The EU NIS2 directive came into force in 2023. The objective of NIS2 is to enhance the overall cybersecurity of member states and organisations, to keep up with a fast-evolving threat landscape and to improve cyber resilience in both public and private sectors.
EU member states’ national implementation work is ongoing, and organisations must be compliant by October 2024. In practice this means that organisations should already be working hard to make sure that their capabilities and processes are ready before the deadline.
NIS2 will set new cybersecurity requirements that will influence entities that provide essential or important services to the European economy and society, including requirements concerning risk management, supply chain management and incident reporting. All entities falling in the scope of NIS2 must ensure compliance in their relevant IT environments, but in addition, organisations with operational technology (OT) must also consider how NIS2 requirements will affect their operational environments, including, for example, their industrial control systems (ICS). The legislation requires risk management based on an all-hazards approach, which necessitates consideration of all systems and environments relevant to the organisation’s operations.
This is not only a technical challenge, it also requires a significant effort in change management and culture shaping in order to ensure that the improvements are well received, widely implemented and produce as much benefit to the business as possible.
So, what should organisations do?
Continuous risk management
NIS2 will require the active management of cyber risks, including those in OT environments. At minimum, this means periodic risk assessments, clear ownership of risks and concrete actions to mitigate the identified risks. For OT operators, this might mean a completely new risk domain as OT risk management has traditionally focused on site operations and safety. However, OT operators’ strong culture of risk management in site operation and safety contexts can provide a great platform on which to build cybersecurity risk management. Existing processes should be utilised as much as possible to ensure that cybersecurity is built into the existing culture and ways of working.
Risk management will provide a better understanding of the optimal level of security in OT environments. Minimum risk-management measures required by NIS2 include for example basic cyber hygiene practices, business continuity, supply chain security, and network and information system security. However, the complete list of relevant measures and their appropriate depth depends on various factors and must be determined through risk management. Risk management in OT environments should become a continuous activity, connected to broader cyber and enterprise risk management, leading to concrete, measurable and cost-effective improvements in cyber resilience.
Know your assets and environments in order to detect incidents and report them
NIS2 also sets strict requirements on reporting cybersecurity incidents to the authorities. The first incident report must be given within 24 hours of the identified incident and a more detailed report within 72 hours of it.
In order to detect and respond to incidents effectively, organisations must first have proper visibility of the assets and events in their OT environments. This means also implementing technologies and developing the processes necessary to perform effective asset inventory/management and security monitoring in OT environments. Crystal-clear escalation, investigation and decision-making processes are also a must to ensure that incident reports can be sent out within the strict reporting timelines defined in NIS2. This will constitute a significant challenge for many organisations where existing asset management and security monitoring controls have not yet been extended into OT environments and personnel may not be familiar with cyber incident processes. And naturally, this is not only a technical challenge, it also requires a significant effort in change management and culture shaping in order to ensure that the improvements are well received, widely implemented and produce as much benefit to the business as possible.
Identify clear ownership and liability for risks
All this should be tied to strong ownership from senior management. Senior management must take ownership of cybersecurity risks, meaning that they will be responsible for overseeing and approving their organisation’s cybersecurity measures. In the worst-case scenario, this could mean personal liabilities for responsible persons or on the organisational level. A prerequisite for taking ownership of OT cybersecurity risks is having visibility of the said risks and of the organisation’s ability to manage the risks. This means that organisations will need to start measuring cybersecurity risks, including the risks in OT environments, and create suitable governance and reporting structures to ensure that senior management has an accurate and reliable view of the relevant risks, their business impact and mitigation alternatives.
How can Deloitte help you?
In order to focus on the right topics, you should first have a realistic understanding of your organisation’s current state. For example, we can help you map out your current state of NIS2 compliance with a gap analysis and decide on the most effective next steps.
Furthermore, we can support you in defining an implementation roadmap to help you to reach a compliant state in time, and we can support you in executing the development plan, for example, by defining governance and reporting models that suit your business and your current situation.
Contact us for Cyber & OT related matters
Kristian Herland
Kristian on monipuolinen tietoturva-asiantuntija, jolla on laaja kokemus erilaisista tietoturvan hallinta- ja johtamistehtävistä vuosikymmenen ajalta. Kristian vastaa Suomessa Deloitten OT/ICS -palveluista, joiden tavoitteena on varmistaa asiakkaidemme tuotantoympäristöjen, IoT-järjestelmien ja muiden kyberfyysisten ratkaisujen turvallisuus. Briefly in English: Kristian is versatile cybersecurity expert with a wide range of experience in security management over the past decade. Currently Kristian leads Deloitte's OT/ICS cybersecurity services in Finland, which aim to ensure the security of our customers' production environments, IoT systems and other cyber-physical systems.
Mika Nortunen
Mikalla on useiden vuosien kokemus OT-kyberturvallisuudesta. Hänen osaamisensa kattaa teollisen kyberturvallisuuden osa-alueet erittäin laajasti, mukaan lukien tekniset toteutukset ja prosessien kehittäminen. Hän on työskennellyt suurissa monikansallisissa organisaatioissa ja tuo mukanaan sekoituksen käytännön kokemusta ja strategista näkemystä organisaation kyberresilienssin parantamiseksi. Ennen kyberturvallisuustyötä Mika on työskennellyt Puolustusvoimissa upseerina. Briefly in English: Mika has several years’ experience in OT cyber security. His expertise covers wide aspects of industrial cyber security, including technical implementations and process development. He has worked in large multinational organizations and brings great blend of hands-on experience and strategic insight to enhance the cyber resilience. Before working in cyber security Mika has worked as a military officer in Finnish Defence Forces.
