Operational Technology (OT) Cybersecurity

Operational Technology (OT) cybersecurity involves safeguarding the industrial assets and processes that operate on OT networks from cyber threats. These OT networks control and monitor physical devices and machinery across various sectors, such as manufacturing, energy, water, and transportation. A related term often used is Industrial Control Systems (ICS) cybersecurity, which refers to a major subset of OT.

OT cybersecurity is distinct from Information Technology (IT) cybersecurity. While OT cybersecurity protects the systems controlling physical processes, IT cybersecurity focuses on protecting data and information systems across domains like finance, healthcare, and education.

Internet of Things (IoT) and Industrial Internet of Things (IIoT)

The Internet of Things (IoT) describes a network of interconnected devices that collect and exchange data, integrating the physical world with computer systems. Common IoT devices in OT environments include label printers, handheld inventory scanners, sensors, cameras, and badge readers.

The Industrial Internet of Things (IIoT) applies IoT technology in industrial settings, using connected devices and sensors to optimize processes in manufacturing, the supply chain, and operations. Examples include sensors for predictive maintenance, remote monitoring, autonomous robots, smart meters, and asset trackers.

Interconnection of OT and IT

OT and IT cybersecurity are increasingly interconnected due to several trends:

Digital Transformation: The adoption of technologies like cloud computing, AI, and IoT to enhance productivity, quality, and innovation in industrial operations.

Business Integration: Aligning business objectives and processes between OT and IT to optimize resource utilization, reduce costs, and improve customer satisfaction.

Cyber Threat Landscape: The emergence of sophisticated cyber threats targeting both OT and IT networks, aiming to cause physical, financial, or reputational damage. (1)


New Legal Landscape for OT/ICS/IIoT Cybersecurity

Network and Information Security (NIS2)[1] and Critical Entities Resilience (CER)[2] Directives

The NIS2 directive (2022/2555) and CER (2022/2557) directive aim to reduce vulnerabilities and strengthen the resilience of critical and digital infrastructure against threats, including cyberattacks and physical hazards. These directives are effective, with full implementation into national law expected by October 2024.

NIS2 Directive expands the scope to include more businesses and sectors, such as energy, transport, healthcare, the food industry, and manufacturing. It requires these sectors to implement stringent cybersecurity measures.

The CER Directive focuses on protecting critical infrastructure from physical threats and defines the sectors deemed “critical”, which consist mainly of OT operators.

Cyber Resilience Act (CRA) Regulation

Passed by the European Parliament on 12 March 2024, the Cyber Resilience Act (CRA) aims to improve product security. It sets requirements for “products with digital elements” that contribute to their functionality and security.[3]

“Product with digital elements” means a software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately.

The CRA, effective from 2027, will be the first global regulation setting security requirements for the market entry of these products. Products without adequate security can no longer be sold in the EU. The CRA is extending the use of CE marking to digital products.

The requirements imposed on a product depend on its criticality. The strictest requirements, above all the mandatory verification of compliance with the cybersecurity requirements by a third-party conformity assessment, apply only to “important products with digital elements” and “critical products with digital elements”. These are listed in the annexes of the CRA and cover three product types:

Basic IT infrastructure: browsers, operating systems, routers, modems, switches, network management systems, boot managers, network interfaces and virtualization infrastructure.

Products with security functions: authentication systems, password managers, virus protection, VPN, SIEM, PKI, microprocessors, microcontrollers and other embedded systems with security functions, firewalls, IDS and IPS, smart home products with security functionalities, (including smart door locks, security cameras, baby monitoring systems and alarm systems), smart meter gateways within smart metering systems and hardware devices with security boxes, smartcards or similar devices, including secure elements.

Products recording personal data: Internet-connected toys that have social interactive features (e.g. speaking or filming) or location tracking features; personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose; and personal wearable products intended for use by and for children. (2)

Radio Equipment Directive (RED)[4]

The RED directive (2014/53) establishes a regulatory framework for radio equipment, ensuring safety, electromagnetic compatibility, and efficient use of the radio spectrum. It also covers privacy protection, personal data, fraud prevention, interoperability, and emergency service access. This is crucial for IoT and connected products that integrate wireless radios and network stacks like WiFi.

These matters are to be addressed by the harmonized standards prepared in support of the essential requirements. The original application date has been postponed by one year to 1 August 2025 (https://eur-lex.europa.eu/legal-content/SK/TXT/HTML/?uri=OJ:L_202302444).

Data Act (DA) Regulation[5]

Effective from 12 September 2025, the Data Act (Regulation 2023/2854) enhances data accessibility and usability, particularly industrial data. It grants users of connected products greater control over the data they generate and establishes conditions for data sharing. The act also includes measures to increase fairness and competition in the European cloud market and protects companies from unfair contractual terms related to data sharing. (3)


At PETERKA PARTNERS, our Cybersecurity, Data and Privacy team is equipped to help your OT organization understand and comply with these new regulations. For more information, please reach out to us.

_______________________________________________________________________________________________________________________________________________________

(1) https://www.dragos.com/blog/what-is-ot-cybersecurity/?utm_content=293354801&utm_medium=social&utm_source=linkedin&hss_channel=lcp-11050198

(2) https://industrialcyber.co/expert/what-the-cyber-resilience-act-requires-from-manufacturers/

(3) https://digital-strategy.ec.europa.eu/en/policies/data-act

[1] Text of the NIS2 directive is available at: https://eur-lex.europa.eu/eli/dir/2022/2555

[2] Text of the CER directive is available at: https://eur-lex.europa.eu/eli/dir/2022/2557/oj

[3] Text adopted by the European Parliament is available at: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf

[4] Consolidated text of the directive is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02014L0053-20231001

[5] Text of the regulation is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202302854
