Cyberattacks are alarmingly on the rise. A recent EnergiCERT report reveals that cyber threats to the energy sector doubled between 2020 and 2022, resulting in 48 successful cyberattacks against European energy and utility companies (15 of which impacted OT networks). Every segment of DSO infrastructure in the EU is increasingly targeted by DDoS, ransomware and data theft schemes, resulting in an increase from 9.8 percent to 46.5 percent of all global targets during six months in 2023. What is more, an IBM report estimates the cost of a data breach at 5.5 million USD in 2024 (a 25% increase) for the world energy sector, which also shows the economic impact of cybersecurity.
Utilities are a cornerstone of critical infrastructure, essential for maintaining society’s fundamental needs. Even minor service disruptions can lead to severe repercussions for related industries and individuals. For instance, transmission and distribution infrastructure must be continuously monitored to keep system loads and renewable generation balanced and the whole system stable. As a result, the energy sector depends heavily on digital systems and digital communication for crucial decision-making, which unfortunately creates vulnerabilities in its reporting and control mechanisms. These weaknesses can be exploited during cyberattacks, potentially resulting in catastrophic outcomes such as blackouts and systemic instability.
Overview of the NIS2 Directive
The NIS2 Directive, officially introduced by the European Union, represents a significant step forward in enhancing cybersecurity resilience within critical infrastructure sectors including energy, water, transport, and healthcare. Its primary objective is to fortify these essential services against a growing landscape of cyber threats, ensuring that they can continue to function reliably and securely in the face of potential disruptions.
In its scope, the NIS2 Directive recognizes the interdependencies of various systems and technologies that form the backbone of our infrastructure. While it primarily targets high-level ICT systems—such as SCADA servers—it also encompasses a wider array of operational network devices. This includes thousands of Remote Terminal Units (RTUs), gateways, and communication units from different vendors installed in the transmission and distribution substations that are crucial to daily system operations. By underscoring the importance of these devices, the directive emphasizes that robust cybersecurity practices must be embedded at all levels of the operational landscape, beyond just the more visible, high-level systems.

Key challenges of securing RTUs
Securing RTUs is essential in today’s interconnected landscape. By effectively addressing the unique challenges at hand, we can ensure compliance with the NIS2 Directive, which is vital for bolstering our cybersecurity. Prioritizing the security of these units not only protects systems but also enhances our overall cybersecurity integrity, reducing the risk of vulnerabilities and safeguarding against potential threats. Investing in robust RTU security measures is not just a requirement, it’s a necessity for a resilient and secure operational framework.
Securing RTUs presents a unique set of challenges that must be navigated to comply with the NIS2 Directive while ensuring overall cybersecurity integrity.
- Mass remote deployment
Thousands of RTUs with communication devices like 3G/4G routers are often installed in remote locations with varying levels of network connectivity, which makes regular physical access for maintenance, security updates, or incident response logistically challenging. This inconsistency can hinder the ability to monitor, update, and protect devices effectively, delaying necessary interventions and increasing the risk of prolonged exposure to threats. Remote installation also makes the devices susceptible to physical attacks: for example, the SIM card or router could be stolen, giving access to the OT network inside the private APN. Protecting these devices from tampering or theft is as crucial as securing them digitally.
- Lack of over-the-air software and configuration update mechanisms
A significant number of RTUs were not designed with modern cybersecurity practices in mind, leading to a lack of support for secure remote firmware and configuration updates. This presents a severe vulnerability, as devices that cannot be updated remotely may remain open to exploitation due to outdated software. The lack of centralized and automated password management systems leads to a higher probability of vendor-default and public passwords being used.

- Legacy systems
Many older RTUs with limited processing power, memory and storage may lack the built-in security capabilities necessary to defend against contemporary cyber threats. These legacy systems often fall short in implementing modern encryption protocols, authentication measures, and intrusion detection systems, rendering them more susceptible to attacks.
- Diverse manufacturers
The RTU market is populated by a variety of vendors, each with their own approaches to device security. This diversity complicates the standardization of security measures across different devices, creating gaps that malicious actors can exploit. Adhering to the NIS2 Directive requires RTU operators to implement strict security protocols and reporting mechanisms. Understanding and meeting these requirements can be a challenge, especially for organizations with limited cybersecurity expertise.
- Underestimation of cyber threats
There is often a prevailing misconception that physical security is sufficient, leading to an underestimation of the cyber threats that can target RTUs. This lack of awareness can result in a failure to prioritize necessary cybersecurity measures. The evolving nature of cyber threats, such as malware attacks, phishing attempts, and DDoS attacks, means that RTU security measures must continuously adapt and update. Keeping abreast of the latest threats and vulnerabilities is essential to protect against attacks.
Addressing these challenges requires a comprehensive approach that includes investment in technology, ongoing training for personnel, and the development of clear policies that prioritize security and regulatory compliance.

