
NIS2 Directive:
Implementation and Compliance in OT Networks
Guideline
OT security, or operational technology security, refers to the protection of systems used to monitor and control physical devices, processes and infrastructure in industrial environments. These include, but are not limited to, systems such as SCADA (Supervisory Control and Data Acquisition), ICS (Industrial Control Systems), IIoT (Industrial Internet of Things) and other automation technologies.
The same NIS2 cybersecurity solutions are needed for OT networks as for IT networks. At the same time, however, the focus of security objectives in OT networks is defined differently and additional challenges exist:
The main objectives of OT security are:
- Protection against cyber attacks: Ensuring that systems are protected against unauthorized access and cyber threats.
- Integrity of systems: Ensuring that the data and processes in the OT systems are unaltered and reliable.
- Availability: Ensuring that the systems are operational at all times to ensure the smooth operation of critical infrastructure.
- Security of physical infrastructure: Protecting the physical components used in production and operations.
Special challenges of OT security:
- Integration and collaboration of IT and OT: The increasing networking of IT and OT systems (e.g. through IoT) creates new attack surfaces and requires a holistic security strategy. In the past, OT systems were isolated from the rest of the company and the internet. As processes are digitized and new Industry 4.0 technologies are deployed, companies need seamless communication between IT, cloud, and operational networks.
- Legacy systems: Many OT systems are outdated and were not developed with modern security standards in mind. They are vulnerable to malicious traffic such as DDoS and vulnerability exploits. Most companies do not have a comprehensive, up-to-date inventory of the OT resources that need to be protected. As a result, vulnerabilities, threats from internet traffic and misconfigurations are not detected in time.
- Real-time requirements and availability are paramount: OT systems often have to work in real time, which means that security measures must not impair the performance or responsiveness of the systems.
NIS2 implementation in OT networks:
The same cybersecurity solutions are required for OT networks as for IT networks. However, additional measures must be taken to address the specific challenges and circumstances of OT networks.
It is therefore natural to draw on best practices from ISO 27001 (see also NIS2 implementation IT security) and from the corresponding industry standards (NIST, IEC 62443) when implementing the NIS2 directive.
Important steps to achieve NIS2 compliance in OT environments:
1. Implementation of an ISMS (ISO 27001)
Develop an ISMS (ISO 27001) that addresses the specific requirements of your organization, industry, and NIS2 policy. (see also NIS2 Implementation IT Security)
2. Develop concepts related to risk analysis and information security:
- Conduct a comprehensive inventory of all OT systems and components, including asset discovery and description.
- Identify potential risks and vulnerabilities in the OT networks.
- Establish uniform assessment methods for identified risks.
- Document risks and their assessments in a standardized and clear form.
- Based on the risk assessment, organizations must develop comprehensive risk management plans that include risk mitigation, monitoring, and reporting measures.
- Establish procedures for continuous risk analysis and assessment.
- Define security policies, procedures, and responsibilities.
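The following is an added example, not part of this guideline: it shows how the inventory, uniform assessment and standardized documentation steps above fit together in code. A small constructed OT asset inventory is scored with one likelihood x impact rule set, sorted into a prioritized risk register with a treatment per risk level, and counted into the cells of a heat map. The asset data, the 1-5 scales, the scoring rules, the threshold values and the treatment texts are all assumptions made for the example; the guideline itself prescribes none of them.

```python
"""Added example, not part of the NIS2 guideline: a small OT asset inventory
assessed with one uniform likelihood x impact method, turned into a prioritized
risk register and a heat-map count. All assets, scales and scoring rules are
constructed assumptions for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_STALE_DAYS = 365               # assumption: a patch older than a year raises likelihood
ASSESSMENT_DATE = date(2025, 1, 10)  # constructed date of this assessment run


@dataclass
class OTAsset:
    asset_id: str
    name: str
    zone: str                    # network zone/segment the asset sits in
    protocol: str
    vendor_supported: bool       # False for legacy systems without security patches
    internet_exposed: bool       # reachable from internet-facing networks
    safety_relevant: bool        # a compromise can endanger people or equipment
    last_patched: Optional[date] # None means never patched


@dataclass
class Risk:
    risk_id: str
    asset_id: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    treatment: str

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Uniform thresholds so every assessor maps a score to the same level (assumed values)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


TREATMENT = {
    "critical": "mitigate now: isolate in own zone, restrict conduits, add compensating controls",
    "high": "mitigate within the risk management plan; monitor until closed",
    "medium": "monitor; review at next periodic assessment",
    "low": "accept and document",
}


def assess_asset(asset: OTAsset, assessment_date: date) -> Risk:
    """Apply the same rules to every asset; the rules are assumptions for this example."""
    likelihood = 2  # baseline: opportunistic malicious traffic reaches any networked asset
    if asset.internet_exposed:
        likelihood += 1
    if not asset.vendor_supported:
        likelihood += 1  # no fixes will ever arrive for known vulnerabilities
    never_or_stale = (asset.last_patched is None
                      or (assessment_date - asset.last_patched).days > PATCH_STALE_DAYS)
    if never_or_stale:
        likelihood += 1
    likelihood = min(likelihood, 5)
    # Impact: loss of availability or control on a safety-relevant asset is the worst case
    impact = 5 if asset.safety_relevant else 3
    level = risk_level(likelihood * impact)
    return Risk(
        risk_id=f"R-{asset.asset_id}",
        asset_id=asset.asset_id,
        threat="exploitation of unpatched vulnerability / unauthorized access",
        likelihood=likelihood,
        impact=impact,
        treatment=TREATMENT[level],
    )


def build_register(assets: list, assessment_date: date) -> list:
    """Risk register ordered from highest to lowest score (stable for equal scores)."""
    risks = [assess_asset(a, assessment_date) for a in assets]
    return sorted(risks, key=lambda r: r.score, reverse=True)


def heat_map(risks: list) -> dict:
    """Number of risks per (likelihood, impact) cell, the raw data behind a heat map."""
    cells = {}
    for r in risks:
        cells[(r.likelihood, r.impact)] = cells.get((r.likelihood, r.impact), 0) + 1
    return cells


# Constructed inventory for the example (not real assets)
INVENTORY = [
    OTAsset("PLC-01", "Line 1 PLC", "control", "Modbus/TCP", False, False, True, None),
    OTAsset("HMI-01", "Line 1 HMI", "supervisory", "OPC UA", True, False, False, date(2024, 11, 2)),
    OTAsset("RTU-07", "Pump station RTU", "remote", "DNP3", True, True, False, date(2023, 1, 15)),
    OTAsset("HIST-01", "Process historian", "dmz", "SQL", True, False, False, date(2024, 12, 1)),
]

if __name__ == "__main__":
    register = build_register(INVENTORY, ASSESSMENT_DATE)
    for r in register:
        print(f"{r.risk_id:9} L={r.likelihood} I={r.impact} score={r.score:2} "
              f"{risk_level(r.score):8} {r.treatment}")
    print(heat_map(register))
```

The never-patched legacy PLC in the safety-relevant zone lands at the top of the register as the only critical item, and the internet-exposed RTU with a stale patch level comes second; the two currently patched, non-exposed assets stay at medium. Because every asset is scored by the same function, two assessors produce the same register from the same inventory, which is what the "uniform assessment methods" step asks for.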
3. Establish an incident management system to handle security incidents (e.g. NIST Cybersecurity Framework (CSF), ISA99/IEC 62443):
The aim of the process for handling information security incidents is to take targeted action when an actual security breach or targeted cyber attack occurs in the organization.
The organization must define a classification of incidents that allows the severity to be determined. For example, a distinction between disruptions, security incidents, emergencies and crises. A corresponding incident response plan must be created that describes the processes after an incident has been detected and how the damage is contained or eliminated:
- Develop procedures for early attack detection.
- Develop procedures for fending off attacks.
- Classify incidents.
- Develop an incident response plan that describes how to respond to security incidents.
- Implement technical security measures such as firewalls, intrusion detection systems (IDS) and network segmentation to control access to critical OT systems.
- Ensure that all systems are regularly patched and updated.
- Conduct regular exercises to test responsiveness.
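The following is an added example, not part of this guideline: it connects three of the steps above, early attack detection, network segmentation and incident classification. A detection rule for an assumed zone conduit policy (only engineering workstations may write to PLCs, the supervisory zone may only read) is run over constructed zone-firewall log lines, and the findings are turned into an incident that is classified into the four classes the guideline names (disruption, security incident, emergency, crisis) together with the response steps each class triggers. The log format, the IP addresses and host roles, and the classification criteria are all assumptions made for this example.

```python
"""Added example, not part of the NIS2 guideline: a conduit-policy detection
rule over constructed zone-firewall log lines, followed by classification of
the resulting incident into disruption / security incident / emergency / crisis.
Log format, host roles and classification criteria are assumptions."""
import re
from dataclasses import dataclass

# Constructed log lines in an assumed key=value format (not a real product format)
LOG_LINES = [
    "ts=2025-01-10T08:00:01 src=10.10.1.5 dst=10.20.0.10 proto=modbus func=3 action=read",
    "ts=2025-01-10T08:00:07 src=10.10.1.5 dst=10.20.0.10 proto=modbus func=16 action=write",
    "ts=2025-01-10T08:01:12 src=10.10.9.77 dst=10.20.0.10 proto=modbus func=6 action=write",
    "ts=2025-01-10T08:01:30 src=10.10.9.77 dst=10.20.0.11 proto=modbus func=5 action=write",
    "ts=2025-01-10T08:02:00 src=10.30.0.4 dst=10.20.0.10 proto=modbus func=3 action=read",
]

# Assumed conduit policy between zones: engineering workstations may write to
# PLCs, hosts in the supervisory zone may only read, no other zone may reach PLCs.
ENGINEERING_HOSTS = {"10.10.1.5"}
SUPERVISORY_PREFIX = "10.10."
PLC_SAFETY_RELEVANT = {"10.20.0.10": True, "10.20.0.11": False}  # PLC address -> safety relevance

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict."""
    return dict(KV.findall(line))


def detect_violations(lines) -> list:
    """Return one finding per log line that breaks the conduit policy."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        src, dst, action = rec["src"], rec["dst"], rec["action"]
        if dst not in PLC_SAFETY_RELEVANT:
            continue  # only PLC-bound traffic is covered by this policy
        if action == "write" and src not in ENGINEERING_HOSTS:
            findings.append({"rule": "unauthorized_plc_write", "src": src, "dst": dst, "ts": rec["ts"]})
        elif action == "read" and not (src in ENGINEERING_HOSTS or src.startswith(SUPERVISORY_PREFIX)):
            findings.append({"rule": "cross_zone_plc_read", "src": src, "dst": dst, "ts": rec["ts"]})
    return findings


@dataclass
class Incident:
    malicious: bool           # attack indicator present, as opposed to a plain malfunction
    affected_plcs: set
    safety_relevant_hit: bool # an unauthorized write reached a safety-relevant PLC
    process_stopped: bool     # operations report a stopped process
    sites_affected: int


def build_incident(findings, process_stopped: bool = False, sites_affected: int = 1) -> Incident:
    """Aggregate detection findings plus operational facts into one incident record."""
    writes = [f for f in findings if f["rule"] == "unauthorized_plc_write"]
    return Incident(
        malicious=bool(findings),  # assumption: any conduit violation counts as an attack indicator
        affected_plcs={f["dst"] for f in findings},
        safety_relevant_hit=any(PLC_SAFETY_RELEVANT[f["dst"]] for f in writes),
        process_stopped=process_stopped,
        sites_affected=sites_affected,
    )


def classify(inc: Incident) -> tuple:
    """Map an incident to its class and the response steps it triggers (assumed criteria)."""
    if not inc.malicious:
        return "disruption", ["restore service via operations; no security response needed"]
    actions = ["contain: block the offending source at the zone firewall",
               "preserve firewall and PLC logs for analysis"]
    if inc.sites_affected > 1 or (inc.safety_relevant_hit and inc.process_stopped):
        return "crisis", actions + ["activate crisis team", "report to the BSI", "inform customers"]
    if inc.safety_relevant_hit or inc.process_stopped:
        return "emergency", actions + ["activate emergency plan", "report to the BSI"]
    return "security incident", actions + ["investigate the source host", "review conduit rules"]


if __name__ == "__main__":
    found = detect_violations(LOG_LINES)
    for f in found:
        print(f"{f['ts']} {f['rule']}: {f['src']} -> {f['dst']}")
    cls, steps = classify(build_incident(found))
    print(cls, steps)
```

On the constructed log the two writes from the non-engineering host 10.10.9.77 and the read from the foreign zone 10.30.0.4 are flagged; because one of the writes reached the safety-relevant PLC, the incident is classified as an emergency even before operations report a stopped process, and it escalates to a crisis once a process stop or a second site is involved. The value of such a rule lies in the allowlist: the segmentation concept decides which conduits are legitimate, and the detection only has to report what falls outside it.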
4. Maintaining operations:
- Multi-level backup management.
- Plans for rapid recovery after an emergency.
- Crisis management and communication plans.
- Avoid additional disruptions to OT processes.
- Business continuity plan.
5. Supply chain security:
Conduct a risk assessment for the security of the supply chain and in particular for the technical security requirements for components in the supply chain (e.g. ISA/IEC 62443 or NIST SP 800-82).
Information security is increasingly provided by suppliers by means of certifications. ISO 27001 or IT-Grundschutz are particularly suitable for this. In the automotive sector, TISAX® has been established.
NIS2 requires certifications for certain types of entities, in particular for operators of critical infrastructure. Likewise, components must also be certified if they are used in a critical OT network.
The requirements of ISO 27001 focus on various protective measures, such as defining processes and procedures and contractual arrangements with suppliers, and reporting channels for incidents. Risks from their IT infrastructure and supply chains must also be taken into account.
ISO 27036 offers a more precise consideration of the supply chain. It describes the necessary processes in detail.
It differentiates between:
- Supplier relationships for products
- Supplier relationships for services
- Supply chain for information technology
- Cloud computing
6. Security measures for the acquisition, development and maintenance of information technology systems, components and processes, including management and disclosure of vulnerabilities.
- Request certifications when purchasing components and software.
- Ensure the cyber security of components and software developed in-house. Get your products certified.
- Disclose vulnerabilities and deal with them effectively.
7. Monitoring:
It must be ensured that the requirements of the NIS2 directive are continuously met in practice; this is documented by means of appropriate monitoring:
- Performance monitoring includes evaluating the effectiveness of the ISMS in achieving the security objectives (including NIS2 compliance) and meeting the requirements of ISO 27001.
- Risk monitoring refers to the assessment and monitoring of security risks in the company and in the ISMS.
- Compliance monitoring refers to the additional monitoring of compliance with legal and regulatory requirements, but also with internal guidelines and standards.
8. Communication:
The aim is to describe the need for internal and external communication. This includes, for example, the obligation to report incidents to the BSI or to inform customers. The need for internal communication must be understood and appropriate communication channels must be determined. The results are summarized in a communication plan.
9. Awareness and training:
Creating risk awareness in the company is an essential part of an ISMS. This helps to identify threats at an early stage, avoid security incidents and save the effort that would be required to deal with them. To this end, training concepts and training plans are created.
10. Continual Improvement:
Organizations are required to constantly analyze their processes and results, adapt them to new findings and derive potential improvements in order to continuously improve their ISMS.
An organization that wants to operate an ISMS in accordance with the standard must therefore define organizational measures on the basis of which continuous improvement takes place in a targeted and planned manner. The organization must demonstrate how it ensures that identified deficiencies are not repeated.
Our Services:
Requirements elicitation:
Gap analysis
Defining the solution architecture
- We create a gap analysis against security best practices and specific standards.
- We carry out a risk analysis to assess the specific cyber security risks.
- The result is processed as a heat map of the entire control standard.
- We create an action plan with prioritization and milestones.
- Consulting and implementation planning to eliminate audit issues.
- IS policies: creation of company-specific information security guidelines.
Project Management
- Business Plan (Scope, Costs, Benefit, Risk, Roadmap)
- Project Organisation
- Project Management
- Program Management
Certificates:
Prince2 (classic & agile)
Scrum Product Owner
Scrum Master
ITIL4
CISSP
Business Analysis
Requirements Engineering
Arrange a consultation appointment:
Dr. Johannes Faassen
mobile: +49 170 4168039