
Achieving NIS2 compliance in OT environments

Tony Fergusson at Zscaler outlines the importance of zero trust and network segmentation

Cyber-security professionals today face a unique challenge when it comes to operational technology (OT) security. Why? Because it’s not just about protecting data in those environments. It’s also about maintaining the integrity and availability of production.

This is a result of the rapid advancement of Industry 4.0, which is transforming production processes across many industries. With digitalization, OT and IT environments have become increasingly interconnected, creating a growing need for robust security measures to protect previously isolated factories and production facilities from cyber-threats.

Against this backdrop, the EU’s NIS2 Directive aims to raise the overall level of cyber-security across the EU. With its stringent security framework for critical infrastructure, the Directive obliges IT leaders to implement effective protective measures ahead of the 17 October 2024 deadline by which member states had to transpose it into national law.

So, how can organizations effectively protect their OT environments from evolving threats within the framework of NIS2 compliance? And what role do zero trust and granular segmentation play in addressing these challenges?

Challenges in modern OT security

Historically, OT environments operated in isolation from general IT, managed separately by production teams or OT security specialists. End devices and machines were often integrated directly into the network without considering comprehensive security strategies.

The heart of the problem lies in the difficulty of retrofitting security measures onto machinery with lifespans of 30 to 40 years. Complex changes in these networks are often challenging to implement due to the continuous nature of production processes, which means many organizations shy away from necessary modernizations.

But this is an issue they cannot ignore. The convergence of IT and OT environments introduces new risk factors: malware infiltrating IT environments via the internet can potentially spread to production environments through lateral movement, leading to catastrophic failures. This scenario underscores the critical need for innovative security approaches that can accommodate the unique characteristics of OT environments.

The third-party problem

Another significant risk factor in OT environments is the necessity of granting access to third-party providers for maintenance purposes. Organizations are understandably reluctant to give these providers VPN access to their IT networks, because a VPN places the provider on the network rather than in front of a single system.

The challenge in this scenario lies in providing secured, limited access for remote maintenance work: access to the specific machine or maintenance application, scoped to the task and the maintenance window, rather than to a network segment. This calls for segmentation strategies that contain the damage if the service provider has been compromised or lacks the necessary security controls.

Embracing zero trust and granular segmentation

According to Zscaler’s latest ransomware report, the threat landscape continues to evolve and attacks on production facilities are increasing. The merger of IT and OT therefore necessitates a paradigm shift in risk mitigation strategies.

The zero trust model, with its principle of least-privilege access, offers a promising approach to enhancing security in these complex environments. By implementing granular access controls at the application level and segmentation for production systems and machine parks, organizations can significantly reduce their attack surface and minimize the risk of lateral movement.

Until now, traditional segmentation models have proven inadequate for production facilities because of the extensive implementation effort and machine downtime they would require. However, new approaches to segmentation are emerging that can secure East-West data traffic in factories or campus environments without disrupting production.

For instance, Airgap Networks has developed an agentless segmentation approach based on an intelligent DHCP (Dynamic Host Configuration Protocol) proxy architecture. It can isolate each device dynamically based on identity and context, reducing business risk for organizations with critical infrastructure.

By moving each device onto its own subnet, so that traffic between devices, even on the same VLAN, passes through an enforcement point where it can be observed, and by applying machine learning (ML) to that traffic, the system determines which devices actually need to communicate with each other. This enables granular network segmentation and significantly reduces the risk of lateral movement by malware in the network.

Access policies can also be managed automatically - using traffic analysis to create profiles that define exactly which devices are allowed to communicate with each other. This automation makes management easier and significantly reduces the burden on IT teams. Ultimately, integrating Airgap into the Zero Trust Exchange security platform creates a symbiosis of zero trust and granular network segmentation that covers both IT and OT environments.
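The learn-then-enforce workflow described in the last two paragraphs, as an added example that is not part of the original article and is not Zscaler or Airgap code: flows observed during a baseline window are counted, recurring ones become a per-device allow-list, and anything outside the list is treated as a lateral-movement candidate. The device roles, addresses, ports, counts and flow records are constructed for the example; the `MIN_OBSERVATIONS` threshold is an assumption chosen to show why a one-off flow should not be baked into policy.

```python
"""Learn-then-enforce segmentation policy for a small OT cell.

Added illustration of the approach described in the article (not vendor
code). Addresses, ports and observation counts below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source device address
    dst: str    # destination device address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


# Constructed baseline observations: (flow, times seen in the learning window).
LEARNING_FLOWS = [
    (Flow("10.0.1.10", "10.0.1.20", "tcp", 502), 120),  # HMI -> PLC-A, Modbus/TCP
    (Flow("10.0.1.10", "10.0.1.21", "tcp", 502), 118),  # HMI -> PLC-B, Modbus/TCP
    (Flow("10.0.1.30", "10.0.1.20", "tcp", 44818), 6),  # engineering workstation -> PLC-A, EtherNet/IP
    (Flow("10.0.1.40", "10.0.1.10", "tcp", 3389), 1),   # one-off RDP into the HMI from a laptop
]

# Constructed flows seen once the policy is enforced.
NEW_FLOWS = [
    Flow("10.0.1.10", "10.0.1.21", "tcp", 502),    # routine HMI poll, in baseline
    Flow("10.0.1.30", "10.0.1.20", "tcp", 44818),  # PLC programming session, in baseline
    Flow("10.0.1.10", "10.0.1.30", "tcp", 445),    # HMI reaching for SMB on the workstation: never seen
    Flow("10.0.1.40", "10.0.1.10", "tcp", 3389),   # RDP again: seen once, below threshold, so not allowed
]

MIN_OBSERVATIONS = 3  # assumed threshold: a flow must recur before it earns an allow rule


def build_policy(observations, min_obs=MIN_OBSERVATIONS):
    """Return {src: {(dst, proto, dport), ...}} for flows seen >= min_obs times.

    Counting first means the same flow reported in several records still
    qualifies; one-off flows are dropped so that an attacker present during
    the learning window does not get an allow rule for free.
    """
    counts = Counter()
    for flow, n in observations:
        counts[flow] += n
    policy = defaultdict(set)
    for flow, n in counts.items():
        if n >= min_obs:
            policy[flow.src].add((flow.dst, flow.proto, flow.dport))
    return dict(policy)


def is_allowed(policy, flow):
    """Default-deny: only a baseline-observed (src, dst, proto, dport) passes."""
    return (flow.dst, flow.proto, flow.dport) in policy.get(flow.src, set())


def flag_violations(policy, flows):
    """Flows outside the allow-list, i.e. lateral-movement candidates to alert on."""
    return [f for f in flows if not is_allowed(policy, f)]


def render_policy(policy):
    """Human-readable allow rules followed by the implicit default deny."""
    rules = [
        f"allow {src} -> {dst} {proto}/{dport}"
        for src in sorted(policy)
        for dst, proto, dport in sorted(policy[src])
    ]
    rules.append("deny any -> any")
    return rules


if __name__ == "__main__":
    policy = build_policy(LEARNING_FLOWS)
    print("\n".join(render_policy(policy)))
    for flow in flag_violations(policy, NEW_FLOWS):
        print(f"ALERT blocked {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Two practical caveats follow from the code. First, a learned baseline is only as clean as the learning window: if an attacker or a misconfigured jump host was already talking to the PLCs, a naive baseline turns that traffic into an allow rule, which is why the example drops flows below a recurrence threshold and why the generated profile should still be reviewed by someone who knows the plant before it is enforced. Second, the allow-list is only enforceable because every device sits on its own subnet and its traffic crosses an enforcement point; on a flat VLAN the same rules would be unenforceable for traffic that never leaves the switch.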

 

Implications of the NIS2 Directive

The NIS2 Directive sets specific requirements that apply to OT security. Organizations, especially those operating critical infrastructure such as energy or water supply, must implement strict security measures from 17 October 2024 to ensure the resilience of their systems. Key requirements include:

  • Risk management: Companies must conduct comprehensive risk assessments and take appropriate measures to mitigate identified risks. Lateral movement of malware from IT into OT is a known risk, and reducing the attack surface of OT environments addresses it directly.
  • Incident management: Companies must be able to detect, respond to and report security incidents quickly; NIS2 requires an early warning of a significant incident within 24 hours and an incident notification within 72 hours. They need appropriate systems in place to monitor all data streams effectively.
  • Security precautions: Companies must implement technical and organizational measures to ensure the security of networks and information systems. The zero trust model with the principle of least-privilege access can contribute to this.

A pathway to resilience in the OT landscape

As we look to the future, it’s clear that securing OT environments requires a fundamentally different approach from traditional IT security strategies. By combining innovative segmentation technologies with zero trust architecture, companies can significantly enhance the resilience of their OT environments.

This approach not only helps meet the stringent requirements of the NIS2 Directive, but also provides robust protection against ever more sophisticated cyber-threats in an increasingly interconnected world.

As we stand at the crossroads of IT and OT convergence, embracing these new security paradigms is not just a regulatory requirement but a strategic imperative. The journey towards truly resilient OT environments may be challenging, but with the right tools and mindset, organizations can navigate this complex landscape and emerge stronger and more secure.

Tony Fergusson is CISO at Zscaler

 

Main image courtesy of iStockPhoto.com and MTStock Studio

