NIS2: what does it mean and how do you become compliant?

In the fifth episode of The Wide Open, we welcome two experts, Jasper Hooft and Thomas Dejagere, who delve deeper into the NIS2 Directive within the industrial sector.

The term ‘industry’ used here encompasses a diverse range of manufacturing companies in industries such as food, waste processing, chemicals, energy, and more.

09/02/2024

Full video: 41 min

Within these companies, Operational Technology systems (abbreviated to OT) are a critical part of operational processes. We invited Jasper to help us understand the complexity of the NIS2 Directive in connection with the security of OT systems. With years of experience as an automation engineer under his belt and his involvement in the creation of countless factories, he brings a wealth of practical knowledge. In addition, Jasper has thoroughly studied cybersecurity and currently holds the title of Head of Operations at Toreon.

Security within OT environments is often viewed bottom-up. At some point, however, this bottom-up approach needs to coincide with the top-down security strategy, which is usually driven by IT. That’s why we welcome Thomas Dejagere. As one of our Chief Information Security Officers (CISOs), Thomas has a strong focus on developing IT-level security strategies.

Why is OT security so different from IT security?

Excerpt #1

“OT must run 24/7 and IT only during business hours.”

OT follows different rules than IT. Let’s take a simple example that everyone can relate to: the patching of systems. In the IT world, patching is something that needs to happen when system updates are needed, often outside of business hours. There will always be bugs that need to be fixed. In an OT environment, on the other hand, things aren’t that simple.

Continuity is one of the most critical aspects in OT. It’s not just about updating systems; the production process must remain operational at all times. In OT, security is usually managed from the bottom up. At some point, this bottom-up approach needs to be aligned with the top-down security strategy that IT implements.

The need for 24/7 operational OT systems requires a different mindset when it comes to risk and mitigation, and this is where the bridge between OT and IT has to be built.

Availability is another crucial difference. While OT systems must remain operational at all times, IT often only runs during business hours for five days a week. With OT, availability takes precedence, while IT focuses on the integrity and confidentiality of data.

The NIST Cybersecurity Framework

Excerpt #2

“The bridge between OT and IT and a good collaboration between those teams are paramount.”

To optimally secure their OT environment, organizations need to take 5 steps:

  1. Identify
    The very first step is about identifying the assets within the OT environment. This includes the various equipment and systems that are part of the operational processes. An accurate inventory is the basis for effective security.
  2. Protect
    The second step centers on the implementation of protective measures. Think of preventive measures such as firewalls, antivirus software and regularly updating systems. In the context of OT, specific reference is made to the ISO 27001 standard and the IEC 62443 standard to assess risks and put in place appropriate security levels.
  3. Detect
    The third function in the cybersecurity process is detection. The focus here is on monitoring both the external and the internal perimeter. A zero-trust approach that does not consider the internal network as secure by default is recommended. Detection tools such as Nozomi, Claroty, Darktrace and Defender for IoT are essential in this step.
  4. Respond
    What if an incident occurs? Then a quick and well-thought-out response is vital. In the ‘respond’ step, actions are taken to stop the spread of the incident and mitigate damage. The Security Operations Center (SOC), an essential entity that specifically focuses on OT, comes into the picture at this stage. A sidetrack in this phase involves the rapid recovery from operational disruptions, with specific attention to business continuity in factory environments.

    To determine which processes are critical, organizations must:
    • map out their assets;
    • identify the associated business processes;
    • and perform a business impact analysis.

  5. Recover
    The recovery stage takes effect after the Respond step. Based on the previously performed business impact analysis, a decision is made as to which aspects or OT systems should be restored first. Restoring your organization quickly and in a targeted manner minimizes downtime and resumes normal business operations.
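The Identify, Respond and Recover steps above all hinge on the same inputs: an asset inventory, the business processes each asset supports, and a business impact analysis (BIA) that says how critical each process is. The following example, added here and not part of the original article or any Toreon tooling, shows how those inputs can drive a restore order: prerequisites (e.g. the SCADA server a PLC reports to) come first, then the shortest recovery time objective (RTO), then the highest impact. All asset names, processes and scores are constructed sample data.

```python
"""Derive an OT recovery order from an asset inventory and a BIA (constructed example)."""

# Constructed inventory: each asset, the business process it supports,
# and the assets that must be back before it can be restored.
ASSETS = {
    "plc-mixer-01": {"process": "mixing", "depends_on": ["hist-01", "scada-01"]},
    "plc-packaging": {"process": "packaging", "depends_on": ["scada-01"]},
    "scada-01": {"process": "supervision", "depends_on": ["hist-01"]},
    "hist-01": {"process": "supervision", "depends_on": []},
    "hmi-lab": {"process": "quality-lab", "depends_on": []},
}

# Constructed BIA per business process: impact (higher = more critical)
# and recovery time objective in hours (lower = must be back sooner).
BIA = {
    "mixing": {"impact": 9, "rto_hours": 4},
    "packaging": {"impact": 7, "rto_hours": 8},
    "supervision": {"impact": 8, "rto_hours": 2},
    "quality-lab": {"impact": 3, "rto_hours": 48},
}


def assets_without_bia(assets, bia):
    """Identify step check: assets whose process has no BIA entry cannot be prioritized."""
    return sorted(n for n, a in assets.items() if a["process"] not in bia)


def recovery_order(assets, bia):
    """Restore order: dependencies first, then by (RTO ascending, impact descending)."""
    def priority(name):
        p = bia[assets[name]["process"]]
        return (p["rto_hours"], -p["impact"], name)

    order, done = [], set()

    def visit(name, path):
        if name in done:
            return
        if name in path:  # a cycle means the inventory is wrong, not the ordering
            raise ValueError(f"dependency cycle involving {name}")
        path.add(name)
        for dep in sorted(assets[name]["depends_on"], key=priority):
            visit(dep, path)
        path.discard(name)
        done.add(name)
        order.append(name)

    for name in sorted(assets, key=priority):
        visit(name, set())
    return order
```

Running `recovery_order(ASSETS, BIA)` restores the historian and SCADA server before any PLC even though supervision is not the highest-impact process, because the PLCs depend on them.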

NIST functions in the cybersecurity fundamentals

Excerpt #3

“With a NIST framework, money is spent where it has the most impact.”

The above 5 NIST functions are closely linked to the cybersecurity framework developed by the Center for Cybersecurity Belgium (CCB). The CCB monitors cybersecurity and is responsible for increasing the country’s security maturity, including drafting relevant legislation.

The CCB plays a crucial role in the implementation of the NIS2 legislation, with cybersecurity fundamentals serving as a guideline. These fundamentals are not just considered best practices and industry standards; they also serve as a framework for risk management and governance.

Governance

Within the context of NIS2, a sound governance structure is critical. Identifying risks at different levels, such as detection and protection levels, will become crucial to ensure the effective implementation of NIS2.

A structured approach, as suggested by the ISO 27001 framework, is recommended to meet the requirements of NIS2 and to gain international recognition. This framework provides a governance structure that integrates risk management and can be adapted to different contexts, such as IT environments with ISO 27002 and OT environments with IEC 62443.

The implementation process follows a holistic approach, starting with a governance standard such as CyFun or ISO 27001 and a continuous improvement cycle. The link with various control frameworks, such as ISO 27002 for IT and IEC 62443 for OT, provides a detailed strategic and tactical architecture.

Threat modeling

Threat modeling, a methodology often described as ‘whiteboard hacking’, is a key element of this approach. It provides a structured way to conduct risk analysis on both IT and OT environments, focusing on business risks. This methodology helps management understand risks at their level, making it easier to budget.

Building bridges between IT and OT

Excerpt #4

“Should every site be the same? No. Every site needs to be secure.”

Although everything seems to fit together nicely in theory, implementing a framework in an OT environment is much more complex in practice. This is especially true in large manufacturing companies or organizations with multiple operational sites.

You can create a reference architecture and adapt it to specific locations, which creates a baseline. What is the takeaway? Standardize where possible, but also accept that uniformity is often not feasible across all sites.

Written by Laurent Dupont

Do you have a specific question about NIS2?

Contact us, our security experts would be happy to assist you.