NIS compliance 4.0
A pragmatic and comprehensive approach
Digitalization brings many benefits, but it also raises cybersecurity to a whole new level of importance. According to ENISA (the European Union Agency for Cybersecurity), cybersecurity is an essential prerequisite for any transition to Industry 4.0. This applies to all corporations, but even more so to operators of essential services.
Are you one of the corporations that provide essential services such as energy, transport or drinking water in Belgium? If so, you probably need to comply with the European Directive on the security of network and information systems (NIS), which has been transposed into Belgian legislation as of the 3rd of May 2019. For immediate and full NIS compliance, choose the exclusive solution provided by IC4, Siemens and Vandelanotte: “NIS compliance 4.0”.
It may also be beneficial if your corporation is not directly impacted by the NIS directive. Regardless of the legal aspect, this approach can be considered as a best practice in cybersecurity for both IT and OT. It is based on renowned international standards (ISO 27001 and IEC 62443).
Would you like to learn more about this approach?
No person or company is completely risk-free. It is not a question of if you will fall victim to a cyber-attack, it is a question of when. To be protected, technology is generally employed: for example, firewalls and anti-virus software. However, the main factor continues to be users. If they are not sufficiently aware of the risks, your company will remain an easy target for hackers. Therefore, it is extremely important to set up an organization in which responsibilities are clearly defined and to maximize employee awareness of cybersecurity. And you must always be prepared for the worst-case scenario. So an incident response plan is essential.
Kurt Callewaert, Head of Research Applied Computer Science at HOWEST
Most industrial corporations are already highly automated and feel ready to make the transition from Industry 3.0 to Industry 4.0. In this transformation, cybersecurity should always be their first priority. Innovative projects in areas such as data analytics, artificial intelligence, digital twins and IIoT will be all the more successful if they are built on a solid basis. Cybersecurity should be considered as the foundation of a skyscraper.
Augustijn Degrieck, Industry 4.0 specialist at Siemens
Your company doesn’t comply with NIS legislation? It could face severe penalties. Imprisonment, a fine of up to 50,000 euros (to be multiplied by 8) or an administrative penalty of up to 200,000 euros: these are the sort of things that we would rather avoid. Therefore, everyone in your organization must be aware of what is expected of them!
Nikolas Vandelanotte, CEO of Vandelanotte
How to become NIS compliant in 4 steps?
Operators of essential services have four steps to take to fully comply with Belgian NIS legislation.
Set up a reporting procedure
When a cybersecurity incident with a significant impact on the continuity of your essential service occurs in your (Belgian) company, you must report it to the CERT without delay, specifying the duration of the incident, the number of users affected and the geographical area concerned. You therefore need a dedicated incident reporting procedure; if one already exists, it may need to be enhanced to capture these parameters.
Establish an NIS policy to have effective protection
As an essential service provider, you must also establish and implement an NIS policy, i.e. a security policy setting out all the measures required to bring your company into compliance with the NIS directive on cybersecurity. This policy must comply with standard ISO/IEC 27001 and/or other international standards considered equivalent by the Belgian authorities.
The deadline was the 3rd of November 2020 for operators of essential services that had been explicitly designated by their sectoral authority by the 3rd of November 2019. This identification process was carried out in consultation with the Centre for Cyber Security Belgium and the Federal Public Service Interior.
Inform the data protection authorities
When requested by the Data Protection Authority or the equivalent body in your sector, you must provide your internal and external security audit reports within 30 days. You must also be able to provide a description of your corporate network and information systems, where applicable, and appoint an NIS officer and a DPO (data protection officer) as contact persons.
The description and designation of an NIS officer also had to be provided before the 3rd of February 2020 if you had already been identified as an operator of essential services on the 3rd of November 2019.
Organize internal and external audits
You are required to organize an annual internal audit of your cybersecurity. Every three years you must also have it audited by an external body: an ISO/IEC 17021 accredited certification body or BELAC, the Belgian accreditation organization, in accordance with standard ISO/IEC 17065.
The first internal audit should have taken place before the 3rd of February 2021, and the first external audit must be planned before the 3rd of February 2023, again provided that you were designated as an operator of essential services on the 3rd of November 2019.
To be compliant with the NIS Directive, you need to develop and implement a set of measures. Together with our two partners, we offer you pragmatic assistance, exclusive in the Belgian market, to help you get through each step with maximum efficiency. You can count on:
Respond accordingly and report incidents correctly to the CERT
Together with the IC4, Siemens helps you to draw up an incident response plan so that you take the appropriate actions and report incidents correctly: a detailed plan to detect and analyze each incident, limit its impact, repair the damage and take all necessary follow-up action, for in-depth cybersecurity.
Vandelanotte then helps you report the incident to the CERT in full compliance with the NIS Directive:
- Policies: what needs or does not need to be reported?
- Processes: what needs to be documented and who do you need to inform?
- Procedures: which documents need to be submitted and through which channel?
Define and implement your NIS policy
Together with the IC4 and Siemens, you draw up a description of your corporate network and information systems so that this information can be passed on should it be required. To define your NIS policy and reach the required level of cybersecurity, you must first analyze your current security situation. Here you can rely on the expertise of Siemens and our partners, the IC4 and Vandelanotte.
The IC4 begins with a risk assessment in accordance with ISO 27005 to identify the risks to which your IT and OT security is exposed. It then carries out an organizational gap analysis to determine which gaps need to be closed to make your IT and OT security compliant with the NIS Directive, using the ISO 27001 standard as the reference.
Siemens carries out a technological gap analysis of your OT security in accordance with standard IEC 62443-3-3 and (with IC4) of your IT security in accordance with ISO 27001.
Inform the data protection authorities correctly
With the support of Vandelanotte, you define the framework that will enable you to properly inform the Data Protection Authority and the equivalent sectoral authority:
- The necessary policies: what needs or does not need to be reported?
- The necessary processes: what needs to be documented and who do you need to inform?
- The necessary procedures: which documents need to be submitted and through which channel?
For us, “NIS compliance 4.0” was the ideal approach. It showed us exactly what we needed to do under the NIS legislation and helped us draw up a roadmap. By combining our in-house expertise with the expertise of the partners involved, we have effectively boosted the maturity of our company’s cybersecurity. Safeguarding the supply of drinking water is in the common interest of all citizens.
Gerd De Mey, ICT Manager at FARYS