Abstract

The Critical Infrastructures (CI) that provide essential services such as energy, water and transport have been undergoing a digital transformation to achieve more effective and efficient operations. These changes are increasing the potential attack surface and exposure to cybersecurity incidents. The EU Directive on Security of Network and Information Systems (NIS Directive) (National Cyber Security Centre, 2018) has brought a new emphasis on improving the cybersecurity of essential services. It has introduced mandatory incident reporting and a framework to raise the cybersecurity and resilience levels of CI. Rather than a dislocated approach to managing the system in parts, taking on responsibility for cybersecurity requires an integrated, whole-system governance approach, to discover the full end-toend picture and risk assess the potential gaps in security. The NIS Directive expects cybersecurity to be managed through the wider system of contractors and sub-contractors and vendors to the sector, all participating in a complex adaptive system. From whole organisations down to products, components and data flows, deciding the scope of critical systems that support essential services has integrated activity across different work areas such as operational technologies, enterprise IT and telecoms networks. Understanding the end-to-end system and whole enterprise interactions is necessary to achieve the outcome-based nature of the NIS Directive. This paper investigates the activities that have evolved to secure the broader and deeper supply chains as well as internal networks and systems of CI organisations. Enterprise Systems Engineering (ESE) is introduced as a tool to facilitate the shared cybersecurity requirements across organisations for securing essential services, streamlining whole system security behaviours of people, processes and technology towards a more resilient CI.