12 March 2024

Implementation of NIS2 is about targets and priorities

By Eric ten Bos, co-founder & technical lead of the Thales Cyber OT Convergence Center (OTCC) at Thales Netherlands

New and tighter security legislation is heading our way in the form of the new Directive on security of network and information systems (NIS). Since ever more economic sectors fall within the scope of this Directive, companies with a lot of operational technology will have to comply. Use the requirements set out in NIS2 to set concrete targets and priorities, not only to ensure that you are compliant, but also to strengthen your digital resilience.

At the end of December 2022, the European Parliament adopted the new NIS Directive. We speak of NIS2 because the first version dates from 2016. The EU and the Member States now regard the NIS from 2016 as insufficient, and so the EU has drawn up a set of additional rules, called NIS2. An additional set of rules does not sound very alarming. It is a fact, however, that the impact of NIS2 is considerably greater than that of the original Directive. It is therefore necessary that you, as an organisation, identify in good time how your situation will change, before NIS2 is transposed into national legislation, which will be by October 2024 at the latest.

Essential or important?
What is immediately striking is that the number of sectors that will have to take the legislation into account has increased considerably. Companies that currently fall under the NIS are, for example, utilities, care providers, and (digital) service providers, such as cloud providers. NIS2 has expanded the scope to sectors such as telecoms, social media platforms, the food industry and public administration. Organisations in these sectors are divided into two groups, a distinction that makes a great difference to how NIS2 is applied to them. It concerns:

  • Providers of essential services, who will be faced with a form of proactive supervision. Here, you can think of parties that are active in the vital sectors, such as energy and healthcare.
  • Providers of important services, which fall under a reactive regime. Authorities only take action when a security incident happens. This concerns companies and institutions where an interruption of services does not lead to social disruption.

Regardless of the sector in which they operate, organisations with a turnover of more than 10 million euro and more than 50 employees will fall under this new legislation. Many organisations in the production industry will therefore fall into a new category of NIS2 and have to understand the consequences.

Supply chain monitoring
Another striking and far-reaching aspect of NIS2 is the fact that, as an organisation, you will have to monitor the security level of your partners, such as suppliers. You have to assess to what extent they meet NIS2 as well. This is a logical development when you consider that partners in complete supply chains are digitally connected to each other. They exchange information seamlessly and link applications with processes. A vulnerability at partner X thus results in substantial risks for partner Y.

Of course, this also applies to technology partners, such as suppliers of access passes or cloud applications. A leak or a hack at such a supplier may lead to problems throughout the chain, as has been seen in the past. With this paragraph in NIS2, incidents such as these should be a thing of the past.

Access passes are also frequently used in industrial environments, for physical access to a location but also for unlocking digital workstations. In addition, parties often work with knowledge partners as part of research and development, so you will want to know whether these partners have also arranged their security properly.

The standard reaction is to cover the responsibilities formally through back-to-back contracts. That solves the compliance issue, but as described in an earlier article, compliance should be the result of sound measures. Enter into talks with suppliers about measures that result in better cyber resilience. Ask suppliers, for example, to:

  1. pursue an active patching policy,
  2. build in functionality for forwarding security log information,
  3. build in role-based working where possible,
  4. build in safe provisions for remote maintenance.

A recent example was a data breach at a software supplier of market research company Blauw, which also affected customers of Dutch rail company NS and health insurer CZ. This event shows how great the dependence on the supply chain is. It is important to discuss this kind of scenario in advance with suppliers and to specify measures.

How to start
It is important that organisations see NIS2 as an opportunity to improve digital resilience and not as ‘another new law’ imposed by ‘Brussels’. Be aware that the threat landscape has become more extensive and more complex: ransomware is still a threat and state actors are trying to get their hands on business intelligence. But where to start? To answer this question, you first identify where your most valuable assets are, and therefore the greatest risks. For production companies, this means conducting a risk analysis according to the IEC 62443 standards framework and identifying which security level target (SLT) is feasible. This enables you to determine the targets you want to pursue on your way to improving cyber security, and helps you achieve NIS2 compliance. Such a target could be, for example, optimum protection against cyber attacks. Then you can invest in identity & access management. When you have these measures in place, you can focus more on detection of security incidents, and security discovery solutions then become a priority. Set targets, determine priorities, and get to work.

This task is different for every enterprise, but you can rely on knowledge in the sector. A lot of knowledge is already available, especially where companies with a lot of operational technology are concerned. Use this knowledge and take action.

Are you interested in how Thales can help you prepare your business to comply with NIS2? Contact us at cyberdefencesolutions@thalesgroup.com