Ignoring NIS2 compliance is Russian roulette

In this episode of OT Security Made Simple, we talk to Gerald Krebs from TÜVIT about the status of NIS2 implementation in companies. Gerald explains why companies are currently putting off cyber security and how sitting it out can quickly cost a few million euros (and not just because of the legal fines!). More importantly, Gerald gives tips on how companies can take the first steps without overburdening themselves.


Transcript

Note: At the beginning of the podcast Gerald Krebs and Klaus Mochalski mainly refer to the status of the German implementation law of the NIS2 directive. In the English version of the transcript this was slightly rewritten to fit the international audience affected by NIS2 in their respective countries.

 

Klaus Mochalski

Hello and welcome to a new episode of OT Security Made Simple. I am Klaus Mochalski, founder of Rhebo. My guest today is Gerald Krebs from TÜV Information Technology. But Gerald, please introduce yourself to our listeners.

 

Gerald Krebs

Just like Klaus said, my name is Gerald Krebs from TÜV for Information Technology. I am responsible for cyber security services in the TÜVIT division. This includes, for example, penetration tests, product certification and process certification. So it goes into the area of ISMS [note: information security management system, usually in accordance with ISO 27001] and much more.

 

Klaus Mochalski

Tell us what has been on your customers' minds most recently. We always try to look at relatively topical issues and we talked about them a bit beforehand. What are the things that you are currently observing with your customers?

 

Gerald Krebs

So, what you can see is that there are a lot of directives coming from the European Union. I think there are more than 40 directives in this area that are now being pushed onto companies. They cover processes, secure infrastructure, products and so on. And one of the focal points is, for example, the upcoming NIS2 implementation laws, which are now also coming into force in Germany. In principle, it is due to come into force in the European legal area in October.

 

Klaus Mochalski

Yes, exactly. NIS2 is a topic that has been talked about a lot in the sector in recent months and longer. And not without reason. In fact, NIS2 affects many companies that have not yet been affected by similar regulation. These [national] implementation laws that you mentioned will come into force in October this year. We are now recording this episode at the end of September. That means we don't have much time left. What are your observations with your customers? Is the implementation looking good? Are they all well prepared? Or is there some catching up to do?

 

Gerald Krebs

So, perhaps a correction. And this is also relatively new to me: the NIS2 Implementation Act is not due to come into force until March 2025 [in Germany]. It has now been postponed on 27 [September 2024]; I just checked the table. The first round in the German Parliament will take place on September 7 and 20. This means that politicians have now also postponed the issue a little in order to get back to the companies.

 

Klaus Mochalski

That's exciting. Did that just happen, or when did it happen?

 

Gerald Krebs

I received this information about a week ago. Yes, that's new now. You can google it relatively quickly and it came as a surprise to me. I thought that, let's say, in the European legal area, the general conclusion had been reached that it would be enforced, that it had to be enforced. We know that there are many attacks. But there seem to be a lot of formalities that have to be taken into account. There has also been a lot of feedback, which may need to be refined. However, I'm not up to my eyeballs in this whole legislative process and what needs to be changed. The fact is, it will be postponed by around six months [in Germany]. That's one point.

But let's go back to your question. It was directed at companies. What we are finding is that companies are not quite ready at the moment for a variety of reasons. Some of them are also trying to, I would say, sit out issues. But we know how it is. They are waiting for the final version of the NIS2 law so that they know: aha, how do I have to align my company now? I don't want to start off in the wrong direction. And in the end, I've wasted a lot of energy on something. And that wouldn't be purposeful, because we know what companies are like. They have a certain amount of economic pressure. That's one of the issues, economic pressure. They are now really trying to use their money as efficiently as possible.

The second issue is also the resource situation. This is a dramatic issue because there are simply not enough resources to implement all these European legislative procedures. They are aimed in many directions, be it processes or products. This raises the question of who is supposed to test, verify, certify, etc. and so on. And we already have problems finding the right experts at TÜV. Of course, the situation is no different for companies.

