Though the conference covered a wide range of topics, a few came up more than others, such as NIS2, cyber ranges, implementing standards, supply chain security and cultural challenges. In this blog, we’ll dive into a few of these themes and reflect on what we learned at the conference.
What will NIS2 mean for us?
NIS2 is a new EU directive that aims to strengthen cybersecurity requirements for ‘essential entities’ and ‘important entities’ irrespective of their size. It will apply to companies in sectors like energy, transport, health, digital infrastructure, banking, utilities, government, space, chemicals, food, manufacturing and more.
NIS2 is expected to come into effect in 2024. It will have a significant impact on the manufacturing sector, as ‘supply chain’ organisations will now be classed as essential or important entities (EEs/IEs). New reporting requirements will demand that these organisations submit a report to the national CSIRT within 24 hours of becoming aware of an incident. It will also become mandatory for management to take responsibility for their organisation’s OT security maturity. This includes carrying out regular risk assessments and signing off on mitigations and risk treatment plans.
There were several presentations on NIS2 at the conference. These covered its key requirements, how to comply and the potential impact on organisations. From listening to them, it’s clear that NIS2 is a complex piece of legislation. This means it’s essential for OT organisations (operations and management) to start preparing now, especially those that weren’t part of the original NIS-D roll-out.
The UK will not be directly replicating NIS2. However, it intends to apply a proportionate approach to any updates to the current legislation. This will encompass new areas such as managed service providers, supply chain security and more stringent reporting obligations. It’s expected that UK regulations will ensure that its organisations achieve a similar level of assurance as those in the EU.
What about cyber ranges?
Cyber ranges are virtual or physical environments that allow organisations to train staff and test their cybersecurity capabilities. Cyber ranges can be used to simulate a wide range of cyberattacks, including those that target OT systems.
At the conference, there was a lot of interest in cyber ranges, particularly from organisations that are looking to improve their OT security maturity. Airbus Protect gave a well-received presentation and interactive demonstration of OT system compromise with the Airbus ‘CyberRange’ product. This demonstrated how pentesting on a digital twin of your OT environment can prevent system vulnerabilities from becoming catastrophic events.
Why do we need to talk about IEC 62443?
There are several cybersecurity standards and frameworks that are relevant to OT systems, such as NIST CSF, NIST SP 800-82 and IEC 62443. Implementing these can help organisations improve their OT cybersecurity posture.
This was a recurring theme of the event, with many presenters and delegates talking about IEC 62443 and how it could help them. In fact, IEC 62443 seems to be becoming the de facto OT security standard! However, it was also clear that these standards are complex to understand and even more difficult to interpret. So, it’s one thing to know what standard you want to use, but quite another to implement it.
There were several presentations on the importance of implementing OT cybersecurity standards. Case studies from organisations that have successfully implemented cybersecurity standards were also well-received by those in the audience looking to do something similar.
Wrap-up
It was great to be back at an OT security event, meeting up with some familiar faces. The attendees at CS4CA were a good mix of end users, academics and vendors, which gave the agenda a nice balance. We were impressed by the number of people looking for more information on cyber ranges and digital twins – it’s clear that more people are now seeing how these can directly benefit their organisation.
P.S. Need more information on the Airbus CyberRange? Want advice on how to comply with NIS2? Looking to implement IEC 62443 and don’t know where to start? Reach out to our OT security consultants.