Technology Professionals: A Guide to Cybersecurity Compliance
Jesus Molina
Why another Guide?
27 EU Member States
46 articles in the NIS2 Directive
Amount of fines: 10 EUR million or up to 2% of the total worldwide turnover of an entity for non-compliance
Deadline for transposition into national law: October 17, 2024
Introduction to NIS2 Directive
What is it?
The NIS2 Directive is an updated EU cybersecurity law that builds on the original NIS
Directive (NISD). The goals of NIS2 are to boost cybersecurity, simplify reporting, and
create consistent rules and penalties across the EU. By expanding its scope, NIS2
requires more businesses and sectors to take cybersecurity measures, with the ultimate
goal of enhancing Europe’s cybersecurity in the long run. With stricter rules to
overcome previous limitations, NIS2 will impact a wider range of industries. Entities
under NIS2 are classified as essential or important, and the directive outlines security
requirements as well as a process for incident reporting.
Timeline
Following a two-year legislative journey, consensus on NIS2 was reached in May 2022. Subsequently, it was published in the Official Journal of the European Union (OJ L 333/80) and came into effect on January 16, 2023. The deadline for transposition into national law by member states is October 17, 2024. There are other important dates that we need to be aware of as well:
Approach for OT Professionals
Affected OT sectors include energy, transport, healthcare, drinking water, wastewater, ground installations serving space-based services, and manufacturing (for mid-sized companies and larger). OT cybersecurity professionals need to read behind the lines and look at far-reaching practical implementations that will be enforced.
In this guide we avoid the obvious and discuss the practical implications of NIS2 for OT professionals: we look at legislation and standards that will be required by NIS2 in the near future, and at related and referenced works. These include the Network Codes for Cybersecurity (NCCS) and the upcoming standard that the current technical specification TS-50701 for rail is transitioning into.
Figure 3: Percentage of Cybersecurity investments by EU Organizations + UK and US for Reference in 2020
[Figure: NISD vs NIS2 scope thresholds: > 10m revenue; > 49 employees; > 43m € balance]
Manufacturing is now under NIS2
The manufacturing sector was not explicitly included in the sectors covered by the first NIS Directive. However, NIS2 has expanded its scope to incorporate the manufacturing of certain critical products such as pharmaceuticals, medical devices, and chemicals. This means that a portion of the manufacturing sector now needs to comply with the same obligations as other OT entities.
Presently, the manufacturing sector is the second-largest target of ransomware attacks with tangible consequences, leading many companies to experience production outages. Much of this vulnerability stems from improper segmentation between Information Technology (IT) and OT systems. The new legislation, NIS2, aims to enforce improved cybersecurity risk management practices. It also introduces the potential imposition of severe fines for non-compliance, encouraging entities to take their cybersecurity obligations seriously.
As a result, the manufacturing sector is advised to work urgently towards achieving a similar level of compliance as other OT verticals already impacted by the original NIS Directive. The expanded scope of NIS2 signifies the European Union's commitment to achieving a high common level of cybersecurity across a broader range of sectors, reflecting the evolving landscape of digital threats and the necessity of robust safeguards.
[Figure: OT verticals: Power, Water, Process Manufacturing, Discrete Manufacturing]
Best practices and controls for OT
professionals to comply with NIS2
Articles 21 and 23
Articles 21 and 23 are the two primary articles in the NIS2 Directive that OT
professionals need to act upon. Article 21 addresses the management of cyber risk,
while Article 23 pertains to reporting. The NIS2 Directive specifically outlines the
penalties for non-compliance with these two articles: The maximum fine is either
€10,000,000 or 2% of the entity's global annual turnover from the previous financial
year, whichever amount is greater.
Understanding how Article 21 will be implemented in OT networks is crucial. Article 21 states that, taking into account the state-of-the-art and relevant European and international standards, organizations must ensure a level of security for network and information systems appropriate to the risks posed. This is further specified in Article 25, which encourages the use of European or international standards.
To address Article 21 in the legislation, asset owners should prioritize addressing cybersecurity issues present in their OT
For mid-sized manufacturing or health care sectors, Article 21 will have a significant impact, as cybersecurity standards in these sectors are relatively weak and owners and operators in these sectors know that they will be labeled as essential and highly critical. As such, affected organizations will need to develop cybersecurity policies to comply with the directive.
Article 23 discusses reporting. Organizations must report any cyber incidents quickly – an early warning must be issued within 24 hours, followed by an incident notification within 72 hours, and a complete incident report within one month.
Additionally, operators must collaborate with established national and EU-wide organizations. EU member states will create national organizations such as Computer Security Incident Response Teams (CSIRTs) to supervise the adoption of the directive. These organizations will report to pan-European bodies such as the European Cyber Crisis Liaison Organization Network (EU-CyCLONe).
NCCS: An example of Implementing Article 21 for Operators in the Energy Sector
For OT operators in critical infrastructure, more focused standards and directives should be considered to guide compliance with Article 21, such as the upcoming Network Codes on sector-specific rules for cybersecurity aspects of cross-border electricity flows (NCCS) or sector-specific standards. NIS2 focuses on reporting, creating agencies, and imposing fines for non-compliance. As attacks and their consequences become more severe, we should expect local rules to evolve quickly. Establishing security programs that do more than the minimum currently required will be essential to staying ahead of rapidly evolving regulations.
The Network Code on Cybersecurity aims to establish a unified European standard for safeguarding the cybersecurity of cross-border electricity flows. This code includes regulations on assessing cyber risks, implementing shared minimum requirements, certifying cybersecurity for products and services, monitoring, reporting, and managing crises.
