OT environments are the weak link for organizations looking to become NIS2 compliant. The specific challenges of OT also mean that the security of the operating environment cannot easily be integrated into an IT process. How do you solve this?

NIS2 forces Belgian and European companies to improve their cybersecurity. The guide encourages organizations to take a risk-based approach to their cybersecurity and protect themselves. In an IT context, this isn’t too complex: companies that have taken security seriously in recent years are usually already more or less NIS2 compliant.

The situation is different for organizations with operational environments, for example in the manufacturing industry. OT environments are unique, fragile and often old environments that are very critical. When a ransomware attack hits the IT infrastructure and paralyzes the marketing department, it is very annoying. However, if there is a production stoppage in the factory, costs rise quickly.

NIS2 for OT?

ITdaily brings together five experts to discuss the challenges of NIS2, with the impact of regulation on OT environments proving to be a key theme. Sitting at the table are Alex Ongena, CEO and founder of AXS Guard, Ron Nath Mukherjee, Cyber ​​Security Consultant at Eset, Driek Desmet, System Engineer at Easi, Koen Pauwelyn, responsible for Industrial Cybersecurity Services at Siemens and Yoran Dons, ICS Security Consultant at SoterICS.

Mukherjee asks an important question: “Should there be a special NIS2 for OT?” The other experts at the table don’t think so. However, there is consensus that tackling OT environments in the context of NIS2 is a different task.

Zero on the base measurement

“There are a lot of legacy solutions running in the OT environment,” explains Pauwelyn. “There you can find Windows XP computers or even older systems, for example. Sometimes there are PLCs (Programmable logic controllers) of forty years. Of course, you cannot provide such systems with the latest security updates. They require a specific approach.”

In an OT environment, you will find older systems that you cannot easily provide with the latest security updates.

Koen Pauwelyn, responsible for Industrial Cybersecurity Services at Siemens

This impacts how companies should view their security. Everything starts with basic measurement: Measuring is knowledge and you can only improve something if you know the initial situation.

Pauwelyn: “If you do such a baseline measurement of the state of the OT environment, everything gets a value of zero. However, you can’t create one NIS2 report for IT and one for OT: everything belongs together. OT is the weak link.”

Clear cost picture

Therefore, it is important to make the OT environment more secure. In any case, the associated costs are easier to justify than for IT. It is difficult to calculate the costs if the above-mentioned marketing department is down, but it is different for a production line.

In an OT environment, the costs of a cyber incident can be easily calculated. An organization knows exactly how much a minute of downtime costs. It takes time to restore the environment after a hack, reset everything, and restore backups. If you can shorten this period by, for example, two or three days, you can easily calculate how much you will save with such an investment.

OT is therefore a critical link that requires attention. This attention is also easy to justify financially. What’s the next step?

Don’t just switch off

“For example, upgrading the XP machines is not an option,” Pauwelyn continues. “There are entire production lines behind these devices. Some companies run continuously for ten years. “It is impossible to shut down the production line,” agrees Desmet. Because shutting down such a line could cost millions.”

Shutting down the production line is impossible; it could cost millions.

Driek Desmet, systems engineer at Easi

It’s not that such companies simply ignore NIS2. “They are also waiting for this window, but in the meantime they must comply with NIS2. “It’s a challenge,” says Pauwelyn.

Multi-layered security

Dons calms down. “There are ways to deal with it. In my opinion the most important thing lies in the architecture and especially in the way you divide the network. Security always comes in multiple layers. For example, if you want to update an XP system, you will immediately find yourself at one of the last levels. There are still many things that can be added.” In other words, Dons doesn’t want to focus on things that can’t be easily improved, as there are enough architectural options that can and are feasible to increase the security of OT environments .

He continues: “The importance of surveillance was already discussed at NIS1 and it was a sensitive issue at the time. A lot has changed since then and many sophisticated tools have appeared. People and companies are starting to better understand the revenue model around OT security.”

Architecture and segmentation

“The best thing you can do now is focus on the architecture,” repeats Dons. In particular, he talks about network segmentation: If components within the OT network are sensitive, you need to shield them and stop threats before they can reach the OT network.

The best thing you can do is focus on the architecture.

Yoran Dons, ICS security consultant at SoterICS

Ongena agrees. AXS Guard has therefore developed specific OT solutions. “Segmentation plays an important role, as does non-invasive viewing of what is happening on the network.”

Monitor and collect

By monitoring access, a security system can learn the normal behavior of an OT environment. With anomaly detection it is then possible to detect and block strange traffic, allowing only legitimate traffic.

“In addition, companies need to collect their OT assets,” says Ongena. “This is a big problem, especially with legacy systems. Organizations no longer always know what is where. A subcontractor may have installed a machine at some point but has since left.” The rest of the table nods. “That’s why automatic inventory is also very important.”

Fast but dangerous

Ongena understands that sometimes things can go wrong. “More and more control systems require Internet access. During installation, contractors solve this problem, for example, by quickly installing a small router that bypasses all security measures. As long as there is internet. Something like that should be banned, but then you also have to offer a solution. You need to provide an internet connection that you can then monitor.”

Sometimes the only solution is to put things in a box with a lock.

Alex Ongena, CEO and Founder AXS Guard

The table agrees on one important point: forcing IT principles on OT doesn’t work. The OT environment needs its own specific approach. Ongena further illustrates: “Sometimes the only solution is to put things in a box with a lock. This seems old, but it’s true. For example, you can physically close USB ports. You don’t see that in the IT world anymore.”

Culture shock

There are technical and practical solutions, but the job is not done yet. Every project depends on the people. “There is also a need for training,” confirms Ongena. “Especially in the OT world. People who work there usually have a different education. They have less knowledge about the IT world and security. We have to provide targeted further training. However, it is not always easy to explain why this is necessary. You really have to explain it from the beginning.”

“Culture plays an important role,” agrees Dons. Organizations need to take this into account in their OT approach. With an understanding of the complexity of the OT environment and a tailored action plan, even companies with complex production environments can pursue NIS2 compliance.

This is the second editorial article in a series of three articles on the topic of NIS2. Click on our topic page to see all roundtable articles, the video and our partners.