TTTech Industrial
The basis for secure IIoT projects
A comprehensive cybersecurity strategy is needed to counteract the professionalization of cyberattacks. Standardization bodies and the EU have issued guidelines for this. This article explains how IEC 62443 and NIS-2 compliance are connected and together provide the basis for secure IIoT projects.
Cybersecurity in production requires secure networking of machines and systems with the cloud.
© TTTech Industrial
Cybersecurity risks in industrial plants can have serious consequences, and not only for the companies affected. They can threaten entire supply chains, as in the case of the ransomware attack on an American branch of the automotive supplier Yanfeng, or public safety, as in the case of attacks on healthcare providers and hospitals.
Due to the increasing number of incidents and the professionalization of attackers, a uniform approach to cybersecurity is needed. It should combine robust protective measures with a rapid, targeted response to incidents, so that risks are effectively minimized and the resilience of critical infrastructures is ensured. The first step is not the selection of specific technologies and security products but a systematic approach, one that is not only required at company level but is also actively demanded by government organizations.
Comprehensive security in the digital age
The Network and Information Security Directive 2 (NIS-2) is the European Union's new regulatory framework for information security in critical industries. NIS-2 affects significantly more sectors and companies than the 2013 NIS Directive, introduces stricter supervisory activities and emphasizes the responsibility of top management in matters of cybersecurity: it is no longer enough for management to be informed; they must be accountable, also legally, for the company's comprehensive information security.
Nevertheless, NIS-2 should by no means be seen as a box-ticking exercise or a threat to management; it represents a strategic opportunity for organizations to strengthen their cyber defences and ensure sustainability in the digital age.
NIS 2 compliance: basics and technical measures
The IIoT platform Nerve securely networks production with the cloud. However, it also enables offline operation for critical applications whose data must not leave the company premises.
© TTTech Industrial
In order to meet the requirements of NIS-2, auditable processes and measures, i.e. documented and demonstrably effective ones, are required in various security-relevant areas. Risk management, with analysis and evaluation of the relevant risks as the basis for developing a systematic security architecture, is fundamental. This architecture then covers specific technical and organizational aspects such as authentication, encryption, device registration, software provisioning, logging, system administration, patch management and remote administration. The directive also defines requirements for organizational measures such as reporting, monitoring one's own supply chain for security risks and the ongoing promotion of security awareness among employees.
However, NIS-2 does not specify any technical measures, let alone technologies: the directive defines what must be achieved in the area of information security, but not how. This is where another standard comes into play for industrial systems: the IEC 62443 series of standards provides a comprehensive framework for the security of industrial automation and control systems (IACS) and covers the entire life cycle of these systems. It defines requirements and processes for the implementation and maintenance of electronically secure IACS and establishes best practices for security, for the assessment of security performance and for bridging operational technology and information technology. It therefore follows the same systematic approach as NIS-2, but backs it up with concrete technical measures in various areas.
IEC 62443: Backbone for the implementation of NIS-2
Correct implementation of IEC 62443, which is the natural choice for suppliers and operators of industrial plants and systems, directly helps with compliance with the NIS-2 directive in several ways, including the following aspects:
- Both NIS-2 and IEC 62443 are about risk assessment. IEC 62443 provides a robust methodology for performing risk assessments in industrial automation and control systems.
- IEC 62443 defines specific security measures for industrial systems. These measures cover many of the requirements set out in the NIS-2 directive. Together with IEC 27001, IEC 62443 is a highly relevant implementation reference for achieving the objectives of NIS-2.
- The operational security and availability of industrial automation and control systems, even in the event of cyberattacks, is an important objective of NIS-2. To achieve this, IEC 62443 defines various verification mechanisms (logging, auditing) that are essential for defending critical infrastructures against ongoing cyberattacks.
IIoT platform as a tool for industrial cyber security
Edge computing enables better protection of sensitive data: local processing makes attacks on data and infrastructure harder despite cloud connectivity and, in the event of a successful attack, significantly reduces their scope and impact. The introduction and use of a consistently security-oriented solution for edge computing can also increase user awareness of the issue of cybersecurity. After all, the human factor is an essential part of a comprehensive security culture in companies and cannot be replaced by processes or technical systems. The integration of standards such as NIS-2 and IEC 62443 into the security architecture of companies and the use of certified platforms are decisive steps in overcoming the challenges of cybersecurity in Industry 4.0 and strengthening resilience to cyber threats.
One example of an edge solution that holds the necessary process certifications according to IEC 62443 is the IIoT software platform 'Nerve' from TTTech Industrial. The IIoT platform for machine manufacturers offers scalable, cloud-managed edge computing, a kind of software infrastructure between manufacturing and the cloud that companies can use to implement their IIoT projects. Users can access data, manage devices and machines and deploy applications remotely via a central management system, which can be operated in a public cloud or in the in-house data center as required.
In addition to functions for the introduction and operation of IIoT architectures, such as collecting, processing and analyzing machine data in real time, Nerve enables the remote management of devices and the provision of applications. It also supports standards-compliant security mechanisms for enterprise requirements, such as role-based user and authorization management for edge applications, secure remote access to protected OT operating functions via the Internet, and comprehensive logging mechanisms for checking system integrity. Other functions include, for example, data access to devices with different protocols and connections, seamless integration of legacy software through virtualization (virtual machines) and container technology (Docker), encryption of all Nerve communication between edge and cloud with Transport Layer Security (TLS) 1.2, and central update mechanisms for security patches and software updates. The key feature, however, is that these functionalities are developed through an IEC 62443-compliant process and made available in such a way that they support users in their own process certification. Integrated cybersecurity features, annual audits in accordance with IEC 62443 by TÜV and regular penetration tests by external security specialists ensure that the IIoT software platform provides a secure basis for IIoT projects.