[Figure: NCCS risk determination flow: assessment of high or critical impact; High: minimum controls; Critical: advanced controls; verification]
The NCCS approach to cybersecurity involves establishing both high-impact and critical-impact perimeters based on the Electricity Cybersecurity Impact Index (ECII). This methodology is likely to categorize systems according to business consequences and reliability/safety consequences.
The minimum cybersecurity controls should be applied to both perimeters, while the critical-impact perimeter should be protected with advanced cybersecurity controls. This requires a strict separation between critical and non-critical impact perimeters, potentially at the IT/OT interface or micro-segmentation within OT around critical assets such as gas turbines and their safety systems, and utilizing advanced perimeter solutions, including hardware-enforced segmentation using unidirectional gateways. In addition, the minimum and advanced cybersecurity controls and the Electricity Controls to Standards Mapping Matrix (ECSMM) will map security controls to a selected set of international standards, such as IEC 62443. NIS2 also requires that the consequences of cybersecurity attacks be considered in risk assessments. These consequences include loss of load, reduction of power generation, loss of capacity in the primary frequency reserve, and loss of capacity for a black start.
TS 50701: An example of Implementing Article 21 for Rail Professionals
A problem that operators will face in light of Article 21 is finding relevant EU standards for their vertical. Railway and Public Transport Operators (PTOs) in 2022 saw an unprecedented number of cyber-attacks with physical consequences around the globe. In addition to the rise in the number of attacks, there was an increase in attack sophistication enabled by tools and methods now freely available on the dark web – tools that were historically seen only in the hands of state-sponsored actors.
To address this threat, TS 50701 is as of today the most comprehensive and detailed guideline for cybersecurity in rail systems, as it is derived from the IEC 62443 family of standards, with added considerations for extended security levels and safety. The European Union Commission instructed CENELEC to incorporate EU directives into this Technical Specification to address the rising number and complexity of cyber threats. TS 50701 is the security standard that resulted from this effort, specifically designed for rail networks to protect the communications, signaling, processing, rolling stock, and fixed installations domains.
As an example, the IEC 62443 standard is focused on automation and describes four
levels of network and system criticality, but in rail we also have systems that are
deemed as “safety systems,” such as the signaling system in the ground or the Train
Control Management System (TCMS) on board. TS 50701 adds an additional level of
criticality, over and above the four specified in 62443. The extra-high level in TS 50701
was added because, the specification argues, rail networks are more complex than
conventional automation networks and require an additional security level for safety
systems.
[Figure: mapping of the NIS2 Directive to IEC 62443 (IEC TC 65, IACS control zone or system) and EN TS 50701 (IEC TC 9 – AHG 20, railway); "OT" - operational technology]
US Regulation for OT
One of the catalysts for the enactment of NIS2 was the comparative lack of spending on cybersecurity in the EU as opposed to in the USA. Given this, it is worth examining US regulations and their potential impact on NIS2. The new Biden-Harris cybersecurity agenda promotes an approach to protecting critical infrastructure that is similar to NIS2. This includes increased accountability, improved reporting, and the establishment of state-wide organizations to ensure the correct implementation of cybersecurity measures.
In general, the response time of US agencies to a cyberattack is shorter than that of the EU, which could indicate future trends in standards. For instance, when the IT network at Colonial Pipeline was compromised by ransomware, the pipeline was shut down out of an "abundance of caution." As a result, the Transportation Security Administration (TSA) updated its requirements to ensure that OT systems are isolated from IT systems in the event of a cyberattack. This was intended to assure that pipelines would continue functioning at necessary capacity even if IT systems are compromised. The TSA detailed that OT and IT environments need to be independent and segregated to prevent cascading effects on OT systems in the event of an attack targeting data.
It is reasonable to expect that future regulations in the EU, the US, and other geographies will continue to evolve in similar ways, because all of these jurisdictions require robust and adaptable cybersecurity measures in a global economy that is increasingly interconnected data-wise and supply-chain-wise.
Conclusion and Recommendations
The new Network and Information Systems Directive (NIS2) focuses primarily on Information Technology (IT) and emphasizes the protection of Internet infrastructures such as DNS servers. It does not explicitly mention Operational Technologies (OT) and classifies sectors as diverse as energy and banking as equally critical. However, the mandate for taking appropriate measures and the imposition of strict accountability should prompt OT sectors to raise their cybersecurity standards.
Key takeaways for critical OT environments such as energy, transport, and water management include:
• NIS2 establishes a set of rules and minimum requirements to foster EU-wide cooperation and reporting.
• NIS2 has evolved from the original NIS Directive, including new OT verticals such as certain manufacturing sectors, and new requirements for increasing accountability and reporting.
• Article 21 encourages the use of appropriate measures based on risk, which in the case of critical infrastructures is likely to translate into the application of stricter standards and regulations.
• Article 23 requires the prompt reporting of cyberattacks, which will enhance transparency.
• Accountability provisions may include fines for businesses and direct responsibility for top company officials.
• OT operators should use as guidance enhanced EU vertical standards and guidance such as NCCS for energy and TS 50701 for rail, as well as evolving US regulations.
• The strict separation of OT and IT segments simplifies implementation of NIS2 and is consistent with NCCS, TS 50701, and new US regulations.
Fundamentally, however, compliance with NIS2 regulations does not guarantee protection against external cyberattacks, and the minimum measures outlined in NIS2 may be inadequate for OT systems, where the impact of a cyberattack could be catastrophic. Non-compliance will still trigger fines and personal accountability, but if there is a serious cyber attack on OT systems triggering loss of life or threats to public safety, the question the courts will ask is not merely "Did you do the minimum the law required?" but also "Did you implement those security and safety precautions that any reasonable person would have implemented had they been in your place?"
Due care is more than compliance. And the most important and most sensitive OT systems always demand a different approach to security, because human lives, environmental disasters and critical infrastructure services cannot be "restored from backups."