In just the last few years, operational technology (OT) cybersecurity has witnessed significant changes driven by an increased recognition of an expanding attack surface and vulnerabilities in critical infrastructure (CI) and industrial control systems (ICS). Governments around the world have become concerned about the danger to their CI and have sounded the alarm. They have responded by implementing and strengthening regulations to protect these essential sectors from cyber threats. Here are the emerging trends in OT cybersecurity regulations and their impact on CI and ICS operators.
Strengthening Compliance Requirements
Due to the increasing boldness and damage of cyber attacks, government regulators are raising the bar when it comes to OT cybersecurity compliance. They have come to understand the seriousness of the threat to the well-being of their citizens and are rapidly embracing effective cybersecurity frameworks, regulations, and directives, such as the NIST Cybersecurity Framework, IEC 62443, and NIS 2. Increasingly, they are working with industrial sectors and individual OT companies to promote compliance with risk-assessment initiatives, security controls, incident response capabilities, and, of course, stringent reporting obligations.
Expansion of Regulatory Coverage to More Sectors
Regulatory frameworks are expanding their scope to cover a widening range of critical infrastructure sectors. Industries beyond the traditional sectors of energy and manufacturing are now, for the first time, subject to OT cybersecurity regulations. Some of these are transportation, healthcare, and water and wastewater.
Focus on Supply-Chain Security
Regulators increasingly recognize the importance of addressing cybersecurity risks to supply chains. They have begun to incorporate supply-chain security requirements into regulations to mitigate the risks associated with third-party vendors and suppliers. To be compliant, organizations must conduct due diligence, implement vendor risk management processes, and ensure the security of their supply-chain components. For many sectors, such as healthcare, which deploys many third-party medical devices, this includes a “software bill of materials” (SBOM) that lists all component parts and software dependencies. As OT organizations deploy IIoT devices and complex machines, they will encounter regulations for SBOMs.
Emphasis on Incident Response and Reporting
Regulatory frameworks are placing greater importance on prompt and effective incident response and subsequent reporting. For example, the NIST CSF requires that operators “develop and implement appropriate activities to take action regarding a detected cybersecurity incident.”
Beyond incident response (IR), operators must relay information about any breach to the appropriate regulatory body. For example, the NIS 2 Directive includes an obligation that organizations affected by a cyber breach report the incident to the designated authority within 24 hours of becoming aware of the incident, followed by a final report within one month. The US Securities and Exchange Commission (SEC) has just passed new rules requiring that organizations declare “if any risks from cybersecurity threats, including past incidents, have materially affected or are likely to materially affect the company’s business strategy, operations, or financial condition.”
The Role of Information Sharing
No factory is an island. To improve cyber resilience among OT operators, regulatory bodies are encouraging the sharing of threat intelligence and related information. NIST has published a lengthy pamphlet on cybersecurity information sharing among organizations and across sectors including “guidelines for establishing and participating in cyber threat information-sharing relationships.”
Convergence of IT and OT Regulations
Regulatory bodies are recognizing the growing interconnectedness of information technology (IT) and operational technology (OT) systems and networks, and the information shared between them. They see an increasing need for a holistic approach to cybersecurity that crosses the once air-gapped boundary between IT and OT. Among other requirements, regulations now include the alignment of governance structures, risk management processes, and security controls between the IT and OT realms.
Global Harmonization of Standards
Threat actors do not necessarily confine their activities to a single region, country, or sector. Operators have to respond accordingly. To facilitate international cooperation and simplify compliance efforts for organizations operating across borders, we see a growing trend towards global harmonization of OT cybersecurity standards, including adoption of internationally aligned regulatory frameworks and promotion of cross-border information-sharing. This trend will pick up steam in the near future.
Conclusion
The landscape of OT cybersecurity regulations is evolving rapidly, reflecting the growing recognition of the importance of protecting critical infrastructure and industrial control systems from cyber threats. Affected organizations must stay abreast of these developments to ensure compliance as they maintain robust security postures.
By understanding these emerging trends, organizations can effectively navigate the dynamic regulatory landscape as they enhance their cybersecurity resilience, protect their assets, and contribute to a safer and more secure operational technology environment. If they don’t do it willingly now, they will be forced to adopt the regulations as they take hold.
Contact us to find out more about Radiflow’s ICS security products and to assess your level of network segmentation.