Cisco enhances industrial security capabilities to drive NIS2 compliance for industries

The European NIS2 (Network and Information Security) directive focuses on enhancing cybersecurity requirements for critical infrastructures in the EU, expanding on the initial NIS directive with stricter rules, broader scope, and increased penalties. Over 350,000 European organizations are impacted as the directive now applies to sectors like manufacturing, pharmaceutical, food production and distribution, waste management, wastewater, and more. Unlike the first version of the NIS directive, in which member states selected the companies in scope, NIS2 makes compliance mandatory for all organizations with revenues over €10 million. This means that many organizations operating in sectors already covered by NIS1, such as energy and transportation, are now impacted as well.

Given the rise in cyberattacks targeting European organizations and the global geopolitical landscape, the European Union considers that NIS2 will play a vital role in safeguarding Europe’s critical infrastructures and ensuring resilience across the region. By establishing a common framework for cybersecurity across the EU, NIS2 aims to enhance cooperation and information sharing among member states to better protect against cyber threats. By imposing a deterrent sanctions regime, NIS2 is designed to put cybersecurity at the top of every organization’s priority list and drive change.

Cisco is enhancing its industrial cybersecurity capabilities to help industries drive compliance with NIS2. These efforts aim to enable industrial organizations to identify risks, build an up-to-date OT security practice, implement solutions to comply with NIS2 measures, and maintain operational continuity in the face of cyber threats. By offering solutions and services that align with NIS2 requirements, Cisco aims to help businesses adapt to changing regulatory landscapes while ensuring the safety and reliability of their critical infrastructure.

Deadline for EU Member States to implement NIS2 compliance

When assessing the anticipated timelines for organizations to attain NIS2 compliance and evaluating the feasibility of these schedules, Ruben Lobo, director of product management for industrial IoT at Cisco, emphasized that EU member states have to transpose the NIS2 Directive into local laws by Oct. 17, this year. These laws will define the details of what organizations should implement and the exact processes for reporting incidents, or for the regulators to audit organizations.

As these local laws have not been voted upon yet, many organizations feel they should wait before committing to changing their practices or deploying additional tools and technologies.

“But as they are expected to comply on D-Day, i.e. Oct. 18th, they should already be implementing measures that are quite straightforward and considered as mandatory best practices regardless of any regulation,” Lobo told Industrial Cyber. “Think about identifying and profiling all connected OT assets and their vulnerabilities, training the workforce, changing default passwords, adopting multifactor authentication, and more.”

“NIS2 also requires defining access control policies. This means adopting a zones and conduits architecture as per ISA/IEC-62443-3-3,” he further identified. “This also means identifying rogue remote access solutions to replace them with tools capable of controlling who can remotely access OT assets, which assets, and when. Both objectives require a good understanding of the existing industrial network and a strong collaboration between IT and OT teams. This should be worked on without delay.”

NIS2’s Global Impact: Variances affecting EU and U.S. organizations

Lobo examines the broader impact of NIS2 on organizations outside of Europe and identifies the stakeholders who should be engaged in this dialogue and the reasons behind their involvement. Additionally, he delves into the potential implications that Cisco foresees for EU organizations compared to those in the U.S. as a result of these regulatory variances.

“Any organization having industrial operations in the EU must comply with NIS2 if they operate in one of the sectors in scope,” Lobo said. “Global companies might have to adapt or upgrade their cybersecurity practices to include NIS2 requirements. Ultimately, the NIS2 regulation might have a positive impact on non-European companies too.”

He mentioned that NIS2 requires organizations to control the cybersecurity posture of their supply chain. “Suppliers located outside of the EU will have to adopt more stringent cybersecurity practices as their European customers and prospects will start making it mandatory. Suppliers will have to demonstrate they have a secure development lifecycle so their products do not introduce risks once deployed at their customers’ European facilities.”

“For OT/ICS environments, ISA/IEC-62443-4-1 certifies secure development lifecycles and 4-2 certifies that ICS components have the minimum set of required cybersecurity features,” Lobo identified. “The Cisco product development process is certified for 4-1 compliance and all Cisco industrial switches are 4-2 certified.”

Addressing specific capabilities that Cisco is offering to help comply with NIS2 measures, Lobo states that “One key NIS2 requirement is supply chain security. The road to compliance requires standardizing on highly trusted vendors, so the supply chain is simpler to assess and control. Industrial organizations can trust the Cisco industrial switching, routing and wireless portfolio for all their use cases.”

Roping in a risk-based approach

Looking into the primary concerns for organizations across the industrial sector in achieving NIS2 compliance, and Cisco’s approach to mitigate these concerns, Lobo outlined that NIS2 requires organizations to adopt a risk-based approach. “This demands comprehensive visibility into the OT environment to understand risks. Many industrial organizations do not have a detailed or up-to-date inventory of all connected OT assets. Most are blind to which asset is communicating to which.”

Cisco Cyber Vision helps industrial organizations assess their OT/ICS cybersecurity posture. It profiles all connected assets and monitors communications activities to detect vulnerabilities, malicious traffic, and anomalous behaviors. It scores risks to help teams prioritize what changes and mitigations will be most impactful for improving their OT security posture. It’s built into switches and routers so it’s easy to deploy at scale without additional appliances or network resources.

Importance of industrial security capabilities for NIS2 compliance

NIS2 also requires defining and enforcing network access policies. This means restricting free communications within the industrial network and from remote users such as suppliers or contractors doing maintenance or troubleshooting of OT assets.

Cisco Secure Equipment Access (SEA) enforces zero-trust remote access in industrial networks by defining policies that restrict access to specific assets, users, times, and communication protocols. Integrated into Cisco industrial switches and routers, SEA is easily scalable and offers comprehensive audit logs, including session recordings and live remote access session monitoring.

Also, restricting communications within the industrial network is key to preventing attacks from spreading or malicious users from moving laterally unnoticed. Cisco Identity Services Engine (ISE) or Cisco Secure Firewalls can segment networks based on asset identities and process details provided by the OT team. Policies are established using asset groups created with the operations team in Cisco Cyber Vision, simplifying policy management compared to relying solely on IP/MAC addresses. This approach facilitates policy updates when the industrial process changes: modifying asset groups in Cyber Vision automatically updates segmentation policies.
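As an added illustration (not Cisco's code and not taken from the article), the following Python models the group-based approach described above: conduit policies defined between asset groups rather than addresses, a remote-access rule scoped to user, asset, protocol and maintenance window, and a regrouping step that changes an asset's effective permissions without editing any rule. All asset names, group names and rules are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed asset inventory: each asset belongs to one named group (zone).
# Policies reference groups, never IP/MAC addresses, so regrouping an asset
# changes what it may talk to without touching any rule.
ASSET_GROUPS = {
    "plc-line1": "line1_control",
    "hmi-line1": "line1_hmi",
    "historian": "plant_it",
    "plc-line2": "line2_control",
}

# Conduits between zones: (source group, destination group) -> allowed protocols.
# Anything not listed is denied (default-deny between zones).
CONDUITS = {
    ("line1_hmi", "line1_control"): {"modbus"},
    ("plant_it", "line1_control"): {"opcua"},
}

def flow_allowed(src: str, dst: str, proto: str, groups=ASSET_GROUPS) -> bool:
    """Zone-to-zone check: unknown assets and missing conduits are denied."""
    if src not in groups or dst not in groups:
        return False
    return proto in CONDUITS.get((groups[src], groups[dst]), set())

def regroup(asset: str, new_group: str, groups=ASSET_GROUPS) -> dict:
    """Return a new inventory with the asset moved; policies stay unchanged."""
    updated = dict(groups)
    updated[asset] = new_group
    return updated

@dataclass(frozen=True)
class RemoteAccessRule:
    user: str
    asset: str
    protocols: frozenset
    start_hour: int  # maintenance window start (inclusive, same-day window)
    end_hour: int    # maintenance window end (exclusive)

# Constructed rule: one vendor account, one PLC, SSH only, 08:00-18:00.
RULES = [RemoteAccessRule("vendor_a", "plc-line1", frozenset({"ssh"}), 8, 18)]

def remote_access_allowed(user: str, asset: str, proto: str, when: datetime) -> bool:
    """Deny unless an explicit rule matches user, asset, protocol and time."""
    return any(r.user == user and r.asset == asset and proto in r.protocols
               and r.start_hour <= when.hour < r.end_hour for r in RULES)
```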

Overcoming integration challenges for NIS2 compliance

Lobo highlights how Cisco assists companies in overcoming integration challenges when implementing industrial security solutions for NIS2 compliance. “Ultimately, NIS2 will force cybersecurity teams to adopt a platform approach to prevent attacks and detect, report, and remediate threats in a unified manner across IT and OT domains. It is not uncommon for a breach to start in the IT domain before making its way into the OT domain, or vice versa. A platform approach is needed to gain visibility across the organization and augment events with additional sources of intelligence.”

The Cisco OT security solution extends IT security to industrial settings. It comes with out-of-the-box integration with Cisco Firewalls, Cisco ISE, and Cisco XDR, making it simple to bring OT context to the SOC without having to spend time making everything work together. It also has over 230 certified integrations, offering an ecosystem where Cisco and third-party products work together.

“With our recent acquisition of Splunk, Cisco brings the best of SIEM+XDR+SOAR augmented with user and device behavior analytics for IT, IoT, and OT assets into a single AI-powered cross-domain security platform,” Lobo added.

Cisco’s response to challenges in achieving NIS2 compliance

Lobo highlights the challenges as industries strive for NIS2 compliance and discusses how Cisco is adapting its solutions to address these issues. He emphasizes the complexity of protecting industrial networks and critical infrastructures, traditionally done through deploying multiple point security products from various vendors. “Integrating many point products increases a network’s cost and complexity to a level that may lead to gaps in defenses. It also makes it more complex to assess whether these point products are not introducing risks to the infrastructure,” he added.

“As Cisco defines the networking standards of the future, we are bringing the latest advances in IT to industrial networking equipment today,” Lobo mentioned. “Our market-leading industrial switches and routers embed advanced cybersecurity capabilities that let you gain visibility at scale, implement micro-segmentation to build secure industrial zones, and make zero-trust network access work with the specific constraints of industrial operations. Only Cisco offers such advanced security capabilities in industrial switches and routers today.”

He also recommends avoiding sourcing, installing, and managing additional appliances for every cybersecurity feature needed. “Not only will this have a positive impact on your sustainability objectives, it will also let you easily scale your industrial security project with the limited number of skilled IT/OT networking professionals you have,” he added.

When it comes to providing support to companies in meeting regulatory deadlines while ensuring robust security measures are in place, Lobo highlighted that for many industrial organizations, it would be difficult to achieve comprehensive NIS2 compliance by Oct. 18. “Many of them are just starting to work on it or waiting for local regulations to be adopted. The key is to start assessing the existing security posture and define a roadmap. Many Cisco partners all over Europe use Cyber Vision to offer such a service and can help build plans for improvement. The Cisco professional services team also has IT/OT security experts capable of conducting such assessments,” he added.

The Cisco professional services team can also help implement specific key capabilities to meet NIS2 requirements, such as OT vulnerability management, or building a unified SOC able to manage and report OT security events.

Leveraging ISA/IEC 62443 standards for NIS2 compliance

Elaborating on how industries can benefit from NIS2 compliance by leveraging ISA/IEC 62443 standards, Lobo highlighted that NIS2 stresses using international standards to ensure that entities within its scope implement effective cyber risk-management measures. Organizations that have experience with ISA/IEC 62443 are in a good position to achieve compliance with NIS2.

“Deploying ISA/IEC 62443-4 certified components helps drive compliance by ensuring a secured supply chain,” Lobo mentioned. “Implementing the ISA/IEC 62443 cybersecurity framework—especially parts 2-1, 3-2, and 3-3—goes a long way toward NIS2 compliance, as it includes most of its key requirements such as risk analysis, access control, strong authentication, use of cryptography, continuous monitoring, business continuity and disaster recovery, and more.”

Lobo further identified that the NIS2 directive envisions a European certification scheme that is currently under development. “The industrial infrastructure certification scheme will likely be based on or derived from ISA/IEC 62443. Any experience with or certification for these standards will help entities within the NIS2 scope to achieve certification.”

To learn more, join our exclusive live webinar, “A Sense of Urgency: Industrial Cybersecurity and Compliance Under the NIS2 Directive.”

Hear from industry experts as they unpack the complexities of the NIS2 Directive and reveal critical strategies to enhance your cybersecurity measures. Whether you’re aiming to understand the latest regulations or seeking to safeguard your operations, this webinar is your gateway to staying ahead in the fast-evolving world of industrial cybersecurity.

Register today and empower your organization to navigate the challenges of NIS2 compliance with confidence!
