On 17 October 2024, EU member states will have translated the Revised Network and Information Systems Directive (NIS2) into local law. Any organization that falls under NIS2 — a lot more than were covered by the previous directive — needs to ensure it complies.
As organizations hurry to audit their operations and bring them up to code for NIS2, there’s one area that’s often in danger of being missed: supply chains. The new directive obliges entities to risk-assess and then harden their supply chains against technology (hardware and software) and relevant non-technical risks[1].
This is not something organizations can neglect. The penalties for a cybersecurity incident arising from a supply-chain flaw are just as severe as the penalties for any other kind of breach: fines of up to €7,000,000 or at least 1.4% of the total worldwide annual turnover[2].
But how can you secure operational technology (OT) supply chains that often take in hundreds of vendors and thousands of machines of different makes and ages?
The challenges of NIS2 supply-chain compliance
Right now, manufacturers and operators of infrastructure need to confirm that the machines, technologies, and services they procure meet the security requirements of NIS2. But often, there are no specific security standards for these different parts of the OT ecosystem.
Take, for example, connected and automated machinery. The EU Machinery Regulation (EU) 2023/1230 comes into force in 2027. We can expect the text to take its final shape by some time in 2026.
OEMs and operators will then be able to use the regulation to shape their NIS2 compliance strategy for the machines they operate. Until then, they will need to work with OEMs to map NIS2 against a range of other existing standards and use this exercise to create their own machine-compliance plan — one that will meet regulatory requirements.
Other challenges of NIS2 supply-chain compliance include:
- The hazard threshold: NIS2 states that a breach may not result in a hazard — but how can an OEM or operator know when hazard-prevention measures are sufficient?
- System heterogeneity: often OT operators run systems and machines from multiple vendors and of various ages, all of which need to be made compliant.
- The technical challenge: how can OEMs and operators be confident that they have identified, documented, and mitigated all relevant vulnerabilities?
The initial task is to audit supply chains as they stand — the machines, systems, and services being procured as well as, where relevant, the systems used throughout the lifetime of the supplier relationship — without hard and fast specifications against which to audit, and then to document the vulnerabilities found so they can be addressed.
For organizations starting with little or even no existing knowledge base or documentation, and without the internal expertise and tools required, this can be a daunting and potentially time-consuming task, with no guarantee of a result that commands confidence.