DeepSec 2024 Talk: Why NIS2 Implementation often fails in Industrial Areas – Michael Walser
Why do most projects preparing for NIS2 fail in practice? Many affected companies complain that the requirements of EU Directive 2022/2555 are too unspecific and technically difficult to implement. Excessive demands are spreading. Affected companies are uncertain about how the actual implementation will be evaluated, unlike with ISO security certification (e.g. ISO27001/ISO62443). The results are often unsatisfactory despite the sometimes massive investment of money and personnel. An Excel spreadsheet or a Visio drawing by itself does nothing to change the resilience of KRITIS or industrial facilities against cyber-attacks in practice. We focus on industrial customers and their OT infrastructure, using anonymized, real-world examples to show the challenges in practice and offer examples of solutions to avoid repeating past mistakes. The first steps do not have to cost a lot of money or tie up a huge amount of human resources. A little creativity and knowledge of your own processes are often enough to overcome the biggest hurdles and increase the level of protection enormously.
We asked Michael a few more questions about his talk.
Please tell us the top 5 facts about your talk.
Compared to other security-related frameworks (like ISO27001), the new NIS2 doesn’t just involve documenting the process but also verifies the technical implementation. In contrast to the classic IT landscape, industrial networks, production plants and control systems present operators with special hurdles and almost unsolvable problems: how to deal with security bugs, what about access management, why is the inventory such a challenge, and how to deal with monitoring changes and preparing a BCM strategy? Also, cooperation with a “Security Operations Center”, SOC for short, is a challenge. We are discussing potential strategies that harvest the “low-hanging fruit” first to start a decent NIS2 journey, with a continuously improved and implemented security level, without spending thousands of euros.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
We are working with several KRITIS companies, and we have successfully taken part in relevant and successful audits. The way to success was not predefined, and challenges had to be overcome. The idea was to spread our experience with these challenges and share it with the interested community.
Why do you think this is an important topic?
NIS2 is not a “nice to have”; it is a legal requirement which will touch a lot of companies in the EU and abroad. While EU member states haven’t completely implemented the legal framework yet, the requirements are fully established within EU regulations. The good thing is that NIS2 focuses on the implementation and is not another bureaucratic hurdle. We know WHAT needs to be done, and THAT it needs to be done. Many companies are preparing for the implementation and are stuck somewhere in the implementation process. We are focusing on the practical implementation.
Is there something you want everybody to know – some good advice for our readers, maybe?
The talk takes place on the “Tech Track”. For affected companies, NIS2 is a confidential topic – after all, it is about protecting internal critical systems. Therefore, we will not record or document the talk. This allows for an open and exciting discussion, to which we would like to invite you.
A prediction for the future – what do you think will be the next innovations or future downfalls for your field of expertise / the topic of your talk in particular?
Is NIS2 just another topic on the level of blockchain or AI, as it is presented everywhere in the media? No, this is a topic that must be implemented by force of law. Today, everyone seems to have a solution, and many have “that ONE product” that makes companies NIS2 compliant. In the end, however, it is not the marketing budget but the power of innovation that determines what the corresponding solutions look like. Even if working with the companies concerned is a challenge because of the complexity and multi-layered nature, we learn something new every day and are constantly improving. In the end, it is a matter of experience, not just a new tool set, to really protect an asset. We look forward to what’s coming next.
Michael Walser is a member of the Management Board and the CTO of the Munich-based industrial security company sematicon AG. In this role, he handles the company’s technical strategy and advises customers on the secure implementation of digital transformation in the industrial sector. He is a recognized expert for OT cyber security in industry and KRITIS environments. After graduating in electrical engineering, he worked for many years as a consultant and advisor on successful IT security projects with a focus on cryptography worldwide and handled their implementation.
sematicon AG is a Munich-based company that specializes in industrial security and embedded cryptography. We support you in successfully and securely mastering digital transformation. With a focus on industry and electrical engineering, we offer specialized security solutions that we have developed based on industry requirements. For example, industry experts consider our “Zero Trust” solution for secure and isolated remote access to industrial plants and systems an innovation. We also support and advise you in the planning and implementation of your OT security concepts. We thus offer comprehensive security services for the industrial and electronics sectors from a single source.