NIS2 Is a National Law Now - Take Action to Protect Critical OT Infrastructure
The NIS2 Directive has taken multiple steps forward since its announcement a few years ago. The law officially came into force on 17th of October 2024 in the EU member states.
The national-level implementation of the law is still ongoing in many countries but Italy, Belgium, and Lithuania just to name a few have already ratified it as a national law and are enforcing it.
Other countries are close to finalizing their legislature, like Finland, where the parliament is waiting for the president to sign the official document any day now.
NIS2 enhances the security of network and information systems within the EU. It requires operators of Essential and Important entities (including critical infrastructure) to implement appropriate security measures and report any incidents to the relevant authorities. It applies to most companies operating within the EU, whether or not they are part of the union.
We at SSH Communications Security can help Operational Technology companies discover their critical assets, manage secure access to them and establish highly secure, fast site-to-site connections for large-scale data transmissions to adhere to essential parts of NIS2.
Our solution portfolio applies to the following elements of NIS2.
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- policies and procedures regarding the use of cryptography and, where appropriate, encryption
- human resources security, access control policies and asset management
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text
Let’s look at some of the benefits we have delivered to our customers.
1. Enhance auditing, monitoring and reporting
Our solution provides comprehensive logs, traceability, and reports that allow for regular auditing and prove compliance during inspections or audits to avoid potential fines, penalties, or legal repercussions. You can also turn on recording and live monitoring of critical sessions.
2. Prevent unauthorized or unencrypted access to OT Systems
We can enforce strong identity-based (like biometric) authentication, device trust & security posture monitoring of the client device, multi-factor authentication (MFA), and role-based access control (RBAC) to prevent unauthorized personnel from accessing sensitive systems.
OT systems are often vulnerable to cyber-attacks due to outdated protocols or unsecured remote access methods. A secure software solution ensures that access to these critical systems is only possible through encrypted, highly controlled, and authorized channels.
3. Scale up secure on/Off-site maintenance and management
Enabling on-site, off-site or global access to industrial systems provides flexibility to scale up or down access control as needed. This agility improves operational responsiveness and allows readjusting governance models as situations change or more OT targets are introduced.
Regardless of your governance model, you only need only one centralized access solution to access IT/OT systems or multiple sites.
4. Streamline workflow approvals, integrations and authorizations
Our solution has built-in workflows for job approvals, and you can integrate it with external ticketing systems, like ServiceNow. For particularly critical sessions, you can turn on external authorization for access (for example, to require approval from the site manager), or define time-boxed access that is valid only for a few hours. The software is integrated with other security measures already in place, such as security information and event management (SIEM) tools.
5. Manage vendor & partner access securely
In OT, industrial control systems (ICS) are provided by different vendors, and they have a long lifetime value. These systems are maintained by many technicians from various locations (such as India, Germany, US or Japan). Without a centralized secure access management solution, vendor technician access is hard to control, track and audit.
With our software, all vendors and partners use the same secure solution to access your valuable OT assets. You can limit the privileges per session, manage all credentials, and ensure no one has permanent access to your critical infrastructure. This all aligns with modern Zero Trust and NIS2 requirements.
6. Transmit data securely between sites up to a quantum safe level of encryption
Our solution allows you to transmit large volumes of critical data directly between sites using post quantum cryptography (PQC). Your organization can embed any data, even unencrypted, inside these connections and be assured of safe delivery of data over the open internet. The solution can operate on both Ethernet (L2) and IP (L3) protocols to deliver data at high speeds and low latency in the more secure layers of network.
7. Discover assets and manage software patches
Patch management operations and file uploads are always scanned for malware payloads to stop ransomware from entering your systems.
We can ensure that you discover all your critical assets, gain visibility into them, can continuously monitor their security posture with always-on threat intelligence - and act in case there is any anomalous behavior.
8. Gain cost-efficiency through secure access management
Reduce on-site travel. Minimize the need for on-site visits by technical experts, save on travel costs and reduce the time spent addressing issues. This can also reduce the strain on on-site IT resources, allowing them to focus on higher-priority tasks.
Enable secure remote troubleshooting and support. Allow engineers and technical support staff to address issues without the need to be physically present on-site.
24/7 access to experts. In case of a critical failure or emergency, you can ensure that authorized experts (both internal and external) can securely access the system without delays to resolve problems fast and minimize disruption to operations.
9. Use secure channels for human-to-human communication
Site managers coordinate activities on sites, plan, budget, allocate resources and are responsible for quality control. They also use digital tools to share this information. These discussions need enterprise-grade security and record-keeping.
PrivX OT – Your Digital Gatekeeper for NIS2 compliance and beyond
SSH Communications Security's (SSH) PrivX OT solution consolidates every component of your IT/OT system into a secure platform for optimal visibility, secure access management, and scalability. Credentials are managed and secured, vendor access controlled, workflow approval for jobs is built in and every session is identified with a solid audit trail of activities.
Reach out to us today to learn more about how PrivX OT can optimize your OT security to align with the NIS2 Directive and keep both your data and people safe.
Jani Virkkula
Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator->-tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...
