Airbus Protect recently attended the CS4CA OT security conference in London.
As with all the best cybersecurity conferences, there was a good mix of independent experts and companies at the event, who provided state-of-play updates, shared best practices, and engaged in some crystal-ball gazing.
Though the conference covered a wide range of topics, a few came up more than others, such as NIS2, cyber ranges, implementing standards, supply chain security and cultural challenges. In this blog, we’ll dive into a few of these themes and reflect on what we learned at the conference.
NIS2 is a new EU directive that aims to strengthen cybersecurity requirements for ‘essential entities’ and ‘important entities’ irrespective of their size. It will apply to companies in sectors like energy, transport, health, digital infrastructure, banking, utilities, government, space, chemicals, food, manufacturing and more.
NIS2 is expected to come into effect in 2024. It will have a significant impact on the manufacturing sector as ‘supply chain’ organisations will now be classed as EE/IEs. New reporting requirements will demand that these organisations submit a report to the national CSIRT within 24 hours of becoming aware of an incident. It will also become mandatory for management to take responsibility for their organisation’s OT security maturity. This includes having regular risk assessments and signing-off on mitigations and risk treatment plans.
There were several presentations on NIS2 at the conference. These covered its key requirements, how to comply and the potential impact on organisations. From listening to them, it’s clear that NIS2 is a complex piece of legislation. This means it’s essential for OT organisations (operations and management) to start preparing now, especially those that weren’t part of the original NIS-D roll-out.
The UK will not be directly replicating NIS2. However, it intends to apply a proportionate approach to any updates to the current legislation. This will encompass new areas such as managed service providers, supply chain security and more stringent reporting obligations. It’s expected that UK regulations will ensure that its organisations achieve a similar level of assurance as those in the EU.
Cyber ranges are virtual or physical environments that allow organisations to train staff and test their cybersecurity capabilities. Cyber ranges can be used to simulate a wide range of cyberattacks, including those that target OT systems.
At the conference, there was a lot of interest in cyber ranges, particularly from organisations that are looking to improve their OT security maturity. Airbus Protect gave a well-received presentation and interactive demonstration of OT system compromise with the Airbus ‘CyberRange’ product. This demonstrated how pentesting on a digital twin of your OT environment can prevent system vulnerabilities from becoming catastrophic events.
There are several cybersecurity standards and frameworks that are relevant to OT systems, such as NIST CSF, NIST SP 800-82 and IEC 62443. Implementing these can help organisations improve their OT cybersecurity posture.
This was a recurring theme of the event, with many presenters and delegates talking about IEC62443 and how it could help them. In fact, IEC62443 seems to be becoming the de facto OT security standard! However, it was also clear that these standards are complex to understand and even more difficult to interpret. So, it’s one thing to know what standard you want to use, but quite another to implement it.
There were several presentations on the importance of implementing OT cybersecurity standards. Case studies from organisations that have successfully implemented cybersecurity standards were also well-received by those in the audience looking to do something similar.
It was great to be back at an OT security event, meeting up with some familiar faces. The attendees at CS4CA were a good mix of end users, academics and vendors, which gave the agenda a nice balance. We were impressed by the number of people looking for more information on cyber ranges and digital twins – it’s clear that more people are now seeing how these can directly benefit their organisation.
Cybersecurity Supply Chain attacks are an underestimated risk for companies, where cyber threat actors can hack into a software vendor’s network, posing a significant danger to many companies. Who may be affected by these attacks? Every company of every branch who is in a business relationship to a third-party vendor who offers services or software to […]
Read more
Cybersecurity The use of network scanners with a graphical user interface has been observed in a number of former IR engagements conducted by our CSIRT. Discover how operators use these tools to map networks and minimize detection.
Read more
Cybersecurity In 2023, Airbus Protect demonstrated unparalleled achievements in cyber defence, marking a significant milestone for the company. Four key events in Germany contribute to the organisation's commitment to excellence and innovation in the ever-evolving landscape of cybersecurity.
Read more