EU critical infrastructure companies 'not ready' for NIS2 compliance

80% of organisations lack programmes for vulnerability mapping and threat hunting; only half conduct regularly scheduled risk analysis exercises.

Nozomi Networks has released the results of a new study highlighting an immediate need for EU critical infrastructure organisations to revise their operational technology (OT) security and risk management priorities to meet NIS2 compliance.

The report “Driving cyber resilience: the impact of the NIS2 Directive” found that the legislation appears to be a substantial challenge for most critical infrastructure organisations. Many still do not have visibility of all assets and networks to ensure full compliance and effective cyber protection.

With the Network and Information Security Directive (NIS2) due to be transposed into national law by 17 October 2024, EU critical infrastructure companies need to extend risk management beyond IT to include OT. This makes it crucial for them to have greater visibility of all assets and networks, which in turn requires regular risk analysis of operational networks.

The study amongst 300 IT security decision makers in large organisations across Germany, France, Sweden and the Netherlands, was conducted by Vanson Bourne and found that for critical information systems, only 50% of organisations follow a schedule in terms of conducting and updating a risk analysis. 34% do so on an ad-hoc basis and 15% of companies across Europe do not currently conduct any risk analysis at all, with an even higher number in France (29%) and Sweden (22%).

Andrea Carcano, CPO and Co-founder of Nozomi Networks, commented on the findings: “With NIS2 around the corner, critical infrastructure organisations across Europe need to take immediate action. By 2024, many will be required to revise security and risk management priorities, particularly for OT. The good news is effective technologies and deployment options are available to help organisations cover their bases. The key to effective network monitoring and risk management lies in using real-time information to inform an accurate risk view.”

The research also found that many organisations either only understand what threats or risks they face when they are forced into action, or do not understand them at all. Most lack programs associated with asset identification and inventory management (81%), vulnerability mapping / threat hunting (80%) and situational awareness / data analytics (75%).

The survey also reveals that while 35% of organisations give ultimate responsibility for securing OT and IoT devices and networks to the CISO, many others rely on the IT department (24%) and/or OT operators (18%), amongst others.

And while the CISO carries this responsibility more often in Sweden (44%), France (43%) and the Netherlands (40%), in Germany only 21% of organisations rely on their CISO to secure OT and IoT devices and networks.

The survey shows that the role of the CISO clearly differs from country to country, but with NIS2 coming into effect in 2024, organisations need to ensure they understand their OT and IoT assets, maintain an asset inventory and vulnerability management programme for them, and be able to perform root cause analysis and review events and activities during incident response.