Most companies acting in the European Union (EU) responsible for their own, or other, critical infrastructures already have stringent processes and procedures triggered by national and industry regulations and through implementing industry standards like IEC 62443 and IEC 62351.
However, new and evolving regulations, like the upcoming implementation of the EU NIS2 Directive in each EU Member State, force companies to reassess the current state of their organizational, operational, and technical security controls, along with their compliance readiness.
The new EU NIS2 directive is targeted for incorporation into local legislation for EU members on October 17, 2024. The pace is picking up for companies to assess how their business is touched by this directive, its legal and organizational impact, and their level of readiness and compliance.
On a tactical level, they must ask themselves questions like these to form an actionable and prioritized improvement plan:
- Is what we know to be in the infrastructure correct? Do I have proper insights into my assets and communication paths and any vulnerabilities?
- Have I mapped the communication flows to the right business applications? Do I know the interdependencies of the assets and application flows?
- Do I have insight into the criticality of my assets, the business applications, and the financial impact on my business if a communication flow is interrupted? In case of a critical event, can I keep (other) operations going?
- Is this criticality properly reflected in my end-to-end monitoring, event management, and service management tools to trigger the proper remediation and resolution processes?
- Is my Security Incident Management process working? Does everyone know their role and how is communication shared between teams? Is there a single owner and coordinator? Have we tested the process?
- How do we track internal and external staff access to devices and the work they perform? Is access based on roles and only to applications and parts of the network that are relevant for their role?
To be able to answer these questions, most organizations start by trying to get an understanding of how good or bad their knowledge of their current infrastructure is: You don’t know what you don’t know, but how much do I not know? Infrastructures in quite a few cases have grown organically with added parts, often siloed, by teams with different goals and responsibilities operating all too frequently in isolation. This seems to be especially true for companies where Operational Technology (“OT”) and Information Technology (“IT”) infrastructures and functions are converging.
A frequent starting point is an assessment to provide visibility into the assets deployed in the infrastructure and to compare these findings with asset databases. This will not only provide data on gaps in knowledge but also the functioning of processes like Change Enablement, Release Management, and Deployment Management.
During these assessments communication paths are captured. Mapping these paths to business applications and processes helps identify the business impact of cybersecurity attacks and outages. Understanding the criticality of business processes and the underlying applications, communication flows and infrastructure allows critical components to be identified and separated from less critical ones. Network segmentation and security zoning are key components of the IEC 62443 standard. In case of a security attack, operational business impact is restricted to specific parts of the infrastructure while keeping operations running in the unaffected areas.
Understanding critical business applications and how they communicate over the infrastructure not only helps restrict and contain security attacks; it also supports the review and optimization of the operational Incident Management and Change Enablement procedures. For example, if the communication paths all go through a single point, troubleshooting and resolving an issue on that component could result in a shutdown or reboot impacting all application data streams and processes running over this component. By untangling these flows, downtime as the result of planned proactive and preventive maintenance or unplanned reactive maintenance can be reduced.
The most crucial outcome of these assessments though is the identification of the risk exposure. For each identified asset, the vulnerability level will be determined against known vulnerabilities and threats. Combining this level with asset criticality, remediation actions can be planned and executed to reduce the overall exposure.
Additional operational assessments can include assessing the Security Incident Management processes and their effectiveness through tabletop exercises, and the configuration and integration of the supporting monitoring, Security Information and Event Management (“SIEM”), and Service Management systems. Common optimization areas are the mapping of event and incident severities to the criticality of the assets and how this is configured in integrated systems and platforms (or the lack thereof), but foremost is the functioning and effectiveness of the Security Incident Management process: Have the flows and procedures been tested end-to-end? Does everyone know these processes and procedures and their roles in them? What should be communicated between teams and who should be informed, especially in case of company-brand impacting events?
Another process with more emphasis on NIS2 is related to role-based controlled and tracked access. In a world where remote operations and applications hosted in the Cloud, even in the OT domain, become more and more dominant, restricting and controlling access to data and assets to only those that should have access is increasingly becoming more important. Again, this doesn’t limit itself to applications like Cisco Secure Equipment Access, but also the processes around defining the access levels, granting access, and monitoring activities performed. Operational assessments will help identify the status of such controls and any potential areas of optimization.
Understanding the risk exposure and responding to vulnerabilities is a continuous process. New threats will appear. Becoming aware of them, assessing their impact, and defining remediation plans as soon as possible is therefore crucial. Intelligence-led proactive cybersecurity services like Cisco’s Talos threat intelligence research organization will inform you quickly about the risk posed by newly discovered threats. However, to respond to the threat and implement remediation quickly still requires often going through an expedited release, test, and deployment procedure. This means the proper processes and procedures will need to be in place. For less critical releases and fixes, the more standard release and deployment management processes can be followed.
The NIS2 Directive is not only about becoming compliant, but also remaining compliant after implementation. This can be achieved through regularly reassessing and measuring improvements.
Acting as the bridge between strategy definition and tactical execution, Cisco is ideally positioned to share best practices with its customers and partners. Its “infrastructure up” approach augments strategy-orientated assessments with practical recommendations on how to prioritize and act on the findings of such assessments. These vendor-agnostic recommendations leverage the extensive Cisco Services experience built up over the years through advising, designing, and optimizing secure and scalable critical infrastructures, not only from a technology perspective but also from a process and people angle. Technology cannot be seen separated from the business operations and the people using it; they feed into one another.
Through a wide range of assessment, design, implementation, and lifecycle services, Cisco Services support customers on their compliance readiness journey, identifying the current security risk exposure and controls maturity gaps along with the effectiveness of security-related processes and procedures; all of which serve as a basis to translate the findings and recommendations into actionable items that can be prioritized based on business impact and available budget and resources.
Cisco Customer Experience (CX) in EMEA has brought together a team of subject matter experts with a background in utilities and other industrial domains such as oil, gas, and manufacturing. The Cisco CX EMEA Center of Excellence for Utilities Digitization assists industrial organizations with their energy digitization and transformation journeys by sharing their experiences, industry trends, and peer-to-peer priorities.
Want to learn more about how Cisco can assist you? Contact your Cisco Services Sales Specialist or email the Cisco CX EMEA Center of Excellence for Utilities Digitization. Of course, you’re welcome to simply comment below as well. I look forward to hearing your thoughts.
Share: