Since the European Union (EU) signed the second version of the Network and Information Security (NIS2) Directive in December 2022, there has been a real frenzy all around Europe about it. NIS2 is now on top of the priority lists of most European Chief Information Security Officers (CISO). But do you know what it is? And most importantly, should you be concerned?
You probably have no choice but to comply with NIS2
The short answer is: Yes! If you work for an organization in an industry sector listed in the NIS2 Directive as critical for the resilience of the European economy, or are a supplier to any of these organizations, the NIS2 regulation should be on your agenda. It is designed to force industries across the EU to strengthen their cybersecurity practices and ensure their suppliers and service providers are not introducing any cyber risks to their operations.
The initial version of NIS voted in 2016 only affected a few critical European organizations. This second version is a completely different beast. Almost all organizations operating in most industry sectors must comply. And if you are found to be out of compliance, regulation authorities across member states can impose hefty financial penalties, and even name monitoring officers to oversee your cybersecurity strategy. For comprehensive details on which organizations must comply and the sanctions regime, read this white paper.
Industrial networks must enforce strong security controls
But what does the NIS2 Directive mandate exactly? The comprehensive list of measures can be found in the same white paper, but if you run an industrial organization, here is what you should look for to ensure your operational technology (OT) infrastructure is compliant:
- Deploy certified OT components. Your OT infrastructure is as strong as its weakest point. NIS2 requires you to ensure the OT devices you are deploying are not introducing cyber risks to your operations. Fortunately, the ISA/IEC 62443 Part 4-1 and Part 4-2 standards define what a secure OT asset is. All Cisco products are developed according to a lifecycle process which is Part 4-1 certified. Cisco industrial switches are certified for Part 4-2 compliance. Ask your networking vendors for their certifications.
- Assess and prioritize OT cyber risks. Many organizations still don’t have a detailed inventory of what’s connected to their industrial network. NIS2 requires you to have visibility into your OT security posture so you can drive best practices. Cisco Cyber Vision automatically builds a comprehensive inventory of assets and their communications activities. It calculates risks scores to help you prioritize risks to be remediated. Unique in the industry, Cyber Vision also leverages scores from Cisco Vulnerability Management to prioritize vulnerabilities based on whether they are actively exploited in the field.
- Implement zero-trust inside your network. Most industrial networks have grown to become large layer 2, flat networks. Malicious traffic can easily spread and compromise your entire operations. ISA/IEC 62443 Part 3-3 requires segmenting the network into small zones of trust where assets can communicate only with those they need to run the industrial process. Cyber Vision together with Cisco Identity Services Engine (ISE) can build these zero-trust segmentation policies and work with Cisco industrial network equipment to enforce them without the need for additional hardware.
- Migrate to zero-trust remote access. Enabling vendors and contractors to remotely access industrial assets is critical to run operations. Cellular gateways that IT is not controlling are at odds with both OT and IT security requirements. VPNs have drawbacks of being always-on solutions with all-or-nothing access to all OT assets. Cyber Vision’s remote access reports list all these backdoors so that IT can take control back. Use Cisco Secure Equipment Access (SEA) to enable Zero-Trust Network Access (ZTNA) to your operational environments. SEA hides assets from discovery so remote users have access only to necessary devices, and restricts access to specific times. It enforces strong security controls such as multifactor authentication (MFA) and security posture checks, and it can record sessions for compliance and security audits.
- Detect and report incidents. NIS2 also requires having the tools in place to quickly detect incidents and be able to take action. The regulation defines a strict reporting timeline, and organizations are expected to run comprehensive investigations to help the entire community better understand and protect against new threats. Cisco XDR aggregates intelligence from all security tools deployed in the environment to provide a 360° view in a unified dashboard. It streamlines detection and investigation across both IT and OT domains, making threat hunting and remediation more effective.
Learn more about NIS2 for industries in our free webinar
To learn more about what industrial organizations should implement to comply with NIS2 and secure operations, have a look at our NIS2 for Industries solution overview. Our OT security experts will discuss it in more details during a webinar on March 5th. Save your seat and register now!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!
Cisco Security Social Channels
Instagram
Facebook
Twitter
LinkedIn
