A look at what's new in the NIS2 Directive


By Bernard Montel, Cybersecurity Strategist and Technical Director, Tenable. 

The Directive on the security of Network and Information Systems, often shortened to NIS, was first established in July 2016. When introduced, it encompassed two groups: the operators of essential services, and relevant digital service providers, with the aim of strengthening cybersecurity resilience.

While somewhat effective, NIS was seen to have limitations, particularly the narrow scope of organisations covered. This was addressed in January 2023, when the European Union adopted a new version of the Directive.

NIS2 expands the scope of entities covered, broken into two categories: essential and important. Included within the new ‘important’ category are manufacturing; the manufacture, production and distribution of chemicals; and food production, processing and distribution. Any large organisation with a headcount of over 250 or in excess of €50 million revenue, and any medium organisation with a headcount over 50 or in excess of €10 million revenue, from the sectors identified in NIS2.0 will be directly included in the scope.

That doesn’t mean small or micro-organisations are excluded. Each member state can extend the scope to include any organisation (in the identified sectors) deemed to fulfil specific criteria that indicate a key role for society, the economy or for particular sectors or types of service.

All EU member states, and non-members trading in the EU, will need to transpose NIS2 into national legislation by October 17, 2024. Although no longer bound by EU regulation, the UK government has confirmed it will also strengthen its NIS regulations.

Q. What does that mean for manufacturers?

While NIS required significant cyber incidents to be reported, the updated Directive includes a timeline for reporting incidents. Within 24 hours of identifying any incident with significant impact, an early warning should be communicated to the competent authority or CSIRT. This should be followed after 72 hours with a full notification report, including an assessment of the incident, its severity and impact, and indicators of compromise. A final report must be communicated within a month. While detecting incidents is obviously important, the onus for organisations should be on reducing the risks they face and preventing incidents in the first place.

NIS operates on a principle-based approach, allowing cybersecurity to become part of an organisation’s ‘business as usual’ rather than a set of prescriptive rules. Organisations understand their business better than an outsider does, so the principle-based approach allows them to make informed decisions on how best to tackle cybersecurity challenges.

When it comes to manufacturing, factory floors usually run a wide variety of machines to support each step of the production process (conveyor belts, laser cutting machines, mixers, boilers, heaters, coolers, etc.), from a variety of OEMs (Siemens, Honeywell, Rockwell, Schneider, Emerson, Mitsubishi, Yokogawa, etc.), all at various stages of modernisation. Entwined within this are IT devices that can make up between 25% and 50% of the modern manufacturing environment. While IT and Operational Technology (OT) have traditionally been separate worlds, advancements in connectivity have not just blurred but eradicated this boundary, making it challenging to keep track of OT devices alone, let alone OT and IT devices together.

True cyber security requires a complete and holistic understanding of the risks that exist within the entire infrastructure. A preventative approach to industrial cybersecurity is paramount to eliminate many of the core risks associated with the new trends and challenges that are present. When threat actors evaluate a company's attack surface, they're probing for the right combination of vulnerabilities, misconfigurations and identity privileges. To mitigate the OT risks, it is essential to gain full visibility into all the operational assets that control the myriad of exploration, extraction, refinement and delivery processes that collectively define the oil & gas industry, and to address those risks or take remediative action.

This requires a holistic view of both IT and OT environments, of the interdependencies that exist for critical functionality, and of where weaknesses and vulnerabilities exist.

Once a holistic viewpoint is established, the next step is to identify what would cause theoretical versus practical damage. From this stance, steps can be taken to remediate the risks where possible, or to monitor the assets related to the risk for deviations due to attacks.

Q. Will compliance with NIS2 equate to stronger security?

Compliance with NIS2 is mandatory, and failure to adhere can result in large fines. However, organisations should not be lulled into a false sense of security that, by ticking the relevant boxes, they are secure. The reality is that adherence to NIS2 principles will strengthen defences, but that does not always equate to being secure.

Manufacturing organisations should use NIS2 as a guide to minimise their cyber risk, not as the de facto standard. The onus has to be on every organisation to implement secure working practices that protect their infrastructure and the sensitive data and critical systems it contains.

Preventing cyber incidents requires full visibility into all assets and exposures, extensive context into potential security threats, and clear metrics to objectively measure cyber risk. Organisations that can anticipate cyber attacks will be the ones best positioned to defend against today’s emerging threats.
