NIS2 directive – how do I secure my OT network?

22 May 2024 | Thiim A/S

NIS2 – Guide for Manufacturing Companies

It has always been important to protect against cyberattacks, but the requirements for companies' measures to secure industrial networks have increased significantly in recent years due to the rising number of cyberattacks.

With the EU's NIS2 directive, top management is now held accountable if the company suffers a cyberattack, making it even more crucial to know your OT network and where you can enhance its security.

You might have heard of the term NIS2, but perhaps you haven't considered whether it applies to you. It very well might, as the EU is raising the standards for companies' efforts against cyberattacks to ensure that society doesn't come to an unnecessary halt when an attack occurs. The EU aims to ensure that all critical societal production is optimally secured against cyberattacks, with structured incident reporting in place.

#### When Does It Concern Your Company?
If you are a supplier of a critical societal product, for example hand sanitizer for the Danish healthcare system, you are covered by the NIS2 directive. Subcontractors to such a supplier are covered as well. In the example above, this could mean supplying a component for the production of hand sanitizer or supplying hand sanitizer to a hospital; in either case your company would be covered by the NIS2 directive.

The directive covers products, but it also includes other societal and business functions – essentially the sum of critical infrastructure in society.

The main goal of the NIS2 directive is to ensure that society does not come to a halt if a manufacturing company is hit by a cyberattack, and to establish a reporting system in which companies have defined how attacks are reported and have control over their security procedures.

This article will delve into what NIS2 is, how manufacturing companies should relate to the NIS2 directive, and how they can prepare to meet its requirements.

#### What is the NIS2 Directive?
The NIS2 directive is an update of the previous Network and Information Security Directive (NIS) and is part of the EU's effort to strengthen critical societal infrastructure against the consequences of cyberattacks.

NIS2 aims to increase the security and robustness of digital infrastructures and services within the EU. The directive imposes requirements on selected sectors, including manufacturing companies, and obligates them to protect their systems against cyber threats.

#### Why Should Manufacturing Companies Pay Attention to NIS2?
Manufacturing companies are one of the most important sectors in the economy and play a crucial role in the supply chain of our society. They rely on advanced digital systems and automated processes that are vulnerable to cyber threats.

A successful cyberattack on a manufacturing company can have catastrophic consequences, including operational disruptions, loss of production data, and financial losses.

The NIS2 directive requires manufacturing companies to identify and mitigate risks to their digital infrastructures and ensure they can respond effectively to cyberattacks. This includes establishing appropriate security measures, implementing contingency plans, and reporting significant incidents to the relevant authorities.

#### Practically Speaking – What Should Your Company Do?
To comply with the NIS2 directive, there are two main areas to address:

1. **Product Level**
- Physically add an extra layer of security to your devices by installing a switch that stops unwanted data from getting through. This switch functions like a gate that prevents intrusion.
- Thiim can help with products that are installed on OT devices and can assist with the overview, making your devices less vulnerable to attacks.

2. **Procedure Level**
- The NIS2 directive also requires the company to establish specific procedures and ensure compliance with reporting requirements.
- We can assist with a checklist to ensure all requirements are considered in your procedures.

#### How Can Manufacturing Companies Prepare for NIS2?
To prepare for the NIS2 directive, manufacturing companies should take the following precautions:

1. **Risk Assessment**: Identify and analyze potential threats and vulnerabilities in the company’s digital infrastructure. This can include a review of network architecture, systems, and access rights.
2. **Implementation of Security Measures**: Establish appropriate technical and organizational measures to protect digital systems and data, such as firewall and antivirus solutions, strong access controls, and security training for employees.
3. **Contingency Plan**: Develop and implement a contingency plan that defines how the company responds to cyberattacks or security incidents. This should include procedures for reporting incidents and involving relevant stakeholders internally and externally.
4. **Follow-Up**: Ensure regular monitoring and reporting of NIS2 compliance, such as reviewing security policies, conducting risk assessments, and updating contingency plans.

