Securing Process Automation Systems in the European Union: An Overview of the NIS1 Directive and NIS2 Directive

Sinclair

Introduction

Cyberattacks against industrial control systems, such as the successful attacks on the Ukrainian power grid in 2016 and 2017, and the reported attack on a German steel factory in 2014, have emphasized the pressing need for enhanced cybersecurity measures in the European Union. The Stuxnet attack on a nuclear enrichment plant in Iran in 2010 demonstrated the devastating capabilities of cyber threats and the critical importance of protecting essential facilities.

A more recent example is the 2022 penetration of a Canadian pipeline system by the Russian threat actor group Zarya, as can be read in the leaked Pentagon papers. The intercepted email exchange between the threat actors and the Russian Federal Security Service (FSB) indicated that causing physical damage was considered a potential option by the FSB officer.

These incidents highlight the growing threat to critical infrastructure and industrial control systems from cyberattacks, underscoring the need for effective security measures and incident response plans. As a response to these risks, the European Union has introduced the NIS2 directive, which aims to strengthen the cybersecurity of critical infrastructure across Member States. This blog post explores the impact of the NIS2 directive on process automation systems, providing insights into the changes and updates introduced by the directive and its implications for entities within its scope.

NIS2 directive summary

The European industry has undergone a significant overhaul with a comprehensive set of digital regulations implemented by the European Commission. The primary objective of these directives is to enhance the industry's resilience against cyber-attacks. Among these regulations are the Critical Entities Resilience Directive (2008), the NIS1 Directive (2018) and the NIS2 Directive (2022); in addition, a draft version of the Cyber Resilience Act was issued in September 2022 to further strengthen the industry's defenses against cyber threats.

The NIS1 and NIS2 guidelines focus on asset owners, while the Cyber Resilience Act is aimed at equipment suppliers. These guidelines seek to improve the overall cyber resilience of the European industry by imposing strict rules on asset owners and equipment suppliers to ensure that their systems are adequately protected against cyberattacks.

NIS 1 aimed to safeguard critical infrastructure in the EU. The directive emphasizes preventive and reactive measures to improve cybersecurity. However, as only a small set of asset owners – companies specifically assigned by member states as critical infrastructure – were subject to the directive, its scope was limited.

After the implementation of NIS 1 in May 2018, the European Commission assessed and revised the directive due to implementation challenges faced by several member states. The Commission evaluation analyzed the NIS directive for its relevance, EU added value, coherence, effectiveness, and efficiency. Its main findings were that the scope of the NIS1 directive is too limited in terms of the sectors covered, mainly due to:

  • Increased digitalization in recent years and a higher degree of interconnectedness;
  • The scope of the NIS1 directive no longer reflects all digitalized sectors providing key services to the economy and society as a whole;
  • Inconsistent resilience across the EU resulting from a lack of common understanding of the primary threats.

The limitations of NIS 1 led to the adoption of NIS 2, which aims to establish a higher common level of cybersecurity for a wider scope of asset owners. The NIS 2 directive was adopted on December 14 2022, which means that European member states have until October 17 2024 (21 months after the entry into force of NIS2) to implement the directive into national legislation. In several member states the directive has already been in force since January 2023.

Compared to NIS 1, NIS 2 introduces significant changes that will impose stricter cybersecurity obligations on more organizations. Member states are required to adopt new provisions that include these stricter supervisory and enforcement measures to ensure compliance with the directive. The NIS 2 replaces the NIS 1 directive, which results in the following differences compared to the NIS1:

  • NIS2 broadens the scope to include more entities, such as chemical and medical device manufacturers, food processors, and social network providers, which were previously not covered by NIS.
  • NIS2 replaces the “operator of essential services” and “digital service provider” distinction with “essential entities” and “important entities” based on size and sector. While both face similar obligations, essential entities will be subject to more rigorous enforcement and oversight measures.
  • NIS2 mandates new cybersecurity obligations for “essential” and “important” entities, including risk and supply chain management, cyber incident reporting, and information sharing. Complying with these requirements will require covered entities to establish and implement new policies and procedures.
  • NIS2 requires EU member states to enhance their national cybersecurity strategies and respond to digital threats. It is important for organizations to stay informed about upcoming initiatives in this area by member states.
  • NIS2 enhances security requirements for businesses by enforcing a risk management approach and a minimum list of basic security elements. The directive also introduces detailed provisions on incident reporting, including the content, timing (within 24 hours of discovering the incident), and process of reporting.
  • NIS2 requires addressing security in the supply chain. That includes risks created by supplier relationships.
  • NIS2 mandates personal liability for the management bodies, such as company boards and executives, to enforce cybersecurity requirements effectively. Organizations may face various enforcement orders and substantial fines for non-compliance.

NIS2 does not provide an exact list of basic security requirements. Instead, it mandates that each member state establish a list of essential services and apply appropriate security measures based on the sector and size of the entity. Additionally, the directive outlines 10 key elements that all companies have to address or implement as part of the measures they take, including incident handling, supply chain security, vulnerability handling and disclosure, the use of cryptography, and where appropriate, encryption.

