Is your company already NIS2 compliant?
8 October 2024 About NIS2
On October 18, 2024, NIS2 takes effect: a European directive that requires companies to scrutinize their cyber strategy. But what does that mean for your company?
The first NIS version dates back to 2019 and aimed to encourage companies responsible for critical infrastructures to better protect themselves against cyber threats. When services in sectors such as energy, mobility, drinking water management, or government were disrupted, this could indeed have serious implications for the entire population. The past years have shown that this concern is justified: companies where cybersecurity was not yet up to standard fell victim to cyberattacks.
Broader scope
The main change in NIS2 is its broader scope. The previously identified ‘essential sectors’ have been renamed ‘essential entities’ and expanded with ‘important entities’: waste management, chemicals, food, digital providers, and postal and courier services have been added to the list. In Belgium alone, about 2,000 companies fall directly within its scope. From October onwards, they will have to prove that they meet the stricter cybersecurity requirements. But their suppliers will also have to keep up with this development. Moreover, heavy fines loom over companies and even their directors.
Taking measures, reporting incidents
Those covered must meet two major obligations: taking security measures and reporting any incident within 24 hours to the Centre for Cybersecurity Belgium. Exactly which measures are required depends on the company. The legislation first requires a risk analysis to identify weak points, followed by appropriate action. Not only preventive action: there must also be protocols that come into effect when an incident occurs. And raising awareness and training employees in cybersecurity is, of course, high on the priority list.
Customer data under lock and key
As a supplier to these sectors, Eleantis has also done its homework. In cooperation with IT partner J.V. IT Consulting, a plan was developed to keep customer data securely locked away. Extensive investments focused on three areas: segmenting the network, stopping all insecure access by introducing VPN connections and multifactor authentication, and advanced detection systems to identify intruders.
IT versus OT
Eleantis makes that experience available to its customers as well, to secure their networks. The worlds of IT (information technology) and OT (operational technology) may be very different, but in an Industry 4.0 environment they are increasingly converging. In that case you want a partner who knows how to secure your production processes without sacrificing usability. In an office environment, virus scanners and firewalls are a given; unfortunately, they are not in a production environment. Yet securing the PLC control systems is just as essential, to prevent intruders from hijacking your production with a ransomware attack. A Fortinet study shows that cybercriminals are increasingly targeting OT systems specifically, rising from 17% in 2022 to 24% in 2023.
Joining forces
But how do you move from an outdated system without security protocols to a modern production environment with cybersecurity protocols on board? Together with its customers, Eleantis combines all the necessary OT and IT knowledge with insight into their specific way of working. The starting point is an audit that checks how securely you already operate today and where dangers may still lurk.
Building secure bridges
Step 2: closing those gaps. They work closely with your production floor and your IT department to determine which communication is allowed and which is not, who can log in and who cannot, whether that server is still needed, how to limit remote access… always keeping an eye on the balance between security and usability. Bridges are indeed built between the segregated compartments on the production floor, but they are equipped with the necessary firewalls, encryption, multifactor authentication, managed switches…
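The "which communication is allowed and which is not" decision above can be written down as an explicit allow-list between compartments, with everything else denied, and the same list can then be used to audit flow records for traffic the design never intended. The following is an added example, not Eleantis' or J.V. IT Consulting's own tooling; the zone address ranges, the allow-list entries and the flow-record format are constructed for illustration.

```python
"""Zone-based segmentation policy check over flow records.

Added example, not Eleantis' or J.V. IT Consulting's tooling. The zone
address ranges, the allow-list and the flow-log format are constructed for
this example. The point: communication between compartments is allowed only
when explicitly listed (default deny), and flow records can be audited
against that list to spot traffic the design never intended.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed zone layout: office IT, a DMZ with the jump host/historian, and the PLC network.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "plc": ipaddress.ip_network("10.30.0.0/24"),
}

# Explicit allow-list: (source zone, destination zone, protocol, destination port).
# Anything crossing a zone boundary that is not listed here is denied.
ALLOWED = {
    ("office", "dmz", "tcp", 443),  # engineers reach the jump host over HTTPS
    ("office", "dmz", "tcp", 22),   # administrators reach the jump host over SSH
    ("dmz", "plc", "tcp", 502),     # only the DMZ may poll PLCs (Modbus/TCP)
}


def zone_of(ip: str) -> Optional[str]:
    """Return the zone an address belongs to, or None if it is unknown or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Decide allow/deny for one flow and explain why."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every known zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within '{src_zone}'"
    if (src_zone, dst_zone, proto.lower(), dport) in ALLOWED:
        return "allow", f"{src_zone}->{dst_zone} {proto}/{dport} is on the allow-list"
    return "deny", f"{src_zone}->{dst_zone} {proto}/{dport} is not on the allow-list"


# Constructed flow-record format: "<timestamp> src=<ip> dst=<ip> proto=<proto> dport=<port>".
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\S+)\s+dport=(\d+)")


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (record, reason) for every flow record the policy would deny."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            findings.append((line, "unparseable flow record"))
            continue
        verdict, reason = evaluate(m.group(1), m.group(2), m.group(3), int(m.group(4)))
        if verdict == "deny":
            findings.append((line, reason))
    return findings


# Constructed sample records: two legitimate hops via the DMZ, then a direct
# office-to-PLC connection, a PLC reaching back into the office, and an
# address from outside every zone.
SAMPLE_FLOWS = [
    "2024-10-08T09:00:01Z src=10.10.5.4 dst=10.20.0.10 proto=tcp dport=443",
    "2024-10-08T09:00:02Z src=10.20.0.10 dst=10.30.0.12 proto=tcp dport=502",
    "2024-10-08T09:00:03Z src=10.10.5.4 dst=10.30.0.12 proto=tcp dport=502",
    "2024-10-08T09:00:04Z src=10.30.0.12 dst=10.10.5.4 proto=tcp dport=445",
    "2024-10-08T09:00:05Z src=192.168.99.7 dst=10.30.0.12 proto=tcp dport=502",
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {record}\n     {reason}")
```

The same allow-list is what ends up in the firewall rules on the "bridges" between compartments; running recorded flows through it afterwards shows whether the rules in place actually match the agreed design, and which hosts still talk across boundaries in ways nobody signed off on.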
Backup plan
The last focus is having a backup plan, the cornerstone of your cybersecurity strategy. Store backups in multiple locations. Choose so-called immutable backups (which cannot be altered in any way) and ensure multiple versions can exist side by side (‘versioning’). If malware was already hidden in the latest version, you can revert to the previous one. Don't forget to test them thoroughly either. This ensures that if a cyber incident does occur, you can quickly be up and running again.
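The three backup properties named above (versions side by side, copies that cannot be altered, and a tested restore path) can be checked with a small drill. The following is an added example, not Eleantis' or J.V. IT Consulting's tooling: a local directory stands in for the backup target, the file contents are constructed, and "immutable" is only approximated by never overwriting an existing version and clearing write permissions; a real target enforces that server-side (object lock or WORM storage).

```python
"""Versioned backups with a separate integrity catalog and a restore drill.

Added example, not Eleantis' or J.V. IT Consulting's tooling. A local
directory stands in for the backup target; directory names and file contents
are constructed. "Immutable" is approximated by never overwriting an existing
version and clearing write permissions on stored files; a real target
enforces that server-side (object lock / WORM storage). The SHA-256 catalog is
held by the store object, i.e. apart from the files on the target, so that
tampering with a backup cannot also fix up its recorded hash.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class VersionedBackupStore:
    def __init__(self, root: Path):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        # version -> {file name: sha256}; kept apart from the stored files.
        self.catalog: Dict[int, Dict[str, str]] = {}

    def _version_dir(self, version: int) -> Path:
        return self.root / f"v{version:04d}"

    def versions(self) -> List[int]:
        return sorted(self.catalog)

    def write_version(self, files: Dict[str, bytes]) -> int:
        """Store a new version next to the earlier ones; nothing is ever written in place."""
        version = self.versions()[-1] + 1 if self.catalog else 1
        vdir = self._version_dir(version)
        if vdir.exists():
            raise FileExistsError(f"{vdir} already exists; versions are never overwritten")
        vdir.mkdir()
        manifest = {}
        for name, data in files.items():
            path = vdir / name
            path.write_bytes(data)
            os.chmod(path, 0o444)  # read-only once written
            manifest[name] = sha256_bytes(data)
        self.catalog[version] = manifest
        return version

    def verify(self, version: int) -> bool:
        """Recompute every hash against the catalog; extra or missing files also fail."""
        vdir = self._version_dir(version)
        manifest = self.catalog[version]
        if {p.name for p in vdir.iterdir()} != set(manifest):
            return False
        return all(sha256_bytes((vdir / name).read_bytes()) == digest
                   for name, digest in manifest.items())

    def restore_latest_good(self) -> Optional[int]:
        """Walk back from the newest version to the first one that still verifies."""
        for version in reversed(self.versions()):
            if self.verify(version):
                return version
        return None


def restore_drill() -> Dict[str, object]:
    """Take two versions, damage the newest, and see which one a restore would use."""
    with tempfile.TemporaryDirectory() as tmp:
        store = VersionedBackupStore(Path(tmp) / "site-a")
        v1 = store.write_version({"orders.db": b"order-1;order-2\n"})
        v2 = store.write_version({"orders.db": b"order-1;order-2;order-3\n"})
        # Simulate the newest copy being damaged (for instance because the data
        # was already altered by malware when it was taken): force the stored
        # file writable and overwrite it.
        damaged = store._version_dir(v2) / "orders.db"
        os.chmod(damaged, 0o644)
        damaged.write_bytes(b"ENCRYPTED-GARBAGE")
        return {
            "latest_verifies": store.verify(v2),
            "previous_verifies": store.verify(v1),
            "restore_from": store.restore_latest_good(),
        }


if __name__ == "__main__":
    print(restore_drill())
```

The drill is the "test them thoroughly" step: it exercises the same path an incident would, and it only works because the catalog of hashes lives somewhere the backup target cannot reach. For the "multiple locations" point, the same store would be instantiated against a second root at another site, and `restore_latest_good` would be run against both.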
Five minutes to midnight
The arrival of NIS2 is intended to make cybersecurity a natural reflex for companies. Currently, a lack of knowledge about the risks (the ‘that won’t happen to me’ reflex) and about how to address them often stands in the way of better cybersecurity. Budget also plays a role; as you can see, there is a lot to be done. But those who do not act will face a much higher bill if hackers strike. That the manufacturing industry is a target has unfortunately been proven often enough in recent years.
Through the website of the Centre for Cybersecurity you will find more detailed information about everything involved in the NIS2 legislation. If you also want your company's OT side to run cyber secure, contact the specialists at Eleantis: https://eleantis.be/contacteer-ons/
