This post is the first in a three-part series exploring the complexities of securing remote access in industrial environments. It focuses on the key requirements set by the NIS2 Directive (1) and provides actionable steps to help organizations achieve compliance for remote access.
In Part 2, we will discuss how the IEC 62443 (2) series can support NIS2 compliance, particularly in the context of remote access.
Finally, Part 3 will offer a detailed guide on configuring Ewon Remote Access Service (3) to meet NIS2 compliance, following the recommendations outlined in IEC 62443.
The growing importance of securing industrial remote access
Remote access to industrial systems is indispensable in modern operations. From enabling real-time monitoring to addressing system anomalies remotely, efficient remote access improves productivity and reduces downtime. However, it also opens a path from outside the plant into control networks, where a compromise can affect a physical process and not just data, a risk that traditional IT environments do not face.
Challenges in securing industrial remote access
• Cyber threats
Industrial facilities are high-value targets for cyberattacks, including ransomware, unauthorized intrusions, and data breaches. The complexity of these attacks has grown, making it imperative to adopt robust defensive measures.
• Legacy equipment
Many industrial systems were designed with availability and reliability in mind, not cybersecurity. Weak authentication frameworks and outdated protocols in older systems compound the challenge.
• Compliance and regulations
Standards such as ISA/IEC 62443, NIST SP 800-82, and ISO/IEC 27001 define detailed requirements and controls for industrial cybersecurity. Meeting these requirements is both critical and complex.
• Reliability and performance
Industrial processes demand consistent and uninterrupted operations. Remote access solutions must not only be secure but also avoid adding latency or disruptions.
What is the NIS2 directive and what is its impact on industrial cybersecurity?
The NIS2 Directive (Directive (EU) 2022/2555) is a comprehensive update to its predecessor, the 2016 NIS Directive, aimed at strengthening cybersecurity across the European Union. NIS2 extends its scope to more sectors and requires essential and important entities to take proactive measures to secure their network and information systems.
Under Article 21 of the NIS2 Directive and its implementing regulation (4), entities must take appropriate and proportionate technical, operational and organisational measures based on an all-hazards, risk-based approach, including supply chain security, incident handling and the other measures listed in Article 21(2). For industrial sectors, this includes how remote access to Operational Technology (OT) is secured.
Key impacts of NIS2 on industrial cybersecurity include:
• Supply chain security accountability
Organizations must ensure that external service providers adhere to their defined security requirements.
• Secure-by-design practices
Solutions must be conceived and implemented with embedded security controls.
• Incident reporting obligations
Significant incidents affecting industrial assets must be reported to the competent authority or CSIRT without undue delay: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month (Article 23).
Key security requirements under NIS2 for remote access to industrial assets
Article 21(2) of the NIS2 Directive lists the minimum cybersecurity risk-management measures every entity must implement. The table below maps 17 concrete requirements for securing remote access to industrial systems onto those measures; implementing them improves security, supports compliance, and builds resilience against cyberattacks.
Category | Measure | Where in NIS2 Article 21 | Requirements |
---|---|---|---|
Access Controls | Ensure the strength of authentication is appropriate | (g) basic cyber hygiene practices and cybersecurity training; | Use strong, up-to-date authentication methods to protect remote access |
Access Controls | Use multi-factor authentication | (j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate. | Secure remote access connections with MFA to add an extra layer of protection |
Access Controls | Change of authentication credentials initially | (g) basic cyber hygiene practices and cybersecurity training; | Default passwords or credentials should be changed immediately after setup to reduce risks |
Access Controls | Implement authentication procedures based on least privilege principle | (i) human resources security, access control policies and asset management; | Limit user access to only the systems and resources that are necessary for their roles |
Access Controls | Require the reset of authentication credentials and the blocking of users after a predefined number of unsuccessful log-in attempts | (g) basic cyber hygiene practices and cybersecurity training; | Define thresholds for failed login attempts and enforce automatic blocking to prevent brute-force attacks. |
Incident Handling | Use tools to monitor and log activities | (b) incident handling; | Use tools to monitor and log all remote access activities for accountability and threat detection |
Access Controls | Obtain approval from the asset owner before each and every remote access connection | (g) basic cyber hygiene practices | Only allow third-party service providers to connect after they submit an authorization request and the asset owner approves it
Network Security | Network Segmentation | (e) security in network and information systems acquisition | Implement segmentation and controls that strictly prevent unnecessary or unauthorized access
Network Security | Security patch management | (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; | Regularly update all software and firmware with the latest patches to address vulnerabilities
Network Security | Deactivate unneeded connections and services | (g) basic cyber hygiene practices | Reduce security risks by deactivating unused services and ports |
Network Security | Protection against unauthorized software | (e) security in network and information systems acquisition | Enforce policies to prevent installation or execution of unauthorized software on devices |
Network Security | Allow access to the network only to authorized devices | (e) security in network and information systems acquisition | Implement controls to block devices that are not registered or authenticated |
Policies & Procedures | Establish, implement and apply a policy and procedures related to cryptography | (h) policies and procedures regarding the use of cryptography and, where appropriate, encryption; | Use proven cryptographic methods for Remote Access |
Policies & Procedures | Applications used in the Automation Solution are commonly accepted by both the security and industrial automation communities | (g) basic cyber hygiene practices | Verify that all applications in the automation solution are recognized and accepted by both the industrial automation and security communities |
Policies & Procedures | Provide detailed instructions for the installation, configuration, operation, and termination of the remote access | (g) basic cyber hygiene practices | Document how each remote access connection is installed, configured, operated and terminated, and enforce those procedures for every connection into the IACS (Industrial Automation and Control Systems) environment
Policies & Procedures | Regularly review the identities and, if no longer needed, deactivate | (g) basic cyber hygiene practices | Periodically audit digital identities and revoke access for users who no longer require it. |
Policies & Procedures | Maintain policies for management of privileged and system administration accounts | (i) human resources security, access control policies and asset management; | Enforce strict policies for managing high-access accounts to prevent misuse or exploitation |
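Several rows of the table are controls that can be checked mechanically against a remote-access audit trail: blocking a user after a threshold of failed logins, requiring MFA, admitting only registered devices, requiring asset-owner approval before each connection, and deactivating identities that are no longer used. The script below is an added example written for this post, not code from the post, from Ewon or from any NIS2 text. The event format, device registry, approval list and all thresholds are hypothetical; the directive does not prescribe specific numbers, so take them from your own policy.

```python
"""Policy checks over a remote-access audit log (added example, not from the post).

Assumptions (hypothetical, for illustration): events are dicts with the fields
shown in SAMPLE_EVENTS, and the thresholds below come from the organization's
own policy; NIS2 itself does not prescribe specific numbers.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILED_LOGINS = 5                      # block after this many failures ...
LOCKOUT_WINDOW = timedelta(minutes=15)     # ... inside this window
STALE_IDENTITY_AFTER = timedelta(days=90)  # review/deactivate unused identities
AUDIT_TIME = "2025-03-02T00:00:00"         # "now" for the stale-identity check

# Constructed reference data: devices registered for OT remote access and the
# connection requests the asset owner has approved, as (user, target asset).
REGISTERED_DEVICES = {"dev-eng-01", "dev-vendor-07"}
APPROVED_REQUESTS = {("vendor.alice", "PLC-LINE-3")}
KNOWN_USERS = {"vendor.alice", "vendor.bob", "eng.carol", "eng.dave", "eng.old"}


def _ev(ts, user, event, device, mfa, target=None):
    return {"ts": ts, "user": user, "event": event, "device": device, "mfa": mfa, "target": target}


# Constructed sample audit log, in chronological order: five failures from
# vendor.bob in eight minutes, one compliant session (vendor.alice), two that
# violate controls, and one identity last seen months ago (eng.old).
SAMPLE_EVENTS = [
    _ev("2024-10-01T07:00:00", "eng.old", "login_ok", "dev-eng-01", True),
    _ev("2025-03-01T08:00:00", "vendor.bob", "login_failed", "dev-unknown-99", False),
    _ev("2025-03-01T08:02:00", "vendor.bob", "login_failed", "dev-unknown-99", False),
    _ev("2025-03-01T08:04:00", "vendor.bob", "login_failed", "dev-unknown-99", False),
    _ev("2025-03-01T08:06:00", "vendor.bob", "login_failed", "dev-unknown-99", False),
    _ev("2025-03-01T08:08:00", "vendor.bob", "login_failed", "dev-unknown-99", False),
    _ev("2025-03-01T08:12:00", "vendor.alice", "login_ok", "dev-vendor-07", True),
    _ev("2025-03-01T08:13:00", "vendor.alice", "session_open", "dev-vendor-07", True, "PLC-LINE-3"),
    _ev("2025-03-01T09:00:00", "eng.carol", "login_ok", "dev-eng-01", False),
    _ev("2025-03-01T09:01:00", "eng.carol", "session_open", "dev-eng-01", False, "HMI-LINE-2"),
    _ev("2025-03-01T09:59:00", "eng.dave", "login_ok", "laptop-byod", True),
    _ev("2025-03-01T10:00:00", "eng.dave", "session_open", "laptop-byod", True, "PLC-LINE-3"),
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_lockouts(events, max_failed=MAX_FAILED_LOGINS, window=LOCKOUT_WINDOW):
    """Sliding-window brute-force check: {user: time the account should be blocked}.

    A successful login clears the failure counter. Once a user is locked, later
    events for that user are ignored until the credential reset the policy requires.
    """
    recent = defaultdict(deque)
    lockouts = {}
    for e in events:
        user, t = e["user"], _ts(e)
        if user in lockouts:
            continue
        if e["event"] == "login_ok":
            recent[user].clear()
        elif e["event"] == "login_failed":
            q = recent[user]
            q.append(t)
            while t - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= max_failed:
                lockouts[user] = t
    return lockouts


def review_sessions(events, registered=REGISTERED_DEVICES, approved=APPROVED_REQUESTS):
    """One (session, reason) finding per control that a session_open event violates."""
    findings = []
    for e in events:
        if e["event"] != "session_open":
            continue
        session = f"{e['user']}->{e['target']}"
        if not e["mfa"]:
            findings.append((session, "MFA not used"))
        if e["device"] not in registered:
            findings.append((session, "device not registered"))
        if (e["user"], e["target"]) not in approved:
            findings.append((session, "no asset-owner approval"))
    return findings


def stale_identities(events, known_users=KNOWN_USERS, now_iso=AUDIT_TIME, max_age=STALE_IDENTITY_AFTER):
    """Identities with no successful login inside max_age: candidates for deactivation."""
    now = datetime.fromisoformat(now_iso)
    last_ok = {}
    for e in events:
        if e["event"] == "login_ok":
            last_ok[e["user"]] = max(last_ok.get(e["user"], _ts(e)), _ts(e))
    return sorted(u for u in known_users if u not in last_ok or now - last_ok[u] > max_age)


def run_audit(events=SAMPLE_EVENTS):
    """Run all three checks and return plain data suitable for a ticket or report."""
    return {
        "lockouts": {u: t.isoformat() for u, t in find_lockouts(events).items()},
        "session_findings": review_sessions(events),
        "stale_identities": stale_identities(events),
    }


if __name__ == "__main__":
    for section, result in run_audit().items():
        print(section, result)
```

On the sample log the audit blocks vendor.bob at the fifth failure, flags eng.carol's session for missing MFA and missing approval, flags eng.dave's for an unregistered device and missing approval, and lists eng.old and vendor.bob for identity review. In production the same checks would run against the remote-access gateway's own logs, and the lockout result would feed the gateway's account-blocking and credential-reset workflow rather than a printout.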
Adopting a risk-based, secure-by-design approach
Compliance with NIS2 is not just about ticking boxes; it is about fundamentally improving the security posture of industrial systems. The following are practical steps industrial organizations can take to adopt a secure-by-design framework:
• Adopt industry standards
Align with standards like ISA/IEC 62443, which provide actionable guidance on cybersecurity policies and technical controls.
• Conduct risk assessments
Regularly evaluate potential security vulnerabilities and implement risk-based mitigation strategies.
• Train personnel
Educate employees and engineers on best practices for cybersecurity to ensure proper handling of remote access technologies.
• Work closely with vendors
Ensure your machine builders and service providers integrate NIS2-compatible security measures in their solutions.
Securing the future of industrial cybersecurity
Remote access is the backbone of modern industrial operations, but the more operations depend on it, the more attractive and damaging a target it becomes. By adopting NIS2's security measures and leveraging established frameworks like ISA/IEC 62443, industrial organizations can secure their assets, remain compliant, and build trust with stakeholders.
_________________________________
[1] https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
[2] https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
[3] https://www.hms-networks.com/ewon
[4] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402690