22 November 2023
Wim Van Langenhove
Director Audit & Business Consultancy, Orange Cyberdefense Belgium
In today's rapidly evolving digital landscape, cybersecurity has become a paramount concern for industries across the globe. The European Union's Network and Information Security Directive, known as NIS2, is a significant legislative framework designed to enhance the security of network and information systems within the EU.
As industries increasingly rely on industrial control systems and operational technology (OT) for critical national infrastructure, understanding the implications of NIS2 on OT is essential for ensuring robust cybersecurity measures.
The NIS2 Directive builds upon its predecessor, the original NIS Directive, which was established to improve the cybersecurity capabilities of member states, their critical infrastructure, and digital service providers. NIS2 aims to address the evolving threat landscape by broadening the scope of the original directive, enhancing security requirements, and increasing cooperation among EU member states. Key highlights of NIS2 include:
Wider Scope: NIS2 expands the range of sectors covered, including more essential and important entities such as water supply, and digital infrastructure.
Enhanced Security Requirements: Entities covered by NIS2 must implement more stringent security measures, surrounding risk management, incident response, and reporting obligations.
Improved Cooperation: The directive emphasizes better collaboration between member states and the establishment of a European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) for coordinated incident response.
Operational Technology refers to the hardware and software systems used to manage, monitor, and control industrial processes. OT is prevalent in critical infrastructure sectors such as energy, manufacturing, transportation, and utilities. Unlike Information Technology (IT), which focuses on data processing and communication, OT is concerned with the physical operations of machinery and processes. The convergence of IT and OT has brought significant benefits, including increased efficiency and connectivity, but it has also introduced new cybersecurity challenges.
NIS2 mandates stricter security measures for entities operating in critical sectors, including those using OT. This means that organizations must implement comprehensive risk management practices, conduct regular security assessments, and ensure robust incident response plans are in place.
NIS2 introduces more rigorous incident reporting requirements, compelling entities to report significant cybersecurity incidents within 24 hours. For OT environments, timely incident reporting is vital to mitigate the impact of cyberattacks on critical infrastructure. Organizations must:
NIS2 will shift how organizations approach and manage supply chain security, as part of a holistic approach to cybersecurity. Many organisations rely on a complex network of supplies to operate. This complex supply chain is an attractive target for attackers because this supply chain can possibly provide an entry point into the industrial network of the organisation. For securing their supply chain organisations can:
Define vendor cyber security requirements: These requirements must be defined during procurement, installation, and operation of equipment, systems, and software.
Implement supply-chain audits: Regular reviews of suppliers against the defined cyber security requirements help organisations in understanding the cybersecurity posture of the supply chain and the related risks.
The NIS2 Directive imposes direct obligations and liability on senior management for organisations that are in scope of the directive. This means that senior management individuals could face administrative fines and/or a potential discharge from managerial functions. NIS2 compliance requires an active involvement of senior management because they play a crucial role in creating the organisation's cybersecurity strategy, allocating the resources, and creating a culture of cybersecurity awareness.
To enhance the cybersecurity maturity in organisations NIS2 requires the active management of cyber risks not only in the IT world but also in the OT environment. For OT operators, this might mean a completely new risk domain as OT risk management has traditionally focused on site operations and safety. Mitigating cybersecurity risks in OT will require changes in operational procedures and practices.
Many organisations lack visibility into their OT environments. In order to detect and respond to incidents effectively, organisations must know which assets are present in their industrials environments and what dataflows are necessary to support their critical processes. In order to achieve this visibility organisations must implement technologies and develop the processes required to perform effective asset management and security monitoring in OT environments.
Demonstrating compliance with NIS2 will also bring extra costs to the organisation. Mitigating the cybersecurity risks that an organisation faces requires the implementation of new technologies or new processes. Regular audits or certifications against cybersecurity frameworks will also bring extra costs to the organisation.
Compliance with the NIS2 requirements is not only essential from a legal point of view. Compliance with these requirements will also help your organization to enhance its cybersecurity maturity to a level that is required to face the challenges that come with the growing number of cyber threats.
The following steps can help you comply with these requirements while enhancing the cybersecurity maturity of your OT environments:
You have to define clear roles and responsibilities. This involves identifying and documenting the roles and responsibilities of key stakeholders, including the board of directors, senior management, and IT and OT personnel. The senior management of your organisation can be held personally liable for failing to comply with the NIS2 regulation and in certain extreme cases, compliance failure may result in suspension and even disbarment from the board.
International security standards such as ISO27001 and IEC62443 can help you in building a robust governance structure.
NIS2 requires regular risk assessments with clear ownership of the risks and concrete actions to mitigate these risks. Continuous risk assessments will help you in implementing measurable and cost-effective improvements in your environment.
When creating a secure environment you need to implement both technical and organisational measures to ensure the right balance between people, processes and technology. You will have to create a defensible architecture within your OT environment and make sure that you can provide secure remote access to your industrial network. Monitoring your OT environment will be crucial to identify malicious intruders in your industrial network. You will also need to make sure that the right policies and procedures are in place for responding to cyber incidents in your OT environment.
Employees are often the weakest link in an organization’s cybersecurity defences. Creating a culture of security can transform them into your strongest asset in defending your crown jewels. You will have to make sure that both your employees and suppliers are aware of the risks and their responsibilities in regard to cyber security.
Orange Cyberdefense can assist you end-to-end towards NIS2 Compliance. Our services range from conducting risk assessments and gap analysis to implementing international cybersecurity standards like ISO/IEC 27001 or ISA/IEC 62443.
When it comes to industrial cybersecurity, we can help you build a secure and defensible architecture and provide you with monitoring and secure remote access solutions. Furthermore, we can also help in designing, building and testing a cyber incident response plan and awareness program.
The NIS2 Directive represents a significant step forward in bolstering the cybersecurity posture of the European Union, particularly for critical infrastructure sectors reliant on Operational Technology. By imposing stricter security requirements, enhancing incident reporting and response capabilities, and promoting greater collaboration, NIS2 aims to safeguard the resilience and security of OT environments.
As cyber threats continue to evolve, the regulatory landscape is also evolving with several new regulations coming our way. The time is now for organizations to proactively adapt to these new regulations and strengthen their cybersecurity frameworks to protect the essential services that underpin our modern society.