Red Hat Statement on NIS2 Compliance
Overview
The Network and Information Systems Directive 2 (NIS2 Directive) is an updated piece of EU legislation that widens the scope of entities and establishes more stringent cybersecurity requirements for organizations operating critical infrastructure across various sectors. It is an update to the original NIS Directive, aiming to enhance cybersecurity across the European Union by expanding the scope and tightening the rules.
NIS2 is required to be transposed in all EU countries by 17 October 2024. Given the status of Member State implementations, it is possible that many markets will miss this deadline.
Which Red Hat customers are affected?
NIS2 affects two main categories of organizations.
Essential entities
These are organizations that play a critical role in key sectors of the economy and society. They are typically required to adhere to more stringent security measures due to the impact a cyberattack could have.
Important entities
These organizations provide services that may not be considered "essential" but are still important for the functioning of the economy and society. They face somewhat lighter regulations but are still required to comply with significant security measures.
Some examples of industry verticals that are classed as critical sectors according to NIS2 are:
- Energy (including electricity, oil, gas)
- Transport (rail, air, water, road)
- Banking & Financial market infrastructures
- Health
- Drinking and waste water
- Digital infrastructure
- ICT service management (business-to-business)
- Public administration
- Space
- Postal and courier services
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
Both essential and important entities under NIS2 will be required to implement robust security measures, carry out risk management procedures, report incidents, and cooperate with national cybersecurity authorities. They are expected to implement supply chain security measures and face potential penalties if they fail to meet these obligations.
Technical controls for NIS2 compliance
Risk management
Organizations often operate across multiple regions, industries, and regulatory environments, making it difficult to identify, assess, and mitigate risks consistently. The vast range of potential risks, ranging from cyber threats and financial instability to operational disruptions and compliance failures, requires comprehensive frameworks and the integration of diverse data sources. Moreover, large organizations must balance short-term objectives with long-term risk strategies, which often creates conflicting priorities and resource allocation challenges. Coordinating risk management across various departments, each with its own risk appetite and responsibilities, adds further complexity. Red Hat provides a number of tools and processes to help organizations identify and remediate risk.
Red Hat’s Compliance Operator, Red Hat Insights, and Ansible are powerful tools that can collectively enhance risk mitigation strategies in IT environments, particularly those running Red Hat Enterprise Linux (RHEL) and OpenShift.
OpenSCAP is a framework that helps organizations automate the scanning of systems to provide an assessment of security compliance with various standards such as CIS, NIST, and PCI-DSS. By regularly scanning systems, OpenSCAP identifies potential security weaknesses before they can be exploited and can provide remediation scripts or integrate with tools like Ansible to automatically fix detected issues.
Over the years, Red Hat published most vulnerability data using the OVAL and CVRF data formats to provide security information about Red Hat offerings. The security data landscape is constantly changing, however, and adjustments and improvements are necessary to meet new industry standards and customer requirements. In February 2023, Red Hat officially announced that the CSAF format for Red Hat security advisories is the official replacement for the old CVRF format.
Red Hat is also starting to publish SBOM (software bill of materials) files for core Red Hat offerings. An SBOM is a machine-readable, comprehensive inventory of software components and dependencies (manifest), with license and provenance information. SBOM files help establish reviews for procurement and audits of what is in a set of software applications/libraries.
Risk management in Red Hat OpenShift involves identifying, assessing, and mitigating potential risks associated with deploying, managing, and scaling containerized applications on the platform. OpenShift provides various tools, practices, and configurations that can help with risk management. These include, but are not limited to:
- Role-Based Access Control (RBAC)
- Network policies
- Pod security policies
- Image security
- Security Context Constraints (SCC)
- DevSecOps integration
- Red Hat Advanced Cluster Management
- Red Hat Advanced Cluster Security
By leveraging OpenShift's built-in features along with DevSecOps best practices, you can minimize operational, security, and compliance risks while maintaining high availability and performance in your environment.
Security of network and information systems
Access controls
Implementing robust access control measures is crucial for safeguarding critical systems and protecting sensitive data. Red Hat Identity Management (IdM) and Active Directory integration provide centralized management of user identities, roles, and policies, ensuring that only authorized personnel can access critical systems. Red Hat Build of Keycloak (Single Sign On) further enhances security by allowing users to authenticate once and gain access to multiple systems without repeatedly entering credentials. Utilizing built-in RBAC/HBAC capabilities allows further customization and restriction of permissions on systems while providing sane default roles.
Encryption
Encryption is essential for protecting data, both in transit and at rest, against unauthorized access and breaches. System-wide, customizable cryptographic policies in Red Hat environments help enforce consistent encryption practices across all systems, minimizing the risk of weak encryption settings that could be exploited by attackers. For example, RHEL 9 was the first in the industry to disable the weak SHA-1 digest in signatures in its default cryptographic policy.
Multi-Factor Authentication (MFA)
Requiring Multi-Factor Authentication (MFA) adds a critical layer of security to system access. Google Authenticator and others can be used to generate one-time passcodes (OTP) for SSH login, ensuring that even if a password is compromised, unauthorized access is prevented without the second authentication factor. Integrating IdM or Red Hat Build of Keycloak with Passkey technologies further strengthens this by offering trustworthy and user-friendly MFA solutions.
Patch management
Regular patch management is vital for protecting systems against known vulnerabilities. Red Hat Satellite, Insights, and Ansible automate the process of identifying, downloading, and applying patches, making sure that systems are up-to-date. Implementing a vigilant patch management policy takes planning, but patch management solutions can be paired with automation software to improve configuration and patch accuracy, reduce human error, and limit downtime.
Automation can drastically reduce the time IT teams spend on repetitive tasks, such as identifying security risks, testing systems, and deploying patches across thousands of endpoints. Managing these time-consuming processes with reduced manual input frees up resources and enables teams to prioritize more proactive projects. For example, a handful of Ansible Automation Platform modules can automate portions of patching processes, including invoking HTTP patch methods, applying patches using the GNU patch tool, and applying or reverting all available system patches.
This proactive approach minimizes the window of opportunity for attackers to exploit vulnerabilities, reducing the overall risk to the organization.
Network segmentation
Network segmentation is a critical strategy for limiting the spread of threats within an organization. By dividing the network into isolated segments, potential breaches are contained, preventing attackers from moving laterally across the network. Ansible Automation Platform is a popular tool for ensuring that this segmentation is correctly configured across all networks, which is central to verifying that only permitted devices are present on a given network segment. Tools like udev can additionally verify this from the client side, further enhancing security. Furthermore, with OpenShift Network Policies you can micro-segment your networks.
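As an added illustration of the micro-segmentation mentioned above (example configuration written for this page, not Red Hat's own), the following three NetworkPolicy objects are applied to a hypothetical namespace named `payments`: the first denies all ingress by default, the second allows traffic only between pods of the same namespace, and the third admits traffic from the OpenShift router, assuming the ingress namespace carries the label `network.openshift.io/policy-group: ingress`.

```yaml
# Deny all ingress to every pod in the "payments" namespace (hypothetical namespace).
# With no "ingress" rules and an empty podSelector, nothing is allowed in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Re-allow traffic only from pods in the same namespace, so services inside
# "payments" can still talk to each other while other namespaces stay blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
---
# Allow the OpenShift router to reach pods exposed through Routes.
# Assumes the ingress namespace is labelled network.openshift.io/policy-group=ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
```

NetworkPolicy rules are additive, so any pod that needs to be reached from another namespace requires an explicit further policy; everything else in the namespace remains isolated.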
Monitoring and logging
Continuous monitoring and logging are essential for detecting and responding to potential security incidents. Integrated logging tools, combined with logging system roles in Red Hat environments, provide a comprehensive logging framework that captures detailed records of system activities. This information is invaluable for forensic analysis and real-time threat detection, allowing security teams to respond swiftly to any suspicious activity.
Incident handling
Incident detection
Incident detection in large organizations presents a unique set of challenges and benefits. The sheer scale and complexity of enterprise environments make it difficult to monitor vast networks, multiple endpoints, and diverse IT infrastructures in real-time. With a growing number of potential vulnerabilities, large organizations face the challenge of distinguishing between false positives and real threats, ensuring timely detection without overwhelming security teams. Furthermore, the integration of legacy systems with modern technologies often complicates incident detection processes, leading to gaps in visibility and inconsistent response protocols.
Red Hat Insights helps you proactively identify and remediate threats to security, performance, availability, and stability in your Red Hat environment. It continuously analyzes platforms and applications to predict risk, recommend actions, and track costs. Enterprises can proactively identify issues, increasing day-to-day efficiency so they can dedicate more time to supporting new business priorities and applications.
The Red Hat Insights for Red Hat Enterprise Linux malware detection service is a monitoring and assessment tool that scans RHEL systems for the presence of malware. The malware detection service incorporates YARA pattern-matching software and malware detection signatures. Signatures are provided in partnership with the IBM X-Force threat intelligence team working closely with the Red Hat threat intelligence team.
In the malware detection service UI, User Access-authorized administrators and viewers can:
- See the list of signatures against which their RHEL systems are scanned.
- See aggregate results for all RHEL systems with malware detection enabled in the Insights client.
- See results for individual systems.
- Know when a system shows evidence of the presence of malware.
These features give security threat assessors and IT incident-response teams valuable information to prepare a response.
Red Hat Advanced Cluster Security for Kubernetes (RHACS) equips you to build, deploy, and run cloud-native applications with more security. It protects containerized Kubernetes workloads in all major clouds, on premises and across hybrid platforms, including Red Hat OpenShift, Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE). The RHACS policy engine includes hundreds of built-in controls to enforce DevOps and security-focused practices based on industry standards such as the Center for Internet Security (CIS) Benchmarks and National Institute of Standards and Technology (NIST) guidelines, configuration management of both containers and Kubernetes, and runtime security.
Supply chain security
Software supply chain security for cloud-native applications requires months of effort for code to stay compliant with the organization's security practices. Red Hat Trusted Software Supply Chain accelerates this effort for platform engineering teams by bringing Red Hat's own mature, open source software supply chain practice to mitigate and reduce risks in software delivery, so that development and security teams can adopt it quickly with low effort and cost.
Standardize on security-focused solution templates with integrated checks in Red Hat Developer Hub, a self-service developer portal, to catch vulnerabilities early without cognitive overload. Over two-thirds of application code has inherited open source dependencies. Harden open source libraries that are verified and attested with provenance checks using Red Hat Trusted Profile Analyzer to curate your own trusted content. Identify malicious code with proactive vulnerability analysis and understand the impact radius of security threats for remediation directly from your IDE. Crypto-sign and certify your code before pushing a commit using an open, immutable ledger that logs all your submissions to increase transparency at code-time. Red Hat Trusted Artifact Signer improves the trustworthiness of your software artifacts across the software supply chain.
Business continuity and disaster recovery
Cyber attacks, natural disasters, human error, server failure, and any number of potential events can bring on the need for disaster recovery. While the risk of experiencing a disaster event won’t go away, the negative impact of such an event can be drastically minimized with the right planning.
RHEL High Availability Add-On provides the ability to create managed, highly available clusters with groups of RHEL servers. This Add-On can be configured to manage most applications, both off-the-shelf and custom, and provides a wide range of configuration options to fit most requirements.
Red Hat OpenShift Data Foundation deployment can be stretched between two different geographical locations to provide the storage infrastructure with disaster recovery capabilities.
An automated disaster recovery plan is a safer disaster recovery plan. Red Hat Ansible Automation Platform can automate disaster recovery plans by using a feature called workflows. Workflows can tie individual SME-created automation artifacts together into a cohesive orchestration process.
No matter how complex the DR process is, when it comes to implementing the process, IT operators have to interact with the tech stack on premises or in a cloud. If these operations are manual, it has a direct impact on the time to recover:
- Having an automated DR plan allows teams to schedule DR testing often, rather than once a year, and to build confidence in the DR process.
- Automated steps reduce the time it takes to effect the changes at the endpoints, allowing a faster return to operations.
Automation directly impacts how efficiently and accurately teams can deliver a disaster response, allowing for organizations to save money and maintain trust.
Information sharing and cooperation
The Red Hat Product Security Incident Response team manages all security vulnerabilities reported or discovered within Red Hat software. It establishes the baseline on which Red Hat classifies the severity of vulnerabilities; that classification reflects the risk to Red Hat software, its customers, and the overall ecosystem, and therefore determines the orchestration of efforts necessary to respond to incidents.
Red Hat security engineers analyze and track all known vulnerabilities. Our security classifications are used to prioritize all risks, and we work with engineering teams to resolve those risks. We then disclose these risks in an open manner using industry formats and standards such as OVAL, CSAF, CVRF, our CVE pages, and security API.
Vulnerability management
Red Hat Satellite provides a comprehensive approach to managing and mitigating security risks through its regular vulnerability assessments, automated patch management, and integration with other Red Hat security tools. By systematically identifying and addressing security weaknesses, organizations can significantly reduce their exposure to security risks, ensuring a trustworthy and compliant IT environment. This proactive approach is fundamental to effective risk management.
Security stands as a paramount concern for both customers and users of computer systems, especially in light of recent attacks targeting software on critical systems. In response, Red Hat Product Security plays a crucial role in ensuring that Red Hat produces trustworthy, quality software tailored to meet customers' business needs. Red Hat's Secure Development Lifecycle (SDLC) aligns with the NIST Secure Software Development Framework (NIST SSDF, SP-800-218 v1.1).
Red Hat’s Secure Development Lifecycle is crafted with a suite of security controls that synchronize with the lifecycle of the Red Hat software portfolio. Various security processes are executed at different stages of software development. Controls, such as threat modeling, are implemented during the design phase, while others operate during and after the development process. Controls associated with testing, whether of the source code or the final binary product, are collectively referred to as security testing.
This structured testing encompasses automated testing, manual testing, evaluation of vulnerabilities from both internal sources and through penetration testing conducted by labs, and regression testing. Issues identified during scanning and testing are recorded in the appropriate defect-tracking systems. The product management team prioritizes these issues with guidance received from Red Hat Product Security.
Penetration Testing is a method by which a trusted team of testers behaves as an attacker and attempts to compromise a predetermined target. The primary objective is to identify weaknesses and vulnerabilities proactively to address them before malicious attackers exploit these issues.
The Red Hat Product Security Resilient Development team performs penetration testing against Red Hat Software, engaging in a series of core activities as part of the testing process:
- Pre-engagement interactions: Initial interactions and planning sessions to define the scope and objectives of the penetration testing.
- Intelligence gathering: Comprehensive gathering of information related to the target system or application to better understand its architecture and potential vulnerabilities.
- Vulnerability analysis: In-depth analysis to identify and assess potential vulnerabilities within the target system or application.
- Exploitation: Controlled attempts to exploit identified vulnerabilities, mimicking real-world attack scenarios to understand the system's resilience.
- Post exploitation: Evaluation of the consequences and impacts of successful exploits, including potential access to sensitive information or system compromise.
- Reporting: Documentation of findings, including identified vulnerabilities, the severity of each issue, and recommendations for remediation.
- Post-testing: Follow-up actions, discussions, and collaboration with stakeholders to address vulnerabilities and improve the overall security posture.
Conclusion
NIS2 compliance requires a comprehensive approach to cybersecurity, encompassing technical controls, governance, risk management, and continuous improvement. Red Hat customers should start to proactively implement these controls to not only meet regulatory requirements but also to protect their critical infrastructure and operations from the increasing threat landscape.