At the beginning of 2023, the European Union’s newly updated NIS2 Directive was released, which is aimed at helping improve the cybersecurity of Operators of Essential Services (OES) within the region. The NIS2 Directive replaces the original 2016 NIS Directive, and it imposes harsher cybersecurity controls on more organisations as their reliance on digital automation grows, and the risks posed by cyber attacks increase. The NIS2 Directive aims to harmonise cybersecurity practices across member states, and it requires OES to adopt appropriate security measures to protect their assets and to notify relevant national authorities when serious cyber incidents occur.
Unlike the previous directive, where member states could decide which organisations were to meet the requirements, the NIS2 Directive identifies OES based on their size, which means it covers significantly more organisations and sectors than the previous version. Any organisation that fails to comply with the regulation can risk fines of up to €10 million or 2 percent of their total global annual turnover.
Additional Cybersecurity Requirements for Germany: IT-Sicherheitsgesetz 2.0
Within the German region, the NIS2 Directive is just one of the cybersecurity regulations that organisations must comply with. An update of the country’s own IT-Sicherheitsgesetz 2.0 will be released in May 2023, which places further cybersecurity requirements on organisations.
The IT-Sicherheitsgesetz 2.0 was introduced in Germany in April 2021 and the Federal Council (‘Bundesrat’) adopted it on 7 May 2021. The legislation places security obligations on operators of critical infrastructure (KRITIS) and it allows the German state to penalise organisations that fail to comply with the regulation with fines reaching as high as €2 million.
In May 2023, the regulation is being updated further to include additional mandatory security controls on critical infrastructure organisations and their ability to detect cyber attacks. As a result, this puts heightened pressure on organisations in Germany, which are now forced to meet strict new cybersecurity requirements from two key pieces of security legislation.
So, why are these regulations important today, and how can organisations in Germany meet and exceed the requirements of both the NIS2 Directive and the IT-Sicherheitsgesetz 2.0?
The Importance of Security Regulation
Over the last decade, many industrial organisations have been increasingly digitalising their environments to improve operations. This modernisation has also offered new opportunities for cyber criminals.
Operational technology (OT) is being connected to IT networks, which means adversaries such as criminals or state-backed threat actors now have an avenue to reach critical industrial processes and cause disruptions and serious societal damage.
The NIS2 and IT-Sicherheitsgesetz 2.0 regulations have been introduced to counter this threat. The regulations provide organisations with guidance on how to approach cybersecurity and the measures they need to take to keep their assets safe from attack, while also protecting societies at large from the harsh consequences of attacks.
Meeting the Requirements – Implementing 5 Critical Controls for ICS/OT Cybersecurity
For many organisations within Germany, this will be the first time they are being classified as an OES. This could mean they are at the beginning of their industrial cybersecurity journey, which means driving awareness of the requirements and their importance is a critical first step. These organisations must first work on building awareness of the legislation to ensure leadership and security teams understand how it impacts the business and the consequences they could face if they do not take steps to comply with it.
When it comes to meeting the technical requirements of the IT-Sicherheitsgesetz 2.0 and the NIS2 Directive, Dragos has identified five critical controls for ICS/OT cybersecurity, which organisations should focus on to improve their cyber resilience. These include:
1 | ICS Incident Response Plan
Incident response planning is critical so organisations can prepare for cybersecurity incidents and practice their response. These plans should include fire drill exercises, so organisations can test their response against various security incidents and work to minimise their losses and damage. Incident response plans should also contain contact details for the entire incident response team, so that when a situation does occur, everyone can step straight into action to minimise its impact.
2 | Defensible Architecture
OT security strategies often start with hardening the environment – removing extraneous OT network access points, maintaining strong policy control at IT/OT interface points, and mitigating high-risk vulnerabilities.
3 | ICS Network Visibility and Monitoring
Understanding all network assets is critical – and this applies to all IT, OT, mobile and Bring Your Own Devices (BYOD). You can’t protect what you can’t see, so ensure all assets are tracked and continuously monitored.
4 | Secure Remote Access
As employees continue to work from home and locations outside corporate walls, secure remote access has become critically important. A key method to achieve this is multi-factor authentication (MFA). If MFA is not possible, consider alternative controls such as jump hosts with focused monitoring.
5 | Risk-Based Vulnerability Management
Knowing your vulnerabilities – and having a plan to manage them – is a critical component of a defensible architecture. While patching an IT system is relatively easy, shutting down a plant incurs significant costs. An effective OT vulnerability management program requires timely awareness of key vulnerabilities that apply to the environment, with correct information and risk ratings, as well as alternative mitigation strategies to minimise exposure while continuing to operate.
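An added illustration of controls 3 and 5 working together (example code written for this page, not Dragos’ own tooling): a constructed OT asset inventory is matched against constructed advisories with placeholder ids, and each hit is ranked by severity times exposure and given an action that avoids an unplanned plant outage where a compensating control already exists. The zone names, exposure weights and action texts are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    product: str
    version: str
    zone: str           # "it_ot_interface", "remote_access" or "isolated_cell" (assumed zones)
    compensating: bool  # a firewall rule or focused monitoring already reduces exposure

@dataclass
class Advisory:
    advisory_id: str    # placeholder ids, not real CVEs
    product: str
    fixed_in: str       # first version that is no longer affected
    cvss: float

# Exposure weight (assumed): assets reachable from IT or remote paths are the likeliest entry points
EXPOSURE = {"it_ot_interface": 3, "remote_access": 3, "isolated_cell": 1}

def ver(v):
    return tuple(int(p) for p in v.split("."))  # "4.2.1" -> (4, 2, 1), so versions compare numerically

def affected(asset, adv):
    return asset.product == adv.product and ver(asset.version) < ver(adv.fixed_in)

def decide(asset, adv):
    """Score = severity x exposure; the action keeps the plant running where it safely can."""
    score = adv.cvss * EXPOSURE[asset.zone]
    if asset.zone == "isolated_cell":
        action = "patch at next planned maintenance window"
    elif asset.compensating:
        action = "keep mitigation in place, schedule patch"
    else:
        action = "mitigate now (restrict access, monitor), then patch"
    return score, action

def triage(assets, advisories):
    """(asset, advisory, score, action) for every advisory that applies, highest score first."""
    hits = [(a, adv, *decide(a, adv)) for a in assets for adv in advisories if affected(a, adv)]
    return sorted(hits, key=lambda h: h[2], reverse=True)

ASSETS = [  # constructed sample inventory
    Asset("hist-01", "historian", "4.2.1", "it_ot_interface", False),
    Asset("eng-ws", "eng-suite", "10.1", "remote_access", True),
    Asset("plc-07", "plc-fw", "2.9", "isolated_cell", False),
    Asset("plc-08", "plc-fw", "3.0", "isolated_cell", False),
]
ADVISORIES = [  # constructed sample advisories
    Advisory("ADV-0001", "historian", "4.3.0", 9.8),
    Advisory("ADV-0002", "plc-fw", "3.0", 7.5),
    Advisory("ADV-0003", "eng-suite", "10.2", 8.1),
]
```

Running `triage(ASSETS, ADVISORIES)` places the unmitigated historian on the IT/OT boundary first and the isolated PLC last, while the already-patched plc-08 does not appear at all.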
Learn How Dragos Can Help
Ready to put your insights into action?
Take the next steps and contact our team today.