Understanding the NIS2 Directive for IoT Security

In 2016, the European Parliament enacted Directive (EU) 2016/1148 on Network and Information Security (NIS Directive). As the first piece of cybersecurity-focused legislation applied across the European Union (EU), the NIS Directive intended to establish standardized cybersecurity controls across the Member States. While many Member States improved their cybersecurity capabilities, the variations across their implementing acts created confusion. Further, as businesses began moving toward cloud-first architectures, they faced new security threats and risks, especially as companies and member states became increasingly digitally intertwined. 

In response to the new risks arising from these new technologies and interconnected economies, the European Commission updated the NIS Directive, enacting the Directive on Security of Network and Information Systems (NIS2) in December 2022. 

What is the NIS2 Directive?

NIS2 replaces and augments the original NIS Directive, seeking to enhance cross-border cyber resilience by reducing the disparities between EU Member States’ cybersecurity capabilities. It outlines a set of minimum rules within a coordinated regulatory framework to reduce the impact that a single security incident would have across critical sectors and services. 

NIS2 focuses on three primary objectives:

  • Standardizing cybersecurity risk management and reporting across Member States’ critical infrastructures, including energy, transportation, health, and digital communications
  • Incorporating medium-sized and large entities within its scope using a size-cap rule
  • Aligning with pre-existing Member State legislation, specifically the Digital Operational Resilience Act (DORA) and the Directive on the Resilience of Critical Entities (CER)

As an EU Commission Directive, NIS2 requires each Member State’s legislative body to pass an implementing act specific to its country that contains the provisions within NIS2. NIS2 entered into force on January 16, 2022, and Member States have until October 2024 to pass their national legislation.

What compelled the EU to modify the original NIS Directive and what is the NIS2 Goal?

As governments and critical infrastructure entities expanded their digital footprints, they increased their attack surface, too. Combined with increasingly disruptive cyber attacks, the European Commission felt the need to update the NIS Directive provisions to:

  • Strengthen cybersecurity requirements
  • Address supply chain security 
  • Streamline reporting obligations
  • Institute more stringent supervisory measures
  • Apply stricter enforcement requirements

Who Must Comply with NIS2?

Annex I and Annex II in the NIS2 text list the critical infrastructure sectors that implementing acts will affect:

  • Energy, including electricity, district heating and cooling, oil, gas, and hydrogen
  • Transport, including air, rail, water, and road
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space
  • Postal and courier services
  • Waste management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing, including medical devices, computers, electronics, optical products, electrical equipment, machinery and equipment, motor vehicles, trailers, semi-trailers, and other transport equipment
  • Research
  • Critical entities as defined under Directive (EU) 2022/2557
  • Entities providing domain name registration services

Understanding NIS2’s Key Provisions

Every EU Member State must implement laws that align with NIS2’s key provisions. While NIS2 is not a law, it outlines what Member States must include in their law, affecting all companies defined as critical infrastructure. Understanding what NIS2 requires Member States to enact enables organisations to plan appropriately. 

Chapter II – Coordinated Cybersecurity Frameworks

Since its primary objective is to standardize cybersecurity requirements across Member States, the base requirements set forth in Chapter II will be in each country’s implementing act and then applied to the entities within that jurisdiction. 

The unified base requirements for interactions at the Member State level include:

  • National cybersecurity strategy: A governance and policy framework covering:
    • Information and Communication Technology (ICT) supply chain risks
    • Requirements for ICT products and services
    • Vulnerability management and disclosures
    • Internet availability, integrity, and confidentiality
    • Developing cybersecurity skills and awareness
    • Procedures and tools for sharing information between covered entities
    • Cyber resilience and cyber hygiene baselines for entities outside NIS2’s purview
  • Competent authorities and single points of contact: designated authorities to implement laws and communicate with other Member States
  • National cyber crisis management frameworks: competent authorities for managing large-scale cybersecurity incidents, including creating a national cybersecurity incident and crisis response plan
  • Computer security incident response teams (CSIRTs): competent authorities for creating and communicating common practices for incident handling, crisis management, and coordinated vulnerability disclosure
  • Coordinated vulnerability disclosure and a European vulnerability database: coordinator for identifying and contacting entities, assisting the people who report a vulnerability, negotiating disclosure timelines, and helping manage vulnerabilities across various entities

Chapter IV – Cybersecurity Risk Management Measures and Reporting Obligations

Chapter IV outlines the responsibilities that implementing acts will place upon the covered entities within their jurisdiction. To begin preparing for upcoming compliance requirements, entities should be familiar with the following two articles. 

Article 21 – Cybersecurity Risk Management Measures

Member States will apply an all-hazards risk management approach that includes entities taking appropriate and proportional technical, operational, and organisational risk management measures by creating policies and processes for:

  • Risk analysis and information system security
  • Incident response
  • Business continuity
  • Supply chain security, including between each entity and its direct suppliers or service providers
  • Network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  • Assessing the effectiveness of their cybersecurity risk management
  • Basic cyber hygiene practices and cybersecurity training
  • Cryptography and encryption
  • Human resources security, access control policies, and asset management
  • Multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems

Article 23 – Reporting Obligations

For covered entities, knowing the definition of a “significant incident” and the reporting timelines is critical. 

NIS2 defines a significant incident as one that:

  • Caused or is capable of causing severe operational service disruption or financial loss
  • Affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Entities that experience an incident will need to notify the Member State’s CSIRT or other competent authority as follows:

  • Within 24 hours of detection: early warning of a significant incident, including any potential unlawful/malicious acts or cross-border impact 
  • Within 72 hours of detection: incident notification updating the early warning with an initial assessment, including severity, impact, and any available indicators of compromise
  • Response to CSIRT or authority request: intermediate report with relevant status updates
  • Within 1 month of the incident notification: final report detailing the incident, including information about severity and impact, the triggering threat or incident root cause, applied and ongoing mitigation measures, and cross-border impact
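The timeline above has one detail that is easy to get wrong in practice: the early warning and incident notification clocks start at detection, but the final-report clock starts at the incident notification, so its due date is unknown until that notification is sent. The tracker below is an added example (not code from the article or from Asimily) that models the three mandatory submissions and classifies each as due, overdue, submitted or blocked at a given point in time. It assumes all timestamps are UTC and treats "1 month" as one calendar month from the notification, clamped to the last day of short months; both are assumptions, not rules taken from the directive text.

```python
"""Tracker for the NIS2 Article 23 reporting timeline (added example).

Assumptions (not taken from the directive text): timestamps are UTC and
"one month" means one calendar month from the incident notification.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

EARLY_WARNING_WINDOW = timedelta(hours=24)   # measured from detection
NOTIFICATION_WINDOW = timedelta(hours=72)    # measured from detection


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic that clamps to the last day of a short month."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class IncidentTimeline:
    detected_at: datetime
    early_warning_at: Optional[datetime] = None
    notification_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None

    def deadlines(self) -> Dict[str, Optional[datetime]]:
        """Due dates for the three mandatory submissions.

        The final report is due one month after the incident notification,
        not after detection, so it has no deadline until that is sent.
        """
        return {
            "early_warning": self.detected_at + EARLY_WARNING_WINDOW,
            "incident_notification": self.detected_at + NOTIFICATION_WINDOW,
            "final_report": add_months(self.notification_at, 1)
            if self.notification_at else None,
        }

    def status(self, now: datetime) -> Dict[str, str]:
        """Classify each submission as submitted / submitted late / due / overdue / blocked."""
        submitted = {
            "early_warning": self.early_warning_at,
            "incident_notification": self.notification_at,
            "final_report": self.final_report_at,
        }
        result: Dict[str, str] = {}
        for stage, due in self.deadlines().items():
            sent = submitted[stage]
            if sent is not None:
                result[stage] = "submitted" if due is None or sent <= due else "submitted late"
            elif due is None:
                result[stage] = "blocked"      # cannot be scheduled until notification is sent
            elif now > due:
                result[stage] = "overdue"
            else:
                result[stage] = "due"
        return result


if __name__ == "__main__":
    # Constructed scenario: detected 1 March 10:00 UTC, early warning sent 20h later,
    # no incident notification yet, checked 80h after detection.
    timeline = IncidentTimeline(detected_at=utc(2024, 3, 1, 10),
                                early_warning_at=utc(2024, 3, 2, 6))
    for stage, state in timeline.status(utc(2024, 3, 4, 18)).items():
        print(f"{stage:22s} {state}")
```

Feeding the tracker the timestamps from an incident management platform and running `status()` on a schedule gives an early "overdue" signal for the 24-hour and 72-hour windows, which are the ones most often missed when a response team is busy with containment.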

Incorporating Internet of Things (IoT) Devices into NIS2 Compliance Strategies

In connected environments, entities that fall within a Member State’s NIS2 implementing act must include Internet of Things (IoT) devices in their security program for a comprehensive approach. However, these devices are notoriously difficult to monitor: active network scanners that probe for vulnerabilities can disrupt the services the devices provide.

To achieve compliance with these new laws, organisations need a passive scanning solution that enables them to identify vulnerabilities, apply remediations, detect anomalous activity, and integrate into incident response processes. 

Maintain an Accurate Asset Inventory

A fundamental step to identifying risk and protecting against threats is having a comprehensive, accurate IT asset inventory that incorporates IoT devices. 

Organisations that adopt passive scanning tools to manage their IoT risk should ensure that they create an accurate profile that includes:

  • Operating system
  • IP address
  • MAC address
  • Port numbers
  • Applications
  • Hostname
  • Version number

A passive scanning solution prevents device service interruption by inspecting packets rather than initiating traffic, enabling entities to obtain safe, real-time data about:

  • Device behavior analysis
  • Risk assessment
  • Threat detection
  • Remediation
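To make the passive approach concrete, the following added example (not code from the article or from Asimily) builds the asset profile described above from metadata a passive sensor would extract on a mirror port: DHCP requests, mDNS announcements, TCP SYN/ACK replies (which reveal a listening port without any probe) and HTTP `Server` headers. The observation records are constructed for the example, the MAC and IP addresses are placeholders, and deriving the operating system from the DHCP vendor class is a heuristic assumption. Nothing in the code sends traffic to a device.

```python
"""Passive IoT asset inventory from observed traffic metadata (added example).

The observations are constructed to resemble what a passive sensor extracts
from DHCP, mDNS, TCP handshakes and HTTP banners. No packets are sent.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AssetProfile:
    """The fields the article lists for an IoT device profile."""
    mac: str
    ip: str = ""
    hostname: str = ""
    os: str = ""                                   # heuristic, from DHCP vendor class
    ports: Set[int] = field(default_factory=set)   # ports seen answering SYN/ACK
    applications: Set[str] = field(default_factory=set)
    version: str = ""
    last_seen: float = 0.0


# Constructed observations (placeholder MACs/IPs), not real captures.
OBSERVATIONS: List[dict] = [
    {"ts": 1.0, "kind": "dhcp", "mac": "00:11:22:aa:bb:01", "ip": "10.0.5.21",
     "hostname": "infusion-pump-3", "vendor_class": "Linux 4.19 embedded"},
    {"ts": 2.0, "kind": "tcp_synack", "mac": "00:11:22:aa:bb:01", "ip": "10.0.5.21", "port": 23},
    {"ts": 3.0, "kind": "http_banner", "mac": "00:11:22:aa:bb:01", "ip": "10.0.5.21",
     "port": 80, "server": "lighttpd/1.4.35"},
    {"ts": 4.0, "kind": "mdns", "mac": "00:11:22:aa:bb:02", "ip": "10.0.5.40",
     "hostname": "ip-camera-lobby", "txt": {"model": "CamX200", "fw": "2.1.7"}},
    {"ts": 5.0, "kind": "tcp_synack", "mac": "00:11:22:aa:bb:02", "ip": "10.0.5.40", "port": 554},
]


def build_inventory(observations: List[dict]) -> Dict[str, AssetProfile]:
    """Merge observations into one profile per MAC, newest information winning."""
    inventory: Dict[str, AssetProfile] = {}
    for obs in sorted(observations, key=lambda o: o["ts"]):
        prof = inventory.setdefault(obs["mac"], AssetProfile(mac=obs["mac"]))
        prof.last_seen = max(prof.last_seen, obs["ts"])
        if obs.get("ip"):
            prof.ip = obs["ip"]
        kind = obs["kind"]
        if kind == "dhcp":
            prof.hostname = obs.get("hostname", prof.hostname)
            prof.os = obs.get("vendor_class", prof.os)
        elif kind == "tcp_synack":
            # A SYN/ACK from the device means the port is listening.
            prof.ports.add(obs["port"])
        elif kind == "http_banner":
            prof.ports.add(obs["port"])
            name, _, ver = obs["server"].partition("/")
            prof.applications.add(name)
            prof.version = ver or prof.version
        elif kind == "mdns":
            prof.hostname = obs.get("hostname", prof.hostname)
            txt = obs.get("txt", {})
            if "model" in txt:
                prof.applications.add(txt["model"])
            if "fw" in txt:
                prof.version = txt["fw"]
    return inventory


def incomplete_profiles(inventory: Dict[str, AssetProfile]) -> Dict[str, List[str]]:
    """Report which profile fields are still missing, so gaps can be closed."""
    gaps: Dict[str, List[str]] = {}
    for mac, prof in inventory.items():
        missing = [f for f in ("ip", "hostname", "os", "version") if not getattr(prof, f)]
        if not prof.ports:
            missing.append("ports")
        if missing:
            gaps[mac] = missing
    return gaps


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for prof in inv.values():
        print(prof)
    print("gaps:", incomplete_profiles(inv))
```

The gap report is the useful output for compliance work: a device that never sends DHCP or mDNS will have an empty `os` or `version` field, and that is exactly the device whose vulnerability status the vulnerability scanner cannot confirm either.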

By correlating the data provided by the passive scanning technology and the IT department’s vulnerability scanner, entities create a layered approach to endpoint security for a holistic risk management program. 

Analyze IoT Risk

As part of becoming compliant, entities should know their current IoT risk. To complete the initial risk assessment, entities should use their asset inventory and determine a security incident’s likelihood by understanding:

  • What devices contain vulnerabilities
  • If threat actors can use the devices in an attack
  • How an attack on those devices would impact service delivery

As part of maturing their compliance, entities should also be incorporating risk modeling into their procurement processes by:

  • Simulating device risk scenarios that calculate which configurations minimize risk
  • Identifying the configurations that will have the least risk impact within their unique environments
  • Comparing similar device types to find the ones that achieve business objectives while minimizing security risks

Identify and Remediate Vulnerabilities

As the threat landscape evolves, the organisation’s risk changes, meaning that security teams need to continuously monitor their IoT device fleets. Vulnerability management and monitoring are critical to any security program, as threat actors exploit security weaknesses to gain unauthorized access to systems, networks, and data.  

With a passive scanning solution, organisations gain visibility into the vulnerabilities impacting their environments. After identifying vulnerabilities, they need to remediate them, which becomes an overwhelming task when devices have different configurations or connect to network segments without access to the public internet. To prioritize their vulnerability remediation strategy, organisations should adopt solutions that enable them to analyze and leverage:

  • Security data that the manufacturer supplies
  • Open-source software components that developers used
  • Vulnerability criticality 
  • Attacker tactics, techniques, and procedures (TTPs) that can use the vulnerability

Further, with a tool designed for managing IoT device vulnerabilities, they should be able to review actionable recommendations that identify activities like:

  • Deactivating unneeded services to limit connectivity
  • Blocking risky ports using a Network Access Control (NAC) tool
  • Altering configurations to harden devices

Continuously Monitor IoT Devices

Incorporating IoT devices into the entity’s security program means continuously monitoring for anomalous behavior. To identify anomalous behavior, organisations need tools that understand their unique environments. To eliminate noise and focus on meaningful device alerts, entities should look for solutions that:

  • Identify suspicious activity deviating from normal behavior
  • Enable them to set smart policies aligned to unique threat detection needs
  • Integrate with their incident management platform or security information and event management (SIEM) tool
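The three points above (deviation from normal behaviour, environment-specific policies, and SIEM integration) map naturally onto a baseline-and-policy monitor. The following added example (not code from the article or from Asimily) learns each device's normal peers and traffic volume from a learning window of flow records, then evaluates live flows against that baseline plus a site policy that says which device classes may leave the internal address ranges and which peers are pre-approved. The flow records, device names, addresses and policy values are all constructed for the example; a real deployment would read flows from a passive sensor or flow logs.

```python
"""Baseline-and-deviation monitor for IoT device traffic (added example).

Flow records and policy values are constructed for illustration. Alerts are
emitted as JSON lines so they can be forwarded to a SIEM.
"""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Dict[str, object]
Peer = Tuple[str, int]

# Constructed learning-window flows: source device, destination, port, bytes.
LEARNING_FLOWS: List[Flow] = [
    {"src": "cam-01", "dst": "10.0.1.5", "dport": 554, "bytes": 4_000_000},   # video to NVR
    {"src": "cam-01", "dst": "10.0.1.10", "dport": 123, "bytes": 76},         # NTP
    {"src": "pump-03", "dst": "10.0.2.3", "dport": 443, "bytes": 5_200},      # telemetry server
]

# Constructed live flows to evaluate against the learned baseline.
LIVE_FLOWS: List[Flow] = [
    {"src": "cam-01", "dst": "10.0.1.5", "dport": 554, "bytes": 3_900_000},   # normal
    {"src": "cam-01", "dst": "203.0.113.9", "dport": 443, "bytes": 800},      # unknown external peer
    {"src": "cam-01", "dst": "10.0.1.5", "dport": 554, "bytes": 60_000_000},  # 15x usual volume
    {"src": "pump-03", "dst": "10.0.5.40", "dport": 23, "bytes": 120},        # new internal peer
    {"src": "pump-03", "dst": "10.0.9.9", "dport": 22, "bytes": 2_000},       # approved maintenance host
]

# Site-specific "smart policy" (constructed): internal ranges, devices that must
# never reach outside them, pre-approved peers, and the volume threshold.
POLICY = {
    "internal_networks": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "no_internet": {"cam-01", "pump-03"},
    "approved_peers": {("10.0.9.9", 22)},
    "volume_factor": 5,
}


class DeviceBaseline:
    def __init__(self) -> None:
        self.peers: Set[Peer] = set()   # (destination, port) pairs seen during learning
        self.max_bytes: int = 0         # largest single flow seen during learning


def learn(flows: List[Flow]) -> Dict[str, DeviceBaseline]:
    """Build a per-device baseline from the learning window."""
    baselines: Dict[str, DeviceBaseline] = defaultdict(DeviceBaseline)
    for f in flows:
        b = baselines[str(f["src"])]
        b.peers.add((str(f["dst"]), int(f["dport"])))
        b.max_bytes = max(b.max_bytes, int(f["bytes"]))
    return baselines


def is_internal(address: str, policy: dict) -> bool:
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(n) for n in policy["internal_networks"])


def make_alert(flow: Flow, rule: str, severity: str) -> dict:
    return {"device": flow["src"], "rule": rule, "severity": severity,
            "dst": flow["dst"], "dport": flow["dport"], "bytes": flow["bytes"]}


def evaluate(flow: Flow, baselines: Dict[str, DeviceBaseline], policy: dict) -> List[dict]:
    """Return zero or more alerts for a single flow."""
    src = str(flow["src"])
    peer: Peer = (str(flow["dst"]), int(flow["dport"]))
    if peer in policy["approved_peers"]:
        return []                                   # policy suppresses known-good traffic
    base = baselines.get(src)
    if base is None:
        return [make_alert(flow, "unknown_device", "medium")]
    alerts: List[dict] = []
    if peer not in base.peers:
        alerts.append(make_alert(flow, "new_peer", "low"))
    if src in policy["no_internet"] and not is_internal(peer[0], policy):
        alerts.append(make_alert(flow, "policy_egress", "high"))
    if base.max_bytes and int(flow["bytes"]) > policy["volume_factor"] * base.max_bytes:
        alerts.append(make_alert(flow, "volume", "medium"))
    return alerts


def monitor(live: List[Flow], baselines: Dict[str, DeviceBaseline], policy: dict) -> List[dict]:
    return [a for f in live for a in evaluate(f, baselines, policy)]


def to_siem_lines(alerts: List[dict]) -> List[str]:
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(monitor(LIVE_FLOWS, learn(LEARNING_FLOWS), POLICY)):
        print(line)
```

The internal ranges are listed explicitly in the policy rather than taken from a library's notion of "private" addresses, because what counts as internal is exactly the environment-specific knowledge the article says the tooling must capture; the approved-peer list is the mechanism that keeps a vendor's maintenance session from generating noise on every visit.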

Prepare Incident Response Plan

If an entity does experience an incident, it needs tools that enable it to meet the short notification timelines required by all Member States adopting NIS2. With IoT devices, this means ensuring that the solution they use for detection and response enables them to:

  • Capture traffic from any device at a centralized location and save it to the destination of their choice
  • Block services or ports from a single location
  • Quarantine compromised devices or segment them away from other assets quickly 

Report to Management

While securing the entity’s IoT fleet mitigates risks from threat actors, providing the appropriate reports to management mitigates risks from compliance violations. Senior leadership teams and directors need compliance reports that enable them to make data-driven, risk-informed decisions. 

They often need high-level visibility into the organisation’s security posture that contains technical information without focusing on low-level configuration data. 

For example, they need visibility into the number and severity of vulnerabilities, but they rarely need detailed information about the remediation action, such as applying a specific patch or closing a certain port.

In other cases, they may need aggregated data that gives them visibility into how well the organisation manages its risks. Instead of technical data listing all devices experiencing anomalous activity, they can use visualizations that provide information about activity categories to identify potential areas of improvement. For example, a report noting that insecure communications were their most prevalent anomaly category can help them decide to invest in a secure networking technology, like a Secure Access Service Edge (SASE).

Asimily: IoT Risk Management and Security Monitoring to Enable NIS2 Compliance

With Asimily’s patented vulnerability prioritization capabilities, organisations gain holistic visibility into all IoT devices connected to their networks so that vulnerability management, patch management, and security teams can begin working toward the comprehensive security program that NIS2 implementing acts will require. 

Organisations can efficiently identify high-risk vulnerabilities using our proprietary patented algorithm that cross-references vast amounts of data from resources like Manufacturer Disclosure Statements for Medical Device Security (MDS2s), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. By understanding an organisation’s unique environment, Asimily’s deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

To learn more about Asimily, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.