#### How Can Companies Optimize Cybersecurity?
At the IoT device level in manufacturing companies, NIS2 plays a crucial role in ensuring cybersecurity for connected devices and systems:

1. **Security Requirements for IoT Devices**: NIS2 requires IoT device manufacturers to ensure their products are designed and implemented with a high degree of cybersecurity. This includes both hardware and software aspects and demands the implementation of security standards and protocols to protect against potential attacks.
2. **Protection of Data Transmission**: NIS2 requires that IoT devices in manufacturing companies have secure communication protocols and encryption mechanisms to protect data transmissions. This is crucial to prevent unauthorized access to data and protect the company’s business and confidential information.
3. **Implementation of Security Updates**: NIS2 encourages IoT device manufacturers to provide regular security updates to address newly discovered vulnerabilities and threats. Manufacturing companies must be aware of these updates and apply them promptly to maintain robust security for their IoT devices.
4. **Monitoring of IoT Devices**: NIS2 requires manufacturing companies to implement continuous monitoring and control of their IoT devices to identify abnormal activities or attack attempts. This can include implementing intrusion detection systems (IDS) and regular log analysis to identify potential security breaches.
5. **Strengthening Supplier Management**: NIS2 encourages manufacturing companies to have clear guidelines and requirements for their IoT device suppliers, such as following best practices in cybersecurity and adhering to security standards to minimize the risk of vulnerabilities in the supply chain.

By focusing on cybersecurity at the IoT device level, manufacturing companies can minimize the risk of cyberattacks and protect both their production environment and the data transferred between devices.

#### Separate Company Systems
Separating production systems from administrative and other systems within the company is an important and effective security measure within the production environment. This separation can help minimize the risk of unauthorized access and potential attacks on critical production processes.

Consider the following points regarding system separation:

1. **Network Segmentation**: The production environment should be divided into separate network segments where production systems are isolated from administrative and other internal networks. This means establishing separate networks for production equipment and systems that are not directly connected to other company networks.
2. **Physical Separation**: Physically separating production systems and administrative systems involves placing them in separate physical locations or distinct zones within the same facility. This can be achieved through the use of physically separated server rooms or, if possible, separate buildings. Separation reduces the risk of an attack on administrative systems spreading to production systems.
3. **Access Control and Authentication**: Implementing strict access control and authentication is crucial to ensuring that only authorized personnel have access to different systems. This can involve the use of unique user identities, strong passwords, two-factor authentication, and role-based access control.
4. **Segmented Data Processing**: Production data should be processed and stored separately from administrative data. This helps ensure that access to production systems does not automatically grant access to confidential administrative information. Segmented data processing also helps protect sensitive production data from unauthorized intrusion.
5. **Security Monitoring and Logging**: Implementing security monitoring and logging for both production systems and administrative systems is essential to identify and respond to potential security incidents. Monitoring network traffic, system log files, and using intrusion detection systems (IDS) can help quickly detect and respond to potential threats.

By separating production systems from administrative and other systems within the company, the risk of an attack on administrative systems affecting critical production processes is reduced. This separation provides an additional layer of protection and can help ensure that the production environment remains secure and reliable even in the event of a security incident.

#### The Significance of NIS2 at an Overall Level
NIS2 plays a crucial role in protecting digital infrastructure and services throughout the EU. It helps build a more secure and reliable digital economy where businesses and consumers can trust in digital transactions and data exchanges. The significance of NIS2 extends beyond individual companies and contributes to strengthening the EU's overall cyber resilience.

Manufacturing companies should take NIS2 seriously now and prepare to meet its requirements. By conducting risk assessments, implementing security measures, and developing contingency plans, companies can reduce their exposure to cyber threats and enhance their digital security.

If you need assistance, contact Poul or Søren.

This article is written by:

Thiim A/S

Your experts in electrical systems and electrical safety in all industries worldwide.

Founded in Copenhagen in 1971, Thiim has researched, developed and produced professional solutions for industry for 50 years. A technically competent and experienced team of experts is at your service for standard solutions as well as solutions tailored to your specific needs. Naturally, all products comply with European standards.
