Hands down, by now there are probably a trillion articles offering advice on how to “get ready for NIS2” (just do a search in your search engine of choice). Some contain sensible tips, most simply re-list the requirements of the updated Network and Information Security directive and leave the reader in limbo.
Still, even just 1.5 months away from the EU's NIS2 directive turning into national law, many customers in the electrical sector we speak to have difficulties getting their heads around the full impact of NIS2. In particular, the extension of thorough cybersecurity to the OT networks of their grid infrastructure causes headaches. For many electric and multi-utilities this is still new territory with many blind spots and unknown challenges.
Start with the measures that have most impact
But fear not. There is no requirement to have the dozen NIS2 requirements fulfilled at once. As always, cybersecurity in OT is a process – even if it comes with a steep learning curve.
From a practical point of view, that is from the perspectives of minimum compliance as well as attack surface and growing cyber risk for electric and multi-utility companies, take the first steps that have immediate positive impact on your OT cybersecurity posture. I propose a 3-step approach that delivers transparency and visibility to your OT black box and enables fast progress to defense-in-depth in your OT.
Here are the three most relevant steps to get your operational technology networks ready for NIS2. All steps, resources and procedures are carried out as part of your individual security management. An appropriate, practical and systematic approach is crucial. The key is always the people.
1|Understand your OT and its vulnerabilities
Before you can establish cybersecurity in your OT networks you need to open the black box they typically remain. This can be done with a risk analysis and vulnerability assessment of your OT communication, configurations and architecture. What sounds like a mammoth task, can actually be done in less than 2 months' time. Landis+Gyr and its OT security subsidiary Rhebo use non-intrusive, passive monitoring of OT communication to get the full picture of:
- Which components are active in the network
- How they are connected
- How they communicate
The setup of the network-based intrusion detection system (NIDS) can be done within minutes. The recording happens without any changes or impacts to your network’s performance and availability. After a defined period, the recorded OT communication is thoroughly analysed by our OT security experts to identify any vulnerabilities, cyber risks and misconfigurations that could impale cybersecurity.
2|Establish basic cybersecurity procedures
This step might take a bit longer but can be divided into micro-steps. The most important thing is to get started, step by step,
Generally, utilities deploy firewalls at their network perimeters, on the IT and OT side. They also have solutions for secure remote access installed. Some companies even have network segmentation in place, both physical and logical, to avoid the use of common resources and suppress vertical and horizontal threat propagation. Ensure that none of your OT components are directly accessible via the internet (https://www.shodan.io/ is still an excellent source to cross-check). If these measures are missing, this is what to prioritise.
Additionally, zero trust principles and multi-factor authentication for 3rd party and remote access should be incorporated since neither the VPN technology nor the cybersecurity practices of subcontractors can be fully trusted.
Landis+Gyr customers already start with a strong foundation since cybersecurity has always been an integral part of the Landis+Gyr infrastructure. Industry standard encryption, validation techniques and secure cloud environments are the default for Landis+Gyr as are regular security reviews and updates.
3|Get a grip on supply chain insecurity and remaining OT risks
You probably guessed it, there are some security risks that won’t be easy (or able at all) to mitigate.
Supply chain compromise, where attackers compromise a sub-contractor or service provider first to reach the actual target company, remains a serious risk in a world of growing interdependencies. This can include your software provider as much as your 3rd party maintenance engineer who connects to your OT network or systems.
- OT components and systems remain an endless source of vulnerabilities. Built to keep industrial processes going, little thought has been given to making them secure in the past. Most companies still operate legacy systems and protocols because shutting them down would seriously impact their operations. However, security research teams have proven once and again that once attackers are inside the OT network, they have virtually free rein.
These risks will continue to haunt industrial companies for some time to come due to lack of options and long lifecycles.
While these risks won't be easily mitigated, they can be controlled: by making them visible and by continuously monitoring them. The NIDS mentioned in step 1 can be switched from risk analysis to continuous monitoring at the click of a mouse. So basically, you can go from risk analysis to intrusion detection in a second.
It will continue to monitor all OT communication but will add the functionality of intrusion and anomaly detection. This enables utilities to identify communication and activities that deviate from the legitimate baseline. Incidents are reported with all details in real-time so that security officers can swiftly evaluate and react to prevent blackouts or other disruptions to critical processes.
By this, exploitation of hidden or unpatched vulnerabilities as well as threat propagation from 3rd parties can be identified early on.
With a little help from friends
I know that for some companies even these three steps can be overwhelming. Staff and skills shortage in OT security are still frustrating reality. Though, this should not stop utility companies from starting the process to NIS2 compliance.
Landis+Gyr customers can take advantage of our 125 years of experience in the electrical sector and the secure, stable and safe energy distribution. Not only has Landis+Gyr, together with the long-standing OT experts of its subsidiary, Rhebo, developed security solutions that cover the entire grid, from central OT to substations, to head end systems and grid edge devices. Landis+Gyr also provides managed services for OT security and the operation of the OT network-based intrusion detection system with the aim to foster knowledge transfer to build your in-house expertise step by step.
