Article by Gennady Kreukniet, Senior OT Security Consultant Applied Risk, a DNV company.
Earlier this year, the European Union enforced its NIS2 Directive to respond to the growing threats posed by digitalization and the surge in cyber-attacks, as well as to improve the cyber security capabilities of its member states and their critical infrastructure in the long run. It covers multiple areas such as incident response, security of supply chains and leadership accountability. The directive describes what needs to be achieved, although it doesn’t prescribe how one must achieve its targets. For critical infrastructure in the operational technology space, the IEC 62443 set of standards helps asset owners to implement the right set of controls to secure their operations. This article will help you to map the NIS2 requirements against IEC 62443 security requirements.
NIS2 compliance is not directly enforced by the European directive but through national laws, which are transposed from the directive. This means that until national authorities have created national laws and requirements, we must work with the guidance from the directive. The directive is written for all 27 member states and, therefore, the language is kept high-level to be applicable in all situations. This means that we get many questions from asset owners and operators on how to implement the NIS2 Directive and how it relates to international standards.
IEC 62443 is a set of security standards that are dedicated to and/or applicable to asset owners and operators for safeguarding industrial automation and control systems. These standards offer a robust framework which covers the topics of risk assessment, security policies, network architecture, access control, incident response, and security testing. The most relevant IEC 62443 standard for the EU NIS Directive is IEC 62443-2-1, security program requirements for IACS asset owners. This standard provides guidelines for establishing a systematic approach to maintaining industrial automation and control systems. This includes aspects such as risk assessment, policies, security measures and a review mechanism to safeguard critical infrastructure from cyber-attacks.
Looking at IEC 62443, we can see a lot of guidance for implementing cyber security risk-management measures that NIS2 requires.