Cyber-resilience in industry

It is obvious that digitalization, connectivity, and automation are drivers of productivity and differentiation for industry. On the other side of the coin, however, are the cybersecurity risks. Cyberattacks against industry are causing losses of control over processes and products, as well as service disruption.

The problem becomes even more complex when industrial systems include elements of the Internet of Things (IoT).

Cyberattacks do not differentiate by the size of the business, the product being manufactured, or the position in the value chain within a particular sub-sector. All businesses are potential targets for organized perpetrators. Such cyberattacks have highly diverse motivations, including economic motives such as extortion or disrupting supply, or simply serving as a practice run for higher-impact targets in the future.

The European Union has put in place an integrated set of regulatory measures that seek to improve cyber-resilience in different sectors. The measures target the fortification of the protection of digital infrastructure, critical services, and supply chains against the constantly changing environment of cyber threats.

One of the cornerstones of this effort is the NIS2 Directive, which was adopted in 2022 to replace the original Network and Information Security Directive of 2016. NIS2 expands the regulatory framework to cover a range of other sectors such as healthcare, public administration, and energy. The directive introduces more robust cybersecurity risk management methods and more significant incident reporting for critical and essential organizations. The directive also places emphasis on further coordination and sharing of information between EU Member States for enhanced overall resilience of digital and critical infrastructures.

Another central feature of EU regulatory policy is the Cybersecurity Act, introduced in 2019. The law established the European Union Agency for Cybersecurity (ENISA) as a central body whose role is to provide advice and support in averting, discovering, and countering cyberattacks. The Cybersecurity Act also introduced a cybersecurity certification framework to ensure that ICT products, services, and processes meet high security standards, guaranteeing trust and security in the digital single market.

In the financial sector, the EU has enacted the Digital Operational Resilience Act (DORA), which falls under the broader Digital Finance Package. DORA focuses on the resilience of financial institutions such as banks and insurance companies against cyberattacks. It establishes ICT risk management measures, sets guidelines for ICT third-party service providers, and imposes an incident notification and threat evaluation mechanism so that business continuity is maintained when cyber incidents occur.

Protection of data is also an extremely significant part of the cyber-resilience policy of the EU. The General Data Protection Regulation (GDPR), enacted in 2018, establishes high standards for data security and privacy throughout the EU. The GDPR requires organizations to adopt adequate technical and organizational measures to guarantee data security, prescribes rigorous breach notification obligations, and introduces accountability frameworks for data controllers and processors. By ensuring personal data protection, the GDPR also enhances resilience against data breaches and other cyberattacks.

To safeguard key infrastructure, the EU has adopted the Critical Entities Resilience (CER) Directive. The aim of this directive is to strengthen the resilience of key entities in the transport, energy, and water sectors. The directive requires such entities to conduct risk analyses, implement resilience measures, and have incident reporting and response mechanisms in place. The CER Directive also encourages collaboration and information sharing among Member States for the purpose of countering physical and cyber threats to key infrastructure.

Another key initiative is the Joint Cyber Unit (JCU), whose role is to align the EU’s response to large-scale cyber incidents. The JCU facilitates cooperation between national cybersecurity authorities, ENISA, and CERT-EU (the Computer Emergency Response Team for EU Institutions). It enhances information exchange and improves response capacities to generate a consistent EU-wide response to cyber crises.

Finally, the European Cybersecurity Strategy, introduced in 2020, aims to protect citizens and businesses from cyberattacks. The strategy focuses on strengthening collective resilience to detect, respond to, and recover from cyberattacks. It also fosters international cooperation on cybersecurity and mobilizes support for research and innovation in cybersecurity technology to create a secure and resilient digital environment across the EU.

The ISO/IEC 27001 standard, which sets out the requirements for establishing, implementing, maintaining, and continually improving an information security management system, can serve as a handy guide. Risk management is advisable in any case, even for organizations that fall outside the scope of the NIS2 Directive, since it is always better to be safe than sorry.

For industrial companies whose products include digital components, the relevant references, in addition to the above, are the sectoral standards themselves (IEC 62443, ISO/IEC 27001, ISO 21434, etc.). All of them share one common requirement: a secure product development life cycle that considers both the product and the process by which it is developed.

Together, these regulatory strategies form a comprehensive framework that aims to address the complexity of modern cyber threats, ensure high levels of cyber-resilience, and facilitate cooperation between public and private players in Europe.