance with the requirements under the Act on NCS. It is a good way to examine both procedures and IT infrastructure. Performing penetration tests is also a useful solution.
Dawid:
Are there any standards specifying how such a review should be performed? How does this work in practice?
Paweł:
Such a review, in accordance with the guidelines under the Act, is carried out on the basis of regulations, recommendations, best practices recognised all over the world, e.g. ISO 27000 standards, ISA or the widely known NIST standards.
Dawid:
How can we apply the guidelines provided in the standards in practice? How to perform such a review?
Paweł:
EXATEL has a suggestion regarding the manner in which a security review should be performed. It is divided into several stages. The first step is to organise an initiating meeting, during which the whole problem in the organisation is presented, and a plan, a schedule of action and the amount of support needed from the client are agreed on. The next step is to analyse the documentation collected by the client – security policies, risk analysis documents or business continuity plans. At a further stage, interviews are conducted with people selected as relevant for the operation of the services. We mean, among others, system administrators and managers in charge of IT teams. Such interviews are needed to fill in some information that may be missing from the documentation. Then, after a portion of work is carried out by the unit preparing the review, e.g. EXATEL, a full report is drawn up, in which all requirements are verified and some recommendations for implementation are presented. Such a report can also be submitted to the client’s decision-makers, e.g. to the management board or the manager of the unit.
Dawid:
What technologies can be implemented to secure our organisation? What are these technologies? What might these solutions be?
Paweł:
That depends on the specifics of the entity: the systems it owns, how it works, whether they have Internet access or not. We can distinguish a few key elements here. One of them is protecting the point of interconnection. We can offer here e.g. defence against DDoS attacks and advanced firewalls (e.g. next-generation firewalls). Frequently we will also need systems protecting against data leakage or certain attacks on applications and databases. Apart from that, it is good to think about safeguarding the workstations of your employees. Here, solutions such as malware protection or network access control should be considered. An ideal supplement to the systems that would collect information from the entire environment would be a SIEM-class system for log and event correlation. Thanks to this system, some of the work (such as verifying whether a given incident is of an appropriate threat level, if it is actually significant or has a major impact on the operation of an essential service) will be performed automatically. Such a system can facilitate incident classification, as well as provide better recognition of any incidents in the organisation. In addition, it is good to monitor the entire environment, and from time to time conduct vulnerability scans or penetration tests, preferably by external providers of such services that may, for example, try to access the organisation’s essential resources without knowing their environment or specifics of operation.
Dawid:
Let us assume that we have bought a SIEM solution. What happens next? Not every organisation at this point may have the human resources, knowledge or competencies to operate such equipment.
Paweł:
Yes, absolutely. Some of the entities we have mentioned have never dealt with advanced systems before, and for that reason, it is worth considering services provided by third-party SOC teams. In EXATEL we have a whole range of security services that we can offer based on our internal resources – a SOC team that works on 24/7/365 basis. The SOC has three lines – the first handles monitoring, the second deals with incident response as well as coordination with the client’s team and the third is responsible for providing and handling advanced security services. One should consider the fact that there are competencies rendered by third parties, which you do not necessarily have to build from scratch in your own organisation.
Dawid:
We have certain obligations pursuant to the Act coming into force. How to pay for all this? At this point, plenty of organisations are surprised by these types of solutions and the fact that they need to implement them.
Paweł:
It seems that the most reasonable approach would be to conduct a security review, which will verify the current organisational maturity level and allow us to identify key areas that require a quick response and appropriate action. Thanks to it, a whole set of recommendations can be prepared to convince the decision makers handling budget matters to purchase specific systems or services provided by commercial entities.
Q&A
D: Will the purchase of outside services result in downsizing?
P: I know from practice that there is some degree of fear that arises in clients. It is obvious that we often need external support, but it is very important from the point of view of an organisation – such as ours, i.e. a company providing security services – that we need the most competent partners on the other side, people who know the environment and can react to our recommendations as well as identified incidents. Therefore, very often we present a SOC service provision model in which we take care of line 1 and line 3, monitor incidents around the clock and report them to the client’s coordinators. In this scenario the client’s IT or security team is responsible for handling line 2. In the event of critical incidents, major attacks, or need for higher level competency support, the line 3 support service is also provided. They can do both malware backtracking and perform, for example, detailed post-breach analysis when e.g. a data leak occurs.
D: Are only operators of essential services required to be audited under the Act?
Ł: Yes. Only operators of essential services are obliged to carry out audits but as my colleague mentioned earlier, it is good to conduct a security review at the company to show the manager of the unit what the situation in the organisation is. The manager can outsource the review to an external organisation like us, simply to make sure that they are able to perform the duties that are imposed on them as a public body. If an incident occurs, is the organisation capable of handling the incident, identifying it, describing it in the way required under the Act and relevant regulations, sending it to the relevant CSIRT? To conclude, the audit is only for operators of essential services; nevertheless, I would advise to carry out such a security review once in a while to know whether our organisation is able to comply with other obligations under the Act.
