Nozomi Networks recently conducted a study that revealed an urgent need for European Union (EU) critical infrastructure organizations to prioritize operational technology (OT) security and risk management in order to comply with NIS2 regulations. The study, titled “Driving cyber resilience: the impact of the NIS2 Directive,” found that many organizations in the critical infrastructure sector face significant challenges in achieving compliance and effective cyber protection.
The Network and Information Security Directive (NIS2) requires EU critical infrastructure companies to incorporate new regulations into their national laws by September 2024. This means that organizations need to expand their risk management efforts beyond traditional IT systems to include OT. To meet this requirement, it is crucial for organizations to have comprehensive visibility of all their assets and networks, which necessitates regular risk analysis of their operational networks.
The study, which involved 300 IT security decision-makers from large organizations in Germany, France, Sweden, and the Netherlands, was conducted by Vanson Bourne. The findings revealed that only 50% of these organizations follow a scheduled risk analysis process for their critical information systems. A further 34% take an ad hoc approach, and, surprisingly, 15% of companies in Europe conduct no risk analysis at all. France and Sweden have even higher percentages of organizations that do not perform risk analysis, at 29% and 22% respectively.
Andrea Carcano, the Chief Product Officer and Co-founder of Nozomi Networks, commented on the study’s findings. He emphasized the need for immediate action from critical infrastructure organizations across Europe, especially with NIS2 regulations looming. Carcano also highlighted the availability of effective technologies and deployment options that can assist organizations in meeting compliance requirements. He stressed the importance of real-time information in informing accurate risk assessments and network monitoring.
The research study also revealed that many organizations only understand the threats or risks they face when they are forced into action or have no understanding of them at all. The majority of organizations lack proper programs for asset identification and inventory management (81%), vulnerability mapping and threat hunting (80%), and situational awareness and data analytics (75%).
The survey findings also shed light on the responsibility for securing OT and IoT devices and networks within organizations. While 35% of organizations assign ultimate responsibility to the Chief Information Security Officer (CISO), others rely on the IT department (24%) and/or OT operators (18%) for this task. Interestingly, the level of responsibility placed on the CISO varies by country. In Sweden, France, and the Netherlands, the CISO has greater responsibility, while in Germany, only 21% of organizations rely on their CISO to secure OT and IoT assets.
It is evident from the survey that the role of the CISO differs across countries. However, with the implementation of NIS2 in 2024, organizations must ensure they have a clear understanding of their OT and IoT assets. They should also maintain an asset inventory and a vulnerability management process so that they can conduct root cause analysis and review events during incident response.
In conclusion, the study conducted by Nozomi Networks highlights the pressing need for EU critical infrastructure organizations to prioritize OT security and risk management to comply with NIS2 regulations. Without adequate visibility of assets and networks and regular risk analysis, organizations will struggle to meet compliance requirements and effectively protect themselves against cyber threats. The findings of the study emphasize the importance of immediate action and the availability of technologies to assist organizations in achieving their goals. With the implementation of NIS2 on the horizon, organizations must ensure they understand their OT and IoT assets and have processes in place for their management and security.