- Number of organisations regulated by NIS2 and KRITIS umbrella expands to over 30,000
- eco Association provides 9 tips to increase the cyber resilience of industrial control systems
With the increasing networking of machines, industrial plants are becoming more vulnerable to cyberattacks. In addition, regulation in this area is changing significantly this year with the KRITIS Umbrella Act and the NIS2 Implementation Act: the number of regulated companies will increase to over 30,000. The KRITIS Competence Group in the eco Association provides nine tips on how companies can also fulfil the stricter requirements in their OT (Operational Technology).
Industrial control and automation systems, commonly known as OT for short, are developed with a long-term perspective: it is not uncommon for production plants to be controlled and monitored using the same software for 30 years. As a result, many OT systems were put into operation without modern cybersecurity methods being taken into account. And because they cannot be brought up to the necessary level of security without considerable effort, they are popular targets for criminal cyberattacks. Also in light of the changing regulation through the KRITIS Umbrella Act and the NIS2 Implementation Act, there is an urgent need to review and strengthen security strategies in order to ensure the integrity and reliability of critical infrastructures.
“Now is the time for operators of critical systems to ensure greater cyber resilience,” says Ulrich Plate, nGENn GmbH and Head of the eco KRITIS Competence Group. “This sounds easier than it is, and for industrial control systems it can sometimes be particularly complicated: Maintenance windows for a software update can’t simply be scheduled for next week, but perhaps only next year.” When NIS2 and KRITIS-DachG come into force in Germany, numerous organisations that have not previously been counted as critical infrastructure operators will fall under the regulation, and production facilities with a distinct operational technology environment will be affected for the first time. The cybersecurity requirements for them will also become significantly more demanding as a result. “Violations of obligations such as inadequate implementation of security measures or missed reporting and registration deadlines can result in hefty fines and, above all, personal liability risks for Managing Boards,” says Plate, providing nine concrete tips for improved OT security:
- Identify vulnerabilities and threats in your OT systems. Conduct regular risk analyses to identify and assess current and potential vulnerabilities.
- Network segmentation: Separate IT and OT networks to minimise the attack surface. Further segment OT networks to limit the damage in the event of an attack.
- Hardening OT systems: Disable unnecessary services and ports on OT devices. Ensure that only authorised applications and users can access these systems.
- Security updates and patch management: Keep all OT systems and devices up-to-date by regularly applying security updates and patches. Develop procedures to install critical updates in a timely manner.
- Access control and authentication: Implement strong access control mechanisms. Use multi-factor authentication (MFA) and ensure that only authorised users have access to OT systems.
- Employee training and awareness: Regularly train your employees on cybersecurity best practices. Ensure that all employees who work with OT systems are aware of current threats and protective measures.
- Monitoring and incident response: Implement continuous monitoring and detection mechanisms for OT networks. Develop and test incident response plans to respond quickly to security incidents.
- Security policies and procedures: Create and implement clear security policies and procedures for the operation and maintenance of OT systems. Ensure that all employees understand and follow these policies.
- Collaboration and information sharing: Promote collaboration and information sharing with other companies and public authorities. Use information platforms to stay informed about current threats and security incidents.