D: Mr. Krzysztof requests comment on executive regulation, §2 – “Cybersecurity service providers and internal organisational structures (…)”.
Ł: In this case the issuing authority seems to have focused more on the physical requirements of providing cyber security services, and I cannot deny the fact that in our organisation we also have had to introduce some changes in relation to these requirements. Because we, as an operator from whom SOC services and their provision can be outsourced, an entity that has been recognised as the operator of essential services, must also meet the requirements set forth in the Act. The focus here is on technical requirements, i.e. thickness of bricks, walls, proper doors, wardrobes. This decision was made by the issuing authority and the wording must be adhered to.
D: What happens to the data collected during pen tests?
P: The data from the systems partially obtained this way is primarily used to identify vulnerabilities and to verify whether the appropriate information from the system is being collected. Such data is used mainly (once these vulnerabilities are discovered) for finding solutions and presenting them as recommendations. These are often organisational problems, related to granting permissions, but sometimes they are simply vulnerabilities of outdated systems or solutions. The data is fundamentally needed for preparing a report together with all recommendations based on real data from the environment. A contractor confidentiality agreement is always signed beforehand, also on our side. We have certifications and security clearances if the client requires them, so we know how to handle sensitive and classified data.
D: Is it possible to test aforementioned security solutions?
P: Yes, of course. We can verify most systems or services in practice. EXATEL’s engineering team is also ready to conduct, prepare and plan test scenarios and develop an environment for verifying the quality of the offered systems. Proof of Concept tests are usually prepared at this stage, i.e. after some scenario planning, preparation of technologies or services that the client is interested in, we determine a certain area of the organisation to be tested. It may be a small part of the network, set of workstations or servers that the organisation wants to test and once such an environment is prepared, e.g. tests of all categories are conducted. After such tests, a report in which the client is able to assess whether all requirements they set for the system or service are met is prepared. Based on that, it is also verified whether the system sufficiently meets all needs. Once the decision to purchase has been made, an offer is prepared and, depending on whether or not we are dealing with Public Procurement Law, a purchase procedure is conducted. On most of the systems we offer, you can run such POC tests to verify if it is the right solution for your organisation.
D: Can you provide any examples of offers concerning takeover of SOC function in an organisation or a survey after which you are able to provide such an offer?
P: Yes, absolutely. We rely mostly on the information obtained from the client. When pricing outsourcing services, security services of our SOC team, it is very important to identify what systems are in the client’s environment, how we can collect logs and prepare SIEM correlation rules. If the client does not have such a system, we often have the option to purchase it as part of our offer. This is quite a lengthy process, allowing not only to appropriately implement these services and significantly increase the security level, but very often to greatly improve the awareness and maturity of the organisation, through the process of preparation to obtain such an offer. We conduct a fairly detailed survey related to the systems, users, processes, certain regulations that apply to the organisation, including the Act on NCS. On this basis we try to offer a comprehensive service tailored to client needs.
D: Does EXATEL provide a secure network service for public administration?
P: Yes. This is one of the core services of our company. Connectivity has been our domain for many years. We have been an operator for over 25 years and have provided these services to clients in the commercial, banking, finance, energy and public administration sectors. We rely here on the competence of our team. We also have a Network Operations Center team verifying that the network is working properly around the clock. In addition, for Internet links we suggest protection against DDoS attacks, which can paralyse the whole organisation.
D: Do the technical requirements only apply to the premises where the cyber security team is located, or to any premises where we have information systems?
Ł: The regulation does not answer that question directly, but it seems to me that when we look at the provision of the Act, specifically Article 14, section 2 indicates that the technical requirements apply to internal structures set up by the operator of essential services and by cyber service providers. It makes more sense to me that this does not apply to the whole building or premises where the essential service is provided, but only to the premises where the internal structures set up by the operator of essential services are located. When you consider it carefully, it would not be economical to implement special class windows everywhere; it is enough to have them in rooms where SOC operators sit.
D: Are there any specific cities that manage their own telecommunications networks for the needs of local government units? Are they operators of essential services?
Ł: In principle, this is pretty much impossible. The operator of essential services must act in one of the sectors indicated in the Act. As we look at the various sectors, the telecoms business is the provider of digital services. However in that case the biggest providers of DNS services or providers having the most interconnection points can be considered as operators of essential services. Therefore, a local government unit cannot be the operator of essential services. However, if the city is large, it can be considered an operator of essential services as it manages the transport system, i.e. the traffic lights in the city, which is in fact an essential service in the transport sector. In the case of intelligent traffic management in large cities, it is likely that the city will be an operator of essential services, whereas a city that has built a telecommunications network is unlikely to be one.