The NIS2 Directive and Access Control and Security Monitoring and Visualisation Systems
The NIS2 (Network and Information Security) Directive, Directive (EU) 2022/2555, which Member States were required to transpose into national law by 17 October 2024, replaces the 2016 NIS Directive. It introduces a new approach to cybersecurity and broadens the range of entities and sectors covered by its requirements. Entities are classified as essential or important depending on their sector (Annex I lists sectors of high criticality, Annex II other critical sectors) and on their size. Essential entities include, among others, organisations in energy, transport, banking, financial market infrastructures, health, drinking water and wastewater management, digital infrastructure, ICT service management, public administration, and space; important entities include, among others, postal and courier services, waste management, the production and distribution of chemicals and food, general manufacturing, digital service providers, and research.
Each European Union (EU) Member State is obliged to draw up its own list of essential and important entities based on the Directive's criteria. The NIS2 Directive requires these entities to implement measures covering risk analysis and management, security policies, incident handling, supply chain security, and business continuity planning. Member States, in turn, must establish bodies responsible for, among other things, supervising and auditing the entities within the Directive's scope, receiving incident notifications, and coordinating cybersecurity activities at the national and EU level. The Directive also provides for substantial fines for non-compliance: for essential entities up to at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, and for important entities up to at least EUR 7 million or 1.4% of turnover.
The NIS2 Directive does not directly address either access control (AC) systems or security monitoring and visualisation systems of the SMS (Security Management System) type for facilities. Nevertheless, recital 79 of the Directive calls for an all-hazards approach that protects network and information systems and their physical environment from events such as theft, fire, and unauthorised physical access to the IT infrastructure. In this context a properly operating access control system of an adequate security grade is crucial for preventing unauthorised persons from moving freely around the facility, stealing equipment (e.g. a laptop) that grants access to the IT network, damaging key infrastructure components, or intercepting traffic after connecting a device to the IT network. In addition, monitoring threats and visualising them on facility maps makes emergencies easier to detect and respond to efficiently.
The applicable standards are the best basis for assessing the quality and the security level of a given solution. AC systems are covered by the PN-EN 60839-11-1 standard (the Polish adoption of EN 60839-11-1, Electronic access control systems – System and components requirements), which defines four security grades, with Grade 4 the highest. The RACS 5 system can meet the requirements of all four grades, including Grade 4. Moreover, the RACS 5 system has the following cybersecurity features:
- support for MIFARE® DESFire® cards, whose on-card data is protected by mutual authentication and encryption (AES-128 on current DESFire generations) rather than by a fixed, easily cloned card serial number;
- encryption of all communication links within the system (using, among others, AES-128-CBC and TLS 1.2);
- multi-level, role-based operator permissions in the management software.
The RACS 5 access control system and the VISO SMS monitoring and visualisation system from Roger can be deployed by both essential and important entities. They help such entities fulfil the NIS2 Directive's requirements for raising the security level of IT systems, in particular with regard to physical access to critical infrastructure and threat monitoring.