On 2023-10-24
by Ben Worthy, OT Specialist
Cybersecurity

Here’s what we learnt at the CS4CA OT conference – NIS2, IEC 62443 and cyber ranges

CS4CA blog

Airbus Protect recently attended the CS4CA OT security conference in London.

 As with all the best cybersecurity conferences, there was a good mix of independent experts and companies at the event, who provided state-of-play updates, shared best practices, and engaged in some crystal-ball gazing.

Summary

Though the conference covered a wide range of topics, a few came up more than others, such as NIS2, cyber ranges, implementing standards, supply chain security and cultural challenges. In this blog, we’ll dive into a few of these themes and reflect on what we learned at the conference. 

What will NIS2 mean for us?

NIS2 is a new EU directive that aims to strengthen cybersecurity requirements for ‘essential entities’ and ‘important entities’ irrespective of their size. It will apply to companies in sectors like energy, transport, health, digital infrastructure, banking, utilities, government, space, chemicals, food, manufacturing and more.

NIS2 is expected to come into effect in 2024. It will have a significant impact on the manufacturing sector as ‘supply chain’ organisations will now be classed as EE/IEs. New reporting requirements will demand that these organisations submit a report to the national CSIRT within 24 hours of becoming aware of an incident. It will also become mandatory for management to take responsibility for their organisation’s OT security maturity. This includes having regular risk assessments and signing-off on mitigations and risk treatment plans.

There were several presentations on NIS2 at the conference. These covered its key requirements, how to comply and the potential impact on organisations. From listening to them, it’s clear that NIS2 is a complex piece of legislation. This means it’s essential for OT organisations (operations and management) to start preparing now, especially those that weren’t part of the original NIS-D roll-out.

The UK will not be directly replicating NIS2. However, it intends to apply a proportionate approach to any updates to the current legislation. This will encompass new areas such as managed service providers, supply chain security and more stringent reporting obligations. It’s expected that UK regulations will ensure that its organisations achieve a similar level of assurance as those in the EU.

 

What about cyber ranges?

Cyber ranges are virtual or physical environments that allow organisations to train staff and test their cybersecurity capabilities. Cyber ranges can be used to simulate a wide range of cyberattacks, including those that target OT systems.

At the conference, there was a lot of interest in cyber ranges, particularly from organisations that are looking to improve their OT security maturity. Airbus Protect gave a well-received presentation and interactive demonstration of OT system compromise with the Airbus ‘CyberRange’ product. This demonstrated how pentesting on a digital twin of your OT environment can prevent system vulnerabilities from becoming catastrophic events.

 

Why do we need to talk about IEC 62443?

There are several cybersecurity standards and frameworks that are relevant to OT systems, such as NIST CSF, NIST SP 800-82 and IEC 62443. Implementing these can help organisations improve their OT cybersecurity posture. 

 

This was a recurring theme of the event, with many presenters and delegates talking about IEC62443 and how it could help them. In fact, IEC62443 seems to be becoming the de facto OT security standard! However, it was also clear that these standards are complex to understand and even more difficult to interpret. So, it’s one thing to know what standard you want to use, but quite another to implement it.

 

There were several presentations on the importance of implementing OT cybersecurity standards. Case studies from organisations that have successfully implemented cybersecurity standards were also well-received by those in the audience looking to do something similar.

 

Wrap-up

It was great to be back at an OT security event, meeting up with some familiar faces. The attendees at CS4CA were a good mix of end users, academics and vendors, which gave the agenda a nice balance. We were impressed by the number of people looking for more information on cyber ranges and digital twins – it’s clear that more people are now seeing how these can directly benefit their organisation.

 P.S. Need more information on the Airbus CyberRange? Want advice on how to comply with NIS2? Looking to implement IEC62443 and don’t know where to start? Reach out to our OT security consultants.

  • Share

More on Cybersecurity

Ship on the ocean Cybersecurity

What is Export Control? A Well-Kept Recipe!

Are you sure that you are authorised to sell your products to foreign companies and to domestic ones established in foreign countries? Have you checked whether all the components and subsystems of your product can be exported ? Are you certain that you are allowed to share technical information with your foreign interlocutor ? Having[...]

Read more
understanding digital risk management Cybersecurity

Digital Risk Management: A Business-Aligned Approach

Organisations today face a complex and evolving array of risks that require effective management. Some are inherently digital, while others are traditional risks amplified by technology. From cyberattacks to technical disruptions, these threats pose significant challenges for businesses, holding the power to impact operations, finances, reputation, and ultimately bottom line.  To safeguard their future, organisations [...] Read more
Airbus Protect explains Vulnerability Management Cybersecurity

Airbus Protect explains: Vulnerability Management

What is vulnerability management? Vulnerability analyst Pierre Louis Gensou explains. Vulnerability management and vulnerability intelligence are crucial elements of IT security. As a vulnerability analyst, my role is to identify security flaws, assess their impact on the components we monitor, and inform customers of the associated risks. What is a vulnerability? When we say "vulnerability", [...] Read more