Addressing New ICS/OT Cybersecurity Regulations
How to achieve a successful and efficient programmatic response to the current and future regulatory environment for ICS/OT cyber security.Learn More
Subscribe to stay in the loop with the latest OT cyber security best practices.
While an increasingly digitized world and interconnectivity bring enormous opportunities for cyber-related threats, the tenth edition of ENISA’s Threat Landscape reports cybersecurity attacks continued to increase in the second half of 2021 and 2022, not only in terms of vectors and numbers but also in terms of their impact. The complexity and scale of cybersecurity incidents are growing, as is their economic and social impact, and we’ve seen a new paradigm brought by the Russia-Ukraine crisis that further impacts critical infrastructure. Due to these circumstances, the European Union recently adopted the revised version (“NIS2”) of the Network and Information Security Directive (“NISD”), which provides legal measures to improve the overall level of cybersecurity in the EU, and among others, the EU-wide cooperation on incidents and threats.
NISD became the first EU-wide legislation on cybersecurity and the policy was adopted in 2016 to implement risk management and incident reporting obligations for specific entities. Also because of NISD, there today is a better understanding of the state of cybersecurity across Europe. The graph below was published by the EU Cybersecurity Agency (ENISA) and shows the damage related to the last single security incident experienced by the surveyed organisations.
ENISA’s 2021 NIS Investment Report reveals the average budget for NIS Directive implementation projects was approximately €175k and almost half of the organisations allocated €100k-€250k. When implementing the NIS Directive, 64% of surveyed organisations procured security incident & event log collection solutions, as well as security awareness & training services. NIS2 is further adopting new measures and widening the scope of rules.
Currently, the directive is being prepared for official publishing by the EU parliament. It will then be adopted by national legislative bodies across the EU Member states and come into effect no later than 2024.
NIS2 is part of the EU’s cybersecurity strategy between 2020-2025 and coherently complemented by other policies. Especially relevant for operational environments is the Critical Entity Resilience (CER) directive which is closely interrelated with NIS2. Also, the EU Cyber Resilience Act (CRA) has significant consequences for vendors and service providers of operational equipment.
Transposited in parallel to the NIS2 Directive, together they address current and future online and offline risks, from cyberattacks (NIS) to physical attacks and natural disasters (CER). The CER directive is, like NIS2, currently in final publication state. CER focuses on physical rather than digital resilience measures for critical entities. National authorities perform reviews and assess the effectiveness and accountability of the risk management process, they can also provide significant support to entities.
EU Cyber Resilience Act (CRA):
Is a legislative proposal to regulate a broad range of digital devices, their hardware, and solutions with embedded software and applications. It imposes obligations on manufacturers, importers, and distributors of these products across their life cycles. It also defines essential requirements for the design, development, production and operation of digital products and adds requirements for vulnerability and incident handling for manufacturers and obligations for operators.
NIS2 is the successor of the NIS Directive (NISD), which was the first EU-wide legislation on cybersecurity. It was published in 2016 and local application came into effect in 2018 from the national interpretations of NISD, we know that operational technology was in scope at least for the energy sector. All entities in scope, including their significant connected subcontractors, software, and service providers, should act now to prepare for compliance.
The entities in scope, including their significant connected subcontractors, and software and services providers, should act now to prepare for compliance.
When NIS2 becomes effective, all entities are obligated to report severe security incidents, undergo increased supervision, and ensure far-reaching organizational and technical measures are in place.
NIS2 comes with increased security requirements over NISD:
Is OT security in scope of the NIS2 Directive?
With the extension of the sectors in scope to include manufacturing, it could be assumed the operational domain is covered by NIS2. However, OT Security has not been explicitly mentioned in any regulation. This changed in the 4th quarter of 2022. Several papers from EU regulators appeared, that explicitly include operational environments as part of the regulated cyberspace:
Even when not explicitly mentioned, it can be assumed that operational technology is going to be in scope for NIS2. The character of digital threats but physical impact make OT Security a hybrid between the NIS and CER Directive.
What does that mean for the entities in scope?
