SSV Software Systems
Cyber security becomes mandatory
Apart from a manageable number of very specific areas of application, the topic of cyber security has so far been of relatively little importance for many organizations. This is likely to change for many providers and operators as a result of current legislative procedures.
Several recent pieces of EU legislation, most of them launched in 2022 and now gradually taking effect (in the case of directives via transposition into national law in the individual member states), give cybersecurity a whole new weight. They include the NIS 2 Directive on network and information security (Directive (EU) 2022/2555) together with the Critical Entities Resilience Directive (EU) 2022/2557, the EU Machinery Regulation (EU) 2023/1230 and the draft EU Cyber Resilience Act (CRA). Added to this is the EU Commission's proposal for a new product liability law (the proposal for a directive on liability for defective products, i.e. the Product Liability Directive, from September 2022), which treats software as a product. This is likely to bring serious changes for the networked control systems of machines and plants; AI implementations and 3D CAD data will also be covered by product liability in future. Reference could also be made to the draft AI Liability Directive or the new radio equipment rules (Delegated Regulation (EU) 2022/30): machines with Bluetooth, WLAN, 4G or 5G are covered by this EU legislation in terms of cybersecurity as well.
Entry point NIS-2
IT applications in manufacturing companies that extend into the OT environment offer numerous attack vectors. An organization covered by NIS-2 should therefore clarify and document a number of questions with the help of suitable process building blocks. For example: how are source authenticity, data integrity and confidentiality guaranteed for CAD data? With regard to operational continuity, service availability must also be ensured and evaluated.
How can you deal with what at first glance looks like a daunting flood of regulation? First, take a systematic approach: check to what extent you are affected by each act and from when it applies. The new Machinery Regulation, for example, formally entered into force in July 2023 but only becomes binding after a transition period of three and a half years. The CRA exists as a draft from September 2022; it is very far-reaching and covers practically all products with digital elements, including all consumer electronics, but when it will be adopted and from when its obligations apply has not yet been finally settled (as a regulation it will apply directly in the member states, without national transposition). The situation is similar with the Product Liability Directive, where there is probably still more to discuss, for example the overlaps with the EU AI Act, the handling of evidence, the class-action aspects resulting from the abolition of the 500 euro threshold, and more.
As things stand today, those responsible for management should first take a closer look at the NIS 2 Directive. It is aimed at the "essential" and "important" entities operating networks and IT systems in certain sectors, and the member states must transpose it by October 2024. The corresponding draft bill from the German Federal Ministry of the Interior for the implementation of NIS 2 has existed under the name "NIS2UmsuCG" since July 2023. NIS 2 not only revises EU rules that have existed for years (the NIS 1 Directive 2016/1148, which it repeals, as well as Regulation 910/2014 and Directive 2018/1972, which it amends) but also specifies significant penalties for breaches, similar to the General Data Protection Regulation, and considerably expands the personal liability of management. At the same time, the scope of application has been significantly widened in terms of the organizations affected. NIS 1 practically only covered critical infrastructure, the "sectors of high criticality". NIS 2 now also includes, for example, manufacturers of electrical equipment and devices, machines and vehicles above a certain size (50 or more employees, or more than 10 million euros annual turnover), which the directive groups under "other critical sectors". It is estimated that around 29,000 additional companies in Germany alone will fall under the new legal requirements for network and information security compared to NIS 1, and that around 80% of these newly affected companies are probably not even aware that the NIS 2 requirements apply to them.
Two articles of particular importance
The German version of the NIS 2 Directive consists of 46 articles and Annexes I to III, of which Annexes I and II specify the organizations concerned in three-column tables (sector, sub-sector, type of entity). The entire document comprises 73 pages; from the perspective of the organizations concerned, Articles 21 and 23 are of particular importance (see web tip). The table below gives an overview of the ten minimum cybersecurity risk-management measures that Article 21(2) requires for a uniform level of cybersecurity. In this way, the EU aims to ensure that essential and important entities in the individual member states guarantee the secure operation of their operationally necessary network and information systems with the help of technical and organizational measures. The directive also calls for appropriate activities to minimize the impact of security incidents in the organizations concerned and to provide appropriate support to users of the services and products of an entity covered by NIS 2.
| Requirement | Brief description |
|---|---|
| Strategies for risk analysis | Concepts relating to risk analysis and security for information systems. |
| Dealing with security incidents | Management of security incidents (incident handling). |
| Operational continuity | Maintaining operations, such as backup management and disaster recovery, as well as appropriate crisis management. |
| Supply chain security | Security of the supply chain, including security-related aspects of relationships between individual facilities and their direct vendors or service providers. |
| General operational guidelines | Security measures for the acquisition, development and maintenance of network and information systems, including management and disclosure of vulnerabilities. |
| Evaluation and measurement system | Concepts and procedures for assessing the effectiveness of cybersecurity risk management measures. |
| Contextualized employee training | Basic cyber hygiene procedures and cyber security training. |
| Cryptography policies | Concepts and procedures for the use of cryptography and encryption where appropriate. |
| Personnel and asset security | Human resources security, access control policies and asset management. |
| Guidelines for authentication and secure communication | Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and, where appropriate, secure emergency communications systems within the facility. |
Together with the incident reporting obligations of Article 23, the requirements appear at first glance to be implementable for local networks and IT systems as a whole. However, the "operational continuity" requirement in the table makes it clear that the NIS 2 requirements apply not only to corporate IT but also to the networked machines and plants on the production floor: down to the individual control cabinet with a Profinet or TSN-based network controlling a packaging line, and to the Modbus network for building management. In other words, to everything now summarized under the generic term "operational technology" (OT). This is where things get more challenging, as OT is often operated as a "black box".
In many organizations, fundamental groundwork has to be done before NIS 2 can be implemented. It starts with the expertise needed to recognize a cyberattack in the first place and runs as a common thread through the whole topic, all the way to assessing the effects of a successful attack.
The author: Klaus-Dieter Walter is a member of the management board at SSV Software Systems.
In the IT world, for example, an attacker could encrypt a company's database in order to launch an extortion attempt. Most victims notice immediately that access to the company databases is suddenly no longer possible; nevertheless, they can usually continue operating in an emergency mode, and with a bit of luck and a good backup strategy the problem may even be solved relatively quickly. In the OT world, a small data manipulation on a production machine or in a software component can produce faulty parts that pass the automated final tests and are delivered to customers and trading partners. Here the attacker may only come forward after a year, for example after thousands of faulty assemblies have already been shipped, while production continues with the manipulation in place because nobody has noticed anything for lack of experience. A further challenge is the level of system understanding in the companies affected by NIS 2: there are usually in-house experts for the IT networks and IT systems who know the interrelationships. This is not always the case for networked OT assemblies and systems; assessing the effect of real-time Ethernet jitter on the tolerances of a CNC machine requires an entirely different kind of expertise.
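The two OT questions raised in this article, source authenticity and integrity of CAD and program data, and the silent manipulation of a production machine's program, come down to the same control: the files a controller loads must be checked against an authenticated reference before each run, not only when someone happens to notice faulty parts. The following Python is an added example, not code from SSV or from the original article. It uses only the standard library; a keyed HMAC-SHA256 manifest stands in for a proper digital signature, and the G-code program, the tolerance file, the key value and the directory layout are all constructed assumptions for illustration.

```python
# Added example, not SSV's code: keyed integrity manifest for the program and
# parameter files an OT controller loads. HMAC-SHA256 with a shared key stands in
# for a digital signature; the key is assumed to live on the engineering station
# and on the verifier, never on the machine's file share.
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 65536


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large CAD exports are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root: str) -> dict:
    """Map of relative path -> absolute path for every file below root."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found


def _tag(files: dict, key: bytes) -> str:
    """HMAC over the canonical JSON of the file list (sorted keys, no whitespace)."""
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: str, key: bytes) -> dict:
    """Release step on the engineering station: hash every file, authenticate the list."""
    files = {rel: sha256_file(full) for rel, full in _listing(root).items()}
    return {"files": files, "tag": _tag(files, key)}


def verify_manifest(root: str, manifest: dict, key: bytes) -> dict:
    """Check step before a run: reject a forged manifest, then compare each file."""
    findings = {"manifest_tampered": False, "modified": [], "missing": [], "unexpected": []}
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["tag"]):
        # Without the key an attacker cannot re-tag an edited file list, so a
        # manifest whose hashes were "updated" to match a changed file fails here.
        findings["manifest_tampered"] = True
        return findings
    present = _listing(root)
    for rel, digest in sorted(manifest["files"].items()):
        if rel not in present:
            findings["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            findings["modified"].append(rel)
    findings["unexpected"] = sorted(set(present) - set(manifest["files"]))
    return findings


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo() -> dict:
    """Constructed scenario: a released program set, then one coordinate silently changed.

    Returns the findings for (a) the file edit alone and (b) the file edit plus an
    attacker who also rewrites the hash in the manifest to cover it up.
    """
    key = b"engineering-station-key"          # assumption: provisioned out of band
    with tempfile.TemporaryDirectory() as root:
        _write(root, "programs/housing_v12.nc", "G21 G90\nG01 X10.000 Y5.000 F300\n")
        _write(root, "tolerances.json", '{"bore_mm": [9.98, 10.02]}')
        manifest = build_manifest(root, key)

        # Manipulation: 50 micrometres on one axis, still valid G-code, may pass final test.
        _write(root, "programs/housing_v12.nc", "G21 G90\nG01 X10.050 Y5.000 F300\n")
        file_edit = verify_manifest(root, manifest, key)

        # Cover-up attempt: attacker edits the manifest hash but cannot recompute the tag.
        forged = {"files": dict(manifest["files"]), "tag": manifest["tag"]}
        forged["files"]["programs/housing_v12.nc"] = sha256_file(
            os.path.join(root, "programs", "housing_v12.nc"))
        cover_up = verify_manifest(root, forged, key)
    return {"file_edit": file_edit, "cover_up": cover_up}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the verification would run on the controller or on a gateway in front of it immediately before a program is loaded, and a failed check would block the run and raise an incident rather than just print a finding. The example covers authenticity and integrity only; confidentiality of the CAD data and the secure provisioning of the key (a hardware-backed signing key on the engineering station would replace the shared secret) are separate measures.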