Is your OT software a risk? Here's how to tell

Does your OT cybersecurity strategy include routine software and hardware updates? If not you could be risking a fine of €10 million or 2% of global annual turnover¹.

Why? Simple. By October 2024, all EU member states must have passed the EU’s Revised Network and Information Security Directive (NIS2) into law. And the new directive specifies fines of either €10 million or 2% of global annual turnover for organizations in breach of its rules. One of those rules clearly states that organizations that fall under the directive must have cybersecurity policies that include: 

“…cyber hygiene policies comprising of a common baseline set of practices, including software and hardware updates…”

More organizations than ever before are covered by the updated directive. This includes entirely new sectors such as telecoms, chemicals, wastewater, and food — all deemed either “essential” or “important” to the security and economic life of the EU. Article 7 of NIS2 further reinforces the fact that more organizations than ever will be impacted by the new directive: 

“The national cybersecurity strategy shall include strengthening the cyber resilience and the cyber hygiene baseline of small and medium-sized enterprises, in particular those excluded from the scope of this Directive…”

Bottom line? Almost every organization that runs operational technology in the EU needs to start thinking now about getting NIS2 ready or risk the consequences of a breach.  

Why are software updates a risk under NIS2? 

Operational technology (OT) organizations, whether manufacturers or infrastructure providers, often have hundreds or even thousands of devices on site. A recent report by McKinsey estimated that some energy installations have as many as 30,000 connected devices².

Many of those devices may also contain smart, connected components including variable frequency drives, industrial switches, programmable controllers, industrial PCs, and so on. All these components may also have their own software and hardware.

Even smaller installations, including ones with relatively small production environments, may have hundreds of OT devices, unmapped and unmanaged. And if even one of these devices is running out-of-date software and that leads to a data breach, operational outage, or other significant problem, that’s a potential breach of NIS2, and subsequential fine.

How to mitigate risk and stay on the right side of NIS2

The easiest way to mitigate the risk posed by out-of-date software, is to work with an IT cybersecurity specialist. The best way to do that is with a subscription that covers maintenance and updates.

With the right maintenance subscription, you get:

• Instant access and push-installation of the latest software and firmware updates, which helps keep a pulse on the dynamic OT cybersecurity threat landscape. Instant access to the latest software and firmware updates is crucial because it helps ensure that security patches and enhancements are applied as soon as they become available. This immediacy can significantly reduce the window of opportunity for cyber attackers to exploit known vulnerabilities. Push-installation further streamlines this process by automating the update deployment, confirming that all devices within the OT environment remain at their highest security posture without requiring manual intervention. 
• Support from industry-leading security engineers and consultants: the complexity and specificity of OT systems demands a high level of expertise to navigate their unique security challenges. Access to industry-leading OT security engineers and consultants provides organizations with a wealth of knowledge and experience to draw upon. These experts can offer tailored advice, from strategic planning to incident response, helping ensure that security measures are not only compliant with the NIS2 directive but also aligned with best practices and the latest research in the field. Their support can be instrumental in identifying potential vulnerabilities, recommending mitigation strategies, and enhancing the overall resilience of OT environments against cyber threats.
• Tools that make finding and securing all your devices easy and fast: these tools enable organizations to maintain an up-to-date inventory of their OT assets, monitor their status in real-time, and swiftly identify any irregularities that could indicate a security breach. By simplifying the process of securing OT devices, these tools not only enhance operational efficiency but also confirm that all components and equipment, regardless of their role or location within the network, are adequately protected. 

To get you ready for NIS2, the right OT/IT consultant will help you audit your network to find any hardware, firmware, or software risks. They’ll then work with you to plug these gaps, document your security and compliance work, and bring you up to code for NIS2. 

Rockwell Automation is one of the market’s leading providers of OT security, compliance, and risk management services. Our specialists, consultants and engineers have the tools, experience, and technology to help you get ready for NIS2. That includes everything from formulating compliant policies and procedures, through rapidly discovering and updating obsolete software and firmware, network wide, right up to the task of hardening and documenting your security posture for NIS2 compliance. 

To find out how Rockwell Automation can help with your cybersecurity hygiene including having your software and firmware up to date and address the many other aspects of hardening your OT cybersecurity posture in preparation for NIS2, get in touch with us now.

¹https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs

²https://www.mckinsey.com/mgi/overview/in-the-news/by-2025-internet-of-things-applications-could-have-11-trillion-impact