Written by Laurent Dupont
In the fifth episode of The Wide Open, we welcome two experts, Jasper Hooft and Thomas Dejagere, who delve deeper into the NIS2 Directive within the industrial sector.
The term ‘industry’ used here encompasses a diverse range of manufacturing companies in industries such as food, waste processing, chemicals, energy, and more.
09/02/2024
Within these companies, Operational Technology systems (abbreviated to OT) are a critical part of operational processes. We invited Jasper to help us understand the complexity of the NIS2 Directive in connection with the security of OT systems. With years of experience as an automation engineer under his belt and his involvement in the creation of countless factories, he brings a wealth of practical knowledge. In addition, Jasper has thoroughly studied cybersecurity and currently holds the title of Head of Operations at Toreon.
Security within OT environments is often viewed bottom-up. At some point, however, this bottom-up approach needs to coincide with the top-down security strategy, which is usually driven by IT. That’s why we welcome Thomas Dejagere. As one of our Chief Information Security Officers (CISOs), Thomas has a strong focus on developing IT-level security strategies.
OT must run 24/7 and IT only during business hours.
OT follows different rules than IT. Let’s take a simple example that everyone can relate to: the patching of systems. In the IT world, patching is something that needs to happen when system updates are needed, often outside of business hours. There will always be bugs that need to be fixed. In an OT environment, on the other hand, things aren’t that simple.
Continuity is one of the most critical aspects in OT. It’s not just about updating systems; the production process must remain operational at all times. In OT, security is usually managed from the bottom up. At some point, this bottom-up approach needs to be aligned with the top-down security strategy that IT implements.
The need for OT systems to stay operational 24/7 requires a different mindset when it comes to risk and mitigation, and this is where the bridge between OT and IT has to be built.
Availability is another crucial difference. While OT systems must remain operational at all times, IT often only runs during business hours for five days a week. With OT, availability takes precedence, while IT focuses on the integrity and confidentiality of data.
The bridge between OT and IT and a good collaboration between those teams are paramount.
To optimally secure their OT environment, organizations need to take 5 steps:
To determine which processes are critical, organizations must:
With a NIST framework, money is spent where it has the most impact.
The above 5 NIST functions are closely linked to the cybersecurity framework developed by the Center for Cybersecurity Belgium (CCB). The CCB monitors cybersecurity and is responsible for increasing the country’s security maturity, including drafting relevant legislation.
The CCB plays a crucial role in the implementation of the NIS2 legislation, with cybersecurity fundamentals serving as a guideline. These fundamentals are not just considered best practices and industry standards; they also serve as a framework for risk management and governance.
Governance
Within the context of NIS2, a sound governance structure is critical. Identifying risks at different levels, such as detection and protection levels, will become crucial to ensure the effective implementation of NIS2.
A structured approach, as suggested by the ISO 27001 framework, is recommended to meet the requirements of NIS2 and to gain international recognition. This framework provides a governance structure that integrates risk management and can be adapted to different contexts, such as IT environments with ISO 27002 and OT environments with IEC 62443.
The implementation process follows a holistic approach, starting with a governance standard such as CyFun or ISO 27001 and a continuous improvement cycle. The link with various control frameworks, such as ISO 27002 for IT and IEC 62443 for OT, provides a detailed strategic and tactical architecture.
Threat modeling
Threat modeling, a methodology often described as ‘whiteboard hacking’, is a key element of this approach. It provides a theoretical approach to conduct risk analysis on both IT and OT environments, focusing on business risks. This methodology helps understand risks at management level, making it easier to budget.
Should every site be the same? No. Every site needs to be secure.
Although everything seems to fit together nicely in theory, implementing a framework in an OT environment is much more complex in practice. This is especially true in large manufacturing companies or organizations with multiple operational sites.
You can create a reference architecture and adapt it to specific locations, which creates a baseline. What is the takeaway? Standardize where possible, but also accept that uniformity is often not feasible across all sites.