You can’t force IT principles on OT environments

OT environments are the weak link for organizations looking to become NIS2 compliant. Moreover, the specific challenges of OT mean that you can’t simply include the security of the operational environment in an IT project. How do you solve that?

NIS2 forces Belgian and European companies to beef up their cybersecurity. It asks organizations to take a risk-based view of their cyber security in order to protect themselves. In an IT context, this is not overly complex: companies that have taken security seriously in recent years are usually already more or less compliant with NIS2.

It is different in organizations with operational environments, in the manufacturing industry, for example. OT environments are unique, vulnerable and often old environments that are very critical. If a ransomware attack hits the IT infrastructure and the marketing department is down, it is very inconvenient. However, if the plant’s production shuts down, the costs add up quickly.

NIS2 for OT?

ITdaily brings together five experts to talk about the challenges of NIS2, and the impact of regulations on OT environments emerges as a key topic. Around the table are Alex Ongena, CEO and founder of AXS Guard, Ron Nath Mukherjee, Cyber Security Consultant at Eset, Driek Desmet, System Engineer at Easi, Koen Pauwelyn, responsible for Industrial Cybersecurity Services at Siemens and Yoran Dons, ICS Security Consultant at SoterICS.

Mukherjee asks an important question: “Should there be a specific NIS2 for OT?” The other experts around the table think not. The consensus, however, is that addressing OT environments in the context of NIS2 is a case apart.

Zero to zero

“In the OT environment, a lot of legacy is running,” Pauwelyn outlines. “There you find, for example, Windows XP computers, or even older systems. Sometimes there are PLCs (Programmable Logic Controllers) that are forty years old. Of course, you cannot provide such systems with the latest security updates. They require a specific approach.”

In an OT environment, you’ll find older systems that you can’t simply update with the latest security updates.

Koen Pauwelyn, responsible for Industrial Cybersecurity Services at Siemens

That has an impact on how companies should look at their security. Everything starts with a baseline measurement: to measure is to know, and you can’t improve things until you know what the starting situation is.

Pauwelyn: “When you do such a baseline measurement for the state of the OT environment, everything scores zero. However, you can’t do a NIS2 report for IT and one for OT: everything belongs together. OT is the weak link in that.”

Clear costs

So it comes down to making the OT environment more secure. In any case, the associated cost is easier to justify than for IT. It is difficult to calculate the cost when the aforementioned marketing department goes down, but with a production line it is different.

After all, in an OT environment, you can very well calculate the cost of a cyber incident. An organization knows perfectly well how much a minute of downtime costs. It takes time after a hack to restore the environment, reset everything and restore the backups. If you can reduce that time frame by, say, two or three days, you can easily calculate how much you save with such an investment.

So OT is a critical link that needs attention. Moreover, that attention is easy to justify financially. So what is the next step?

Don’t just shut down

“It’s not an option to just give the XP machines an update, for example,” Pauwelyn continues. “Behind those machines are entire production lines. Some companies run continuously for ten years without interruption.” “Shutting down the production line is impossible,” agrees Desmet. “After all, shutting down a line like that can cost millions.”

Shutting down the production line is impossible; it could cost millions.

Driek Desmet, System Engineer at Easi

It’s not that such companies then just ignore NIS2. “They are also waiting for that time slot, but in the meantime they have to be compliant with NIS2. That’s a challenge,” Pauwelyn knows.

Security in layers

Dons reassures. “There are ways to deal with that. I think the most important one is in the architecture, and more specifically how you divide up the network. Security always comes in layers. For example, when you want to update an XP system, you’re already immediately on one of the last layers. There are a lot of things you can put in between.” In other words, Dons doesn’t want to fixate on the things you can’t simply improve, since there are plenty of architectural options that can boost the security of OT environments and are feasible.


He continues, “At NIS1 there was already talk about the importance of monitoring, and it was sensitive at the time. Since then, a lot has changed, and a lot of mature tooling has appeared. People and companies are starting to understand the business model around OT security better and better.”

Architecture and segmentation

“The best thing you can do now is bet on the architecture,” Dons reiterates. He talks primarily about network segmentation: if components within the OT network are sensitive, you need to shield them and block threats before they can reach the OT network.

The best thing you can do is bet on the architecture.

Yoran Dons, ICS Security Consultant at SoterICS

Ongena agrees. AXS Guard has developed specific OT solutions for that reason. “Segmentation plays an important role, and not looking invasively at what is happening on the network as well.”

Monitoring and collecting

By monitoring access, a security system can learn the normal behavior of an OT environment. It is then possible to use anomaly detection to detect and block foreign traffic, allowing only legitimate traffic.

“Furthermore, companies need to collect their OT assets,” Ongena knows. “Especially for legacy systems, this is a big problem. Organizations don’t always know what’s where anymore. A subcontractor may have installed a machine once but has since gone.” The rest of the table nods. “So automatic inventory is also very important.”
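
A minimal sketch of the two ideas above, passive baselining and automatic inventory, added here as an illustration and not taken from any product mentioned at the roundtable. The flow records, addresses and function names are constructed for the example; it assumes traffic is observed passively (for instance from a mirror port) and that an enforcement point elsewhere acts on the verdicts.

```python
from collections import defaultdict

# Constructed flow records (src, dst, protocol, dst_port), as a passive
# network tap or switch mirror port might export them. Not real data.
LEARNING_FLOWS = [
    ("10.10.1.20", "10.10.2.11", "tcp", 502),   # HMI -> PLC, Modbus/TCP
    ("10.10.1.20", "10.10.2.12", "tcp", 502),
    ("10.10.1.30", "10.10.2.11", "tcp", 102),   # engineering station -> PLC, S7comm
    ("10.10.2.11", "10.10.1.40", "udp", 514),   # PLC -> syslog collector
]

def learn_baseline(flows):
    """Build an asset inventory and a flow allowlist from observed traffic."""
    inventory = defaultdict(set)   # asset -> services it was seen offering
    allowlist = set()
    for src, dst, proto, port in flows:
        inventory[src]             # record the client even if it offers nothing
        inventory[dst].add((proto, port))
        allowlist.add((src, dst, proto, port))
    return dict(inventory), allowlist

def classify(flow, inventory, allowlist):
    """Return 'baseline', 'new_flow' or 'unknown_asset' for one flow."""
    src, dst, _, _ = flow
    if flow in allowlist:
        return "baseline"
    if src not in inventory or dst not in inventory:
        return "unknown_asset"     # e.g. a device nobody inventoried
    return "new_flow"              # known assets, conversation never seen before

def review(flows, inventory, allowlist):
    """Return (flow, verdict) for every flow that deviates from the baseline."""
    results = ((f, classify(f, inventory, allowlist)) for f in flows)
    return [(f, v) for f, v in results if v != "baseline"]

if __name__ == "__main__":
    inv, allow = learn_baseline(LEARNING_FLOWS)
    live = [
        ("10.10.1.20", "10.10.2.11", "tcp", 502),    # normal polling
        ("10.10.1.40", "10.10.2.12", "tcp", 102),    # syslog host talking S7 to a PLC
        ("10.10.2.12", "203.0.113.7", "tcp", 443),   # PLC reaching an unknown address
    ]
    for flow, verdict in review(live, inv, allow):
        print(verdict, flow)
```

Because OT traffic is highly repetitive, a learning window that covers a full production cycle usually captures most legitimate conversations; anything flagged afterwards is either a change that needs approval or an asset missing from the inventory.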

Fast but dangerous

Ongena understands how things sometimes go wrong. “More and more control systems do require Internet access. During installation, contractors then solve that by quickly installing a small router, for example, that passes all the security. As long as there is internet. You have to prohibit something like that, but then you also have to provide a solution. You have to provide Internet connectivity, which you can then also monitor.”

Sometimes the only solution is to put things in a box with a lock on it.

Alex Ongena, CEO and founder AXS Guard

The table agrees on one key point: forcing IT principles on OT won’t work. The OT environment needs its own specific approach. Ongena further illustrates, “Sometimes the only solution is to put things in a box with a lock on it. That seems old, but it’s true. You can start physically sealing USB ports, for example. You don’t see that in the IT world anymore.”

Culture shock

Technical and practical solutions are there, but that doesn’t get the job done. Every project stands or falls with the people. “There is also a need for training,” Ongena confirms. “Especially in the OT world. People who work there usually have a different education. They have less knowledge around the IT world and security. We need to provide specific training there. However, it is not always easy to explain why that is necessary. You really have to start explaining it from the beginning.”

“Culture plays an important role,” agrees Dons. Organizations need to factor that into their approach to OT. Armed with an understanding of the complexity of the OT environment, and equipped with a customized plan of action, even companies with complex production environments can strive for NIS2 compliance.


This is the second editorial in a series of three on the theme of NIS2.
