NIS-2 and Cyber Resilience Act in the Industry

In industry, the disciplines of operational technology (OT) and information technology (IT) have long since merged. This boosts efficiency and productivity in many value-added processes. However, it is not all sunshine and roses: networked systems are constantly exposed to attacks from various sources, be it by professional hacker groups or individuals. A security breach can endanger the very existence of some companies. To raise the cybersecurity not only of companies but also of the products themselves, the European Union is pushing ahead with the NIS 2 Directive and the Cyber Resilience Act. To meet the requirements of the new rules, companies often have to make technical, organisational and legal improvements. Matthias Schmidt, cybersecurity expert at the automation company ifm electronic, explains in an interview what companies should pay attention to when implementing the requirements and what pitfalls need to be overcome.

Matthias Schmidt is Director Product Security and Cybersecurity-Expert at ifm
© ifm electronic gmbh

GIT SECURITY: Mr Schmidt, why are new cybersecurity regulations needed?

Matthias Schmidt: Whether new cybersecurity regulations are needed is a good question. What is more important is that all companies, regardless of their size, become aware of the threats and the impacts that a cyber attack can and will have. Current legislation is largely pushing companies so that the European economic area is not left defenceless against further losses due to cyber attacks in these difficult times. The figures published by the industry association Bitkom alone should make company managements sit up and take notice.

How do the Cyber Resilience Act and the NIS 2 Directive differ?

Matthias Schmidt: The difference is very straightforward. The Cyber Resilience Act – CRA for short – requires cybersecurity to be taken into account in products and services. The NIS-2 Directive includes measures for company production environments. The CRA aims to ensure cybersecurity in products, while the NIS-2 Directive aims to make production facilities more secure.

Recently, German automation companies have repeatedly been the target of costly hacker attacks – can the new regulations prevent this?

Matthias Schmidt: It would be nice if regulations could prevent attacks. It is impossible to completely prevent attacks. However, the impact on the value creation process can be reduced and the restoration of “normality” can be accelerated.

Which industries particularly need to pay attention now?

Matthias Schmidt: Cyber attacks are not sector- or industry-specific. Aside from targeted attacks from well-resourced groups, most companies are compromised by widespread campaigns.

What challenges do companies face? What specific technical requirements are required in their products?

Matthias Schmidt: First of all, companies must clarify whether the CRA applies to them, as many companies do not even have the issue on their radar due to their size. In the area of automation technology, there are additional challenges: in times of semiconductor shortages, inadequate supply chains and a difficult global economic situation, many products may simply have to be redeveloped because the existing platform or system architecture cannot meet the requirements. Companies are also faced with a considerable amount of additional documentation and organisational requirements, for example, in the area of vulnerability management. As a small company, you have to be able to implement this, because a shortage of skilled workers is also massively felt here.

While many companies are facing times of economic hardship, what costs can companies expect when implementing cybersecurity and the guidelines?

Matthias Schmidt: This always depends upon the extent to which the company has already considered the issue of cybersecurity, integrated it into the corporate culture and already established processes and measures. Strictly speaking, I am unable to give a specific cost, but we should not lose sight of the subject of “time”.

How does ifm implement the requirements in its own products?

Matthias Schmidt: We have long been observing developments in standardisation in the area of cybersecurity for industrial automation. This enabled us to start integrating general security measures very early on. Because there are currently no harmonised standards for the Cyber Resilience Act, we are guided by those currently available.

The requirements currently seem quite abstract – where should the legislator make improvements?

Matthias Schmidt: On the one hand, it would make sense to provide appropriate details or necessary harmonised standards at a very early stage. On the other hand, giving the affected companies sufficient time is more important.

What advice do you have for small and medium-sized businesses as they soon face the challenge of the NIS 2 Directive and the Cyber Resilience Act?

Matthias Schmidt: Companies, whether it is the CRA or NIS-2 that applies to them, should and must take cybersecurity seriously and provide appropriate resources. As I already mentioned, the time factor plays an important role – in terms of the deadlines for implementing the guidelines and, in the worst-case scenario, before you become the victim of an attack.

Cyber insurance of the past or reliance on external service providers are of little to no help here. Complete recovery and the associated damage usually work out more expensive than the initial investment in security structures.
