The Cybersecurity Directive, or NIS 2 Directive, covers all medium and large companies operating in critical sectors. In addition, regardless of size, the directive applies to all organisations that have been designated as critical entities at national level. The NIS 2 Directive will enter into force in October 2024 and affect many sectors, one of the key ones being the energy sector.
The sectors covered by NIS 2 are divided into sectors of high criticality and other critical sectors. The energy sector belongs to the first of these – after all, it is at the heart of our whole infrastructure. From a societal perspective, production and distribution of both heat and electricity are particularly important.
But is there anything specific to consider for the energy sector in terms of NIS 2? Juha Pennanen, Cyber Security Consultant at Loihde, says that the energy sector has one feature in particular that sets it apart from many other industries.
"I would estimate that in the energy sector, up to 80% of the business is outsourced to subcontractors. For example, critical systems are often maintained by external suppliers. In addition, installation or even surveillance, for example, can be entirely the responsibility of subcontractors", he explains.
According to Pennanen, when the role of subcontractors is emphasised, there is a risk that the company's own expertise is not sufficiently retained.
"You can commission work, but you cannot outsource responsibility. Ultimately, a company is always responsible for its own actions. Even if a partner is taking care of something, it is important to know and understand what is happening in practice", Pennanen continues.
OT and IT networks are never completely separate
Another distinctive feature of the energy sector relates to OT and IT networks, which are often managed by different people. This is a challenge from an information security point of view, since security is one inseparable whole. The two networks cannot be treated as separate from each other, because OT is also IT.
According to Pennanen, there are no longer any completely closed OT networks in practice, as there is always a need for data transfer, for example for reporting, monitoring or maintenance purposes. The often very diverse and aged equipment in OT networks poses its own challenges to secure data transfer.
"Even in energy companies, for example, the OT networks related to power grids and distribution and monitoring are not completely separate from office IT. It is therefore essential that the organisation has an understanding of its networks as a whole. Overall understanding of and skills in IT are more important than ever", says Pennanen.
According to Pennanen, NIS 2 forces organisations to manage information security as a whole, and there is no longer room for separate approaches.
"There are still a lot of silos – especially in many long-established industries, such as energy. However, information security is a whole and in the context of the Cybersecurity Directive, reporting can only be successful if the organisation knows and understands that whole. Working in silos and not treating information security as a whole are information security risks."
There is always room for improvement in documentation in general
Pennanen has been a consultant in NIS 2 compliance for many energy sector operators. He estimates that most companies have room for improvement, especially when it comes to documentation.
"Documentation makes information security work transparent. For example, it is important to document the network as a whole and how it is maintained. It is also a good idea to keep a record of, for example, trainings and inspections. Nothing has been done unless it has been documented."
Even small, positive observations should be documented.
"Always document, even if there was nothing that needed to be fixed. It is also important to know that an inspection has been carried out. If necessary, this way, you can show that something has been monitored regularly."
The energy sector is already familiar with NIS 1, but NIS 2 comes with potential sanctions. This has galvanised organisations to get more things in order. Pennanen, however, believes that NIS 2 in particular should be seen as an opportunity to improve your own operations.
"NIS 2 is generally welcomed in the energy sector as well as in other sectors. Some companies, for example, have wanted to improve documentation for a while, and NIS 2 has finally provided the impetus."
Pennanen has acted as a consultant for organisations of all sizes. While large companies in particular often have the skills and resources to implement NIS 2 compliance themselves, an external assessment (mapping) still provides an outside perspective on what is worth doing right now.
"The assessment often highlights the fact that things work well technically, but the administrative side needs improvement. For example, an information security policy may be in place but out of date, or the basic principles of risk management may not be recorded. Risks need to be monitored regularly. Information security documentation lives and changes every day."