Europe has taken the initiative from the US in OT security. The Cyber Resilience Act (CRA) and NIS2 Directive will impact vendors, integrators, and asset owners who are active in the EU. And I’m standing on the outside watching with great interest.
I was invited to be on a podcast to discuss the CRA. Pass. I’m not qualified. Sure I understand the basics, can explain it in broad terms, and have a meaningful conversation on the topic. I’m not informed and current enough to be handing out advice on how to comply with these regulations.
This is still very new and full of learning and changing interpretations and requirements. Different approaches in different EU countries. I even hear people who I consider qualified experts on one or both of these regulations taking different positions. You should be living and breathing this as your main work project to be telling podcast listeners or asset owners what they need to do to be compliant.
It reminds me of the NERC CIP regulatory experience. In 2006 – 2008 my team and I did CIP consulting projects to help asset owners prepare and pre-audit their systems. It was loose back then and unclear what compliance meant. If you had a reasonable argument and supporting documentation on compliance, all was good. Things started changing in 2009, and you needed to be full-time NERC CIP to credibly give advice and help companies meet the regulations and pass an audit.
We bailed on that work. It was decent business, but not much fun. We haven’t done another NERC CIP project since then. It seems to me, as an outsider, that CRA and NIS2 are entering this point.
The other lesson from NERC CIP was that addressing the regulation (regulatory risk) boxed out every other OT security project. I had electric sector clients that had made great strides and had sensible plans to address OT cyber risk over the previous 5 years (2004 – 2008). Those plans were abandoned to … what do we have to do to meet NERC CIP?
Regulatory Risk trumped OT Cyber Risk.
Not because the risk was higher. Although it was unclear at the time, the number and amount of NERC CIP fines has been laughably small. Executives understood regulatory risk and non-compliance was not even a consideration.
Finding ways to minimize the spending on regulation was also the norm that applied to NERC CIP. An unintended consequence was that OT cybersecurity spending on anything not required for NERC CIP ended. Why should we spend money on that? The regulator said it wasn’t required. In many electric utilities it was ~10 years before they started looking at OT cyber risk again.
NERC CIP did raise the OT cybersecurity floor. Utilities that were doing little or nothing definitely were forced to improve. It was a hugely inefficient way of raising the floor and slowed progress for all but the laggards.
The European experience with CRA and NIS2 could be, and hopefully will be, completely different than NERC CIP. It is 15+ years later, and the OT security community and knowledge base is more mature. I’ll be watching and learning.