As the 17 October deadline for the Network and Information Systems Directive 2 (NIS2) looms, many organizations – including those in industries that rely on operational technology (OT) to carry out critically important tasks – still have work to do to comply with this new cybersecurity regulation.

The directive aims to improve the cybersecurity of critical infrastructure and essential service providers across the European Union.

Its scope extends to large and medium-sized organizations operating in “very critical” sectors (including energy, transportation, banking, drinking water and government) and “critical” sectors (such as postal and courier services, waste management, chemicals, food and manufacturing). “Direct suppliers” of affected sectors are also affected.

Some of these sectors, like financial services, were not typically included in OT conversations in the past. Organizations in these sectors may therefore be even less prepared than others for the new regulations.

Under NIS2, some organizations are deemed “essential”, regardless of their size, if a security breach affecting their digital infrastructure would have serious consequences. These entities face the highest level of scrutiny, and noncompliance can result in fines of up to €10 million or 2% of their annual revenue.

OT is a weak link in the security chain

OT systems and networks often present major security risks. Some were designed and implemented years ago and may lack the capability to be updated or patched against the latest threats.

When there was a clearer divide between OT and IT, OT was less exposed to cyberthreats. Now that systems have become more interconnected, outdated and vulnerable OT systems are exposed to new risks.

Take an electricity grid, for example. The utility will have a conventional, secure IT network serving the needs of its office workers alongside a massive OT network, which may be poorly secured.

OT systems and networks also tend to be customized or tailored to specific industrial tasks, leading to a lack of standard security practices and protocols across installations.

Why OT system issues are difficult to address

A broader challenge in addressing OT system or network issues is the need for business continuity. In OT environments, the main focus is on maintaining uptime. The cost of shutting down a factory for any length of time to implement OT upgrades may simply be too high.

This can leave organizations reluctant to apply updates or changes that might disrupt their operations – even if these changes are necessary for security.

There’s also often a gap in OT-specific cybersecurity expertise in organizations. At the operational level, traditional IT security skills do not always translate directly to the OT environment. And, in the C-suite, executives need a better understanding of NIS2 and its associated risks so that they can budget for and coordinate an organization-wide implementation.

Business leaders should understand that NIS2 compliance is not a one-off exercise. Once the regulations are in place, organizations will have to assess their security measures regularly to remain compliant.

The requirements of NIS2 compliance

NIS2 introduces rigorous security measures into the OT ecosystem. These include:

  • Conducting annual supply-chain risk assessments, defining clear roles and responsibilities, maintaining a risk register, and integrating a threat intelligence feed into an organization’s cybersecurity strategy
  • Documenting all assets and network endpoints, implementing robust business continuity and disaster-recovery measures, and putting in place effective crisis management
  • Bolstering security measures through awareness and training, well-defined policies and mandatory incident reporting within 24 hours for significant incidents

Securing OT networks also involves implementing multifactor authentication and adopting a zero trust approach to user identities and credentials.

That’s a tall order for just about any organization, made even more daunting by the level of skill required to put all of these measures in place by the NIS2 deadline.

Ask for expert help

The quickest and most reliable way of dealing with NIS2 compliance in your organization is to access the expertise of a managed service provider (MSP) like NTT DATA.

We start by conducting a comprehensive NIS2 readiness assessment to evaluate your current level of compliance and identify gaps. For instance, some OT networks still rely on now-defunct operating systems like Windows 3.1 or Windows 95, which creates serious vulnerabilities – but these need to be identified in a nonintrusive way to minimize business interruptions.

Next, we develop a compliance strategy using frameworks specifically designed for NIS2 compliance.

We can also help you design, implement and integrate your updated security equipment and controls – with minimal interruptions to your operations – and implement continuous monitoring to help you remain compliant over time.

Global expertise for local implementation

Our comprehensive NIS2 compliance assessment is designed to check a range of NIS2-related parameters in your organization and produce a heat map of your level of compliance. This leads to a scoping workshop and a strategic roadmap for moving your organization to full compliance.

Because of our close relationships with cybersecurity solution providers like Fortinet, we can then apply a carefully designed blend of expertise and new technology to secure your OT environment transparently and nonintrusively.

This end-to-end approach is a key benefit of working with NTT DATA. Many other MSPs cannot handle both the consulting and implementation phases of an NIS2 compliance project along with the continuous monitoring of security compliance that should follow implementation.

NTT DATA is also at the forefront of using AI-enabled technologies in cybersecurity – for example, using AI to detect, diagnose and report potential security breaches faster than any human operator can.

Our global reach – we’re in more than 50 countries – makes it easy for us to meet the needs of, say, a large, South America-based manufacturer whose products are made in Asia, assembled in Africa and sold worldwide. We draw on our global expertise and roll out security on the ground, wherever our client needs us.

To ensure proper implementation from the top down, we educate C-level executives and other stakeholders about the implications of NIS2 noncompliance.

This approach not only addresses your immediate NIS2 compliance needs but also lays a foundation for long-term cyber resilience across your OT and IT stacks.

It’s time for decisive action

There is little time left to comply with the NIS2 Directive’s stringent requirements.

We have the expertise you need to meet the directive’s demands, secure your operations and avoid potential fines. Get in touch to see how we can help.

This article includes contributions by Shaun Bergset, Consulting Systems Engineer: Global Alliances and Operational Technology at Fortinet.
