Synergizing Standards: How NIS2, CRA, and IEC 62443 Forge a Unified Front in OT Cyber Security

In the rapidly evolving landscape of Operational Technology (OT), maintaining robust cybersecurity measures is crucial. Several key frameworks and directives have emerged to address the unique challenges faced by this sector. Let’s delve into three significant standards—NIS2, CRA, and IEC 62443—that collectively enhance the cybersecurity posture of OT systems.

Key Frameworks and Directives in Operational Technology

NIS2, CRA, and IEC 62443 are significant frameworks and directives that help enhance the cybersecurity posture of the Operational Technology (OT) sector. NIS2 brings stricter cybersecurity regulations to vital sectors like energy, water, and transportation, CRA makes sure any manufacturers of digital components meet a higher set of security standards and the IEC 62443 provides a cybersecurity roadmap tailored for industrial automation and control systems (IACS) and OT. A more detailed whitepaper on each of these standards is available in the links below, but in a nutshell.

NIS2 (Network and Information Systems Directive 2)

• Expands the scope of the original NIS legislation to include more sectors as critical infrastructure.
• Introduces stronger security and incident reporting obligations, as well as a bigger emphasis on supply chain security.
• Encourages EU-wide cooperation and information exchange, with steeper penalties for non-compliance.
• Requires entities to ensure a level of security appropriate to the risks posed, which is particularly relevant for OT systems.

CRA (Cyber Resilience Act)

• Aims to safeguard consumers and businesses using products or software with a digital component, which is often the case in OT environments.
• Introduces mandatory cybersecurity requirements for manufacturers and retailers, extending protection throughout the product life cycle.
• Complements NIS2 by ensuring that products connected to a network meet a higher set of security standards.

IEC 62443

Unlike NIS2 and CRA (which are EU mandates with penalties for non compliance) IEC 62443 is a global best case practice that provides a set of cybersecurity standards tailored for IACS and OT.

• Addresses unique security challenges in industrial environments, such as protecting data confidentiality and maintaining productivity amid potential incidents.
• Outlines a defense-in-depth model, offering guidance on building cybersecurity management systems (CSMS) and conducting risk assessments in IACS/OT environments.
• Helps organizations define security maturity and choose security products and service providers, thereby reducing operational risks and costs.

Together, these frameworks and standards work to strengthen the resilience of the OT sector against cyber threats, ensuring that the systems are secure, reliable, and compliant with the latest cybersecurity regulations. They provide a structured approach to managing cyber risks and improving the overall security of critical infrastructure.

Deciphering the Trio: Unpacking the impact on OT?

Imagine a medieval kingdom as an organization. The kingdom is the “Operational Technology” (OT) environment, and needs to be protected from various threats.

NIS2 is like the kingdom’s laws and policies, established by the king (the governing body). These laws mandate that every village (critical infrastructure) within the kingdom must have defenses (cybersecurity measures) appropriate to the threats they face, and they must report any attacks (cyber incidents) to the king’s council (regulatory authority) to help protect the entire realm.

CRA is akin to the blacksmiths’ guild (product manufacturers). They are required to forge weapons and armor (digital products and software) that meet certain standards of quality and durability before they can be used by the kingdom’s warriors (end-users). This ensures that the frontline defenders are equipped with reliable gear from the start.

IEC 62443 is comparable to the master builders and engineers (cybersecurity professionals) who design and construct the kingdom’s fortifications (security controls and measures). They follow a set of blueprints and guidelines (technical standards) to ensure that every castle and wall is built to withstand sieges and protect the inhabitants effectively.

Together, these three elements create a robust defense system for the kingdom:

• The laws and policies (NIS2) ensure that everyone is aware of the threats and knows how to respond.
• The quality equipment (CRA) means that defenders are well-prepared to face any adversary.
• The strong fortifications (IEC 62443) provide a secure environment that can withstand attacks.

This analogy illustrates how NIS2, CRA, and IEC 62443 work in concert to provide a comprehensive cybersecurity strategy, safeguarding the organization from potential threats at every level.

Timelines

CRA

The CRA agreement received formal approval by the European Parliament in March 2024. As of writing this article, it still requires formal adoption by the Council before being enforced. Much of the CRA becomes enforceable approximately three years after enactment, around 2027

NIS2

By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS2 Directive. They shall apply those measures from 18 October 2024.

IEC 62443

In 2021, the IEC approved the IEC 62443 family of standards as 'horizontal standards'. This means that when sector specific standards for operational technology are being developed by subject matter experts, the EC 62443 standards must be used at the foundation for requirements addressing cybersecurity in those standards.

How do they enhance cybersecurity in the OT sector?

NIS2, CRA, and IEC 62443 complement each other and work together to enhance cybersecurity in the OT sector by covering different aspects of security and stages of the product life cycle:

NIS2 focuses on the operational aspect and resilience of critical infrastructure. It sets out requirements for risk management, reporting, and security measures, which are essential for the OT sector’s day-to-day operations.

CRA targets the product aspect, ensuring that digital products and software entering the market have robust cybersecurity measures in place from the design phase. This act ensures that the hardware and software used in OT environments are secure by default.

IEC 62443 provides a technical framework with specific standards and practices for securing industrial control systems. It offers detailed guidance on how to implement security controls and manage cybersecurity risks in OT environments.

Together, they create a comprehensive cybersecurity ecosystem:

• NIS2 ensures that operators of essential services maintain high levels of security and report incidents, which is crucial for the OT sector’s overall resilience.
• CRA complements this by making sure that the products used in these sectors are secure from the start, reducing the risk of vulnerabilities.
• IEC 62443 bridges the gap by offering technical standards that apply to the specific needs of OT systems, providing a common language and set of practices for industry stakeholders.

By aligning the requirements of NIS2 and CRA with the technical guidance of IEC 62443, organizations can ensure that their OT systems are not only compliant with regulations but also secured against evolving cyber threats. This integrated approach helps in building a robust security posture that protects critical infrastructure from the design phase through to the operational phase.

--------------------

Author: Vinny Sagar, Solution Architect, swIDch

With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.