In today's fast-paced market, constantly changing consumer needs require End Users to be exceptionally flexible and adaptable. To meet these expectations, original equipment manufacturers (OEMs) must build equipment that is highly resilient and adaptable, guaranteeing maximum operational uptime and throughput.
In addition to these market requirements, EU member states had to transpose the Revised Network and Information Security Directive (NIS2) into national law by 17 October 2024. OEMs of operational technology (OT), from production systems and process-control technologies to automated control systems for water management, need to help End Users comply with the new directive. Failure to do so will make their products and services unsuitable for the EU market.
NIS2 imposes stricter cybersecurity requirements that any organization in the EU operating in the sectors it identifies must meet. To provide solutions that satisfy these requirements, and in preparation for the forthcoming Machinery Regulation's security requirements, OEMs should conduct risk assessments to identify vulnerabilities and implement appropriate mitigations, helping to ensure that their customers' networks operate securely and resiliently.
If they can't do this, OEMs will quickly find themselves at a significant disadvantage when selling into the EU. Worse still, if their technology is wholly or partially implicated in a cybersecurity breach, End Users could face administrative fines: for important entities, a maximum of at least €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher, and for essential entities a maximum of at least €10,000,000 or 2% [1].
To meet NIS2 compliance standards, OEMs must take measures to fortify their products and services against a wide range of technological and non-technical risks, including risks related to hardware and software [2].
Challenges OEMs must overcome to achieve this include:
- The need to secure devices and connected technologies to the point at which a cybersecurity incident cannot lead to a hazardous event.
- A lack of standards to use as a guide for what "compliant" should look like, with the new EU Machinery Regulation (EU) 2023/1230 not applying until 20 January 2027.
- The diversity of the End Users’ installed base with managed services contracts that must support legacy, new and future machinery.
Many OEMs haven't comprehensively documented the potential cybersecurity vulnerabilities of their machines and platforms. This leaves them facing the task of auditing and securing not just systems currently on sale or in development, but also systems still under active support. Having documented the vulnerabilities, OEMs must then work with End Users to develop recommended mitigations.
How can an OEM do everything it takes to demonstrate NIS2 compliance, to regulators but also to customers, as fast as possible? The best way is to work with a third-party vendor that has the technology, the experience, and the specialized engineers and consultants needed to reach compliance in the shortest time possible.
To help their clients achieve and demonstrate NIS2 compliance, OEMs can:
- Use components and technologies that are secure by design, with the latest technologies secured to meet all relevant industry standards and certifications.
- Work closely with each individual client to enhance security at every step and help them meet NIS2 requirements and other relevant standards.
- Provide immediate access to experienced security consultants who can help them identify, document, and mitigate vulnerabilities in the shortest time.
OEMs should work with clients to ensure that each specific implementation follows security best practices. To demonstrate compliance to regulators and other relevant parties, the OEM's risk-management team should also be able to provide a letter of attestation documenting the risk assessment performed and the mitigations implemented by the OEM and the asset owner.
Rockwell Automation is ideally positioned to bridge the gap between OEMs and End Users, serving as the third party that fortifies this partnership against cyber threats. By working with Rockwell Automation, you get immediate access to the technology, the expertise, and the experience you need to bring your supply chains into compliance with the NIS2 directive in time.
[2] https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333