EU critical infrastructure companies 'not ready' for NIS2 compliance

80% of organisations lack programs for vulnerability mapping and threat hunting; only half conduct regularly scheduled risk analysis exercises.

Monday, 4th September 2023, by Phil Alsop
Nozomi Networks has released the results of a new study highlighting an immediate need for EU critical infrastructure organisations to revise their operational technology (OT) security and risk management priorities to meet NIS2 compliance.

The report “Driving cyber resilience: the impact of the NIS2 Directive” found that the legislation appears to be a substantial challenge for most critical infrastructure organisations. Many still do not have visibility of all assets and networks to ensure full compliance and effective cyber protection.

With the Network and Information Security Directive (NIS2) to be incorporated in national laws by September 2024, EU critical infrastructure companies need to focus on risk management beyond IT to include OT. This makes it crucial for them to have greater visibility of all assets and networks, which requires regular risk analysis of operational networks.

The study, conducted by Vanson Bourne amongst 300 IT security decision makers in large organisations across Germany, France, Sweden and the Netherlands, found that for critical information systems only 50% of organisations follow a schedule for conducting and updating a risk analysis. 34% do so on an ad-hoc basis, and 15% of companies across Europe do not currently conduct any risk analysis at all, with the figure even higher in France (29%) and Sweden (22%).

Andrea Carcano, CPO and Co-founder of Nozomi Networks, commented on the findings: “With NIS2 around the corner, critical infrastructure organisations across Europe need to take immediate action. By 2024, many will be required to revise security and risk management priorities, particularly for OT. The good news is effective technologies and deployment options are available to help organisations cover their bases. The key to effective network monitoring and risk management lies in using real-time information to inform an accurate risk view.”

The research also found that many organisations either only understand what threats or risks they face when they are forced into action, or do not understand them at all. Most lack programs associated with asset identification and inventory management (81%), vulnerability mapping / threat hunting (80%) and situational awareness / data analytics (75%).

The survey also reveals that while 35% of organisations give ultimate responsibility for securing OT and IoT devices and networks to the CISO, many others rely on the IT department (24%) and/or OT operators (18%), amongst others.

And while the CISO has greater responsibility in Sweden (44%), France (43%) and the Netherlands (40%), in Germany only 21% of organisations rely on their CISO to secure OT and IoT devices and networks.

The survey shows that the role of the CISO clearly differs from country to country. But with NIS2 coming into effect in 2024, organisations need to ensure they understand their OT and IoT assets, and maintain an asset inventory and vulnerability management programme for those assets, so that they can perform root cause analysis and review events and activities during incident response.