NIS2 requires industrial companies to make major efforts to secure their OT environments: Where to start?

The aim of the NIS2 (Network and Information Security) Directive is to raise the level of physical and digital security for a large number of businesses and to establish a uniform level of maturity across EU countries. In Europe, thousands of businesses will be affected by the implementation of NIS2, scheduled for October 2024, with issues varying widely from one entity to another.

While we talk a lot about IT and attacks targeting office environments, we all too often forget about cyber-attacks targeting operational environments (OT) and the significant vulnerability of these networks. Industrial companies will need to redouble their efforts to meet the requirements of NIS2. However, let's remember that even though the directive will initially impose many constraints, its purpose is to help companies protect their production tools.

OT is as insecure as SMEs

While we talk a lot about IT cybersecurity, we too often forget to raise awareness about the cybersecurity of operational environments (OT), even though cyberattacks against factories and industrial companies can have disastrous consequences. Why are these OT networks so vulnerable?

• OT environments are 10 to 15 years behind in terms of cybersecurity compared to IT environments and have not been secured "by design".
• Many industrial company networks are still based on "flat" architectures, meaning servers, workstations, and other industrial terminals operate on the same network without any segmentation. In other words, leaving one door open allows access to the entire network.
• The issue of governance of OT network security is still unresolved. Who is responsible for OT security? If there is an OT security team, how can they collaborate with IT security managers?
• Remote access to programmable logic controllers and other robots in OT systems has multiplied, especially during COVID-19, creating often poorly or completely unsecured bridges to the outside world.

Get started in three phases and twelve steps

Industrial companies with more than 50 employees and €10 million in turnover are numerous, and their OT networks will be significantly impacted by NIS2. Instead of succumbing to panic, let's summarise the key steps to achieve compliance, in 3 phases and 12 steps, with this new version of the NIS Directive, focusing specifically on the industrial sector.

Phase 1: Assess, discover, and define

1. Security audits

Assess the security of the company by conducting audits, focusing on OT networks, but also - as a new requirement of NIS2 - on physical access to the company and its equipment.

2. Policies

Define a policy and governance specific to OT cybersecurity, starting with determining who is responsible for OT security, to whom they report, who has decision-making power regarding investments, etc.

Phase 2: Implementation and deployment

3. Segmentation

Design and implement an architecture integrating segmentation of OT cybersecurity and Industrial Control Systems (ICS). In other words, move away from flat networks and segment IT and OT networks.

4. Asset discovery and threat detection

Select and implement asset discovery and threat detection tools for OT/ICS, such as Intrusion Detection Systems (IDS).

5. OT configuration hygiene

Maintain OT configuration hygiene by ensuring the presence of classic security components such as backup systems (adopting the 3+2+1 backup model) and machine password managers. Since NIS2 also concerns suppliers with access to networks, the company must ensure cybersecurity hygiene guarantees from its suppliers.

6. Secure remote access to OT systems

Manufacturers of machines/programmable controllers, etc., often access their machines primarily for maintenance purposes, so the company must demand security guarantees from them.

7. Control OT access

Implement measures to regulate and monitor access to OT systems, ensuring that only authorised personnel can interact with critical industrial assets. This includes enforcing strict authentication and authorization protocols to prevent unauthorised access or malicious activities.

8. Protect OT endpoints

Deploy security measures to safeguard endpoints within OT environments, such as industrial machines, controllers, and sensors, against cyber threats. This involves deploying antivirus software, Endpoint Protection and Response (EDR), Intrusion Detection Systems (IDS), implementing controls for USB devices, and regularly updating endpoint security measures to mitigate emerging threats and vulnerabilities.

9. Secure OT supply chain

Implement measures to safeguard the OT supply chain against cybersecurity risks posed by software, OEMs, and third-party service providers. This involves conducting thorough risk assessments, establishing clear contractual agreements with suppliers to define cybersecurity responsibilities, and regularly monitoring supplier compliance to mitigate vulnerabilities and enhance overall OT security.

Phase 3: Monitor, react, and measure

10. Security Operations Centre (SOC)

Implement ongoing monitoring of OT cybersecurity through integrated SOC or managed SOC solutions.

11. Incident response plan

Develop and maintain an incident response plan specifically tailored for addressing cyberattacks or other incidents targeting OT systems.

12. Continuous audits

Finally, conduct regular audits and security testing for OT environments to ensure ongoing compliance with cybersecurity requirements and identify any vulnerabilities or weaknesses promptly.