 

Klaus Mochalski

Will this six-month delay help with these problems? Because thinking first of all about the situation you mentioned, many companies or some companies - I don't know the exact number - are sitting this issue out. That means they are waiting to see what happens. Does this six-month deferral solve the problem for them a little? I would assume that those who have sat it out until now will probably continue to sit it out and not use these six months to prepare themselves.

 

Gerald Krebs

That is correct. So when we talk about quantities, it is estimated that 30,000 to 40,000 [companies] in Germany alone are affected by NIS2 [note: in Europe it is estimated to affect 400,000+ companies]. And now to the topic: How long does it take to achieve compliance? You have to know that NIS2 means manager liability, and in some cases - depending on where I am - it also means that I have to certify products, i.e. according to the criticality of products and so on and so forth. There's a massive bucket list of things you have to do.

Many people are familiar with ISO 27001, but how long does it take to implement this process alone, which is in the direction of organizational security? It also takes at least a year. And we are only at the process level. And when I say: I also want to have a secure IT infrastructure - and I'm not just talking about a product, I'm talking about control systems or infrastructures etc. and that I also use appropriate secure products. And you don't get secure products at the snap of a finger. It all takes a lot of time until the products have actually reached a level where you can say: Okay, they are actually secure. Yes, we're talking about many years.

I come from large manufacturers, and it was an iterative process from the introduction of the process until the product was actually secure, until you could say that all the features were actually on board. And it took many years, because nobody says: I'm suddenly going to allocate 100% of my resources to the product. No one will do that, they will say that it will be prioritized. So first of all, what assets do I have? Then you prioritize according to criticality, and then you try to fix all these gaps and that simply takes a lot of time.

 

Klaus Mochalski

In other words, we are talking about a much longer process than for ISO 27001 [certification]. Anyone who has experience with this can compare it and knows that they definitely have to get involved in a longer process because it also involves a lot of very operational changes. For example, the upgrade or replacement of individual system components that you mentioned, which potentially cannot be done quickly because the components may not even be available in a secure version. And in this respect, you have to be prepared for a long road ahead.

That means, of course, that it is all the more important that I start early. Now, you talked about this evasive movement. In other words, companies are waiting to see what the law says before they start their journey. That doesn't sound so stupid from a business perspective. Is that the right approach? Will that be enough at the end? There are still deadlines by which you actually have to have implemented the legal requirements. Is that a good and valid approach from your point of view?

 

Gerald Krebs

It is not. Let's put it this way: we are already familiar with this topic from the IT infrastructure or telecommunications infrastructure, where we have to deal with the same or very similar problems. So, the question is, how do I keep my networks secure? Because we know that the networks are under attack. No operator says: I'm going to wait for the laws. Or shouldn't do that. Instead, they say: I know best practice approaches - IEC 62443, for example, is a very good standard to use as a guide - and think about how I can achieve this. Because I know what best practice looks like. How can I already [implement] key parts of this standard?

It's not about certification procedures, but first of all about how I can implement key approaches or best practice approaches right now. These are all no-brainers along the lines of: What do I know? What do I have to do in order to be a reliable company? That I have experienced employees, for example. That I don't push every employee who can read and write in the company to take care of security. Instead, I train my employees first and then, let's say, introduce [the requirements] to the company. These are all essential issues that are very often ignored, unfortunately. But that's why I can only recommend IEC 62443, for example, to everyone.

 

Klaus Mochalski

What are the possible consequences for companies or management if they sit it out? Are there consequences under the law? When do you have to expect them and what do they potentially look like?

 

Gerald Krebs

Exactly. The NIS2 will come into force at some point. The current status quo would be March 2025 [in Germany], after which there will certainly be some kind of transitional period until the actual activation. There is no defined time frame here.

