The NIS2 Directive

Europe is committed to cybersecurity.

How does it affect us?

The NIS2 Directive is an update of the original NIS Directive, adopted by the European Union to improve the cybersecurity of member states.

1. Who is affected?

NIS2 expands the scope, incorporating more sectors.

Highly automated sectors such as Energy (Gas, Electricity, Oil, Hydrogen), Chemicals, Transportation, Water, Waste Management, Parcels and Food are particularly affected when they operate OT networks.

2. When does it become effective?

NIS2 was approved in November 2022, and became effective on January 16, 2023.

Member States shall adopt and publish the measures necessary to comply with the NIS2 by October 17, 2024.

Effective October 18, 2024.

3. Stricter Security Requirements

NIS2 introduces more stringent security requirements. Companies will have to implement appropriate technical and organizational measures to manage IT/OT security risks. These include:

  • Periodic risk assessments.
  • Technical security measures, encryption and multifactor authentication.
  • Incident management policies.
  • Cybersecurity training and awareness for staff.

4. Incident Reporting is mandatory

Companies must report any incident that has an impact on the provision of their services, whether they are classified as essential or important entities. Incidents must be reported to the competent CSIRT within 24 hours.

5. More Severe Sanctions

Sanctions for non-compliance are more severe than under the original directive: fines can reach up to 2% of annual turnover, depending on the seriousness of the infringement and the economic capacity of the organization.

6. Collaboration and Information Sharing

NIS2 promotes greater collaboration and information exchange between member states, companies and national authorities. Companies should be prepared to cooperate with other entities to improve the protection of critical infrastructure.

7. Third Party and Supplier Evaluations

Companies must assess the cybersecurity of their suppliers and third parties. This is vital where dependency on vendors is high. Ensuring that these suppliers comply with security requirements is essential for the protection of the entire network.

8. Executive Leadership Responsibility

Executives and boards of directors should be involved in, and held accountable for, the implementation and oversight of cybersecurity strategies. Adequate resources should be allocated, and cybersecurity policies and procedures should be supervised at that level.


What can we do?

Broadly speaking, a series of basic OT cybersecurity measures based on the IEC 62443 standard should be implemented to achieve these objectives:

  1. Network Segmentation: Divide the OT network into separate segments based on the criticality of the systems, and use NGFW firewalls to control and limit traffic between network segments.
  2. Access Control: Implement strict access policies so that only authorized personnel can gain access, and use multi-factor authentication (MFA) for access to critical systems.
  3. Intrusion Monitoring and Detection: Deploy monitoring and intrusion detection systems designed for OT environments that identify anomalous activity and possible intrusions in real time. In large companies, create a Security Operations Center (SOC) to monitor the OT network.
  4. Patch and Upgrade Management: Keep OT systems updated with the latest security patches, both at the OS level and in OT applications (SCADA, PLCs, etc.). Perform exhaustive testing before applying patches in production environments to avoid outages.
  5. Malware Protection: Use anti-virus and anti-malware software on all OT systems and implement device controls to block unauthorized USB devices.
  6. Data Backup and Recovery: Implement backup and recovery solutions to ensure operational recovery in case of incidents.
  7. Encryption: Encrypt data in transit and at rest to protect the confidentiality and integrity of information. Use secure OT protocols such as OPC UA.
  8. Incident Management: Develop and test an OT-specific incident response plan covering incident identification, containment, eradication and recovery procedures, and conduct regular cyber-attack drills.
  9. Education and Awareness: Train personnel in secure practices and in identifying computer threats, and foster a culture of cybersecurity within the organization.
  10. Risk Assessments and Audits: Conduct regular risk assessments to identify vulnerabilities and potential threats, and conduct security audits to verify compliance with policies and the effectiveness of the implemented security measures.
  11. Physical Security: Ensure facilities are physically protected against unauthorized access and implement physical access controls, such as access cards and camera surveillance.

Conclusion

We must remember that a system patched at both the operating-system and industrial-application level is far less vulnerable, and the probability of incidents on it is very low.

Each of these 11 measures is a layer of security that we add to our protection; obviously, the more layers of protection you have, the better protected you are.

Effective implementation of NIS2 measures is not just about avoiding sanctions.

It is about strengthening the ability of your business to survive a cyber-attack, protecting critical infrastructures that are vital to society.

Leopoldo Ferrer

ICS/SCADA Blue Dragon