The sectors of essential entities defined in NIS2 are:

  • Energy (e.g. electrical power, oil, gas)
  • Drinking water
  • Wastewater
  • Transportation
  • Banking
  • Financial Markets
  • Digital infrastructure (internet exchange points; DNS service providers; TLD name registries; cloud computing service providers; data center service providers; content delivery networks; trust service providers; providers of public electronic communications networks and publicly available electronic communications services)
  • ICT service management (managed service providers and managed security service providers)
  • Public Administrations
  • Health care, including the manufacture of pharmaceutical products including vaccines
  • Space

NIS2 additionally defines important entities; their sectors are:

  • Postal and courier services
  • Processing and distribution
  • Waste processing
  • Accounting firms
  • Manufacturing companies
  • Chemical industry
  • Food industry
  • Manufacturing of medical devices
  • Computers and electronics
  • Machinery and equipment
  • Motor vehicles
  • Trailers and semi-trailers and other transport equipment
  • Digital providers (online marketplaces, online search engines, and social networking service platforms)
  • Research organizations

I have highlighted the sectors relevant to the topic of this blog, those sectors which employ operational technology (OT).

With regard to incident reporting, NIS2 seeks to strike the right balance between swift incident reporting and valuable lessons learned; to that end, the new directive proposes a multi-stage approach to incident reporting. Affected companies must submit an early warning to the CSIRT or competent national authority within 24 hours of becoming aware of an incident, which also allows them to seek assistance for implementing possible mitigation measures. Within 72 hours of becoming aware of the incident, they should provide an incident notification, followed by a final report no later than one month later.

This approach allows for swift reporting to prevent the spread of incidents while also allowing for more in-depth reporting to draw important insights from individual incidents. Companies have the opportunity to request assistance and guidance during the early stages of reporting, enabling them to take effective action quickly. By requiring incident notification and final reports within set timeframes, the directive promotes accountability and transparency, which can lead to better incident management in the long run.

The new NIS2 directive places a high priority on the crucial tasks of supervision and enforcement by competent authorities, establishing a comprehensive framework that encompasses all Member States.

To ensure effective compliance of both the member states and asset owners, the NIS2 established a minimum list of supervisory means that authorities can use to oversee essential and important entities. These include regular and targeted audits, on-site and off-site checks, requests for information, and access to relevant documents and evidence. The directive distinguishes the supervisory regime for essential and important entities, ensuring that obligations are balanced for both parties.

Member States have always been hesitant to enforce penalties on entities that fail to implement adequate security measures or report incidents, which has adverse effects on the cyber resilience of these systems. To address this issue, the NIS2 directive established a framework for sanctions across the European Union.

This framework outlines a minimum list of administrative sanctions for breaching cybersecurity risk management and reporting obligations, including binding instructions, orders to implement security audit recommendations, orders to align security measures with NIS2 requirements, and administrative fines. The NIS2 differentiates between essential and important entities and requires Member States to provide for certain levels of administrative fines.

The essential entities face a maximum fine of at least €10,000,000 or 2% of their total worldwide annual turnover of the preceding financial year, whichever is higher. Important entities face a maximum fine of at least €7,000,000 or at least 1.4% of their total worldwide annual turnover of the preceding financial year, whichever is higher.

The NIS2 also introduces provisions to ensure accountability for cybersecurity measures at the organizational level by establishing liability for senior management positions in entities falling under its scope. By establishing such specific sanctions for cybersecurity breaches, the NIS2 fosters accountability and with that incentivizes entities to implement effective security measures and report incidents promptly, ultimately enhancing overall cyber resilience.

The NIS2 Directive is closely linked to two other initiatives: the Critical Entities Resilience (CER) directive and the Digital Operational Resilience Act (DORA) regulation. The DORA regulation is specific to the financial industry, so I will not further discuss DORA. However, the older CER directive (July 2021) is of importance for the industry.

The CER directive and the NIS2 directive partially overlap, as both aim to strengthen the resilience of critical entities and services. The CER directive requires the critical (NIS2 – essential) entities to take measures to ensure their physical and operational resilience, while the NIS2 focuses exclusively on cybersecurity risks and threats. Therefore the scope of the two directives needed to be aligned to ensure that the physical and cyber resilience of critical entities is addressed in a comprehensive manner.

Implications for process automation installations

The scope of the NIS2 directive has been broadened to include previously uncovered industries such as chemicals and food. As a result, companies operating in these sectors that use process automation systems are now obligated to manage cybersecurity risks and report any incidents under the NIS2 directive. Additionally, asset owners who were only included under NIS1 if designated by their government as part of national critical infrastructure are now subject to the expanded scope of NIS2, regardless of any specific assignment.

With the wider scope of the NIS2 directive, companies falling under its jurisdiction must undertake a comprehensive review of their risk assessments to ensure their installations are resilient against cyberattacks. This review also involves assessing the sufficiency of existing cybersecurity measures, evaluating incident response processes, reviewing the cybersecurity measures of service providers, and enhancing risk management processes.

Additionally, companies and service providers must prepare for audits to ensure compliance with NIS2 directive requirements, and potentially train personnel to understand the directive and implement any necessary security governance processes in accordance with industry standards such as IEC 62443 or NIST CSF.

Considering these requirements, it is expected that 2023 and 2024 will be busy years for many companies new to the NIS2 directive.
