The effect of the IT/OT gap on the NIS 2 implementation

Andersson, Niklas

January 2023

Cyber attacks are steadily increasing, and their impact is becoming more significant. To combat this, the European Union has created directives to enhance the cyber security in critical services in the Union, one example being the NIS 2 directive. The directive comes into force during the fourth industrial revolution, where the Operational Technology (OT) is connected to the Information Technology (IT). This creates new vulnerabilities in the OT environments since they can now suffer from cyber attacks. The historical ways of securing OT and IT environments differ, which has caused what is called the IT/OT gap now that they are converging. In order to implement the NIS 2 directive and to enhance the cyber security of the entire organization, the IT/OT gap needs to be minimized. The problem this study then aims to investigate is how the effects of the IT/OT gap can be reduced in the implementation of the NIS 2 directive. This was done by answering the research question: To what extent is the IT/OT gap a challenge for the implementation of the NIS 2 directive in Sweden? The sub-question: In what areas is the IT/OT gap problematic for the implementation of the NIS 2 directive in Sweden? To gain an answer to the research question semi-structured interviews were conducted with respondents with knowledge in IT and OT security as well as the NIS 2 directive. The interviews were transcribed and analyzed using a thematic analysis. The thematic analysis resulted in 6 themes, Need for technical solutions, Lacking resources, Differences in security culture, Lack of cooperation, Supervisory authority and Standards, and six subthemes. The result showed that the IT/OT gap is a challenge for the implementation of the NIS 2 directive in a varying degree depending on the company. Further, it was shown that the IT/OT gap is most likely a problem in the areas regarding the supervisory authority, lacking resources, and cooperation. To comply with the directive and, more importantly, raise the level of cyber security, organizations and companies must handle all their risk in both IT and OT environments. The OT and IT personnel will need to talk to each other and collaborate to do it, and that might be a significant first step to minimizing the IT/OT gap in the long term.

NIS2 Directive

IT/OT gap

OT security

IT security

Computer Sciences

Datavetenskap (datalogi)

The impact of the NIS 2 directive on subcontractors in the transportation sector

Sandström, Isabel

January 2024

This study examines the impact of the NIS2 Directive on subcontractors in the transport sector, a critical infrastructure. By focusing on small and medium-sized enterprises (SMEs) operating as subcontractors, the study analyzes the challenges and obstacles these companies face in implementing the NIS2 requirements in their supply chain. The study also highlights the strategies used to ensure adequate cyber security within the transport sector's supply chain. A qualitative research method was used, where data was collected through semi-structured in-depth interviews and document analysis. The results show that companies with ISO/IEC 27001 certification have a solid foundation to meet the NIS2 requirements, while companies without such certification face greater challenges. The study also identifies the need for cooperation and knowledge sharing between companies to effectively navigate the new regulations and strengthen collective cyber security within the EU. The conclusions show that the NIS2 directive will require significant adaptations for SMEs, but also that it offers opportunities to improve their cyber security capabilities and strengthen the trust of customers and partners. The study emphasizes the importance of implementing robust information security to ensure continuity and protection of critical services, and that proactive adaptation and collaboration are key to achieving full compliance with NIS2 requirements.

NIS2 directive

Cyber security

Subcontractors

The transport sector

Information security

ISO/IEC 27001

Supply chain

Risk management

Incident management

NIS2-direktivet

Cybersäkerhet

Underleverantörer

Transportsektorn

Informationssäkerhet

ISO/IEC 27001

leverantörskedja

Riskhantering

Incidenthantering

Other Engineering and Technologies

Annan teknik