
Editorial comment

The NIS2 Directive is new EU-wide legislation that provides legal measures to raise the level of cybersecurity across the European Union. These rules modernise the existing legal framework to keep pace with increased digitisation and an evolving threat landscape. Qualifying organisations must comply by 17 October 2024 or face penalties. Designed to bring about a high common level of cybersecurity, the Directive seeks to improve the resilience and incident response capacity of public and private entities, competent authorities and the EU as a whole.




The clock is ticking for businesses identified by the member states as essential or important entities in energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

One of the aims of the Directive is to bring about a ‘culture of security’, but how do we define such a culture? A security culture typically refers to the values that determine how people are expected to think about and approach security in an organisation.

I have written about the need for strong password usage in the past (anyone still using ‘password123’?) and along with that we need “regular security training and awareness programmes, stringent access restrictions, risk assessments, incident response plans, and a focus on continuous improvement”.1

Do your senior staff members and directors set the tone for the company’s cyber policy? The NIS2 Directive requires energy companies to implement appropriate technical and organisational measures to prevent, detect and respond to incidents that could affect the security and continuity of energy supply. This includes measures to protect critical infrastructure, to safeguard data protection and privacy, and to maintain the availability of energy services.2

There is much to say about how human behaviour needs to inform policy on this matter. When I spoke to Mark Breese at Yokogawa RAP for the Palladian Energy Podcast in 2022, we discussed contractor safety and digital control of work systems. We gave the podcast episode the description: ‘making it easier to do the right thing than it is to do the wrong thing’, and I think this is key in the realm of cyber safety too. In a world where we work so fast, where we type and fire off emails, we approve things on the hoof, we move from one task to the next: there must be processes in place to save us from ourselves!

The World Economic Forum reports that “some 82% of cybersecurity breaches in the last year were due to a human element. The disruptive Colonial Pipeline ransomware hack that took down the largest fuel pipeline in the US and led to shortages was the result of a compromised password and password reuse”.3

Building the kind of culture that can prevent (or at least limit) human error takes concerted effort and repetition of values and standards. Living in a state of vigilance is hard to sustain, but our resilience to bad actors depends on us being able to assess threats on our best, and worst, days.

  1. https://cybeready.com/category/the-complete-guide-to-creating-a-security-culture
  2. https://nis2directive.eu/energy
  3. https://www.weforum.org/agenda/2022/11/how-user-experience-and-behavioural-science-can-guide-smart-cybersecurity