NIS2 requirements for cybersecurity and RTU compliance
The NIS2 Directive imposes several critical requirements that organizations must meet to ensure compliance, particularly in relation to RTUs and similar devices:
- Risk management
Organizations are mandated to implement a systematic risk management framework specific to cybersecurity vulnerabilities. This entails assessing potential risks associated with RTUs and establishing protocols to mitigate them effectively.
- Incident detection and reporting
The directive emphasizes the importance of establishing mechanisms for the rapid detection of security incidents. Organizations must have processes in place for promptly reporting these incidents to competent authorities, thereby fostering accountability and enabling a coordinated response to threats.
- Supply chain security
A crucial aspect of NIS2 is the requirement that organizations assess and ensure compliance of their entire supply chain with cybersecurity standards. This encompasses all third-party vendors, including manufacturers of RTUs and communication devices, underscoring the need for comprehensive security practices throughout the supply chain.
For further information on the implications of NIS2 for critical infrastructure compliance, additional resources can be found in reports published by the European Union Agency for Cybersecurity (ENISA NIS2 awareness materials), which include compliance guidelines and best practices.

How does Netcontrol deliver NIS2 compliance for its own RTUs?
The importance of securing RTUs and communication devices extends beyond merely adhering to the NIS2 Directive. Effective cybersecurity for these devices is critical for minimizing operational risks, preventing expensive downtimes, and ensuring the continuity of services that society relies on daily. A sophisticated cybersecurity framework not only protects commands and controls but also safeguards the data integrity essential for decision-making processes.
For over 30 years, Netcontrol has been an agent of change, transforming electricity network management. Our cybersecurity-oriented commitment is described in three words: “Securing your control”. From the beginning, our organization has operated with a proactive mindset focused on resilience, rather than a reactive one that addresses problems post-incident.
To navigate the path toward NIS2 compliance successfully, utilities and maintenance teams should take immediate action by focusing on several strategic initiatives. Netcontrol accompanies its partners, delivering the tools, technologies, and insights they need to manage their networks and devices with confidence.
- Centralized device management
Implementing a centralized management system allows for streamlined monitoring and maintenance of RTUs and other field devices, facilitating regular security assessments and updates. Our ONE service and Netcon Application Manager (NAM) provide centralized monitoring, backup and security management for large fleets of RTUs, streamlining compliance and reducing operational complexity.
- Securing communication channels
Employ encryption and secure protocols to safeguard data transmissions between RTUs and central servers, reducing the risk of interception. All Netcontrol RTUs, such as the Netcon 200, support an internal firewall and port hardening in parallel with VPN tunneling and secured SCADA communications in compliance with IEC 62351. The cybersecurity toolkit also includes dedicated services protecting against DDoS attacks and filesystem intrusion detection, which become crucial in a system-wide cybersecurity implementation by securing each individual device.
- Automating security updates
Establish processes that enable automated, secure updates for firmware and software on RTUs. This minimizes human error and ensures all devices are equipped with the latest security patches. NAM addresses all of the above-mentioned requirements, delivering a scalable solution that enables seamless deployment, observability, updates, and continuous backup for all Netcon devices. Moreover, regularly released and digitally signed OS patches keep Netcontrol devices up to date and secure in a fast-changing digital environment.
In conclusion, the NIS2 Directive serves as a pivotal framework in advancing cybersecurity resilience for critical infrastructure. By addressing the unique challenges associated with securing RTUs and ensuring comprehensive compliance with NIS2 requirements, utilities can safeguard their operations against increasingly sophisticated cyber threats while contributing to the integrity of public services. The path to enhanced cybersecurity involves not only adherence to regulatory mandates but also a commitment to ongoing improvement in security practices to create a safer operational environment.
Netcontrol supports its partners with a wide service portfolio that brings solutions aligned with the NIS2 Directive. The VALVOT & DOME services offer real-time cybersecurity monitoring and predictive maintenance, while the ONE service keeps all your Netcon devices secure and up to date using centralized asset management.

Author
Roman Jaloza is a Product Manager at Netcontrol. He joined the company in 2024 and has worked in R&D and sales in the global network automation business since 2010.