We know there is already a skills shortage in cybersecurity and especially for OT, but there is a notorious lack of experts with a combined industrial operational risk understanding and security expertise. Entities and regulators will have to find ways to identify and evaluate the most efficient, automated, and integrated approaches for continuous and active management of risks, including OT. NIS2 will require organizations to understand their risks and actively manage their security measures. A one-time, project-based security investment into a single-dimensional technology without proper management integration will not be sufficient to cover the increasing requirements of multiple directives. A checklist for OT security technology evaluations can be found at the end of the document.
The checklist below serves as a guide to understanding if you’re in scope and what topics are regulated:
NIS2 introduces a new classification of entities in scope. If you’re considered essential, regulatory requirements will be slightly tighter than for important entities. Check the two lists below to see if you are considered in scope, and in which classification category. Subsectors with potential OT security-related regulation are marked with a cross, sectors without industrial environments are not covered in detail, and they are mentioned in brackets.
If your sector is considered essential, you might even be considered a critical entity by the CER directive. In this case, you will be also contacted by local authorities.
Industries classified as Essential Sectors in scope of NIS2
|Energy||Electricity||Energy supply, selected Distribution System Operators, selected Transmission System Operators, selected Electricity Producers, nominated Electricity Market Operators and selected participants||X|
|Heating/Cooling||District heating or district cooling||X|
|Oil||Operators of transmission pipelines, Operators of oil production, refining and treatment facilities, storage, and|
transmission, selected Central oil stockholding entities
|Gas||Selected Suppliers, selected Distribution system operators, selected Transmission system operators, selected Storage system operators, selected LNG system operators, selected Natural gas undertakings||X|
|Hydrogen||Operators of hydrogen production, storage, and transmission||X|
|Transport||Air||Selected Air carriers, selected Airport managing bodies, Air Traffic Control Services Providers||X|
|Rail||Selected infrastructure managers, selected Railway undertakings||X|
|Water||Selected inland, sea and coastal passenger and freight water transport companies, selected Managing bodies of|
ports, selected Operators of vessel traffic services
|Road||Selected Road authorities, selected Delegated traffic management control regulations, selected Operators of|
Intelligent Transport Systems
|Health||Pharma, Manufacturing, Laboratories, Services||Selected Entities manufacturing medical devices considered as critical during a public health emergency, selected Healthcare Providers, EU reference laboratories, selected Entities carrying out research and development activities of medicinal products, selected Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.||X|
|Water||Drink||Selected suppliers and distributors of water intended for human consumption, excluding those with majority of other general activity||X|
|Waste||Selected undertakings collecting, disposing, or treating urban, domestic, and industrial wastewater when essential part of the business.||X|
|Space||Infrastructure, Services||Selected Operators of ground-based infrastructure, owned, managed, and operated by Member States or by private parties, that support the provision of space-based services.||X|
|(Digital Infrastructure)||(eg. selected providers of public electronic communications networks and services, Data Center Service|
Providers), selected medicinal products, selected cosmetics, tobacco, narcotics,
|(Banking and Financial Markets)|
Subsectors classified as Important Entities in scope of NIS2
|Postal and courier services||Selected postal service providers||X|
|Waste management||Selected entities, carrying out waste management but excluding undertakings for whom waste management is not their principal economic activity||X|
|Food production, processing, distribution||Any food and drink business. Not a foot business ise. feed, live animals unless for human consumption, plants|
|Manufacturing||Chemicals||Selected undertakings carrying out the manufacture, production and distribution of substances and articles.||X|
|Manufacturing||Medical Devices||Entities manufacturing medical devices||X|
|Manufacturing||Computer, electronic and optical products...||Entities that manufacture computers, electronic and optical products, electronic components and boards, loaded electronic boards, computers and peripheral equipment, communication equipment, consumer electronics, instruments and appliances for measuring, testing and navigation; watches and clocks, irradiation, electromedical and electrotherapeutic equipment, optical instruments and photographic equipment, magnetic and optical media||X|
|Manufacturing||Electrical equipment...||Entities that manufacture electrical equipment, electric motors, generators, transformers and electricity distribution and control apparatus, batteries and accumulators, wiring and wiring devices, fiber optic cables, other electronic and electric wires and cables, wiring devices, electric lighting equipment, domestic appliances, non-electric domestic appliances, other electrical equipment||X|
