Operational Technology (OT) networks are not the same as standard IT networks. Yes, the basic infrastructure — devices attached to an IP-based network — is the same. But the operational and security parameters are often completely different.
This matters. To take an obvious example, if an inexperienced cybersecurity operative, for instance one who has worked mainly on IT networks, queries an OT switch in the wrong way, they might execute the wrong command or overload it with traffic. The switch will go down, and possibly the network with it.
This kind of thing is a real-life risk, especially now in the run-up to the EU’s Revised Network and Information Systems Directive (NIS2) coming into force. As OT operators accelerate their compliance efforts, the risk of deploying the wrong tools, or the right tools with the wrong approach, rises. There is also a significant skills gap: qualified people to support compliance efforts are scarce. Practitioners who understand the nuances of the OT environment and also have a cybersecurity skill set are going to become increasingly busy over the next couple of years.
No one wants unplanned downtime during their NIS2 audit. But even that’s not the worst outcome. Organizations that fall under the scope of NIS2 must secure their OT networks to the standard set out in law, or face fines of up to €7,000,000 or at least 1.4% of their total worldwide annual turnover.
EU member states have until October 2024 to pass NIS2 into local law. So OT operators have to start preparing their compliance plan now.
NIS2 compliance requires more than good intentions. Manufacturers need to equip themselves with the right services, hardware, and software tools.
How can OT operators make sure they choose the right tools and resources for NIS2 compliance, and then use them in the right way?
- Policies and procedures: Governance, risk management, and compliance (GRC) specialists can help establish and manage policies and procedures. An OT cyber policy is key to meeting the increased challenges of managing and securing industrial control systems. Typically driven by people and data, an OT cyber policy defines the senior-leadership vision and management’s acceptable level of risk, sets the cyber objectives for the OT environment, and defines the principles for reducing risk. Asset inventory tools are often used to conduct asset mapping and identification. Choosing a tool that will not adversely impact or overload the network is key to success, and using a range of collection methods to provide more contextualised information is also critical. Expect your GRC partner to use specific tools for asset identification and vulnerability mapping.
- Incident handling: Incident response software platforms, both on-premises and cloud, offer structured approaches for detecting, responding to, and reporting incidents. An intrusion detection system will help provide log analysis, and in the event of a cyber breach it will also support incident response. Being able to quickly and accurately analyze event data will reduce analyst time spent triaging and pinpointing causes. Ensure that a ticketing system is in place to manage and document incident detection and response; its records also serve for auditing and provide the data needed when reporting an incident to the designated authority.
- Crisis management: Crisis management software can help coordinate response efforts and communication during a crisis. A robust, tested and proven backup process (software and procedures) will aid in recovering and restoring environments post-event, and a solution that backs up to a secondary location provides an extra layer of data security. Completing a crown jewels assessment to define the assets most critical to your business is an important step in crisis management: know what they are and their risk profile, and define how you are going to protect them.
- Supply-chain security: Supply chain risk management tools help you monitor and manage supply chain risks. Organizations should also use secure-by-design hardware and software developed by vendors who follow globally recognized standards.
- Network security: The right network design allows critical networks to run in isolation using next-generation firewalls, industrial demilitarized zones (IDMZs), and secured communication protocols such as CIP Security. Organizations should also implement automated tools for inventorying OT assets and pinpointing vulnerabilities, and integrate them into a vulnerability management solution that can streamline remediation efforts and effectively mitigate risks. An intrusion detection system (IDS) can help with asset inventory and with reporting the vulnerabilities associated with the assets it collects.
- Risk management: Risk-assessment and management tools such as Verve provide comprehensive visibility into vulnerabilities and compliance, and determine the risk that devices pose to the network. Penetration testing can also be used to uncover vulnerabilities by simulating a cyberattack. Tabletop exercises that simulate an attack and the response to it will help uncover and mitigate procedural gaps.
- Basic cybersecurity hygiene: Endpoint protection platforms help maintain basic cybersecurity hygiene by protecting against malware and other threats. Again, an IDS will improve hygiene by revealing vulnerabilities and threats within the OT environment; acting on that information and following the remediation guidance is what turns it into better cybersecurity hygiene.
- Cryptography and encryption (P&P): Encryption solutions embedded in communication protocols and managed-switch encryption provide cryptographic services and policy enforcement, protecting organizations from network-sniffing attacks.
- Human resources security: Identity and Access Management (IAM) systems enforce access control policies and support asset management. With these tools, network administrators can actively monitor user behaviour and enforce best practices.
- Multi-factor authentication: MFA solutions included in the products that have access to the network add an additional layer of security by requiring multiple forms of user verification.