Estonian Maritime Academy, a structural unit of Tallinn University of Technology, is involved in a project called “ATHENA” (DEP: Project 101127970), which boosts the cyber resilience of critical infrastructure through innovative, co-created competence building across a consortium of project partners. Supported by Digital Europe, ATHENA researches and addresses the needs of OT in CI waterways when developing cyber education and training for this target group as well as for all levels of the organization. The project partner team members have published recommendations to policy makers and to experts in entities involved in protecting critical infrastructure. The abstract has been published in ECSO's Cybersecurity Awareness Calendar.
Security and Obscurity - The evolution of Critical Infrastructures from being analogue and protected to digitally integrated and vulnerable

Abstract
There are digital security threats resulting from geopolitical developments that affect critical infrastructure (CI). In particular, targeting CI has become part of the arsenal used to demonstrate geopolitical influence. Attacks on CI have increased, putting their integrity and services at risk. Moreover, the trend of digitalization in CI and the ensuing interconnectedness between IT and OT introduces new risks in this domain. Legislation such as the NIS2 Directive aims to address this risk, but further improvements to the Directive are required to firmly position OT in regulatory language.
Introduction
Critical infrastructure used to be analogue or fully air-gapped and was therefore resilient to attacks from untrusted networks such as the Internet. By digitalizing critical infrastructures, organizations have unlocked a range of new capabilities, branded as “smartness”, which enable an increase in efficiency and productivity.
However, this approach has made critical infrastructure more vulnerable due to an increased attack surface. This attack surface grows due to, for example, a growing number of connections over semi-trusted or untrusted networks and a lack of secure-by-design products. This increases the risk to operations from the cyber domain and thus necessitates a multifaceted cybersecurity approach to mitigation. The uptake of such measures is lagging behind.
The EU recognizes the importance of protecting critical infrastructure and the role of operational technology (OT) (Critical infrastructure resilience | European Commission). In response, the EU has implemented a broad strategy to create an added incentive to address digital resilience, which explicitly includes OT. One of the pillars of this strategy is the NIS2 Directive. However, the language within NIS2 still reflects an IT-focused perspective, which reduces its intended influence and effect on OT personnel and the systems they operate and protect.
Problem statement
In Europe the NIS2 Directive is being transposed into national law to achieve a high common level of cybersecurity across the European Union. The Directive covers all technology (“network and information systems”), so Information and Communication Technology (ICT), Internet of Things (IoT) and Operational Technology (OT) systems alike. Since most vital sectors rely on OT for their core functions, this inclusion is essential, but the language used in the NIS2 Directive does not consistently reflect it. NIS2 mentions ‘safety’ (a core quality for OT systems) in, for example, its scope and goals, but in the articles on duty of care, safety is omitted as a goal. Additionally, while the classical IT ‘CIA triad’ (Confidentiality, Integrity and Availability) is used frequently within the NIS2 Directive, the term safety is lacking.
The language describing the components that require protection is primarily IT-centric in its definition of what comprises ‘security of information systems’, and this does not correspond with the scope of the Directive itself. For example, among the duty of care measures stipulated in Article 21, paragraph 2, measures such as (e) and (j) are uncommon in OT, and the wording strongly reflects an IT thought process and approach.
This discrepancy between goal and wording influences how organisations will view the responsibility for implementing the Directive. The wording tends to match, and reinforce, what an organisation hears from the information security professionals on its IT side. It therefore seems logical to task IT operations with implementing NIS2, while the OT operations aspects are neglected.
In short, from an engineering viewpoint the order of importance is as follows: safety first, followed by the CIA triad. From the IT viewpoint on cybersecurity, by contrast, only the CIA triad exists.
Recommendations
As a key recommendation, when including OT in IT’s ambitions, safety should be named as an equal priority to the CIA triad and not merely as a secondary concept serving to protect CIA.
As further next steps, we recommend the following:
Adding OT specific language to policy points mentioning risk
As NIS2 is currently being transposed into national law, countries have the opportunity to think through what they need in order to protect their critical infrastructure. Since that infrastructure usually includes OT, they should take OT terminology into account and add the aspect of safety wherever the CIA triad is mentioned. This will help countries highlight the importance of OT in securing their infrastructure. Ideally this is implemented at the EU level, but there is often room to address it in the national interpretation of EU policy as well.
Acknowledge the interconnectedness between IT and OT systems
To address the risk, knowledge is required from both worlds. Therefore, we advise explicitly including a multidisciplinary approach (e.g. facilitating joint risk assessment sessions, work visits and joint training and exercise opportunities). This will give focus to cooperation by building a bridge between OT and IT. A multi-disciplinary approach should result in a more effective collaboration between the two domains for building an effective defence.
Tailoring training for OT-specific environments
NIS2 calls for board and employee training as part of basic cybersecurity hygiene. For example, training on recognizing phishing emails or the safe use of USB storage in an office environment does not translate to work on an asset where common IT functionality such as reboots, email or secure online transfer is not available. As training prioritization and content differ between IT and OT environments, it is crucial to acknowledge that IT training cannot be used “as is” in OT environments. We therefore recommend addressing this discrepancy between environments by providing tailored training for OT.
Addressing the shortage of OT security talent
Digital risk should be understood as a quality aspect in both domains, both in the work itself and as an intrinsic value in the mindset of employees. To maintain NIS2 compliance, requirements for OT recruitment to certain positions will demand additional education and/or skill training, especially for those recruited within industrial and manufacturing operations. We therefore propose directing efforts towards meeting this need for upskilled specialists and towards incorporating the value of quality to counter digital risk and maintain infrastructure protection.
Having a common language to communicate digital risk effectively
IT and OT each have their own risk language, which makes it difficult to communicate effectively about digital risk across environments. In engineering, risk is focused on safety, which often does not include the digital domain. A common language approach that recognizes digital risk in both domains is essential to create a holistic approach to cybersecurity practices and resilient security measures. Creating a vocabulary (e.g. an ontology) for digital risk in OT would therefore promote a common understanding between these two worlds, IT and OT.
Conclusion
It's a very positive development that OT is recognized as essential in the digital resilience ambition. This ambition can be further supported by addressing IT and OT in a more balanced way. This policy paper identifies opportunities for future improvement and provides an example of using existing EU funding to further implement this.