The voluntary standard IEC 62443 is a framework for the application of the NIS 2 Directive, because it offers a set of practical and specific tools that help to implement the security measures required by the NIS 2 Directive. Let’s see how.
Synergy and complementarity
Although the two operate on different levels and in different contexts, the international standard IEC 62443 (specific to industrial automation and control systems) helps to turn the general requirements of the NIS 2 Directive, which was developed to protect the networks and information systems of critical sectors in Europe, into practical and technically detailed actions.
Since industrial control systems are widely used in many of the sectors covered by NIS 2, such as energy, transport and manufacturing, IEC 62443 can be the means of meeting the security requirements that NIS 2 imposes in those sectors.
This is a practical guide for organizations operating in critical industries that will be required to protect their systems from cyber threats as of October 2024. Read on for details.
Main points of integration
As mentioned, the synergy between the directive and the standard allows organizations to bring their industrial systems into compliance while improving the business continuity of essential services.
In practice, this means:
1) Alignment of the security objectives set by the two frameworks, in order to improve overall resilience against cyber threats
2) A structured approach to risk management, where IEC 62443 best practices provide the reference benchmark for any company that intends to approach cyber security risk assessment correctly
3) Integration into compliance processes, where audit and certification according to IEC 62443 schemes can demonstrate compliance with the requirements of NIS 2, provided they are part of an overall cyber security program
Specific points for implementation of NIS 2
To meet the requirements of NIS 2 listed in Article 21, paragraph 2, we can refer to part 2-1 of the IEC standard (i.e. IEC 62443-2-1).
Below are the starting points for meeting the requirements of the European Directive with IEC 62443 best practices.
1) Policies for risk analysis and the security of information systems
NIS 2 objective: adopt measures proportionate to the risks, which must be assessed in relation to the essential service, so as to implement a risk-based approach.
IEC 62443-2-1 references:
• 4.2.2 Business Rationale
• 4.2.3 Risk identification, classification and assessment
• 4.3.2.3 Organizing for security
• 4.3.2.6 Security policies and procedures
• 4.3.4.2 Risk management and implementation
• 4.3.4.3 System development and maintenance
• 4.4.3 Review, improve and maintain the Cyber Security Management System
2) Management of incidents, procedures and tools for notification
NIS 2 objective: adopt a plan for the containment of any incidents in coordination with the relevant authorities.
IEC 62443-2-1 references:
• 4.3.4.5 Incident planning and response
3) Business continuity, backup management in case of disaster
NIS 2 objective: have a plan to resume provision of the service as quickly as possible.
IEC 62443-2-1 references:
• 4.3.2.5 Business Continuity Plan
4) Security of the supply chain
NIS 2 objective: securely manage the supply chain to minimize the risk of attack.
IEC 62443-2-1 references:
• 4.3.2.2 Scope of the Cyber Security Management System
• 4.3.2.3 Organizing for security
• 4.3.2.6 Security policies and procedures
• 4.3.4.3 System development and maintenance
• 4.4.3 Review, improve and maintain the Cyber Security Management System
5) Security in relation to the acquisition, development and maintenance of systems, including their management and the disclosure of vulnerabilities
NIS 2 objective: security management during changes, management of vulnerabilities and updating of the systems.
IEC 62443-2-1 references:
• 4.2.3 Risk identification, classification and assessment
• 4.3.2.2 Scope of the Cyber Security Management System
• 4.3.2.6 Security policies and procedures
• 4.3.4.3 System development and maintenance
• 4.4.3 Review, improve and maintain the Cyber Security Management System
NIS 2 contains many further requirements, regarding, for example, risk management procedures, staff training, and the policies implemented for cryptography, encryption, access control and authentication. IEC 62443 offers corresponding references for each of these, which can help you meet compliance requirements knowingly, through targeted analysis, instruction and training plans.
We can help your organization improve its cyber security practices with goal-directed services. Take a look.
To take action now, and protect your infrastructure from cyber attacks, ask for advice.