This blog post trilogy takes a closer look at what implications the amended European Network and Information Security (NIS2) directive will have for companies (or "entities", as they are called in the directive). The first part discusses the practical limitations many companies will face when implementing the requirements. Part 2 sheds light on the specific requirements that focus on visibility, cyber intelligence and intrusion detection. Finally, part 3 argues that NIS2 is indeed part of a larger plan to harden cybersecurity across the entire industry, not only in essential and important entities.
The NIS2 Directive will cause a stir in companies by October 2024 at the latest. By this date, the directive on cybersecurity in essential and important entities must be transposed into German law. In Germany, the NIS2 Implementation Act has already been initiated for this purpose; its draft bill of April 2023 already offered a preview of the coming rules.
There is good news for all companies that have already had to implement the amended IT Security Act (IT-SiG 2.0): they already meet many of the requirements. In parts, the IT-SiG 2.0 has already anticipated the coming NIS2. However, NIS2 goes a couple of steps further.
It's simple, but…
In principle, the ten categories of minimum risk-management measures that NIS2 requires represent the foundation of a functioning information security management system (ISMS), which covers the entire spectrum from prevention through the operation of security systems to emergency management.
On the preventive side, there are:
- Guidelines and work instructions on information security, which give company employees clear technical and behavioral rules. Following the principle of cyber hygiene, these should be internalized by all employees through regular training sessions, to the point that they become habits. This requires perseverance.
- Human resources security processes in which cybersecurity is already a part of recruitment, so as to further reduce internal cyber incidents caused by human error. This means that future employees will have to be screened in advance for their trustworthiness and reliability. A process must also be established for the termination of the employment relationship (revoking accounts, access rights and physical access promptly) to prevent former employees from becoming a security risk. There will certainly always be gaps, and anger (e.g., about a termination) can make even the most laid-back person unpredictable. Nevertheless, such processes are enormously helpful in reducing the likelihood of an internal security incident.
- Basic technical measures then ensure information security inside and outside of the company. Classically, these measures include:
- Strict authorization and access management with multi-factor authentication (MFA) and single sign-on (SSO). The latter may sound paradoxical, since it permits access to multiple applications with only one set of credentials. In practice, however, it has been shown that with SSO employees tend to choose strong passwords because they only have to remember one. The flip side is that the identity provider becomes the single point of compromise, so MFA on the SSO login itself is indispensable. SSO also requires deep system integration, and MFA requires that all employees carry a second factor (a token, smart card or authenticator app) with them.
- The use of secure communication channels that cannot be accessed by unauthorized persons. In practice, this point is a double-edged sword, since companies today mostly use platform providers such as Google, Microsoft, Zoom or Meta. Although these offer relatively good security, they raise, among other things, legal data protection questions, since the providers are headquartered in the United States and data may be processed there.
- Wherever possible, encryption of digital communication and data storage. In practice, this has thus far only been possible to a limited extent, at least in OT, where legacy protocols and hard real-time requirements often leave no room for the added latency and key management. There are, however, more and more offerings that make it feasible.
- Business continuity processes that enable a company to keep functioning, or at least to quickly restore its ability to function, in the event of system failures. These include multi-level backups, a stringent disaster recovery (DR) plan and proven, regularly exercised crisis management. This also includes knowing what actually went wrong, and where (more about this in the second part of the blog post).
Looking at security externally
So far, so good. With these measures, the company's own employees are briefed, the intra-company systems and communication channels are secured, and a functioning emergency management system has been established. One problem that has been discussed for years remains, though: companies always work together with other companies, purchase applications from them and exchange data with them. In short, every company is closely tied to and dependent on other companies over whose cybersecurity it has little or no influence.
With these many third-party components in OT, one insecure device is enough for network disruption by supply chain compromise (source: Pixabay)
NIS2 addresses this very real problem with two new requirements:
- Cybersecurity must be a key criterion in the acquisition of IT/OT systems and services.
- Cybersecurity must be a key criterion in the selection of suppliers. This goes so far that suppliers should be required to follow secure product development practices.
These NIS2 requirements are absolutely welcome because they take into account how networked and complex business relationships are these days. Through a cunning move, they also make NIS2 a directive that obliges virtually ALL companies in the market, not just the ones explicitly listed, to establish cybersecurity (more on this in Part 3 of our trilogy).
In the medium term, however, this has two quite practical consequences for companies that are subject to NIS2:
- The selection of available systems, devices, applications and services will be greatly restricted (at least initially). This is already the case in Germany for smart meters, which, in contrast to other countries, require security certification (in Germany by the Federal Office for Information Security, BSI). Taken to its logical conclusion, companies subject to NIS2 could only work with subcontractors that operate an ISMS certified to ISO/IEC 27001 or that have implemented IEC 62443.
- So as not to be completely hamstrung (because honestly, which OT systems and components would you call secure?), devices and systems that cannot be secured must be monitored (more) closely during operation. This is especially true for critical systems and components.
The lack of secure smart meters can put a hard stop on smart grid initiatives (source: Unsplash)
The technical and process-related limitations in OT, together with supply chain security that cannot be fully implemented, at least in the medium term, mean that cyber incidents can only be prevented to a very limited extent in OT environments. The trend therefore goes from pure prevention to continuous monitoring and detection as the second line of defense. NIS2 addresses this as well.
More about this in the 2nd NIS2 blog post.