What NIS2 means for Operational Technology (OT)

Understanding NIS2

The NIS2 Directive builds upon its predecessor, the original NIS Directive, which was established to improve the cybersecurity capabilities of member states, their critical infrastructure, and digital service providers. NIS2 aims to address the evolving threat landscape by broadening the scope of the original directive, enhancing security requirements, and increasing cooperation among EU member states. Key highlights of NIS2 include:

Wider Scope: NIS2 expands the range of sectors covered, including more essential and important entities such as water supply, and digital infrastructure.

Enhanced Security Requirements: Entities covered by NIS2 must implement more stringent security measures, surrounding risk management, incident response, and reporting obligations.

Improved Cooperation: The directive emphasizes better collaboration between member states and the establishment of a European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) for coordinated incident response.

Introducing Operational Technology (OT)

Operational Technology refers to the hardware and software systems used to manage, monitor, and control industrial processes. OT is prevalent in critical infrastructure sectors such as energy, manufacturing, transportation, and utilities. Unlike Information Technology (IT), which focuses on data processing and communication, OT is concerned with the physical operations of machinery and processes. The convergence of IT and OT has brought significant benefits, including increased efficiency and connectivity, but it has also introduced new cybersecurity challenges.

Key Provisions of NIS2 Relevant to OT Environments

1. Increased Security Requirements

NIS2 mandates stricter security measures for entities operating in critical sectors, including those using OT. This means that organizations must implement comprehensive risk management practices, conduct regular security assessments, and ensure robust incident response plans are in place.

2. Improved Incident Reporting and Response

NIS2 introduces more rigorous incident reporting requirements, compelling entities to report significant cybersecurity incidents within 24 hours. For OT environments, timely incident reporting is vital to mitigate the impact of cyberattacks on critical infrastructure. Organizations must:

• Develop Incident Response Plans: Establish and regularly update incident response plans tailored to OT environments. These plans should include clear procedures for identifying, containing, and recovering from incidents.
• Conduct Regular Drills: Regularly simulate cyberattack scenarios to test the effectiveness of incident response plans and improve readiness.

3. Supply Chain Security

NIS2 will shift how organizations approach and manage supply chain security, as part of a holistic approach to cybersecurity. Many organisations rely on a complex network of supplies to operate. This complex supply chain is an attractive target for attackers because this supply chain can possibly provide an entry point into the industrial network of the organisation. For securing their supply chain organisations can:

Define vendor cyber security requirements: These requirements must be defined during procurement, installation, and operation of equipment, systems, and software.

Implement supply-chain audits: Regular reviews of suppliers against the defined cyber security requirements help organisations in understanding the cybersecurity posture of the supply chain and the related risks.

 4. Governance

The NIS2 Directive imposes direct obligations and liability on senior management for organisations that are in scope of the directive. This means that senior management individuals could face administrative fines and/or a potential discharge from managerial functions. NIS2 compliance requires an active involvement of senior management because they play a crucial role in creating the organisation's cybersecurity strategy, allocating the resources, and creating a culture of cybersecurity awareness.

The road to NIS2 compliance

Compliance with the NIS2 requirements is not only essential from a legal point of view. Compliance with these requirements will also help your organization to enhance its cybersecurity maturity to a level that is required to face the challenges that come with the growing number of cyber threats.

The following steps can help you comply with these requirements while enhancing the cybersecurity maturity of your OT environments:

1. Establish a Cybersecurity Governance Framework

You have to define clear roles and responsibilities. This involves identifying and documenting the roles and responsibilities of key stakeholders, including the board of directors, senior management, and IT and OT personnel. The senior management of your organisation can be held personally liable for failing to comply with the NIS2 regulation and in certain extreme cases, compliance failure may result in suspension and even disbarment from the board.

International security standards such as ISO27001 and IEC62443 can help you in building a robust governance structure.

2. Continuous Risk Assessments

NIS2 requires regular risk assessments with clear ownership of the risks and concrete actions to mitigate these risks. Continuous risk assessments will help you in implementing measurable and cost-effective improvements in your environment.

3. Implement Security Measures

When creating a secure environment you need to implement both technical and organisational measures to ensure the right balance between people, processes and technology. You will have to create a defensible architecture within your OT environment and make sure that you can provide secure remote access to your industrial network. Monitoring your OT environment will be crucial to identify malicious intruders in your industrial network. You will also need to make sure that the right policies and procedures are in place for responding to cyber incidents in your OT environment.

 4. Training and awareness

Employees are often the weakest link in an organization’s cybersecurity defences. Creating a culture of security can transform them into your strongest asset in defending your crown jewels. You will have to make sure that both your employees and suppliers are aware of the risks and their responsibilities in regard to cyber security.

How Orange Cyberdefense can help

Orange Cyberdefense can assist you end-to-end towards NIS2 Compliance. Our services range from conducting risk assessments and gap analysis to implementing international cybersecurity standards like ISO/IEC 27001 or ISA/IEC 62443.

When it comes to industrial cybersecurity, we can help you build a secure and defensible architecture and provide you with monitoring and secure remote access solutions. Furthermore, we can also help in designing, building and testing a cyber incident response plan and awareness program.