Klaus Mochalski & Erwin Kruschitz (anapur AG) discuss the value of NIS2. Learn why intrusion detection isn’t the first step, how to avoid blind spots in compliance, and why OT security must start at the executive level.
Keywords
OT Cybersecurity, Regulation, NIDS, NIS2, Industrial Security, OT Risk Management, Cybersecurity Regulation, Anomaly Detection, Industrial Process Security, C-Level
Sound Bites
Klaus Mochalski: “A provocative question: Would IT/OT security, including the consulting firms in the market, exist today as we know it without regulation?”
Erwin Kruschitz: “My answer is yes, it would. It existed even before the laws [...] I often find that we’re asked here, for example, ‘Can’t you just come and tell us if we’re NIS2-compliant [...] and this compliance question then often leads to management systems [...] If the laws and audits didn’t exist, the work would likely be more substantive in nature and involve less paperwork, let’s put it that way.”
Klaus Mochalski: “Regarding intrusion detection systems, I gather that your recommendation here is quite clear: I generally install such a system in Step 3 and never in Step 1. And if I look at intrusion detection systems first, because I just happened to come across a brochure on the subject, then I’m doing something wrong. The first steps should definitely be different.”
Erwin Kruschitz: “In my view, a good starting point, and I’m grateful to NIS2 for this, is training for company executives, because the financial resources for OT security need to be allocated. There are frustrated engineers who say, ‘Yes, I’d love to do something, but I just don’t have the money.’ I’ve had quite a few of them sitting across from me, and that’s why I think this is a good first step.”
Erwin Kruschitz: “I don’t have to achieve the maximum level of OT security everywhere; instead, I apply the lever where the risks lie. [...] And once I’ve narrowed it down, that’s where I implement security measures, step by step, and in a way that allows me to actually operate them. After all, the most beautiful Ferrari is of no use to me if I don’t even have a driver’s license.”
Klaus Mochalski: “I’ve often heard the response, ‘We have to do the risk analysis.’ After that, the steps actually follow naturally, but the fact that you say the first step is to train management, I find that particularly compelling, and I think it’s a great conclusion. I believe everyone responsible for infrastructure within their organization, and ultimately, that’s the management team, should really make this a priority and ensure they build up expertise so they can make informed decisions.”
Chapters
00:00 Introduction and Erwin Kruschitz's Background
03:59 Regulation as a Driver for Industry Security Awareness
07:43 Benefits of Technical Guidelines like NIS2 and IEC 62443
10:31 Initial Steps for Companies: Training and Resources
15:18 Cost-Benefit Analysis of Attack Recognition Systems
17:48 Standardization and Best Practices in Attack Recognition
18:49 Step-by-Step Implementation and Management
21:14 Final Thoughts: Management's Role in OT Security