Organisations and risk management leaders across Europe are focused on preparing for Member States’ implementation of the updated NIS2 Directive. Member States must transpose the Directive into national law by 17 October 2024. It aims to raise the collective resilience of European critical infrastructure by requiring in-scope entities to adopt a minimum set of cybersecurity risk-management measures. NIS2 does not explicitly discuss OT and IoT assets and networks, but its requirements implicitly cover them.
Findings on NIS2 Implementation Preparedness
Nozomi Networks recently ran a survey to gauge how prepared organisations are to align OT and IoT security with the NIS2 Directive. Based on interviews with 300 IT security decision-makers in Germany, France, Sweden and the Netherlands, the research found that “the upcoming NIS2 legislation will prove to be a substantial challenge for essential and important organisations representing critical infrastructure industries.
Despite competing priorities, a particular focus needs to be put on risk management beyond IT to include operational technology (OT).” Ultimately, NIS2 requires organisations to critically review and strengthen the policies and procedures behind their cybersecurity risk-management measures. These measures include risk analysis and information security policies, incident handling, and business continuity and crisis management. They also include supply chain security, security of network and information systems, and the use of cryptography and encryption. Member States are currently defining the national requirements through which in-scope organisations will have to demonstrate compliance.
Below, we highlight some of the findings from the Nozomi Networks-directed survey, and what this means for critical infrastructure organisations working to align OT and IoT security with NIS2.
Who Is Responsible for OT and IoT Cybersecurity?
Increasingly, IT leaders are dispatched to assess OT and IoT connectivity and security requirements to protect their businesses from unauthorized access, manipulation, and unintended downtime from attacks reaching or circumventing OT and IoT assets. According to Fortinet’s 2023 OT Security Report, global survey data responses from over 500 cybersecurity professionals in critical infrastructure reveal that “95% of organizations expect OT cybersecurity responsibility to shift from directors and managers to CISOs in the next 12 months.”
In Europe today, however, respondents to the Nozomi Networks-directed survey indicated that “while just over a third of organisations give ultimate responsibility to the CISO (35%), many others rely on the IT department as a whole (24%) and/or operational technology (18%), amongst others.” These responses indicate just how far leaders have to go in shifting this responsibility to CISOs. Meanwhile, respondents also indicated that training and education are the least mature policy area for their businesses, followed by vulnerability management.
Taken together, ownership of OT and IoT cybersecurity still has considerable room to grow in accountability, training, awareness and action. According to the IT leaders surveyed, “responsibility for securing operational technology (OT) and IoT devices and networks is shared between both internal stakeholders and external third parties.”
How Prepared Are Leaders to Defend OT and IoT Networks?
Responses from organisations and decision makers in the Nozomi Networks-directed survey indicated a broad reliance on external managed service providers for consulting, threat intelligence and incident response. When asked whether their organisations conduct and regularly update a risk analysis of their critical information systems (CIS), 50% said they do so on a defined schedule, 34% said they do so only on an ad hoc basis, and, strikingly, 15% said they do not currently conduct a risk analysis at all.
A majority of the organisations surveyed in the global Fortinet 2023 OT Security Report experienced an intrusion in the last year, and the attack patterns continue to show malware, phishing and social engineering, and ransomware targeting both IT and OT. In the Nozomi Networks-directed survey, 81% of IT leaders indicated their organisations are most lacking in programs for asset identification and inventory management, 80% lack vulnerability mapping and threat hunting, and 75% lack situational awareness and data analytics capabilities. These parallel trends suggest that security practitioners may not be set up to identify and remediate the security events that precede serious incidents. To reduce the severity of cyberattacks, it is essential to know which assets you own and operate, their operational and communication status, and their potential vulnerabilities. You cannot protect what you cannot see, and without visibility into assets and network traffic it becomes increasingly difficult to perform root cause analysis or even to review benign events and activities.
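The asset identification gap described above can be narrowed with passive observation of the network rather than active scanning, which is often unsafe against PLCs. The following Python example, added here and not code from the original post or from Nozomi Networks, builds an inventory of hosts, the services each one acts as client or server for, and their communication peers from connection-log records, then compares that inventory against an approved baseline to flag unknown hosts and hosts that have started using services outside their baseline. The log lines are a constructed, Zeek conn.log-like subset (timestamp, source, destination, destination port, protocol, service); the baseline, the IP addresses and the hypothetical PLC/engineering-workstation roles are all assumptions for illustration.

```python
"""Passive OT asset inventory and baseline deviation check (added example)."""
from dataclasses import dataclass, field

# Constructed conn.log-style records: ts, src, dst, dst_port, proto, service.
# 10.10.1.x are hypothetical engineering hosts, 10.10.2.x hypothetical PLCs.
SAMPLE_CONN_LOG = """\
1700000000.1\t10.10.1.5\t10.10.2.20\t502\ttcp\tmodbus
1700000001.4\t10.10.1.5\t10.10.2.21\t502\ttcp\tmodbus
1700000002.0\t10.10.1.9\t10.10.2.20\t44818\ttcp\tenip
1700000003.7\t10.10.3.77\t10.10.2.20\t502\ttcp\tmodbus
1700000004.2\t10.10.1.5\t10.10.2.20\t22\ttcp\tssh
"""

# Constructed "known good" baseline (e.g. exported from a CMDB or learned in an
# earlier window): approved hosts and the services each may initiate.
BASELINE = {
    "10.10.1.5": {"modbus"},
    "10.10.1.9": {"enip"},
    "10.10.2.20": set(),  # PLC: expected to act as server only
    "10.10.2.21": set(),
}


@dataclass
class Asset:
    ip: str
    first_seen: float
    last_seen: float
    services_as_client: set = field(default_factory=set)
    services_as_server: set = field(default_factory=set)
    peers: set = field(default_factory=set)


def parse_conn_log(text):
    """Yield (ts, src, dst, port, proto, service) tuples from tab-separated lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, service = line.split("\t")
        yield float(ts), src, dst, int(port), proto, service


def build_inventory(text):
    """Build an {ip: Asset} inventory from observed connections only."""
    assets = {}
    for ts, src, dst, port, proto, service in parse_conn_log(text):
        for ip in (src, dst):
            asset = assets.get(ip)
            if asset is None:
                assets[ip] = asset = Asset(ip, ts, ts)
            asset.first_seen = min(asset.first_seen, ts)
            asset.last_seen = max(asset.last_seen, ts)
        assets[src].services_as_client.add(service)
        assets[dst].services_as_server.add(service)
        assets[src].peers.add(dst)
        assets[dst].peers.add(src)
    return assets


def find_deviations(assets, baseline):
    """Return (unknown_hosts, new_client_services) relative to the baseline.

    unknown_hosts: IPs seen on the wire that the baseline does not list.
    new_client_services: {ip: [services]} an approved host initiated but is
    not approved for (e.g. a workstation suddenly opening SSH to a PLC).
    """
    unknown = sorted(ip for ip in assets if ip not in baseline)
    new_services = {}
    for ip, asset in assets.items():
        if ip in baseline:
            extra = asset.services_as_client - baseline[ip]
            if extra:
                new_services[ip] = sorted(extra)
    return unknown, new_services


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_CONN_LOG)
    for ip, asset in sorted(inventory.items()):
        print(ip, "client:", sorted(asset.services_as_client),
              "server:", sorted(asset.services_as_server),
              "peers:", sorted(asset.peers))
    print("unknown hosts / new services:", find_deviations(inventory, BASELINE))
```

Run against the constructed sample, the inventory lists five hosts, flags 10.10.3.77 as a host the baseline never approved, and flags 10.10.1.5 for initiating SSH to a PLC when only Modbus was approved. In practice the records would come from a SPAN or TAP feed and the baseline from an asset register, but the shape of the check is the same: inventory first, then deviation from what the inventory says is normal.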
How Does Greater Visibility Help Defend Critical Networks?
According to data from McKinsey and Company, “approximately 96 percent of business leaders indicate the need to invest in OT cybersecurity, and approximately 70 percent of those who have invested in it are facing implementation challenges.” The key to effective network monitoring and risk management lies in using that information to build an accurate view of risk.
Armed with information, an organisation can identify risks and threats active in their environment. “Taking a dual approach (consisting of both top-down and bottom-up elements) to assess OT cybersecurity allows organizations to identify critical risks to OT environments and operations quickly. This is a key starting point for industrial organizations in their journeys to ensure protection against the cyberattacks that present a risk to their operations.”
Based on AI behaviour-based analytics and signature-based detection engines, the Nozomi platform detects security incidents, policy breaches and process anomalies that could affect the delivery of essential products, resources and services. If network activity is not monitored in real time, the status of assets, and whether or not they carry vulnerabilities, remains largely unknown; without that visibility into their day-to-day behaviour, these assets cannot be protected.