
NIS2 Directive and IIoT

As industrial computing and embedded systems become increasingly interconnected through initiatives like the Industrial Internet of Things (IIoT) and Industry 4.0, the cybersecurity landscape is evolving at a rapid pace. We have produced a comprehensive overview of the Network and Information Systems Directive 2 (NIS2), a regulatory framework established by the European Union to enhance cybersecurity for critical infrastructure. 

We explore key questions such as: What is NIS2? What are the requirements for compliance? When does it come into effect? How will it impact industrial IT and Operational Technology (OT) networks? What effect will NIS2 have on the UK?

Cybersecurity in Operational Technology (OT) Networks

Operational Technology (OT) networks control physical processes and machinery, making them critical to industrial operations. Unlike traditional IT systems, OT networks require unique security considerations due to their direct impact on physical processes.

While OT is exposed to the same cyber security issues as domestic and traditional IT infrastructures, Operational Technology networks carry a number of added risks.

Common Threats to OT Networks

Increased Attack Surface

More connected devices mean more potential entry points for cyber threats.

Complexity of Systems

The complexity of interconnected components increases the potential for vulnerabilities.

Sophistication of Threats

Cyber threats are becoming more advanced and targeted.

Regulatory Requirements

Compliance with regulations necessitates ongoing cybersecurity improvements, which in turn require additional investment.

Critical Infrastructure Targeting

Systems controlling essential services such as power plants and transportation face a high risk of deliberate, targeted attack.

"The NIS2 Directive expands the scope of its predecessor to cover medium and large entities from more sectors, including providers of public electronic communications networks, digital services, waste management, and space services."

(NIS2 Directive, Recital 4)

What is the NIS2 Directive?

The Network and Information Systems Directive 2 (NIS2) is a regulatory framework established by the European Union (EU) to enhance cybersecurity across critical sectors. It replaces the original NIS Directive, whose categories of Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs) give way to the broader "essential" and "important" entities described below.

It aims to address the evolving cyber threats and ensure the resilience of critical infrastructure sectors.

Key Measures of NIS2 Regulation

NIS2 mandates that organizations implement comprehensive cybersecurity measures, including risk management, incident reporting, and cooperation with national authorities. 

These legal obligations are designed to enhance the overall security posture of critical infrastructure.

Access Control Policies and Asset Management

Organizations must train their employees in security practices, manage access rights to systems, and monitor the use of IT assets.

Security for Network and IS Acquisition, Development and Maintenance

When acquiring new software or equipment, organizations must check it for known vulnerabilities before deployment, apply patches where necessary, and have a process for handling and disclosing vulnerabilities found later.

Secure Communication Tools and Emergency Communication Systems

Companies need secure communications resources to coordinate responses in the event of a major incident, such as a crisis room equipped with reliable communications technology.

Incident Handling

Organizations must have a cyber-attack response plan, including notification of incidents to the appropriate authorities.

Risk Analysis

Companies need to define procedures to assess the vulnerabilities of their information systems and draw up a security policy to mitigate these risks.

Business Continuity & Recovery

Organizations need to draw up a business continuity plan to guarantee the availability of their services in the event of a disruption, such as a server failure.

Cryptography

Organizations must define policies on the use of cryptography to protect sensitive data, for example by encrypting sensitive communications.

Assessment of Cyber Risk Management Measures

Organizations must regularly reassess their security posture through audits and vulnerability tests.

Industries Affected by NIS2 Directive

The NIS2 Directive, as outlined in the EU’s February 2023 briefing, identifies a broad range of industries that will be impacted. The directive categorizes affected businesses into "essential" and "important" entities, depending on their role and impact on critical infrastructure and services. Here is a detailed list of the sectors and subsectors:

Essential Entities

These industries are considered as 'Essential' within the NIS2 Directive and are required to fully adhere to the guidelines.

The size thresholds vary across sectors, but in general these are large enterprises: 250 or more employees, or an annual turnover above €50 million and a balance sheet total above €43 million.

NIS2 Essential Entities (sectors):
  • Energy
  • Transportation
  • Banking
  • Financial markets
  • Health sector
  • Drinking water
  • Waste water
  • Digital infrastructure
  • Public administration
  • Space

Important Entities

These industries are considered 'Important' within the NIS2 Directive. As with 'Essential Entities', those within the thresholds and specific industries must fully adhere to the risk-management and reporting obligations of NIS2; the difference is in supervision, which for important entities is carried out after the fact (ex post) rather than proactively.

As with Essential Entities, the size threshold for Important Entities varies by sector, but in general they are medium-sized enterprises: 50 or more employees, or an annual turnover or balance sheet total above €10 million.

NIS2 Important Entities (sectors):
  • Postal services
  • Waste management
  • Chemical industry
  • Food sector
  • Manufacturing
  • Digital providers

Timeline for Compliance with NIS2

NIS2 came into force on January 16, 2023. Member States of the EU have until October 17, 2024, to adopt and publish the necessary measures to comply with the directive.

Timeline: 16 January 2023, NIS2 enters into force; 17 October 2024, compliance deadline for Member States.

Global Implications of NIS 2

NIS2 Beyond the EU

NIS2 has significant implications beyond the European Union, affecting global cybersecurity practices and regulatory landscapes. NIS2 broadens the scope of critical sectors and introduces stricter cybersecurity requirements, impacting companies outside the EU that do business within its member states. These non-EU companies must comply with NIS2 standards to maintain market access, which often involves enhancing their cybersecurity measures, reporting mechanisms, and incident response capabilities.

Moreover, NIS2's influence extends beyond direct regulatory compliance, setting a new benchmark for cybersecurity standards globally. It encourages non-EU countries and multinational corporations to align their policies with these stringent requirements to streamline operations and mitigate risks. This harmonization could lead to a more robust global cybersecurity framework, as countries and companies adopt similar standards to those set by the EU, fostering better collaboration and a more secure digital ecosystem worldwide. This cross-border regulatory alignment may also help in addressing cyber threats more efficiently, as consistent standards facilitate coordinated responses to cyber incidents, benefiting the global digital economy.

"Member States shall ensure that essential and important entities assess cybersecurity risks and adopt appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems."

(NIS2 Directive, Article 18, Paragraph 1)

NIS2 & the UK

With the UK's exit from the European Union, there has been some uncertainty regarding the impact and applicability of EU regulations such as NIS2 on British organizations. Despite not being an EU member, the UK has a vested interest in maintaining robust cybersecurity measures for its critical infrastructure, and it continues to align closely with many international standards, including those established by the EU.

While the NIS2 Directive specifically targets EU member states, the UK's commitment to maintaining a high standard of cybersecurity means that it is likely to adopt similar measures. The UK government has indicated its intention to update its NIS Regulations to ensure they remain aligned with international best practices and evolving threats.

Key areas where UK regulations may align with NIS2 Directive include:

Enhanced Risk Management

Like NIS2, the UK will continue to emphasize comprehensive risk management practices to identify and mitigate cyber risks.

Incident Reporting

The UK already has stringent incident reporting requirements in place, which are expected to be further refined in line with NIS2's standards.

Cooperation with National Authorities

The UK maintains a strong framework for cooperation and information sharing between operators, digital service providers, and national cybersecurity authorities.

The Role of the National Cyber Security Centre (NCSC)

The National Cyber Security Centre (NCSC) plays a pivotal role in the UK's cybersecurity strategy. 

It provides guidance, support, and resources to organizations to help them comply with NIS Regulations and enhance their overall cybersecurity posture. 

The NCSC is likely to continue aligning its guidance with the principles outlined in NIS2, ensuring UK organizations benefit from the latest best practices in cybersecurity.

Complying with NIS2 Requirements

To comply with NIS2 Directive, organizations must adopt various cybersecurity measures such as intrusion detection systems, encryption, secure coding practices, network segmentation, and regular security audits.

Security should be integrated into the design phase of industrial systems rather than added as an afterthought. This proactive approach ensures that security considerations are embedded in the system architecture.

Practical NIS2 Compliance Steps

Engineers can enhance network security by implementing:

  • Intrusion Detection Systems: Monitoring network traffic for suspicious activity.
  • Encryption: Protecting data in transit and at rest.
  • Secure Coding Practices: Developing software with security in mind.
  • Network Segmentation: Isolating critical systems to limit the impact of potential breaches.
  • Regular Audits: Conducting frequent security assessments and updates.
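Network segmentation and intrusion detection come together in one practical check: verify that the conduits between zones are actually honoured by the traffic you observe. The following is an added example, not code from the original page or from any vendor named on it. It audits constructed flow records (the kind a switch's NetFlow export or a Zeek conn log would give you) against a hypothetical IT / DMZ / OT / PLC zone model and flags traffic that crosses a zone boundary without an approved conduit, uses a port not approved for that conduit, comes from a host not authorised to reach controllers, or originates from an address in no inventoried zone. All addresses, ports, host roles and zone names are assumptions made up for the example.

```python
"""Audit flow records against an IT/OT segmentation policy (added example).

Hypothetical zone model (addresses are invented for this example):
  IT   10.1.0.0/16   corporate workstations and servers
  DMZ  10.2.0.0/24   jump host and historian replica
  OT   10.3.0.0/24   SCADA server and engineering workstation
  PLC  10.3.1.0/24   controllers (Modbus/TCP 502, S7comm 102)

Policy: IT may only reach the DMZ; only the DMZ may initiate into OT;
only designated OT hosts may reach PLCs, and only on control protocol ports.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT": ipaddress.ip_network("10.3.0.0/24"),
    "PLC": ipaddress.ip_network("10.3.1.0/24"),
}

# Approved conduits: (src zone, dst zone) -> permitted destination ports,
# or None when any port is allowed inside the zone.
CONDUITS = {
    ("IT", "DMZ"): {443, 3389},
    ("DMZ", "OT"): {443, 3389},
    ("OT", "PLC"): {502, 102},
    ("IT", "IT"): None,
    ("OT", "OT"): None,
    ("PLC", "PLC"): None,
}

# Only these OT hosts may initiate connections to controllers (assumed roles).
PLC_AUTHORIZED = {
    ipaddress.ip_address("10.3.0.5"),   # SCADA server
    ipaddress.ip_address("10.3.0.10"),  # engineering workstation
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src sport dst dport proto."""
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto)


def zone_of(addr: ipaddress.IPv4Address) -> str:
    """Longest-prefix match of an address to a zone; UNKNOWN if uninventoried."""
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else "UNKNOWN"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation reason, or None when the flow is permitted by policy."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if "UNKNOWN" in (sz, dz):
        return f"unknown zone ({sz}->{dz}): unmanaged asset on the network"
    if (sz, dz) not in CONDUITS:
        return f"no conduit {sz}->{dz}"
    allowed_ports = CONDUITS[(sz, dz)]
    if allowed_ports is not None and flow.dport not in allowed_ports:
        return f"{sz}->{dz} on unapproved port {flow.dport}"
    if dz == "PLC" and sz != "PLC" and flow.src not in PLC_AUTHORIZED:
        return f"host {flow.src} is not authorized to reach controllers"
    return None


def audit(lines: Iterable[str]) -> List[Tuple[Flow, str]]:
    """Run every record through the policy and collect the violations in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed sample records (not captured from a real network).
SAMPLE_FLOWS = """\
# ts src sport dst dport proto
2024-10-17T08:00:01Z 10.1.5.20 51000 10.2.0.10 443 tcp
2024-10-17T08:00:02Z 10.2.0.10 52000 10.3.0.10 3389 tcp
2024-10-17T08:00:03Z 10.3.0.10 53000 10.3.1.7 502 tcp
2024-10-17T08:00:04Z 10.3.0.5 53001 10.3.1.7 502 tcp
2024-10-17T08:00:05Z 10.1.5.20 51001 10.3.1.7 502 tcp
2024-10-17T08:00:06Z 10.3.0.44 53002 10.3.1.7 502 tcp
2024-10-17T08:00:07Z 10.3.0.10 53003 10.3.1.7 80 tcp
2024-10-17T08:00:08Z 192.168.99.9 40000 10.3.1.7 502 tcp
"""

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.ts} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"{flow.proto}: {reason}")
```

Of the eight constructed records, the first four are legitimate (IT to DMZ, DMZ jump into OT, and the two authorised OT hosts polling a controller on Modbus/TCP); the remaining four are exactly the cases segmentation is meant to stop: a corporate workstation talking straight to a PLC, an unlisted OT host reaching the controller, the engineering workstation using a non-control port, and a device from no inventoried zone. The order of the checks matters: an address outside every zone is reported as an inventory problem before any conduit logic runs, so rogue devices are not masked by a coincidentally matching port rule.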

Organizations as a whole can help by promoting a cybersecure culture

Organizations should foster a culture of cybersecurity through regular training and awareness programs. Employees should be educated about the latest threats and best practices to mitigate risks.

"Entities shall notify, without undue delay, the competent authorities or the CSIRT of any incident having a significant impact on the provision of their services, including any measures taken to mitigate the effects of the incident and the impact of such measures."

(NIS2 Directive, Article 23, Paragraph 1)

Upgrading to 62443-4-2 Adherent Devices for NIS2 Compliance

One of the key strategies for ensuring compliance with the Network and Information Systems Directive 2 (NIS2) is upgrading your industrial equipment to adhere to the IEC 62443-4-2 standard. 

This part of the IEC 62443 series specifies technical security requirements for the components of Industrial Automation and Control Systems (IACS): embedded devices, network devices, host devices and software applications. By upgrading to devices certified against IEC 62443-4-2, organizations can significantly enhance their cybersecurity posture and align with NIS2 requirements. Upgrading devices does not by itself make you NIS2 compliant, but it addresses the technical device-level controls and lets you focus on the organizational areas of the directive.

Learn more about IEC 62443-4-2

Benefits of IEC 62443-4-2 Adherence

The IEC 62443 series as a whole covers security management, policies and procedures, and technical security measures; Part 4-2 defines the component requirements, organized into seven foundational requirements and graded by security level (SL 1 to 4), so that a device's security capability can be matched to the target level of the zone it is deployed in. Key benefits of upgrading to 62443-4-2 adherent devices include:

Enhanced Security Posture

Adhering to IEC 62443-4-2 means a device has been assessed against the seven foundational requirements of the series (identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability) at a stated security level, so features such as authentication, authorization and encryption are present and verified rather than assumed, reducing the risk of cyber-attacks.

Compliance with Regulatory Requirements

IEC 62443-4-2 is recognized globally and aligns with the cybersecurity requirements outlined in NIS2. Upgrading to compliant devices helps meet these legal obligations.

Improved Risk Management

The IEC 62443 series is built around zone-and-conduit risk assessment (Part 3-2) and target security levels for each zone; selecting 4-2 certified components whose capability security level meets the zone's target level lets organizations tie the vulnerabilities they identify to concrete, verifiable controls.

Interoperability and Standardization

Devices that adhere to IEC 62443-4-2 share a common vocabulary of security capabilities and levels, which simplifies specifying, procuring and integrating devices from different suppliers across an industrial network.

Role of Manufacturers Like Moxa

Leading manufacturers such as Moxa are at the forefront of developing IEC 62443-4-2 compliant devices, providing organizations with reliable and secure solutions for their industrial networks. Moxa’s commitment to cybersecurity is evident in their product offerings, which include a range of networking devices and industrial automation solutions designed to meet stringent security standards.

Key 62443-4-2 Certified Products from Moxa

UC-8200 Series Industrial Computers

These are the first industrial computers certified to IEC 62443-4-2. They feature a security-hardened platform with embedded security mechanisms such as hardware root of trust and secure boot processes. 

EDR-G9010 and TN-4900 Series Secure Routers

These industrial routers have achieved IEC 62443-4-2 Security Level 2 certification. They offer features such as deep packet inspection (DPI), intrusion prevention systems (IPS), and robust firewall capabilities.

EDS-4000/G4000 Series Managed Ethernet switches

The Moxa EDS-4000 and EDS-G4000 series industrial managed Ethernet switches are certified under the IEC 62443-4-2 standard. This certification is part of Moxa's broader efforts to enhance cybersecurity for industrial networking solutions. 

Learn More About Moxa

Implementing IEC 62443-4-2 Compliant Devices

To achieve compliance with NIS2 through the adoption of IEC 62443-4-2 adherent devices, organizations should consider the following steps:

Assessment and Planning: Conduct a thorough assessment of your current infrastructure to identify areas that require upgrades. Develop a comprehensive plan to transition to IEC 62443-4-2 compliant devices.

Vendor Selection: Choose reputable manufacturers like Moxa that offer certified IEC 62443-4-2 compliant products. Check the certificate itself: which product models and firmware versions it covers and to which security level (SL 1 to 4), and match that to the target level of the zone the device will sit in. Ensure that these products also meet your specific industrial requirements.

Integration and Deployment: Implement the new devices into your network, ensuring proper configuration and integration with existing systems. Follow best practices for network segmentation and secure deployment.

Ongoing Management and Monitoring: Continuously monitor the network for potential threats and perform regular security audits. Keep devices updated with the latest firmware and security patches.

The introduction of NIS2 underscores the critical need for robust cybersecurity measures in industrial IT. Organizations must prioritize cyber resilience by integrating security into their operations and promoting a culture of cybersecurity awareness. By doing so, they can safeguard their critical infrastructure from evolving cyber threats.

Discover More

Discover more about NIS2 and how to become NIS2 compliant today. Contact us using the short form below and one of our experts will call you back to discuss your needs.