Two drivers that increase cybersecurity compliance for Operational Technology (OT)

3.1 Compliance

A clear driver for organizations to take action is compliance and regulations. For Europe, the NIS2 should become active in the last quarter of 2024, although local implementations by member states might take some more time.

On a high level, one might say that the NIS2 follows the same implementation process as the GDPR in 2016. Where GDPR focuses on data protection and privacy with the assurance of confidentiality and applying the need to know/need to have principles, the NIS2 will cover breaches to logical IT and OT networks in general on all security aspects, like safety, availability, integrity, and confidentiality (see 5.1).

The NIS2 forces organizations to take responsibility by applying fines when negligent. It not only stimulates organizations to improve their own security posture but also to pay proper attention to the area of vendor management from a security perspective, reducing the risk of supply chain attacks.

3.2 Cyber Insurance

Another stimulation comes from the opportunity to reduce cyber insurance premiums. Insurance companies have learned over the years that the average security posture of OT environments is low and have increased their premiums. Often, premiums can be reduced when an organization can prove to have taken adequate security measures, reducing the likelihood and impact of successful cyber-attacks.

Some organizations have experienced cyber insurance not covering damages in certain conditions, for example, when the cyberattack turned out to be an act of war. This was the case with the NotPetya malware in 2017, as its origin led back to a state actor. Most organizations that were hit by NotPetya were not targeted but collateral damage by the supply chain.