The worst-case scenario is that there is an immediate clampdown, because something happens when the law comes into force. Some company somehow has a problem. The entire production comes to a standstill and the managing director is informed: Here, you have NIS2! You didn't do anything for it! You have invested €0! You have no employees for it! Then, according to NIS2, the managing director can be held personally liable. That's issue one.

And topic two is: there are two categories of administrative penalties. There is a low category, meaning up to €7 million or 1.4% of global turnover. And there is a higher category that says up to €10 million or 2% of global turnover. When will that actually happen? Yes, I would say that you're playing Russian roulette if you try to sit it out for as long as possible.

 

Klaus Mochalski

Who is potentially acting as a plaintiff? Is it the BSI [in Germany] [note: BSI = Federal Office for Information Security]?

 

Gerald Krebs

I assume that it will be the BSI, because you have a certain obligation, even if there are security incidents and so on, to communicate this to the BSI. And that's why I assume that the BSI is actually the one to take the initiative. [Note: In other countries, other national authorities will be in charge, as required under the EU NIS2 directive.]

 

Klaus Mochalski

Okay, from the experience that we or the companies have already gained in the past in our cooperation with the BSI within the framework of the critical infrastructure legislation, I expect the BSI to proceed with tact and sensitivity. In other words, it probably won't pull out the big stick and come up with instruments like this on the day it goes live. In other words, there will certainly be a transitional period. The question is how long it will be. It's impossible to say exactly. Formally, you have to be compliant from that date.

 

Gerald Krebs

Correct. One thing is the formal aspect. But we also have to consider that a great many companies are affected. We are talking about 30,000 to 40,000 companies [in Germany alone], which in turn have suppliers and so on. In my view, this is a rat's tail without end. And then there's the question of how much capacity the [authorities] themselves have to manage all these companies. I need a certain amount of manpower, and I think that alone will be enough to prevent [the authorities] from saying, "I'm going to fire right now".

 

Klaus Mochalski

I think that's also one reason why many companies feel secure, because they simply know that the [authorities] won't be able to do it. Hence the second question: Is there also a risk for me as an affected company, for example from suppliers or customers who, because they know that I have not implemented it, might sue me and claim damages?

 

Gerald Krebs

Yes, certainly. Let's say I offer a managed service or a product or a solution or whatever. And I have a large customer, for example. Let's take the worst-case scenario: something goes down. I've already had a similar case where a large system failed. It was in the telecommunications sector. Suddenly, the entire Frankfurt airport was completely down. A certain operator could no longer make any phone calls. That led to enormous claims for damages, because the operator would then say: “You didn't provide me with a patch, you didn't even offer one. I can prove to you that you left a highly critical vulnerability open here. You didn't inform me, you didn't provide a patch. There is still no patch. I have now been attacked. My system has suffered €6 million in damage.”

Then I have the option of going to the manufacturer or whatever and saying that I can hold you liable for the damage under NIS2 because you have blatantly violated NIS2. That is one possibility, for example.

Or what about insurance policies? Nowadays, you can have the relevant damage insured. But which insurance company will cover you if you can't prove that you have implemented certain best practices, an ISO 27001 certification or a secure product development process or a CERT process, etc.? Because if I don't have anything, then I can decide: either I pay a lot for the insurance policy or I don't get one at all.

 

Klaus Mochalski

This means that as an affected company, even if you decide to sit it out, you should first take a very close look at your supply chain. In both directions. Whether there are candidates there who, if an incident does occur, could, in the worst case, perhaps legitimately approach me as the affected company with claims for damages. In other words, that would be a risk that you would have to assess as a first step and see if there are any measures that need to be taken more quickly.

 

Gerald Krebs

Exactly, that is also a best practice measure, for example, that I say when I look at suppliers - because most products consist of 3rd party components, nobody builds their product completely themselves, but 80 or 90% consist of 3rd parties - and when I choose software components, for example, that they will not go end-of-life or end-of-maintenance tomorrow. Instead, I choose products for the defined lifetime of my product that I know are up-to-date in terms of security. And that maintenance is supported.

