4 November 2024

NIS2 Compliance: 8 Must-Knows for Energies & Chemicals Firms

As industries like Energies and Chemicals embrace digitalization, cyber risks become more complex, ultimately making them business risks—the average data breach costs ~$4.8 million. More concerning is how cyber-related disruptions, like the Colonial Pipeline attack in the U.S., can delay the supply of essential products. Increased digitalization exposes operators to multiple cyberattack pathways. Between 2021 and 2022, cyberattacks on North American energy companies increased by 71%, and ransomware costs are predicted to reach $265 billion by 2031.

Energies and Chemicals companies rely on vast supply networks, meaning a security breach in one network can compromise the entire supply chain. Converging operational technology (OT) and information technology (IT) expands attack surfaces, increasing network vulnerabilities. Additionally, the prevalence and adoption rate of other digital technologies, like cloud-based industrial automation, pose security risks that could be mitigated with proper cybersecurity controls.

Today’s operators face pressures beyond regulatory compliance and the associated fines. The relentless pace of cyberattacks and their significant consequences are raising stress levels. It is imperative to strengthen baseline security controls to prevent sophisticated hostile actors from infiltrating critical infrastructure networks and systems.

Within the European Union (EU), the Network and Information Security (NIS) Directive 2 is the framework that better supports today’s operational security needs.

NIS 2 provides stronger, more effective security for critical infrastructure

The 2016 NIS 1 Directive set baseline cybersecurity controls across the EU but lacked uniform standards, which led to varying compliance levels between member states. The NIS 2 Directive introduces stronger layers of security, making it more difficult and expensive for bad actors to break into critical national infrastructure and minimizing the risk of disruption from cyberattacks. Adopting an outcome-driven security culture and investing in NIS 2 compliance processes helps keep critical networks online 24/7, reduces asset downtime, and improves operational efficiency.

By viewing cyber risk as a business risk, attaining a NIS 2-compliant security posture becomes a collective responsibility across the company. For instance, a chemical plant engineer shares the responsibility for safeguarding critical assets with the IT security team, distributing the burden and helping alleviate the stress on any one person or team.

Securing Energy and Chemical operations: 8 essential NIS 2 requirements

The push for NIS 2 compliance (UK deadline is 2027) not only aids in avoiding fines but also promotes the adoption of cybersecurity best practices and education. For Energies and Chemicals operators, NIS 2 compliance requires:

1. Develop policies to analyze and address information security risks
Understanding OT risks enables stakeholders to implement targeted policies. For instance, IoT sensors in a chemical plant that detect carbon dioxide leaks can upload their readings to the cloud so that alerts trigger proactive asset maintenance. However, this data transmission exposes the plant’s networks to security risks, which must be mitigated to prevent threats.

2. Implement incident response plans and procedures
Proactively safeguarding assets demands well-documented, consistently structured cybersecurity incident response processes that can uncover anomalies within a large volume of events. Recognizing “normal” versus “abnormal” events helps increase procedure effectiveness. Like fire or chemical hazard incident plans, cybersecurity plans should be tested at least annually.

3. Manage backups, disaster recovery, and crisis management
Failure to consistently back up critical data increases the risk of data loss in an unexpected cyber incident. For example, if chemical plant process optimization data is not backed up, it can be lost completely when malware compromises local devices, such as laptop computers.

4. Address supply chain vulnerabilities
Operators must identify third-party risks that arise from using uncontrolled devices to update automation software. For example, malware reaching the networks of industrial terminals and suppliers can cause asset downtime and halt operations across these large, interconnected networks.

5. Monitor the effectiveness of cybersecurity programs
Adopting a culture of continuous improvement, learning from past mistakes, and following best practices strengthens the entire company’s security posture, especially when implementing new industrial automation technologies.

6. Implement cybersecurity training for basic cyber hygiene
Ongoing security awareness training enables all employees, whether engineers, terminal workers, or administrative staff at an industrial terminal or chemical plant, to align on the appropriate security measures protecting local devices and the company’s networks from phishing and other social engineering risks.

7. Control access across the organization
Implementing privileged access restrictions, such as role-based access control, allows IT and OT administrators to control access to critical environments like control rooms and emergency shutoff areas, helping to prevent unauthorized actors from making potentially disruptive changes.

8. Authenticate access to sensitive systems and networks
Multifactor authentication (MFA) is more challenging to apply to OT assets, because it can create access barriers for engineers who need to log into critical systems. Even so, restricting access is crucial to help prevent malicious actors from tampering with sensitive systems and operations.

Given the undeniable business and financial implications, Energies and Chemicals operators may find it overwhelming to coordinate security efforts for NIS 2 compliance. You don’t have to do it alone. Schneider Electric offers Cybersecurity services to assist you in developing unique security policies in the face of evolving threats. Contact us today to get started and download our NIS 2 eGuide for essential insights.