Securing the OT Stage: NIS2, CRA, and IEC62443 Take Center Spotlight

NIS2 (Network and Information Systems Directive 2)

NIS2 expands upon the original NIS legislation, broadening its scope to include vital sectors such as energy, water, and transportation. Here’s what you need to know:

  • Stricter Regulations: NIS2 introduces stronger security requirements and incident reporting obligations. It emphasizes supply chain security, recognizing that vulnerabilities often stem from interconnected systems.

  • EU-Wide Cooperation: NIS2 encourages collaboration and information exchange across the European Union. Non-compliance now carries steeper penalties.

  • OT Relevance: NIS2 requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems. For operators in the covered sectors, that obligation extends to the OT systems that run the physical process, not just the corporate IT estate.

CRA (Cyber Resilience Act)

CRA focuses on safeguarding consumers and businesses using products or software with digital components—common scenarios in OT environments:

  • Mandatory Requirements: Manufacturers, importers and distributors must adhere to CRA’s cybersecurity requirements throughout a product’s life cycle, including vulnerability handling and security updates for the support period.

  • Complementing NIS2: CRA ensures that network-connected products meet elevated security standards, complementing NIS2’s efforts.

IEC 62443: A Global Best Practice

Unlike NIS2 and CRA, which carry EU-specific mandates, IEC 62443 transcends borders. It provides tailored cybersecurity standards for Industrial Automation and Control Systems (IACS) and OT:

  • Industrial Context: IEC 62443 addresses the unique security challenges of industrial environments, where availability and safety of the physical process usually take priority over data confidentiality. The standard balances those protection goals against productivity rather than applying IT priorities unchanged.

  • Defense-in-Depth: The standard outlines a defense-in-depth model, guiding organizations in building robust cybersecurity management systems (CSMS).

  • Risk Assessment: IEC 62443 assists in risk assessments, helping organizations choose security products and service providers effectively.


Unpacking the impact on OT

Imagine a medieval kingdom as an organization. The kingdom is the “Operational Technology” (OT) environment, and needs to be protected from various threats.


NIS2 is like the kingdom’s laws and policies, established by the king (the governing body). These laws mandate that every village (critical infrastructure) within the kingdom must have defenses (cybersecurity measures) appropriate to the threats they face, and they must report any attacks (cyber incidents) to the king’s council (regulatory authority) to help protect the entire realm.


CRA is akin to the blacksmiths’ guild (product manufacturers). They are required to forge weapons and armor (digital products and software) that meet certain standards of quality and durability before they can be used by the kingdom’s warriors (end-users). This ensures that the frontline defenders are equipped with reliable gear from the start.


IEC62443 is comparable to the master builders and engineers (cybersecurity professionals) who design and construct the kingdom’s fortifications (security controls and measures). They follow a set of blueprints and guidelines (technical standards) to ensure that every castle and wall is built to withstand sieges and protect the inhabitants effectively.

Together, these three elements create a robust defense system for the kingdom:

  • The laws and policies (NIS2) ensure that everyone is aware of the threats and knows how to respond.

  • The quality equipment (CRA) means that defenders are well-prepared to face any adversary.

  • The strong fortifications (IEC62443) provide a secure environment that can withstand attacks.

This analogy illustrates how NIS2, CRA, and IEC62443 work in concert to provide a comprehensive cybersecurity strategy, safeguarding the organization from potential threats at every level.

Timelines

CRA

The CRA agreement received formal approval by the European Parliament in March 2024. As of writing this article, it still requires formal adoption by the Council before it can enter into force. Most of the CRA’s obligations become applicable three years after entry into force, i.e. around 2027; the reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, 21 months after entry into force.


NIS2

By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS2 Directive. They shall apply those measures from 18 October 2024.


IEC62443

In 2021, the IEC designated the IEC 62443 family of standards as ‘horizontal standards’. This means that when subject matter experts develop sector-specific standards for operational technology, the IEC 62443 standards must be used as the foundation for the cybersecurity requirements in those standards.


Enhancing OT Cybersecurity: The Triad of NIS2, CRA, and IEC62443

In the intricate dance of securing Operational Technology (OT), three key players—NIS2, CRA, and IEC62443—take the stage. Together, they harmonize their efforts, covering different facets of security across the product life cycle.

NIS2 focuses on the operational aspect and resilience of critical infrastructure. It sets out requirements for risk management, reporting, and security measures, which are essential for the OT sector’s day-to-day operations.

CRA targets the product aspect, ensuring that digital products and software entering the market have robust cybersecurity measures in place from the design phase. This act ensures that the hardware and software used in OT environments are secure by default.

IEC62443 provides a technical framework with specific standards and practices for securing industrial control systems. It offers detailed guidance on how to implement security controls and manage cybersecurity risks in OT environments.

Together, they create a comprehensive cybersecurity ecosystem:

  • NIS2 ensures that operators of essential services maintain high levels of security and report incidents, which is crucial for the OT sector’s overall resilience.

  • CRA complements this by making sure that the products used in these sectors are secure from the start, reducing the risk of vulnerabilities.

  • IEC62443 bridges the gap by offering technical standards that apply to the specific needs of OT systems, providing a common language and set of practices for industry stakeholders.

Together, NIS2, CRA, and IEC62443 form a formidable alliance. They strengthen the resilience of the OT sector against cyber adversaries. By adopting these standards, organizations gain a structured approach to managing cyber risks. So, whether you’re safeguarding a power plant, a smart grid, or an autonomous vehicle fleet, remember: Cybersecurity is our collective shield!


Shanghai Digital Shell information technology co., ltd
Floor 8, No.690 Bibo Road, Pudong New Area, Shanghai

Email
mkt@dpoit.com

Copyright © 2025 Shanghai Digital Shell Information Technology Co., Ltd All Rights Reserved.