The new NIS 2 Directive and IEC 62443: Establishing an edge-to-core approach to cyber security and risk management in 2024

With the public demanding robust evidence that their data will always remain secure when accessing a critical service, the regulatory landscape has become increasingly complex – a trend that shows no signs of slowing down. Indeed, in October 2024, we will see the launch of the new NIS 2 Directive, impacting a range of organisations that would previously have been exempt.

What is NIS 2 and what does it mean for your organisation?

The Network and Information Security 2 Directive (Directive (EU) 2022/2555) is a new EU legislation, building on the 2022 iteration of NIS 2. While this is an EU directive, its content is largely aligned with NIS UK legislation, which means UK-based organisations will also be affected by its compliance requirements.

NIS 2 is intended to establish a higher standard of cyber security for Operators of Essential Services (OES’s), i.e. organisations delivering services such as healthcare, digital infrastructure, and utilities that are deemed essential for a functional, safe society. The foundation of NIS 2 is the NCSC’s Cyber Assessment Framework – a well-established methodology for gauging an organisation’s ability to identify and mitigate cyber risk – particularly its four core pillars:

1. Managing cyber risk. Developing a clear picture of your infrastructure and its dataflows, drawing on the well-established Purdue Model.
2. Protecting against cyber-attacks. Establishing a robust cyber security posture and effective processes for remediation.
3. Detecting cyber security events. Ensuring cyber-attacks can be detected in real-time, and the appropriate response immediately initiated.
4. Minimising the impact of cyber incidents. Ensuring measures are in place to minimise disruption in the event of a breach and establish a true cyber security culture at all levels of an organisation.

Launching in October 2024, the new NIS 2 expands the range of organisations covered to include digital service providers and MSP’s across a number of new sectors, as well as incorporating an extra level of director accountability (particularly around training and risk assessment), and incident reporting in the event of a potential disruption. Focus areas of the new directive, include:

• Corporate policies around risk management and information security
• Incident management, including both physical and cyber incidents
• Business continuity and disaster recovery/remediation
• The security of supply chains
• Processes for regular testing and auditing

If your organisation operates in any of the areas that fall under NIS 2, you will need to make sure your IT and OT infrastructure is fully compliant with the new regulations. If a security breach occurs, and it is found that compliance has not been maintained in any of the above areas, costly fines will be incurred (as much as 2% of the compromised organisation’s annual turnover).

Why you should consider IEC 62443 in parallel with NIS 2

While NIS 2 certainly offers a robust framework for effective cyber security, as you consider your compliance obligations, you should also determine whether IEC 62443 will be applicable. Established by the US-based International Society of Automation in 2002 and drawing on the German VDI/VDE 2182 guidelines released in 2011, along with the input of numerous other organisations and committees, IEC 62443 is now maintained by the International Electrotechnical Commission as an international standard around the cyber security of operational technology platforms, with a specific focus on automation and control systems. This standard offers a risk-based approach to managing OT cyber security, encompassing both technical and process-related best practice. While a full breakdown of IEC 62443 and its implementation lies outside the scope of this blog, the following two concepts make up its foundation:

• Defence in depth. The creation of redundancy in OT security systems by implementing multiple levels of security throughout the infrastructure.
• Zone and conduits. Zones are areas within infrastructure (physical or digital) with shared security requirements, with each assigned a Security Level (SL), based on an in-depth risk analysis. Conduits are the connections between zones that ensures seamless communications different SL’s can be maintained.

If your organisation maintains industrial control systems of any sort, it is important that you are aware of the IEC 62443 standard and work to ensure your systems and processes are aligned. With the upcoming launch of the new NIS 2, the natural convergences between the two standards mean that establishing both in parallel can significantly streamline the process of achieving compliance and ensure the very latest best practice regarding OT security has been correctly implemented.

Streamlining the path to NIS 2 and IEC 62443 compliance

So, with NIS 2 fast approaching and IEC 62443 another potential concern, what will the necessary measures to ensure compliance look like? There is no simple answer here, as it will entirely depend on what point you have already reached in your own digital journey. For example, a key driver for the new NIS 2 is the increasing convergence of Information Technology (IT) and Operational Technology (OT), with physical devices generating large amounts of unstructured connected data that must be shared, stored, processed, and secured.

The new attack vectors created by the ongoing shift, compounded by the security challenges presented by legacy infrastructure may naturally lead to the conclusion that compliance is only achievable through a full-scale redesign and rebuild of all physical and digital systems – with all the costs and complexities that entails.

But there’s good news… Such drastic measures might not prove necessary. In fact, if approached intelligently and methodically, the NIS 2 Directive, in conjunction with IEC 62443, will provide a robust foundation for more effective cyber security and risk management in the years ahead,ensuring critical infrastructure remains secure as new threats emerge.

Working together to secure your critical data – edge to core

When considering the NIS 2 Directive and IEC 62443, above all, do not make assumptions. It is important to get a clear picture of your physical and digital infrastructure’s design and how it measures up to the new compliance requirements. Vysiion work with our customers to ascertain how to best fulfil such obligations, we begin with a period of deep consultation, establishing the gaps between the current position, and where the customer needs to be. This is complemented by pen testing by a trusted third-party to identify hidden weaknesses, remediation, and the implementation of appropriate threat monitoring and detection tools.

By identifying the problem areas, Vysiion can significantly streamline the journey to full NIS 2 compliance, drawing on a full portfolio of innovations to deliver an end-to-end secure solution. Our years of experience of working in challenging sectors like defence and CNI is critical, allows us to minimise single points of failure and ensure IT and OT are properly integrated, even if we were not responsible for the original installations. This includes remote and on-site activity, working in the most challenging environments, with our own Field Services team on hand to provide expert support, including proactive and reactive maintenance of all your critical assets.

If you are in any doubt about your ability to achieve full NIS 2 compliance before the official launch date, and bring your systems in line with IEC 62443, do not hesitate to reach out to the team at Vysiion. We are ready to work closely with you to establish what steps will need to be taken to bring you up to speed with NIS 2 and – most importantly – how to execute them in a way that minimises cost and disruption, maximises security and resilience, and opens a range of opportunities for operational enhancements.

You can also Join our event on Thursday, 16th May 2024 at The Ivy, Bath with our subject matter expert, Simon Hoy, to learn more about the convergence of IT and OT, and how Vysiion is working with leaders across the manufacturing sector to establish secure-by-design systems that support ongoing innovation – from edge to core. Register here.