Navigating NIS2 Compliance: Using IEC 62443 Standards to Strengthen Cybersecurity.
02.10.2024, Marius Burger
In light of the evolving digital threat landscape, the NIS2 Directive will be a crucial step towards strengthening cybersecurity in the EU. The directive is seen as a means to address and mitigate the challenges and threats faced by businesses and critical infrastructures in the digital age, marking a significant expansion and strengthening of the original Network and Information Systems (NIS) Directive. Key highlights include the broader definition of entities covered under NIS2. For Germany alone, 30,000 additional companies fall within the scope. In addition, stricter security and incident reporting requirements are addressed, along with a focus on supply chain security.
For the machine manufacturing and operating industry, NIS2 can be an enormous driver for gaining a competitive advantage, provided that companies see it not as a burden but as an opportunity and actively engage with it. Why? Besides raising cybersecurity standards, the directive emphasizes resilience against disruptions and the importance of securing the supply chain, which harbors enormous complexity, especially in the manufacturing sector. The directive outlines what must be accomplished, but it does not specify how to accomplish those objectives.
For critical infrastructure operators and for the important and essential entities within the NIS2 scope, the IEC 62443 standard assists asset owners, product suppliers and service providers in implementing the appropriate set of controls to secure their operations at the OT (operational technology) layer. This article will help you connect NIS2 requirements to IEC 62443 security standards.
What is NIS2 about?
The development of the geopolitical situation has taught us that it can escalate at any time and very quickly. There is no guarantee of geopolitical stability and the “principle of hope” is not suitable for protecting the EU from such challenges. The NIS2 is one approach, among many others, to overcome these challenges. Building upon the foundation laid by its predecessor, the original Network and Information Systems (NIS) Directive, NIS2 introduces several key changes and expansions to address the evolving cybersecurity landscape and to close the gaps identified in the implementation of the first directive.
A summary of the NIS2 Directive, including the major changes from the former NIS and the impact on relevant companies follows:
- Broader definition of relevant entities
- Enhanced security and incident reporting requirements
- Stricter accountability requirements for senior management
- Increased regulatory powers and harmonization
- Focus on supply chain security and third-party risk management
The European directive does not directly enforce NIS2 compliance; rather, national legislation based on the directive is used to do so. This means that until national authorities develop national laws and requirements, companies must rely on the directive's guidelines. The directive is prepared for all 27 member states, hence the language is kept high-level so that it may be applied to any case.
What are the major benefits for the machine manufacturers and operators?
The NIS2 Directive is crucial for the machine manufacturing and operating industry for several compelling reasons:
- Enhanced Cybersecurity Standards: The NIS2 Directive raises the bar for cybersecurity standards across the board. For machine manufacturers and operators, this means adopting more rigorous cybersecurity practices to protect against increasingly sophisticated cyber threats. Given the industry's reliance on digital technologies and networked systems for operations, enhanced standards are vital for safeguarding sensitive data and operational continuity.
- Resilience Against Disruptions: Machine manufacturing and operating sectors are critical to the economy and infrastructure. A cyber-attack in these areas could lead to significant disruptions, not just for the affected company but for entire supply chains and the economy at large. NIS2 aims to minimize this risk by ensuring these industries have robust mechanisms in place to prevent, detect, and rapidly recover from cyber incidents.
- Supply Chain Security: NIS2 places a strong emphasis on securing the supply chain, which is particularly relevant for machine manufacturing and operating industries. These sectors often involve complex supply chains with numerous vendors and service providers. Ensuring cybersecurity throughout this chain is essential to prevent vulnerabilities that could be exploited by attackers.
- Compliance and Competitive Advantage: By adopting NIS2, companies in the machine manufacturing and operating industry not only ensure compliance with European regulations but also gain a competitive advantage. Demonstrating strong cybersecurity practices can be an important factor in building trust with customers and partners, potentially leading to more business.
- Innovation and Support for Digital Transformation: The directive supports innovation and digital transformation by creating a secure environment for the deployment of new technologies. As IoT, AI and other advanced technologies are increasingly used in machine manufacturing and the operating industry, a framework such as NIS2 ensures that such innovations increase productivity without compromising security.
In essence, NIS2 will play an important role for the machine manufacturing and operating industry as it ensures that companies in this sector are prepared to face current and future cybersecurity challenges. By promoting a culture of continuous improvement in cybersecurity practices, NIS2 helps safeguard the industry’s vital role in the economy, enhances its resilience, and supports its digital transformation journey.
