Main Players in NIS
National Cyber Security Centre
The National Cyber Security Centre (NCSC) performs two roles under NIS, as well as a third, broader role for UK plc. The roles under the NIS Regulations are:
Single Point of Contact (SPOC).
Cyber Security Incident Response Team (CSIRT).
The NCSC is also recognised as the Technical Authority on cyber security for the UK. It is advisory and non-regulatory, providing cohesion and authoritative competence in guiding the public and private sectors, as well as government, in the application of cyber security. It also plays a central role in information sharing through the Cyber Security Information Sharing Partnership (CiSP).
The regulatory role under NIS is given to what the regulations define as Competent Authorities (CAs). These are the existing regulatory bodies, agencies or government departments that act as guardians of standards for particular industries. So, for water it is Ofwat and for gas and electricity it is Ofgem. Not surprisingly, for transport it is the Department for Transport (DfT).

The CA is responsible for interpreting NIS in the context of the industry it regulates. It will challenge each Operator of Essential Services (OES) to identify and protect its essential services. It will produce an audit plan and audit each OES as it sees fit. It will liaise with the NCSC on its interpretation of appropriate and proportionate controls and expected outcomes. The CA will interpret the regulations to define reportable incidents and will expect compliance. CAs are also responsible for enforcement, including financial penalties of up to £17 million.
Operators of Essential Services - Train Operating Companies
A Train Operating Company (TOC) is an OES and must conform to the NIS Regulations. Conformance is the mainstay of the assurance a TOC gives to DfT, as its Competent Authority, that its management of risk is appropriate and proportionate. Achieving and maintaining that conformance should be treated as a key project by any TOC. Among other things, the TOC needs to demonstrate that:
“The organisation understands, documents and manages access to systems and functions supporting the delivery of essential services. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.”