In August 2016, the European Parliament and the Council of the European Union implemented the first piece of legislation specifically addressing the cybersecurity of its Network and Information Systems (also known as the NIS Directive, or NISD). The NIS Directive (European Commission, 2016) required that member states transpose the Directive into local law by May 2018 and self-select the in-scope Operators of Essential Services (OES) by November 2018. To assist with the short time frames, the European Union Agency for Cybersecurity published a guideline (ENISA, 2018) that maps the security requirements set out in the NIS Directive to existing industry standards for specific sectors. Some of these included the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP), National Institute of Standards and Technology (NIST), and International Organization for Standardization (ISO). Given the increased focus of malicious actors on targeting Industrial Control Systems (ICS) and Operational Technology (OT) assets, does the NIS Directive have a meaningful impact on protecting industrial assets and public safety? Rather than recommending industry-specific standards, what is the effect when the Directive is complemented with common Tactics, Techniques, and Procedures (TTPs) determined by the MITRE ATT&CK® for ICS (Mitre, 2020) framework?