10 February 2025

OT deserves its own CISO – NIS2 calls for specific security knowledge in operational technology

By Eric ten Bos, Co-Founder & Technical Lead of the Thales Cyber OT Convergence Center (OTCC).

NIS2 is crystal clear about what needs to be done; defining the 'how' is something your organization must determine. Focus your efforts on increasing cyber resilience, and compliance will follow naturally. This approach will embed security deeply within your organization, especially for those with extensive operational technology infrastructure. It is advisable for such organizations to appoint a CISO (chief information security officer) specifically for OT to steer this process effectively.

It has been over a year since the European Union established the Network and Information Security Directive (NIS2 directive). The directive focuses on strengthening the digital and economic resilience of European member states. Member states are now required to translate this directive into national legislation.

Non-compliance is a business risk

Start by identifying the biggest business risks, bearing in mind that non-compliance itself is already a business risk. Identifying these risks seems obvious, but they sometimes lurk in unexpected corners. Consider:

  • Which assets are essential for the production process?
  • Which R&D information do you absolutely want to keep hidden from competitors?
  • Which business applications are necessary for employees to do their daily work?

Need to report

Using the NIST (National Institute of Standards and Technology) Cybersecurity Framework as a guide can be helpful. This framework consists of the following five functions:

  • Identify: Expose the cybersecurity risks that affect systems, assets, and data. Based on this, develop a risk management strategy that aligns with the organization's business objectives.
  • Protect: Develop and implement appropriate safeguards to ensure business continuity, ranging from identity and access management to secure connectivity and endpoint protection.
  • Detect: Detect cybersecurity incidents in a timely manner, for example with a Security Operations Center.
  • Respond: After detecting an incident, do everything you can to isolate the threat and mitigate its impact. In the event of a serious breach, you will need to inform authorities and partners. Also, conduct analyses to determine impact and cause.
  • Recover: Focus on restoring affected services and systems. You have a backup and recovery plan in place, right?

These five functions give your organization a solid foundation and a clear framework to demonstrate progress toward NIS2 compliance. Since the NIS2 directive explicitly requires reporting on the security measures you are taking and how you implement them, this framework becomes an invaluable tool. Authorities will also expect this information in the event of incidents.

CISO in the OT environment

Organizations heavily involved in operational technology, such as in industry or utilities, have an additional challenge. In IT, you can monitor and manage all data, assets, and systems remotely. In OT, this is much more difficult. Machines and installations often feature various types of hardware. While you can monitor performance remotely with sensors, you need 'boots on the ground' to check the machines, for example to see whether the firmware is still up to date. This stands in contrast to the goal of production environments to automate processes and handle as many procedures as possible without operators. To keep an overview of all security measures and maintain control, it is advisable to appoint an officer for the OT environment, similar to the CISO in the IT environment. Currently, a site or plant manager performs this task in OT; however, a cybersecurity expert is truly needed to achieve cybersecurity in the context of NIS2.

The conclusion? Do not wait to work towards NIS2 compliance, and do not look at NIS2 solely from a compliance perspective. Rather, see it as the opportunity to become more digitally resilient; compliance will follow naturally. There is no blueprint for any organization to get there. Start now and know that you can learn more as you go. By appointing a Corporate OT Security Officer (COSO), your organization can achieve the much-needed acceleration in cyber resilience.