Cybersecurity through the value chain with NIS2: “We do it together”
Last Wednesday, members of the Building Automation and Industrial Automation sectors came together for an important theme: cybersecurity. The reason? The Network and Information Security Directive (NIS2). The translation of this directive into Dutch legislation started this year, and we discussed it together with the Digital Trust Center, Siemens and Rijkswaterstaat.
The coffee is ready in the atrium at FHI in Leusden. There are enthusiastic greetings and members shake hands. This meeting is organized for members of the Building Automation and Industrial Automation sectors.
Branch manager Wendy Debets explains why it is important to bring both branches together around this theme: “The collaboration between the FHI branches is very natural on this subject. The companies face the same challenges. By discussing this topic from different points of view and angles, you will gain new insights and creative ways to tackle this important topic. FHI seeks out synergy between the affiliated industries.”
“It was a very interesting day. The most important thing is the awareness part. It is important to be aware of the legislation in the Netherlands, so I will certainly continue to keep an eye on developments.” – Joris Lit, JUMO Measurement and Control Technology
Secure infrastructure
Rijkswaterstaat (RWS) manages socially vital processes within water, shipping and traffic management. The objects vary from lighthouses to rush hour lanes, bridges and tunnel complexes. The majority of these are controlled digitally. Mark van Leeuwen, cybersecurity advisor at RWS, tells the audience what challenges this entails. “Our processes used to be local, but now everything is digital and linked together by technologies. Some objects are ten to twenty years old and are therefore not designed to be resilient to cyber threats.”
Mark explains that RWS uses an integrated approach based on three pillars: monitoring, prevention and control. “For monitoring, we have set up a detection and response team for 24-hour surveillance and monitoring. We prevent this through security-by-design. This means that cybersecurity is an integral part of the design, construction and realization of the entire life cycle of an object. Controlling is continuous risk management. We do this with tools and asset testing.”
Cooperation
“Why is OT cybersecurity no longer optional?” Ton Mes and Ruud Welschen from Siemens open their presentation with that question. The cybersecurity specialists mention four aspects: protecting the business, legislation, digitization, and increasingly professional and better organized hackers.
Ruud emphasizes that we still have a lot of work to do and illustrates the current state of affairs with an article from the Financieel Dagblad: “‘A quarter of industrial companies are weekly victims of cyber attacks,’ the FD headlined yesterday. At the same time, we read today that CEOs are not aware of their own liability in the field of cybersecurity.” But where do you start? According to Ton and Ruud, it is a tough journey, but you don't have to make it alone. “We need each other, we do cybersecurity together.”
NIS2
After lunch, Rajko Smaak, cybersecurity advisor at the Digital Trust Center (DTC), continues with an overview of the NIS2 directive. Rajko: “The NIS2 prescribes four obligations: duty of care, reporting obligation, registration obligation and supervision. The duty of care starts with a risk analysis. Map your crown jewels and assess the possible risks. In addition, get started with incident handling. Draw up an incident response plan and prepare the organization through exercises.” The NIS2 also refers to Supply Chain Risk Management. Companies are highly dependent on the products or services of their suppliers. A hack therefore not only affects the company in question, but can also have major consequences for the organizations with which it is (digitally) interwoven.
“We are very enthusiastic about the workshop part, it is nice to have conversations with each other in a smaller setting. In addition, it is also good that parties from the government and the legislative side were present. This ensures a good transfer of information.” – Jeroen Bronkhorst and Pieter de Gier, Emerson
Chain agreements
We end the day with two short break-out sessions. The participants break into groups to discuss the different aspects of the NIS2. There is a lot of discussion and writing on post-its and flip charts. The most important results? Cybersecurity is a joint responsibility, so joint agreements must be made. Map your chain and record agreements contractually. Avoid having different requirements imposed on you by customers and approach them proactively with cybersecurity agreements.
After today it is clear that cybersecurity affects us all. With the increased digitalization and connectedness of the OT world, we are opening the door wide. At the same time, awareness is also increasing. This is evident from the good turnout at this meeting alone.
Do you want to stay informed about activities and news from the industry? Then visit the website or sign up for the newsletter.