Are you aware of the latest developments in relevant cyber laws and regulations for your industry? Do you know which resources you can use to minimize the attack surface of your production environment? More and more we hear about threats and hacks by criminals who attack and shut down the systems of large manufacturing companies. Following GDPR legislation, governments are working to regulate OT security. The NIS 2.0 Directive tightens security requirements and focuses on stricter supervision. All the more reason for the industry to put OT security high on the strategic agenda.
While we are preparing for the 2022 CGI Industrial Cybersecurity event on May 17th in Veghel, we spoke with three of our local experts. They are working in this particular domain with CGI in the Netherlands and Belgium, with their teams and clients. This blog is the second in a series of expert blogs that we publish around this event. Click here for the previous blog about OT cybersecurity visibility and insights.
What's going wrong? Is there lack of urgency? Are there any wrong decisions?
“You can't protect what you don't know!” says Willem Jan de Graaff, Director Service Delivery for Manufacturing with CGI in the Netherlands. “Due to a lack of awareness, the urgency to take appropriate measures is still limited.”
Research shows that roughly 10% of the industry is in control, while 30% is still in firefighting mode and 60% is not fully aware of this growing threat landscape and the relevant vulnerabilities. The fact that some incidents are 'covered up' does not increase the sense of urgency either. Regardless of where you are, anyone setting out on a course towards optimizing resilience has a lot of obstacles to avoid.
Large production facilities are very expensive and have a depreciation period of up to thirty years or even longer. Assets generally have a long lifespan and are often already aging. The same applies to the operating systems. Sometimes PLCs are controlled by systems old enough to have witnessed the 'birth' of platforms such as Windows XP, platforms that have themselves since become obsolete. So 'upgrading' is complicated, while 'normal' replacement is almost impossible, because it would mean shutting down entire production facilities. Not only does this conflict with the requirement of availability, it is accompanied by huge production losses and also requires sky-high investments. Soon the technician's well-known argument is dusted off: “If it ain't broke, don't fix it” – and then nothing is done.
New regulation: from NIS 1.0 to NIS 2.0
So there are many reasons why OT security lags behind IT security.
“Doing nothing is not an option. The (business) economic and social impact of a successful hack can be too great,” says Eddy Boonen, Director Consulting Services for Health at CGI in Belgium. “And there's another big stick, with new regulation developing.”
Following the GDPR legislation, governments are working to regulate OT security. In 2016, the EU Network and Information Security Directive, better known as NIS, was adopted within the European Union. This NIS directive was the first step towards EU-wide cybersecurity legislation. It remained a directive in order to give each EU member state the space to develop its own legislation, within the framework of the NIS, taking national circumstances into account. As a result, the sectors covered by the legislation differ per country, and the fines that can be imposed in the event of non-compliance also vary. This is a complex construction for internationally operating OT-oriented organizations.
Compliance is therefore a much more difficult challenge than in the case of the unambiguous GDPR legislation. The new NIS 2.0, which is at an advanced stage of development, already provides more clarity about the sanction schemes and the sectors involved. But NIS 2.0 also tightens security requirements and the incident reporting procedure, and pushes for stricter supervision measures. Every reason for manufacturing companies to put OT security high on the strategic agenda.
The good news
The good news is that this is already happening more and more. CGI's annual strategic client interviews highlight that 90 percent of participating client executives with production responsibility for IT and OT security view IT and OT security as one of the most important trends in their future investments.
“More and more vendors are coming up with services and solutions for OT security,” says Lucien Sikkens, Director OT Security Center of Excellence at CGI in the Netherlands. “There is also an increasing range of training courses that specifically focus on OT security.”
But what can a manufacturing company that is aware of the urgency and wants to act accordingly do to raise its OT security level and compliance in the relatively short term? How does it get out of 'the fog' and set out on a course for such a clear target?
Click here for more information about CGI OT Cybersecurity Assessments that help increase security awareness and resilience and thus lift 'the fog'.
Are you interested?
Register here for the latest insights, developing regulations such as NIS2.0, relevant best practices and solutions at the 2022 Industrial Cybersecurity event which we are organizing together with Nozomi Networks and Fortinet on May 17 at the Cultuur Haven Veghel.