NIS2 compliance through IEC 62443 certification
The importance of regulation such as NIS2 cannot be overstated. As cyber threats become increasingly sophisticated, the need for robust, comprehensive cybersecurity measures becomes paramount. This is where standards such as IEC 62443 come into play. Specifically designed to secure industrial communication networks, IEC 62443 provides a structured approach to cybersecurity, covering aspects from risk assessment to system development and maintenance. It is a framework that not only supports but enhances compliance with NIS2 by offering a clear, actionable path towards implementing the necessary cybersecurity controls and practices.
IEC 62443 provides a lot of assistance for implementing the cybersecurity risk-management measures that NIS2 demands. A high-level mapping of IEC 62443's measures to the corresponding basic cybersecurity risk-management requirements, as defined in NIS2 Article 21, is given here:
| Area | NIS2 requirement | IEC 62443 measures |
|---|---|---|
| Risk analysis and security policies | Conduct risk analyses and develop information system security policies. | Parts 2-1 and 3-3 provide for risk analysis and security policies, including a cybersecurity threat model and a cybersecurity assessment. These are also essential components of a 4-1 ML3 certification. |
| Incident handling | Establish and maintain the capability to handle security incidents. | Parts 4-1 and 3-3 assess and assure comprehensive incident handling processes, including detection, response, and recovery mechanisms. |
| Business continuity and crisis management | Develop business continuity and crisis management plans. | According to parts 4-1 and 3-3, resilience and recovery planning that ensures operational continuity needs to be implemented. Part 3-3 sets out system security requirements and security levels. |
| Supply chain security | Ensure the security of network and information systems within the supply chain. | Supply chain security risk assessment is a crucial part of part 4-1; part 3-3 specifies technical security requirements for IACS components in the supply chain. |
| Security in network and information systems | Ensure secure acquisition, development, and maintenance of network and information systems. | This requirement describes exactly what the IEC standard is designed for and is therefore directly addressed by the corresponding parts. |
| Policies and procedures to assess effectiveness | Implement policies and procedures for assessing the effectiveness of cybersecurity risk-management measures. | Continuous evaluation against the IEC 62443 standards, specifically parts 4-1 and 3-3, enforces assessing and improving the effectiveness of cybersecurity measures. |
| Use of cryptography and encryption | Utilize cryptography and encryption to protect data and information where appropriate. | Part 3-3 specifies data confidentiality and integrity requirements, including provisions for the use of cryptographic measures in an end-to-end approach. |
| Human resources, security awareness, and training | Ensure human resources security through awareness and training. | Consistent with parts 4-2 and 3-3, a comprehensive security training and awareness program underpins cybersecurity defenses with a knowledgeable and prepared workforce. |
| MFA and continuous authentication solutions | Use MFA, secured voice, video and text communications, and secured emergency communication where appropriate. | The IEC standard requires state-of-the-art access control and secure communications, which in turn are appropriately implemented via MFA and continuous authentication solutions. |
Summary
The alignment of the IEC 62443 standards with the requirements of the NIS2 Directive establishes a comprehensive and robust framework for cybersecurity within the realm of Industrial Automation and Control Systems (IACS). While NIS2 sets forth the overarching objectives for cybersecurity resilience and the protection of critical network and information systems across the EU, it does not prescribe specific methods or technologies for achieving compliance. This ambiguity leaves organizations with the challenge of interpreting and implementing the Directive’s requirements in a way that best suits their operational context and risk landscape.
IEC 62443 steps into this gap by providing a detailed, structured approach to cybersecurity that directly supports the achievement of NIS2 objectives for operational technology. It is important to note, though, that IEC 62443 is aimed at the OT layer and therefore does not cover all aspects of the corporate IT layer; companies must implement suitable information security measures for this layer as well. Common baseline standards such as ISO 27001 or BSI IT-Grundschutz are suitable approaches for implementing the appropriate measures alongside IEC 62443.
This ensures that organizations are not only compliant with current regulations but are also well-prepared to adapt to evolving cybersecurity threats and future legislative changes.
Are you interested in learning how the IEC 62443 certified symmedia Hub takes your cybersecurity to the next level and thus supports NIS2 compliance? Then get in touch with us via:
sales@symmedia.de
+49 (0)521 9665 50