OT Cybersecurity Regulations Evolving
In just the last few years, operational technology (OT) cybersecurity has changed significantly, driven by a growing recognition of the expanding attack surface and the vulnerabilities in critical infrastructure (CI) and industrial control systems (ICS). Regulators and governments have become concerned about the danger to their critical infrastructure, and that concern is driving several ongoing initiatives that will shape CISOs' choices.
Evolving regulations and standards
First, regulations and standards are growing in significance and adoption:
The NIST Cybersecurity Framework (CSF) has just been updated from v1.1 to v2.0, with a broader scope encompassing both IT and OT systems. Crucially, the CSF now underscores the critical role of cybersecurity governance. With the new 'Govern' function, the CSF covers organizational context, risk management strategy, cybersecurity supply chain risk, roles and responsibilities, policies, processes, and oversight.
The International Electrotechnical Commission (IEC) 62443 series is an increasingly accepted standard, as it provides comprehensive guidelines for securing ICS environments. One of its fundamental requirements is conducting thorough, periodic risk assessments: identifying potential vulnerabilities, assessing their impact, and determining the likelihood of exploitation.
The upcoming EU NIS2 directive is perhaps the most relevant for the local region: it is now being transposed across EU member states and is expected to be enforced no later than October 2024. The updated directive focuses on cybersecurity risk management and cyberattack reporting requirements. Elements of the directive will also influence legislation in neighboring countries that are not in the EU (yet).
Expanded regulatory coverage
For example, NIS2 more than triples the number of sectors and types of entities in scope compared to the current NIS regime, thus covering a large share of a national economy. It also introduces corporate accountability and risk management measures.
Incident reporting requirements
Regulatory frameworks are placing greater importance on prompt and effective incident response and on the subsequent reporting of any breach to the appropriate regulatory body. For example, the NIS2 Directive obliges organizations affected by a cyber breach to report the incident to the designated authority within 24 hours of becoming aware of it. Recently, the US Securities and Exchange Commission (SEC) adopted new rules requiring stricter cybersecurity disclosures from organizations.
Focus on supply-chain security
Regulations are becoming more explicit about the risk management measures to be implemented. One of them is supply-chain security, with associated requirements to mitigate the risks arising from third-party vendors and suppliers. To be compliant, organizations must conduct due diligence, implement vendor risk management processes, and ensure the security of their supply-chain components.
Convergence of IT and OT Regulations
Regulatory bodies are recognizing the growing interconnectedness of information technology (IT) and operational technology (OT) systems and networks, and the data flows between them. They see an increasing need for a holistic approach to cybersecurity that crosses the once air-gapped boundary between IT and OT. Among other requirements, regulations now call for the alignment of governance structures, risk management processes, and security controls between the IT and OT realms.