NIS2 puts security requirements into concrete terms for OT environments. To build in protection properly there, organizations can’t rely on the IT playbook.
“Organizations often see OT as completely separate from IT,” says Patrick Banken, Business Development Manager at Kappa Data. “When we visit, we sometimes see admins get a shock when they realize how many devices in the OT environment are actually connected to the outside world.”
Major impact
Under NIS2, organizations must adequately secure their critical assets. That includes not just IT databases but also production environments. In recent years, we’ve repeatedly seen how devastating a ransomware attack can be when it also shuts down production lines.
Banken joins a roundtable on NIS2, organized by ITdaily, to dissect that issue. He is joined by four other experts: Sabine van Hoijweghen, Head of Sales and Partner at Secutec, Bart Loeckx, Director Networking & Security at Telenet Business, Ron Nath Mukherjee, cybersecurity consultant at Eset, and Johan Klykens, Cybersecurity Certification Authority (NCCA) at the CCB.
Alarming
“It’s almost alarming how many different protocols are used within OT,” observes Loeckx. “Every vendor uses its own protocol, and what runs in factories is sometimes so exotic that you can’t realistically compare it to mainstream IT. Sometimes you have no choice but to opt for an air-gapped solution.”
“To secure OT environments, you need to look at different technologies,” says Klykens. “We’re seeing solutions gradually come to market with lots of features that are much more accessible. Technical security solutions from the OT world are increasingly gaining ground.”
A Different Economic Reality
It’s unrealistic to expect OT security to suddenly evolve at the pace of IT, everyone around the table realizes. Banken gives an example: “Cloud is commonplace in the IT landscape, but for OT its use is still anathema. OT is still in a completely different place compared with IT. The IT world changes almost daily, and OT doesn’t move at the same speed.”
“That’s only logical,” adds Loeckx. “This is a purely economic matter. The lifecycle of investments in OT environments is very different from IT investments, and the sums involved are much higher. You can’t just replace a production line or even shut it down for a moment. The economic impact is too great, and we shouldn’t ignore that reality.”
Loeckx actually finds that reassuring: there is no fundamental problem as long as the autonomously running systems are, in due course, migrated and replaced in line with Zero Trust principles.
No EDR
What’s logical in IT doesn’t automatically work in OT. You can’t just roll out an EDR solution. Banken: “It’s a challenge to scan sensitive systems safely and stably, especially when they can’t process many data packets. OT defenders need to look at hypersegmentation and other forms of security.”
“You shouldn’t put the cart before the horse and think: we’ll buy heavy tools or expensive technology and then our problem is solved,” says Mukherjee. “It’s about getting the basics right first—knowing what assets you have and what’s critical.”
What’s Exposed?
“I also think it’s important to look from the outside in,” adds Van Hoijweghen. “It quickly becomes an asset management discussion. Of course it’s important to know what’s running, but that’s not the whole picture.”
She clarifies: “Which aspects of the organization are visible from the outside? Ultimately, that’s what cybercriminals find. If a vulnerable device or application is exposed to the internet and attackers can get in that easily, it almost doesn’t matter anymore which assets sit inside the network. Securing the outside is usually our first priority.”
At the Push of a Button
In the meantime, creative solutions are emerging. “I’ve seen an SME with a small OT environment that only needed very limited communication to the outside,” says Klykens. “They installed a physical button that an operator has to press. Only then is a connection to the outside world established. That shows the creativity of companies in tackling these challenges. And that kind of solution makes me deeply happy,” he concludes.
Overall, the roundtable participants are positive about the situation. OT security is a unique challenge, but that realization has sunk in. More and more solutions are appearing that enable monitoring and protection of the OT environment, and there are alternative approaches too, in which a clear separation between OT and IT is usually important. Occasionally thinking outside the box is certainly part of that.
This is the second article in a three-part series following our roundtable on NIS2.