Article 14 February 2024

Implement NIS2 Practically!

Recently, the successor to the NIS directive was introduced. NIS is a European directive and aims to bring unity and consistency to European network and information security policies. The new successor, NIS2, tightens cybersecurity requirements for European organisations in critical sectors of medium to large size.

It is very likely that most operational technology (OT) systems will also be covered by NIS2. After all, these systems can be found in various sectors and perform tasks ranging from monitoring critical infrastructure to controlling robots on a production floor. Organisations can check with the National Cyber Security Centre (NCSC) whether they are covered by the NIS2 directive.

Slow and vague

Although NIS2 is a good initiative, it already appears that the preparation for the consultation on the Dutch implementation of the European cybersecurity directive is delayed. Outgoing minister Dilan Yeşilgöz-Zegerius recently made this known through a letter to the House of Representatives. In it, she reported that transposing the directives into national legislation requires more time than initially expected. She expects the draft bills to be submitted for consultation before the summer of 2024. Given the follow-up steps required in the legislative process, the minister concludes that the European Commission’s implementation deadline of 17 October 2024 for both directives will not be met.

“Previous experiences with GDPR implementation showed that entrepreneurs had great difficulty in applying measures.”

That implementation will take longer is worrisome. After all, previous experiences with GDPR implementation showed that business owners had great difficulty applying measures. It is therefore important to get clarity as soon as possible. Moreover, the entire directive is still quite unclear. Under NIS2, the government emphasises that it is crucial for organisations to take ‘appropriate measures’ to ensure the security of their networks and information systems and to effectively address cyber threats. However, the definition of ‘appropriate measures’ remains somewhat vague, despite the list of measures in Article 21 of the NIS2 directive.

However, the Digital Trust Centre (DTC) does offer a three-step plan that organisations can consider in preparation. The very first step is to determine what you want to protect. To do so, make a risk analysis of the digital threats that could disrupt your organisation’s services. This involves clearly defining which aspects of your organisation, networks or information systems you want to secure. Next, it is necessary to identify the risks and create scenarios. This involves recognising possible threats, such as ransomware or a data breach, and creating corresponding scenarios.

Customised

After developing the risk analysis, the DTC recommends taking measures where possible to (better) protect your organisation against these risks. The answer to the question of which measures to take as an organisation is of course tailor-made and depends on your own analysis and assessment of the risks. Finally, the DTC indicates that organisations should ensure that procedures are in place to detect, monitor, resolve and report incidents to the central government.

Although the three-step plan reflects well what organisations can do to prevent risks, the steps do not provide enough guidance to comply with the new NIS2. Moreover, organisations often do not have the knowledge to implement the steps. For these organisations, it may be more practical to outsource the steps. This way, they can be sure of having a solid security policy and of knowing where the weaknesses in the network are. Include an incident response plan in the security policy as well. Besides identifying the risks, employees should be made aware of the risks and of the company’s digital interests. By educating employees about the risks and about what actions to take, attacks can be prevented.

Interestingly, the roadmap gives little advice on what technology choices organisations can make. Choosing new technology is often a complicated process, given that there are so many security solutions and providers that organisations can’t see the wood for the trees. When organisations are looking for a solution to protect their OT, it is crucial to choose a technology with an ‘agentless architecture’. This approach eliminates the need to install separate software on operational technology assets.

“Choosing new technology is a complicated process, given there are so many security solutions and providers, leaving organizations scrambling to see the forest for the trees.”

Moreover, an agentless approach allows customisations to be tested securely in a separate environment before they are actually implemented. Also, an agentless solution automates the process of cyber security for IT devices in operational environments, resulting in significant savings in maintenance time. Automated cyber security also provides users with real-time and continuous detailed information about the assets present in the IT infrastructure. In this way, threats can be responded to more quickly and efficiently, and human error is reduced.

In addition, automation allows all changes, such as configurations, updates and revisions, to be checked automatically and compared against databases to detect known vulnerabilities in real time. Furthermore, implementing protection and hardening measures is critical. Hardening involves locking down and protecting the computer system so that it can only perform the primary function for which it is intended. In this way, assets are protected against missing patches, misconfigured services and other security issues.
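The automated change check described above, as an added example that is not part of the original article or of any product it refers to: two inventory snapshots of OT assets (as an agentless, passive scanner might export them) are diffed, and each asset's firmware version is matched against a list of known-vulnerable version ranges. All vendor names, models, versions, configuration hashes and advisory identifiers are constructed placeholders.

```python
# Constructed "previous" and "current" inventory snapshots, keyed by asset id.
SNAPSHOT_BEFORE = {
    "plc-01": {"vendor": "ExampleVendor", "model": "PLC-X", "firmware": "2.3.1", "cfg_hash": "a1"},
    "hmi-01": {"vendor": "ExampleVendor", "model": "HMI-Y", "firmware": "1.0.4", "cfg_hash": "b2"},
}
SNAPSHOT_AFTER = {
    "plc-01": {"vendor": "ExampleVendor", "model": "PLC-X", "firmware": "2.3.1", "cfg_hash": "a9"},  # config changed
    "hmi-01": {"vendor": "ExampleVendor", "model": "HMI-Y", "firmware": "1.1.0", "cfg_hash": "b2"},  # firmware updated
    "rtu-07": {"vendor": "ExampleVendor", "model": "RTU-Z", "firmware": "0.9.0", "cfg_hash": "c3"},  # new asset
}

# Constructed advisory list (placeholder ids, not real advisories):
# (vendor, model, first vulnerable version, first fixed version, advisory id).
ADVISORIES = [
    ("ExampleVendor", "HMI-Y", (1, 1, 0), (1, 2, 0), "ADV-PLACEHOLDER-001"),
    ("ExampleVendor", "RTU-Z", (0, 0, 0), (1, 0, 0), "ADV-PLACEHOLDER-002"),
]


def parse_version(text):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def vulnerable(asset):
    """Return advisory ids whose vulnerable range [lo, hi) covers the asset's firmware."""
    ver = parse_version(asset["firmware"])
    return [adv for vendor, model, lo, hi, adv in ADVISORIES
            if vendor == asset["vendor"] and model == asset["model"] and lo <= ver < hi]


def diff_inventory(before, after):
    """Classify every change between two snapshots as (asset id, kind, detail) findings."""
    findings = []
    for aid, asset in after.items():
        old = before.get(aid)
        if old is None:
            findings.append((aid, "new_asset", asset["model"]))
        else:
            if old["firmware"] != asset["firmware"]:
                findings.append((aid, "firmware_changed", f'{old["firmware"]} -> {asset["firmware"]}'))
            if old["cfg_hash"] != asset["cfg_hash"]:
                findings.append((aid, "config_changed", f'{old["cfg_hash"]} -> {asset["cfg_hash"]}'))
        for adv in vulnerable(asset):  # re-check every asset, changed or not
            findings.append((aid, "known_vulnerability", adv))
    for aid in before.keys() - after.keys():  # asset disappeared from the network
        findings.append((aid, "asset_missing", before[aid]["model"]))
    return findings


if __name__ == "__main__":
    for finding in diff_inventory(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(*finding)
```

Note that the HMI update from 1.0.4 to 1.1.0 is flagged because the new version falls inside a vulnerable range, which is exactly the kind of revision check the paragraph describes.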

Effective and fast

In short, the government must work to ensure that NIS2 can be applied effectively and quickly in practice. This can be achieved through greater clarity, a precise approach and targeted (practical) support. Previous experiences with the implementation of GDPR show that entrepreneurs struggle to apply measures, which poses risks. On the other hand, organisations will also have to take responsibility and implement cybersecurity measures out of intrinsic motivation. In this way, we can make NIS2 a success, prevent cyber risks and make the digital society safer.

Source: Bert Willemsen for Computable.nl