In Part 1 of our blog post trilogy on the NIS2 Directive and the NIS2 Implementation Act, we examined the basic requirements which focus on prevention. We determined that prevention has quite practical limits – whether due to intra-company structures, technical restrictions, or external influences, upon which a company has only little influence, or due simply to practical reasons.
Thus, with all preventive measures, a quite substantial residual risk remains. In industrial enterprises, the residual risk is determined by the following factors, among others:
- In industrial environments, availability – typically 24/7/365 and due to long-term delivery schedules – takes precedence over information security.
- Industrial components with digital interfaces (sensors, industrial control systems, gateways, HMIs, PLCs etc.) usually have no integrated cybersecurity by default, no capacity for additional security functions and are frequently based on very opaque legacy programming, without transparency regarding vulnerabilities and security gaps. To be precise, industrial components were (and still are) developed with a single objective: to keep the systems running. In short, they are often "insecure by design."
A company has only limited influence on:
- the cybersecurity of supply chain companies,
- the cybersecurity and cyber awareness of service companies (e.g., maintenance companies that work on the industrial control system), and
- product development in supplier companies.
These factors are relevant and have an impact, as shown by supply-chain compromise incidents such as SolarWinds (2020), Log4Shell (2021) and ViaSat SATCOM (2022), as well as by the daily security advisories for ICS components published by the Cyber & Information Security Agency (CISA). Supply chain compromise refers to cyber attacks in which supplier or service companies are attacked in order to reach the actual target company.
OT security is based on visibility of all network assets and their respective properties
Knowledge emerges through visibility
The good news is that companies can also get a handle on this residual risk and do not have to change much at all in their own structures to do so.
The NIS2 Directive provides for several requirements that logically work together:
- Clear asset management ensures that companies know where devices and systems are located and what types are in use. In the end, only what is known to deserve protection can be protected. This also includes being able to understand how the devices and systems communicate and interact with each other. In IT, this is old hat. In OT (operational technology, including industrial control systems), many companies still operate largely in the dark. An OT monitoring system such as the Rhebo Industrial Protector sheds light on the matter. It passively – i.e., without placing any load on the OT components – monitors all communication within the OT and creates a detailed network map from it. On this map, all devices and systems are visualized with their communication behavior, metadata and connections, and information is provided when vulnerabilities are detected for a component.
- A risk analysis provides clarity as to what the cyber threats to a company are and what weight they should be given. This knowledge covers not only the external threats (e.g., current malware types) but also an understanding of which security gaps, vulnerabilities and internal cyber risks (e.g., from configurations, informal workarounds and the functioning of third-party provider systems) exist. Here as well, the OT is a securely locked black box in a large number of companies. Therefore, Rhebo customers always start with a Rhebo Industrial Security Assessment, in which the OT is thoroughly investigated for existing vulnerabilities and security gaps and the asset inventory is created.
- Cybersecurity is both a cat-and-mouse game with the attacker and a success story of knowledge transfer. For this reason, it needs detailed documentation and analysis of cyber attacks and the dissemination of information to companies at risk. The NIS2 therefore requires guidelines on the reporting of attacks, incidents and disruptions. The NIS2 Implementation Act is already very specific in this regard and puts companies under pressure to quickly obtain clarity on incidents: an initial report within 24 hours, an assessment of the incident after 72 hours, and after 1 month a final report with a detailed evaluation of the causes. The BSI can even ask for additional information on demand at any time. Companies must therefore be able to log cyber attacks in detail and understand them. That is why the Rhebo Industrial Protector also saves all identified incidents as PCAP, to enable a precise forensic analysis.
The blind spots of perimeter security
For incident management, the NIS2 explicitly mentions, in addition to prevention, the detection of attacks (detection) and response to incidents (mitigation). The latter depends logically and chronologically on a well-functioning intrusion detection, as is already required in the IT-SIG 2.0. And these days, this must go beyond a firewall on the perimeter. A SIEM (security information & event management) system alone does not solve the problem.
An OT network must be secured like a city fortress. This includes both perimeter security as well as inner security.
Firewalls lack knowledge about zero-day vulnerabilities. They also cannot detect malicious network access that uses authentic access data (credentials). Analyses of the past few years show a trend away from malware-based attacks towards fileless attacks. Between 2018 and 2022, the percentage of (discovered) malware-free attacks increased from 39% to 71%. These attacks are largely based on stolen credentials. Once attackers are in a network, a firewall will no longer help.
A SIEM, on the other hand, requires vast amounts of data in order to detect and report attack patterns. With the blind spot in the OT, an attack in the industrial control system remains unseen, even with the best SIEM.
Firewalls and SIEM systems are reaching their limits with respect to:
- new kinds of attack patterns,
- the exploitation of unpatched or previously unknown vulnerabilities,
- the exploitation of stolen credentials or
- cyber attacks through a supply chain compromise
Effectively closing residual risk gaps
This residual risk can be covered by anomaly detection, as integrated in the Rhebo Industrial Protector OT monitoring. The anomaly detection does not examine the OT communication for known malicious signatures (firewalls and SIEM systems are there for this purpose), but rather looks for communication that deviates from existing, established patterns. This is possible in OT because industrial systems are characterized by repetitive, predictable communication. Activities of attackers are thus easily distinguishable from legitimate communication.
It is also crucial that the OT security monitoring with anomaly detection works within the network. In this way, it also detects attackers that compromise the network through one of the four attack techniques named above without having triggered alarms in the firewalls and the SIEM system.
Since anomaly notifications are delivered in real time, the security officer can respond immediately. On average, attackers need 84 minutes between the first access and lateral movement to another device. As long as security teams can follow the established 1-10-60 rule (1 minute for detection, 10 minutes for understanding, 60 minutes for responding), they have a chance.
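To make the two mechanisms described above concrete (the passively learned network map in the asset management section, and the detection of deviations from established communication patterns in this section), here is an added example in Python. It is not Rhebo's code and not the Industrial Protector's logic; it is a minimal baseline-learning and deviation-check routine over constructed flow records with hypothetical addresses (10.1.0.x). The learning phase yields the asset inventory and communication map; the monitoring phase reports new assets, new conversations, new protocol functions on a known conversation, and request rates that exceed the learned rate by a configurable factor.

```python
"""Passive OT baseline learning and anomaly detection over constructed flow records.

Added illustration; not the code of any product named on the page.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One decoded request as a passive sensor would see it (constructed format)."""
    ts: float      # seconds since start of capture
    src: str       # source address (hypothetical 10.1.0.x addresses below)
    dst: str       # destination address
    dport: int     # destination port
    proto: str     # application protocol as decoded by the sensor
    func: str      # protocol function / request type


def learn_baseline(flows, window):
    """Build the baseline (= asset inventory and communication map) from a learning capture.

    Returns known assets, known conversations, the functions seen per conversation,
    and each conversation's request count per `window` seconds.
    """
    assets, conversations, functions, counts = set(), set(), set(), Counter()
    for f in flows:
        conv = (f.src, f.dst, f.dport, f.proto)
        assets.update((f.src, f.dst))
        conversations.add(conv)
        functions.add((conv, f.func))
        counts[conv] += 1
    span = max(f.ts for f in flows) - min(f.ts for f in flows)
    n_windows = max(1.0, span / window)          # capture shorter than one window counts as one
    rate = {conv: n / n_windows for conv, n in counts.items()}
    return {"assets": assets, "conversations": conversations,
            "functions": functions, "rate": rate}


def detect_anomalies(baseline, flows, rate_factor=3.0):
    """Check one monitoring window (same length as the learning window) against the baseline.

    Returns (kind, subject, first_seen_ts) tuples; each subject is reported once,
    not once per packet, so a chatty new device produces a single alarm.
    """
    anomalies, reported, counts, first_seen = [], set(), Counter(), {}

    def report(kind, subject, ts):
        if (kind, subject) not in reported:
            reported.add((kind, subject))
            anomalies.append((kind, subject, ts))

    for f in sorted(flows, key=lambda x: x.ts):
        conv = (f.src, f.dst, f.dport, f.proto)
        counts[conv] += 1
        first_seen.setdefault(conv, f.ts)
        for host in (f.src, f.dst):
            if host not in baseline["assets"]:
                report("new_asset", host, f.ts)
        if conv not in baseline["conversations"]:
            report("new_conversation", conv, f.ts)
        elif (conv, f.func) not in baseline["functions"]:
            report("new_function", (conv, f.func), f.ts)
    # Known conversations that suddenly talk far more than they used to
    for conv, n in counts.items():
        expected = baseline["rate"].get(conv)
        if expected and n > rate_factor * expected:
            report("rate_deviation", conv, first_seen[conv])
    return anomalies


def constructed_capture():
    """Constructed sample data: a 60 s learning phase and one 60 s monitoring window."""
    hmi, eng, plc, laptop = "10.1.0.10", "10.1.0.5", "10.1.0.20", "10.1.0.99"
    # Learning: HMI polls the PLC once a second, engineering station reads every 10 s
    learning = [Flow(t, hmi, plc, 502, "modbus", "read_holding_registers") for t in range(60)]
    learning += [Flow(t, eng, plc, 102, "s7comm", "read_var") for t in range(0, 60, 10)]
    # Monitoring: normal HMI polling plus an unknown laptop writing to the PLC,
    # the HMI issuing a function it never used, and the engineering station reading 40 times
    monitoring = [Flow(60 + t, hmi, plc, 502, "modbus", "read_holding_registers") for t in range(60)]
    monitoring.append(Flow(70.0, laptop, plc, 502, "modbus", "write_single_register"))
    monitoring.append(Flow(75.0, hmi, plc, 502, "modbus", "write_multiple_registers"))
    monitoring += [Flow(60 + 1.5 * i, eng, plc, 102, "s7comm", "read_var") for i in range(40)]
    return learning, monitoring


if __name__ == "__main__":
    learning, monitoring = constructed_capture()
    baseline = learn_baseline(learning, window=60)
    print("assets:", sorted(baseline["assets"]))
    for conv in sorted(baseline["conversations"]):
        print("conversation:", conv, "rate/window:", baseline["rate"][conv])
    for kind, subject, ts in detect_anomalies(baseline, monitoring):
        print(f"t={ts:6.1f}  {kind:16s} {subject}")
```

The four anomaly kinds map onto the four limits listed for firewalls and SIEM: a new function or rate deviation needs no signature, a new conversation from a known asset is visible even when the attacker holds valid credentials, and a new asset is visible regardless of which supplier or service provider introduced it. In a real deployment the window length, the rate factor and an allow-list for planned maintenance would be tuned per plant.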
Who monitors the monitoring?
Finally, NIS2 poses the question as to how the effectiveness of the security systems used can actually be verified. As already shown above, firewalls and SIEM are important components but also have clear limitations – especially in OT networks.
Due to the increase in successful phishing campaigns and in publicly known vulnerabilities in the OT area, blind trust in the existing security mechanisms has itself become a relevant risk.
Thus, an alarm system is required that detects or can derive these (unseen) incidents in order to subsequently improve the existing security system.
Anomaly detection provides a powerful tool here, too, because anomaly notifications always indicate that something in the network is not running as expected. In doing so, they also reveal whether the existing security architecture itself has gaps that enabled attackers to penetrate the network.
An OT monitoring system with anomaly detection thus becomes a central tool to provide dedicated OT security and to close numerous residual risk gaps. We have captured this as an overview on a poster.
Continue to the third part of our NIS2 trilogy.