Achieving NIS2 compliance: Key steps to ensure OT cybersecurity

May 22, 2024

Understanding the new Network and Information Security directive (NIS2) is critical for industrial organizations operating within the EU. NIS1 was the initial step in standardizing cybersecurity across member states, but NIS2, effective from October 18, 2024, brings stricter measures to combat evolving cyber threats.

Teemu Kiviniemi, Solution Manager for Valmet DNA

To navigate NIS2 compliance, Teemu Kiviniemi, Solution Manager for Valmet DNA, emphasizes a risk management approach tailored to operational technology (OT) cybersecurity.  

“You need to know what cybersecurity risks concern your organization, production, and technology suppliers. Do you have obsolete technology? Do you have remote connections to your sites from vendors?” says Teemu.


4 key focus areas for NIS2 compliance   

There’s no predefined checklist you can follow to get a government certification under NIS2. Instead, compliance with this directive requires a deep understanding of your cybersecurity risks and effective mitigation strategies.

Teemu recommends focusing on the following areas:


1. User management 

While IT typically implements strong user management via Microsoft Active Directory, operational technology (OT) often relies on shared accounts with well-known passwords that haven’t been changed in years. 

Switching to individual accounts with regularly updated passwords is crucial to meet the requirements of NIS2.


2. Remote connections

Cybercriminals exploit weak network security, making secure remote connections a priority. 

“You should know who has remote connection access rights to your systems. Simply having usernames and passwords is not enough; you need to use multi-factor authentication,” says Teemu. Knowing who holds remote access and enforcing MFA keeps those rights tightly controlled and limits exposure to cyberattacks and unauthorized access attempts.


3. Recovery capability 

Are your backups truly secure? 

Attackers typically infiltrate systems to steal information, target backups for destruction, and encrypt PCs before issuing ransom demands.

“Despite all the controls, measures, procedures, and training you might have in place, if the unthinkable happens and you get attacked, you need to be covered. You need backups in place and a plan for how to recover your production operations,” says Teemu. 


4. Service agreements 

Finally, it’s essential to have clear and up-to-date service agreements with your automation vendors that outline all processes and responsibilities. 

Cybersecurity isn't a one-off project done every other year; it’s a continuous improvement process that requires immediate response to any cybersecurity incidents that may occur.


Steps to improve OT cybersecurity 

In line with these four focus areas, here are some practical first steps you can take to meet NIS2 requirements.  

Conduct an OT asset inventory 

While industrial organizations typically know what's going on with their IT operations, they often have limited visibility on the OT side. Before setting up any new cybersecurity protections, first conduct an asset inventory. 

“You can’t protect things you don’t know you have,” summarizes Teemu. 

Once you have that visibility, you can establish endpoint protection by deploying antivirus on all endpoints and implementing patching.

Teemu explains: “You can’t do patching at the same pace as in the IT world, so you need some extra controls protecting the system while it’s unpatched.” Network-level protection, such as intrusion detection and prevention systems, gives you that added security while waiting for patches.


Assign a dedicated OT cybersecurity officer

To ensure OT cybersecurity doesn’t get neglected in your organization, assign at least one role to oversee compliance, manage the OT cybersecurity budget, and engage with vendors.

“If your organization has an overall NIS2 project, you can have a subproject that covers NIS2 for OT,” says Teemu. For instance, at Valmet, we work with our customers and their NIS2 consultants within these specific NIS2 subprojects.


Talk to your OT vendors

Cybersecurity is not as straightforward in OT as it is in IT: OT systems require specialized handling due to their critical role in industrial operations. Whether you’re running a power plant, pulp mill, or a water treatment plant, you can’t simply reboot your process automation systems whenever you want.

To get help managing this complexity, talk with your OT technology vendors. Teemu explains: “We know your Valmet systems the best—not just in general, but we know the exact installation and configuration details because we’re doing other things for you. We have the comprehensive capabilities to fulfill your cybersecurity requirements.”

Stay up to date with cybersecurity standards 

The European Parliament also recently passed the EU Cyber Resilience Act, which, unlike NIS2, targets technology hardware and software vendors like Valmet.

“While the EU Cyber Resilience Act is more about vendors than end customers, it's important for customers to understand what they are purchasing. Vendors like us need to deliver more cyber-secure products and services as well as ongoing patching,” explains Teemu.

To stay compliant with all relevant standards, Valmet is here to help. We recently released our evolved distributed control system, Valmet DNAe, which brings a higher level of cybersecurity using modern software components and encrypted communication. The system is cyber-secure by design, including role-based access control, authentication, an audit trail, and encryption mechanisms.