|Manufacturing||Manufacture of machinery and equipment n.e.c.||Entities that manufacture general-purpose machinery, engines and turbines (except aircraft), vehicle and cycle engines, fluid power equipment, other pumps and compressors, taps and valves, bearings, gears, gearing and driving elements, other general-purpose machinery, ovens, furnaces and furnace burners, lifting and handling equipment, office machinery and equipment (except computers and peripheral equipment), power-driven hand tools, non-domestic cooling and ventilation equipment, other general-purpose machinery n.e.c, agricultural and forestry machinery, metal forming machinery and machine tools, other special-purpose machinery, machinery for metallurgy, machinery for mining, quarrying and construction, machinery for food, beverage and tobacco processing, machinery for textile, apparel and leather production, machinery for paper and paperboard production, plastic and rubber machinery, other special-purpose machinery n.e.c.||X|
|Manufacturing||Motor vehicles, trailers, and semi-trailers||Entities that manufacture motor vehicles, trailers and semi-trailers, bodies (coachwork) for motor vehicles, parts and accessories for motor vehicles, electrical and electronic equipment for motor vehicles, other parts and accessories for motor vehicles||X|
|Manufacturing||Transport equipment||Entities that manufacture transport equipment, ships and boats, ships and floating structures, pleasure and sporting boats, railway locomotives and rolling stock, air and spacecraft and related machinery, military fighting vehicles, transport equipment n.e.c., motorcycles, bicycles and invalid carriages, other transport equipment n.e.c.||X|
You may still be impacted if:
If you’re unsure, entities can reach out to ENISA for clarification. The EU agency will create and maintain a registry for essential and important entities for NIS2.
Member states can exclude areas of defense, national security, public security or law enforcement from the directive.
For the two main types of entities and with a focus on industrial environments, only medium and large enterprises are in scope.
If at this point, you are in scope, you must provide contact details:
If you are not in scope, you can still participate and report significant incidents, cyber threats or near misses on a voluntary basis.
Like NISD, NIS2 only provides a minimum mandatory set of measures to cover. These are not necessarily interconnected or even directly related. In many cases, additional steps, processes, or security functions lay in between. Security measures are not specified in detail. This is normal for EU directives; they only describe a broad outcome and allow national legislations to choose the desired level of detail they regulate. Later, there will also come an implementing regulation for NIS2 with more detailed requirements, which are binding to the Member states. The following list contains minimum mandatory areas of coverage for all entities, exceptions are mentioned. As a general rule, essential entities are subject to a stronger supervisory regime, while important entities are subject to lighter supervisory: They have no initial obligation to systematically document compliance with cybersecurity risk management requirements, up to the point of a major incident or threat happens. At that point, they will be supervised.
The image below gives an overview of the minimum required and reviewed cybersecurity measures (orange), and additional requirements (blue boxes) to be NIS2 compliant.
All entities must take appropriate and proportionate technical and organizational measures to manage the cybersecurity risks posed to the security of networks and information systems. These measures shall ensure the level of security is related to the risk presented. Especially systems that are used in the provisioning of services shall be considered. All measures and respective non-compliance is accounted for by management.
The following measures represent the minimum requirements to be covered:
Supply chain security risks are defined as the relationship between entities and their suppliers and where both, supplier and customer are targeted. Relationships can be in the digital and physical worlds.
Supply chain includes:
Quick checklist for the first steps:
Incident reporting, government support, and information sharing across entities are among the main areas of regulation. The importance of the topic is reflected in tight deadlines and can become subject to sanctions. A notification does not make the notifying entity subject to increased liability.
The process consists of these steps:
What incident to notify?
The NIS2 specification for a significant incident is expected to be related to the number of users affected by the disruption of an essential service, the duration of the incident and the geographical area affected by the incident.
Who and when to notify?
A final incident report must be sent no later than one month after the submission of the notification. It must at least include:
Quick checklist for reporting readiness:
Supervision is a national task and NIS2 substantially increases the coverage and requirements for entities. At this checkpoint, essential entities face tighter requirements than important entities. For important entities, regulatory interference and subversion are only triggered, when a severe impact or threat (or indication of one) occurs.
