The European Union has taken the lead in driving comprehensive cybersecurity and risk management in the form of its NIS2 Directive, aiming to raise the cyber maturity level of critical infrastructure and essential industrial organizations.
Going into effect in October, the goals of the effort could not be clearer or timelier. Perhaps due to its severe punishments for non-compliance, NIS2 is drawing serious attention to cybersecurity and risk issues across EU Member States, especially to operators of essential infrastructure and services. There is NIS2 buzz galore. But it’s awfully late in the game.
The current state of cybersecurity is, unfortunately, not a pleasant one. While we can applaud the goals of the NIS2 Directive, we are forced to admit many of our most precious sectors remain ill-equipped to deal with the consequences of potential failures in industries that our nations, our economies, and our people rely on: Energy, Water, Manufacturing, Transportation and Logistics, Healthcare, and Emergency Services, just to name a few.
Are We Ready?
Dealing with a critical challenge starts with understanding its scale and risks. Next comes a sober assessment of our facilities and capabilities for rising to the challenge. In this case, how prepared are we to cope with the onslaught of cyber attacks on our critical industries?
It appears that we still have a long way to go.
Most European Boards of Directors (BoDs) with whom I have interfaced in recent weeks seem unable to even imagine the consequences of failures in their critical industrial domains. They are woefully unprepared for the threats that are already here, not to mention the new ones that are on their way.
BoDs still seem to associate cybersecurity issues with their information systems. They think in terms of personal data exfiltration and ransomware. They don’t seem to spend much time contemplating severe industrial attacks. For example, a sudden, uncontrolled rise in the temperature of a furnace can burn down a factory, accompanied by substantial loss of life. A bit more disconcerting than confiscation of purchasing records, I would say. An international syndicate of hackers could remotely hijack a valuable sea-going vessel with a billion dollars of goods aboard and sail it to an enemy port, triggering the next international war. Or consider a nation-state actor who can stop a foreign railroad in its tracks, causing not only financial and reputational damage to the owners but a trade and travel catastrophe for the entire victim nation. Yet BoDs still seem to be more worried about confiscation of travel records.
When cyber gets physical, it gets dangerous! And it must be regarded as such!
NIS2 to the Rescue
Thankfully, NIS2 forces EU-based OT organizations to come to terms with the threat level not only to their own operations, but to national well-being. It compels essential and important entities to adopt effective cybersecurity, risk management, incident reporting, employee training, and other programs.
Compliance with NIS2 could prevent devastating losses across swathes of critical industries. But operators have to be prepared to make an immediate mental shift, and in many cases that hasn’t happened yet.
Radiflow is Here to Help
One of the major impediments to adopting and complying with NIS2 is the shortage of cyber talent, especially knowledgeable risk management experts. Radiflow helps remediate this shortage at two levels. First, our data-driven CIARA Risk Management solution enables operators to conduct rapid and accurate site-level and organization-wide risk assessments, to find their security gaps, and to adopt the most cost- and risk-effective controls. Second, Radiflow provides a Risk Management Service in which we apply our in-house expertise, together with our CIARA solution, to deliver specific recommendations on minimizing cyber risk while optimizing cyber spend.
We note that some insurance companies, like Allianz, are demanding that their industrial clientele run assessments on their operational risks and measure their NIS2 compliance. CIARA, whether in the hands of the industrial organization, the insurance company, or Radiflow experts, can produce a prompt risk-readiness assessment using a continuous feed of data from the industrial network and industry-specific cyberthreat information.
Radiflow can assist the BoD and cyber stakeholders in planning their risk roadmap, including budget recommendations, to reduce risk to acceptable levels and keep the organization within the bounds of NIS2 compliance.
Contact us to get started.
NIS2 is upon us. Get your cyber and risk in compliance before you encounter problems.