Sprinting Toward NIS2 Compliance

OT networks are under increasing attack. Water distribution, oil extraction, maritime, transportation, manufacturing, pharmaceuticals, health services, and other critical industries have all been breached, many of them repeatedly. SCADA, ICS, and safety systems have been tampered with, confidential information has been exfiltrated, and operators have had to pay heavy ransoms to regain the use of their assets and data.

The prevailing attitude among most OT managers has been that it costs less to do nothing and just deal with the fallout. With new legislation about to hit the European Union (EU), the cost of doing nothing but responding to incidents is about to skyrocket.

Forcing Operators to Get Cyber-Active Now

The updated Network and Information Systems Directive, commonly referred to as NIS2 (Directive (EU) 2022/2555), entered into force in January 2023, and every European Union (EU) Member State must have transposed it into national law by 17 October 2024. Designed to secure critical infrastructure and services, NIS2 has its enforcement claws out. Expanding on the original NIS Directive of 2016, it adds thousands of new organizations to its scope.

But that’s the easy part. Alarmingly, NIS2 is weaponized to drop a payload of severe financial and personal penalties on the organizations it classifies as essential entities and important entities (the successors to the original Directive’s “operators of essential services”) and on their leaders who fail to comply. So severe, in fact, are the potential penalties that operators of critical infrastructure will find it more cost-effective to cyber-secure their facilities than to face the consequences of a serious incident.

The new version has expanded to include transportation companies, food manufacturers, pharmaceuticals, postal and courier services, data centers, and many more types of industries.

Failure to comply with NIS2 provisions can trigger the Directive’s heavy-handed enforcement system – and it isn’t pretty. Non-complying essential entities stand to be fined as much as €10 million or 2% of global annual turnover, whichever is higher; important entities face a ceiling of €7 million or 1.4% of global annual turnover, whichever is higher.

Fines are onerous enough, but then there is the peril of personal liability. The Directive makes an organization’s management body responsible for approving and overseeing its cybersecurity risk management measures, and it can be held liable for failures. Where an essential entity ignores enforcement orders, national authorities can temporarily prohibit the individuals holding managerial responsibility at CEO or legal-representative level from exercising managerial functions in that entity. Officers and employees found directly responsible for a breach, CISOs included, should expect the fallout to follow them. Did somebody say “career-ending”?

The New Risk Management Regime

In one respect, NIS2 is similar to the GDPR, the EU regulation that took effect in 2018. Risk assessments and risk management, two of the fundamental pillars of GDPR, are also NIS2 targets. Companies falling under NIS2 jurisdiction are required to undertake formal risk management programs that continuously evaluate their operational risk and determine the risk-minimizing measures that must be adopted to reduce risk scores to an acceptable level.

NIS2 risk management begins with an initial risk assessment. Companies with OT networks must establish a baseline of the current risk to their operations. In this initial risk assessment, they must take reasonable steps to identify all of their assets, including industrial control systems, sensors, networks, and data systems, and identify threats that could target their operations. From there, they conduct a deeper risk analysis to evaluate their existing controls, identify gaps in their security posture, and implement remediation measures to address those gaps. While risk assessments, asset management, risk analyses, gap analyses and remediation are all standard operating procedures in IT environments, with NIS2, these activities become mandatory in the OT arena as well. 

The Positive Side to NIS2 Compliance

Compliance with new regulations often introduces high costs. NIS2 is no exception. In fact, to comply with the many requirements of NIS2, organizations are going to have to spend heavily on programs, tools, personnel, and training. But, to offset these costs, the EU foresees significant benefits accruing to operators.

Complying with the NIS2 Directive will allow OT companies to prioritize limited security resources effectively. Stressing a targeted approach that focuses on the areas of highest risk and greatest impact ensures that cybersecurity investments align with the most critical aspects of OT infrastructure, thereby boosting security posture while optimizing resource utilization.

Furthermore, compliance with NIS2 will enhance resiliency, helping OT companies to better withstand and recover from inevitable cyber incidents, thus minimizing the likelihood and severity of disruptions to their operations. Increased resiliency will reduce the risk of financial losses and reputational damage, instilling confidence among stakeholders and customers in the company’s ability to maintain services.

Moreover, NIS2 compliance will encourage vulnerability management and continuous improvement efforts. OT companies can leverage the Directive’s framework to proactively identify, assess, and mitigate vulnerabilities in their systems. By establishing robust and consistent processes for vulnerability management and measurement of improvements, companies can stay ahead of evolving threats, strengthen their defenses, and adapt effectively to the changing threat landscape.

Compliance with NIS2 also necessitates a structured approach for justifying cybersecurity budgets, helping CISOs and security stakeholders articulate the need for investment in security measures with greater clarity and accountability. Hopefully, this will ensure that adequate resources are allocated to support ongoing, effective cybersecurity initiatives, further enhancing the company’s resilience and its ability to respond effectively to cyber incidents.

Sprinting to Compliance

With just months before NIS2 goes into effect, organizations with OT networks must accelerate toward compliance. The Directive demands comprehensive risk assessments, security measures, and prompt incident reporting (an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month), all of which require investments in tools, training, expertise, and changes to organizational structure. There isn’t much time, so getting out of the starting blocks quickly is essential.

Fortunately, there are many automated solutions that can help. Risk management platforms can deliver rapid risk assessments that inventory assets, evaluate the current level of risk and the security gaps, and even recommend the most effective mitigation measures. Other threat detection solutions automatically detect cyber threats to operations and collect the forensic evidence about actual incidents needed for rapid and accurate reporting in the formats required by CSIRTs. Bear in mind that such tools produce the inventory, baseline and evidence; they do not by themselves satisfy the Directive’s requirement for a documented, management-approved risk management process, so the outputs still have to be reviewed, acted on and tracked by accountable people.

For companies that are reluctant to take on the burden of staffing and the acquisition and operation of such solutions, outsourcing cybersecurity and risk management is a possibility. A new breed of OT Managed Security Service Providers and Risk Management Experts are coming into the market, ready and eager to take on these responsibilities.

There is no time like right now to take off in the race to NIS2 compliance. Resilient operations that can withstand cyberattacks await at the finish line.