Member States, with their national competent authorities, are exercising their supervisory tasks in relation to the entities, and have the power to subject all entity types to:
Additional supervision to subject essential entities to:
At the EU level, ENISA develops and maintains a European vulnerability registry and a peer-review system to assess (and harmonize) member states requirements, obligations and methodology.
So far, we have looked at the regulation from the entity’s viewpoint. NIS2 regulates many aspects of the national and joint cybersecurity governance between member states, but we will focus on regulated topics that directly impact entities. The list below gives an idea of the level of detail the directive seeks to cover.
National authorities define and establish bodies for the governance of entities in scope. They oversee NIS2 regulatory compliance and will establish a single point of contact for cybersecurity and supervision. They also assure all entities share cybersecurity information that aims to prevent, detect, respond to or mitigate incidents.
Sorted by impact, competent authorities from member states exercise supervisory tasks and have the power to:
Entities should use the directive to develop and establish an OT security organization, a collaborative IT-OT approach is most effective when harmonized. The following steps can be performed if no security management is in place yet:
No matter where you are in the cybersecurity journey from a basic understanding to more mature adoption, it’s critical to significantly increase your level of defense and reliability with an end-to-end solution to assist with the cybersecurity risk and incident reporting measures.
NIS2 comes with a substantial expansion of cybersecurity risk management and governance requirements, the existing gap of security labor especially in operational cybersecurity will require effective, integrated and automated solutions to be adopted in operational environments. These solutions must be flexible enough to be adapted to different risk scenarios and organizational capabilities.
Verve’s approach delivers distinct benefits in operational environments:
Deep asset visibility – Capture visibility of all OT assets in depth (OS-based, embedded, network-based,etc.). Capture a centralized view across sites and vendors.
NIS2-relevant for granular asset visibility across countries, plants, vendor equipment, security aspects, rapid identification of all relevant assets governance-, risk or compliance management has to be applied for, provides always up-to-date base library for assets, and capability to link assets to critical processes.
Better risk management – 360-degree risk score of assets (patch, vulnerabilities, users/accounts, passwords, encryption used, AV status, etc.) in single, central console. Enables trade-offs of best risk remediation.
NIS2-relevant for defining risks and developing measures, threat-, vulnerability- and risk detection, monitoring and maintaining system and network security, incident detection, critical change detection, helps identify corrective measures for auditing and compensating controls (especially important for often limited OT environments), integration of 3rd party information like OEM vendor patch recommendations.
Rapid response and remediation with integrated actions – Integrated change, patch, configuration, software, user, and other remediation actions. Faster mean-time-to-remediation, lower patch downtime.
NIS2-relevant for active measures like threat and incident prevention and response, response orchestration capability, patch prioritization capability, increased cyber resilience, provides flexibility in developing most effective measures at OS, application or network level.
Lower labor costs – Centralize analysis of all endpoints (and integrate with enterprise IT) but enable local control over actions. Expert resources to deploy and manage.
NIS2-relevant as it allows highly effective operation models with central governance and local execution, helps with IT-OT collaboration, harmonizes security with fewer efforts, and accounts for operational and security risks.
Operationally safe & efficient – Built-in OT safeguards and operational benefits such as improved network and system reliability. Tested across all OEM vendor systems.
NIS2-relevant for providing security without introducing new operational risks.
Several regulatory requirements can be covered with technology in a semi or fully automated way. However, technology is only as good as the underlying organizational process, and the revised directive will require both entity types in scope to prepare a risk and security management that is backed by organizational processes. Simply acquiring technology as a security project is not going to be good enough with NIS2. In industrial environments, the workload is high today already, so the overall security coverage, reliability and capability to automate will mostly likely impact its success.
Verve Industrial Protection has a successful track record in assisting industrial companies to increase their maturity relative to different security standards through our professional design, and support services as well as by deploying the Verve Security Center.
How to achieve a successful and efficient programmatic response to the current and future regulatory environment for ICS/OT cyber security.Learn More
Here's how to demonstrate progress and improvement on key security metrics over time in OT cyber security environments.Learn More
Align IT and OT security initiatives to make progress against a chosen standard for an efficient and effective cyber security program.Learn More