 

Klaus Mochalski

Then let's take a positive look at what the top measures are that I should implement first as an affected company. Even if I'm not aiming for full compliance [at the date of national implementation] and I know I won't make it. Nevertheless, every step brings an improvement. And for someone who has not yet dealt with the topic in terms of content, what would be your recommendations for the first 2 to 4 measures that should definitely be considered and potentially implemented?

 

Gerald Krebs

So first of all, you should think about what assets you have, or that you do a kind of status quo analysis. What are my assets worth protecting? I first need to know what I want to protect before I take any measures. Identify the assets.

Then: What is my role? Am I an integrator, operator or manufacturer? To see which category I need to go into? ISO 27001, for example, won't help a manufacturer very much, but they are more interested in how I can guarantee a secure manufacturing process.

And I can only really recommend that everyone takes a closer look at IEC [62443]. It is divided into different roles.

There are various parts of the standard, depending on which role I have. Am I an operator, am I an integrator or am I a manufacturer? In other words, you can do some cherry picking. And then you can pull out the relevant processes or product requirements, solution requirements, operator requirements and see if you can pick out the essential requirements. You certainly can't implement them all at once, but rather try to implement these topics successively.

 

Klaus Mochalski

This is actually a recommendation that I have been giving our customers for years. Many customers, particularly in the critical infrastructure and industrial sectors, are eyeing up IEC 62443, which can of course be overwhelming in terms of scope alone. On the other hand, it is also a document that is still developing. This means that parts are still being added.

I have always recommended this to our customers: Take a look at the table of contents first and use it as a checklist. Look, so to speak, what are the points that light up red for you, for your specific case? That happens automatically, because I look at it, the table of contents is actually relatively practical and then you quickly get a feel for where you are affected. And then you simply look at these points in depth.

 

Gerald Krebs

Yes, right, exactly. And from my point of view, the essential parts of the IEC 62443 standard have actually all already been approved. Yes, at the moment it's already quite sufficient to say that I do cherry picking and - as an operator, for example - I choose either standard part 2-1 or 2-4.

We can certainly help the individual, shall I say, operators etc. in [deciding]. Which is the more appropriate section here? But this is all based on ISO 27001, but only for industrial applications or purposes. And that definitely makes sense.

So, as I said, I come from large manufacturers and have worked for a large operator. So I know what I'm talking about. It's definitely helpful. It's not just another standard that you have to implement, but it has a solid basis. And anyone who simply takes a look at it will recognize that. There are also corresponding webinars on the market that can help and at least provide an introduction. We at TÜVIT, for example, also offer corresponding webinars.

 

Klaus Mochalski

Yes, I don't think there is a lack of good content - at least for both NIS2 and IEC 62443. To summarize once again:

  1. A very clear recommendation is to start with the risk analysis, identify the areas in your own company with the highest risk and then look into them.
  2. What individual measures can we derive from this for the company?
  3. And, if necessary, get help from a trusted service provider. I think the TÜV is happy to help with this.

There are, I think, very, very many who have done this recently. In other words, the clear recommendation is not to do this on your own, but to seek expertise, because many service providers - or I would say all service providers - who are active in this area have probably been engaged with this topic not just for months, but for a long time. In other words, the expertise is high, but the resources are probably not so high, so you have to see how quickly you can actually get someone.

 

Gerald Krebs

Yes, that’s correct.

 

Klaus Mochalski

Okay, great. Thank you very much, Gerald. That was a very good overview with the small surprise that NIS2 has actually been postponed [in some European countries]. Maybe we'll just do another follow-up episode in six months' time and see how things look then, whether anything has changed in the status quo of compliance implementation. For now, thank you very much for your participation. It was a lot of fun and I think it was an interesting insight for our listeners.

 

Gerald Krebs

Yes, it’s been a pleasure.