NIS2 as a real opportunity

Why NIS2 is not a compliance issue


Nobody likes to follow instructions – even if they are common sense – as long as there is no obligation to do so.

This is precisely why the NIS2 exists, which at a stroke imposes cyber security requirements not just on 5,000 critical systems in Germany, but on almost 30,000 companies of all kinds. And even though we Germans always insist on compliance with the law, grumbling has been spreading since the first drafts of NIS2. Suddenly, the annoying child of cyber security has become a duty for many. Worse still, cybersecurity even has to be implemented in areas that were previously given a wide berth: in industrial infrastructures and their OT networks.


The desire for entrepreneurial self-preservation and success alone should be enough to deal with OT security in accordance with NIS2. Compliance is only an afterthought, a side effect. The background to the NIS2 requirements for consistent, holistic and firmly anchored cyber security must be taken seriously: they are not based on the backward-looking “nothing has happened so far”, but on current trends such as artificial intelligence, deep fakes and malware-free cyber attacks. It is realpolitik with a clear view of the existing and upcoming geopolitical crises.

Are we waiting for Godot?

Unfortunately, this discussion is only taking place in Germany to a limited extent and with the necessary depth of detail. Even the responsible authorities and ministries remain rather vague (or silent) when it comes to cyber risks that go beyond ransomware crime. Search for “living-off-the-land” (LOTL) on the BSI website. This describes the trend of carrying out cyberattacks without malware and instead abusing the systems and opportunities found in the respective target network. The problem with this? Firewalls, virus scanners and the entire access management system can’t see any of it.

In July 2024, the BSI published a rather philosophical essay on the topic of “prepositioning”, which is becoming increasingly relevant in the current geopolitical tensions. Prepositioning describes the long-term strategy of quietly and secretly infiltrating networks, establishing oneself as a legitimate user and positioning oneself in such a way that one can strike quickly and effectively at a future point in time. Instead of providing clear instructions for action, the BSI degraded itself with the statement “The BSI must rely on well-founded reports from partners and service providers for this assessment due to a lack of its own competence and perspective”. How are German companies supposed to remain capable of acting?

The tunnels behind your own lines

As is so often the case, it helps to look across the pond when assessing the threat situation. Back in May 2023, the Cybersecurity & Infrastructure Security Agency (CISA) warned of the increasing use of LOTL techniques by Chinese advanced persistent threats (APTs) and included a number of artifacts for identification. This was followed in February 2024 by an analysis of the APT Volt Typhoon – presumably supported by the Chinese government – entitled “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure”. Volt Typhoon is known for its highly professional and long-term use of LOTL techniques. Apparently, APT activities were found in several networks, especially in critical facilities.

Based on the techniques used and the identification of already compromised networks, CISA has come to the conclusion that Volt Typhoon has very probably been sitting and waiting in many networks for a long time (sometimes several years) – in other words, pre-positioning itself. They have hijacked existing accounts via phishing and password spraying, acquired administration rights, and spread and anchored themselves laterally and horizontally in the networks. The movements were primarily in the direction of OT. In its February 2024 advisory on Volt Typhoon, CISA writes: “The choice of targets and the pattern of behavior do not correspond to traditional cyber espionage or intelligence operations. The U.S. authorities who authored this report believe with high confidence that Volt Typhoon actors are positioning themselves in IT networks to enable the disruption of OT functions in multiple critical infrastructure areas”.

What to do?

In Germany, on the other hand, the assessment remains extremely vague. The BSI refers to possible geographical differences in the threat situation. As if Germany, as an alliance partner of the USA, is far removed from all of this. There is no digital ocean between the countries.

To take up the cudgels for the German authorities at this point, they have at least been developing sensible specifications and guidelines for years, according to which IT and OT can be protected against professional cyber attacks. From IT baseline protection and the ICS Security Compendium to guidance on the “Use of attack detection systems”, there is certainly technical guidance available. Unfortunately, these are often placed primarily in the context of compliance issues. They should be self-evident signposts for cyber security teams, but this requires a clear understanding of the threat situation.

It would therefore make sense to talk about the limited effectiveness of firewalls and other perimeter protection when attackers use zero-day vulnerabilities, LOTL techniques, spearphishing and social engineering. These techniques simply undermine firewalls and the like. When looking for a solution, it helps to take another look at CISA.

The need for a 2nd line of defense

In a 2021 report titled “Ongoing Cyber Threats to U.S. Water and Wastewater Systems,” CISA rightly cites security monitoring of industrial networks as the first mitigation measure when actors are already on the network. Monitoring allows security personnel to detect communication patterns and activities that are unusual for their OT networks, even if the attackers are using LOTL techniques. Such indicators include:

  • unknown, new connections of a host within the OT network, from IT to OT and to external sources,
  • unusual requests from hosts,
  • unusual data transfers, especially to external proxies,
  • unexpected changes to functions and parameters,
  • access to OT systems by unauthorized hosts (i.e. hosts not previously seen on this connection), even if this is done via accounts legitimized within the company,
  • unsuccessful login attempts as a result of password spraying activities,
  • access to industrial control systems at unusual times, which may indicate that a legitimate user’s credentials have been compromised, and
  • inexplicable restarts of SCADA systems.

OT security monitoring is therefore the plan B for companies to stay in control if the intruder is already inside (Fig. 3). It allows cybersecurity personnel to track the intruders’ moves, locate their hiding places, expose their activities, anticipate their next moves and – ultimately – stop them before a devastating disruption occurs.

With regard to the capabilities of state-supported APTs, it makes sense to communicate NIS2 within the company as a real opportunity and not just a constraint. The objective of APTs to spread and anchor themselves in OT networks for prepositioning should also drive the paradigm shift that there is no such thing as 100% security. Security monitoring forms the 2nd line of defense necessary for this, providing visibility and detection of malicious activity within networks when firewalls and the like have been caught off guard.

Dr. Frank Stummer, Co-Founder & Business Development, Rhebo GmbH
