OT security assessment to prepare for NIS2 compliance
One of our customers, a large energy company, wanted to understand the impact of NIS2 and bring their OT environment on par with the increased security regulations. Already heavily regulated and audited, the customer asked us to develop an assessment approach based on their security framework and to gain insight into their overall OT security posture. This would allow them to take measures before the legislation takes effect.
This was a large undertaking: more than 1000 assets (heat, wind and solar) across several business units had to be assessed.
Our first step was to translate the existing security framework, based on IEC 62443, ISO 27001 and NIS2, into an assessment approach.
We then chose a representative part of the asset portfolio, so that we could gain initial insights sooner and start the first measures quickly where necessary.
The assessment included creating a detailed asset inventory, to increase capabilities for incident management, change management and control.
The asset characteristics were compared against the baseline to identify gaps, which were then ranked based on likelihood and impact on the business.
Subsequently, we translated all relevant measures into remediation advice per asset category. This makes implementation much more efficient, as repeat visits are avoided and work can be combined.
The main measure categories were:
- Technical measures
- Patch process improvements
- Network segmentation
- Access management for third parties
- Security monitoring and alerting
- ISMS governance
- Temporary waiver process
We recorded all steps of the inventory phase, to ensure that it would be fully auditable. This provides full transparency and allows for verification of the methodology we used.
A big challenge we encountered was that some suppliers and service providers did not have insight into NIS2 compliance and were sometimes reluctant to share information on their own measures. We learned that it is important to connect with your most important vendors in advance – to explain the intention of your NIS2 project and request their cooperation. Emphasize that security and NIS2 compliance are supply chain challenges that require the cooperation of all relevant entities. Have your business representatives lead these discussions, rather than your legal or procurement teams.
The primary success factor of our approach was uniting stakeholders around cybersecurity awareness. This ensured collaboration and led to the adoption of pragmatic measures that consider both cybersecurity and impact on operations. We acted as the link between the business and the corporate security office.
Both perspectives are essential to improving your security posture. Bringing the right people together ensures that measures are pragmatic and nuanced, supporting ongoing compliance.
On one hand, NIS2 is an important guideline that requires strict compliance to protect against serious cyber threats. On the other hand, NIS2 is not a set of killer requirements to be adopted blindly.
The right combination of measures should lead to compliance, even if individual measures meet only 80% of the requirements. Additionally, not all assets need every measure. For example, if lateral movement to other assets is impossible, the remaining risk might only be that someone could shut down one single wind turbine, which may not constitute enough potential impact to justify expensive measures.
To summarize, we advise starting your assessment early, before NIS2 takes effect in national legislation. This allows you to combine existing security frameworks and cooperate with all relevant entities in your supply chain.
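The assessment steps described above (inventory, comparison against a baseline, ranking gaps by likelihood and impact, grouping remediation per asset category) and the point that an isolated asset carries less residual risk can be illustrated with a small gap-analysis script. This is an added example, not the customer's framework or our tooling: the baseline controls, the 1-5 scoring scale, the waiver threshold and the inventory are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline: required control -> measure category (the category
# names are those listed in the case study; the control names are assumed).
BASELINE = {
    "patch_process":        "Patch process improvements",
    "network_segmentation": "Network segmentation",
    "third_party_access":   "Access management for third parties",
    "security_monitoring":  "Security monitoring and alerting",
}
WAIVER_THRESHOLD = 6  # assumed: gaps scoring below this go to the temporary waiver process

@dataclass(frozen=True)
class Asset:
    name: str
    category: str           # asset category, e.g. "wind", "solar", "heat"
    controls: frozenset     # baseline controls the asset already meets
    lateral_movement: bool  # can a compromise here reach other assets?
    likelihood: int         # 1-5, as assessed
    impact_single: int      # 1-5, business impact if only this asset is lost
    impact_fleet: int       # 1-5, business impact if the compromise spreads

def gaps(asset):
    """Baseline controls this asset does not meet."""
    return sorted(set(BASELINE) - asset.controls)

def risk_score(asset):
    """Likelihood x impact; impact is bounded to the single asset when
    lateral movement to other assets is impossible (the wind turbine case)."""
    impact = asset.impact_fleet if asset.lateral_movement else asset.impact_single
    return asset.likelihood * impact

def ranked_gaps(assets):
    """Every gap as (score, asset name, control), highest risk first."""
    rows = [(risk_score(a), a.name, g) for a in assets for g in gaps(a)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

def remediation_plan(assets):
    """Measure categories per asset category, so work per site type can be
    combined into one visit; low-risk gaps are routed to the waiver process."""
    plan = {}
    for a in assets:
        bucket = "remediate" if risk_score(a) >= WAIVER_THRESHOLD else "waiver"
        for g in gaps(a):
            plan.setdefault(a.category, {}).setdefault(bucket, set()).add(BASELINE[g])
    return plan

# Constructed sample inventory (not real customer data).
INVENTORY = [
    Asset("WT-01", "wind",  frozenset({"network_segmentation"}), False, 3, 2, 4),
    Asset("WT-02", "wind",  frozenset({"network_segmentation", "patch_process"}), False, 2, 2, 4),
    Asset("PV-01", "solar", frozenset({"security_monitoring"}), True, 3, 2, 5),
]
```

Running `ranked_gaps(INVENTORY)` puts the solar site first because a compromise there can spread, while the isolated second turbine scores below the threshold and its gaps land in the waiver bucket rather than the remediation list.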