
Regulatory compliance is an increasingly daunting challenge for manufacturers as governmental bodies and standards organizations step up requirements for the management and security of operational technology (OT).
One major issue is that manufacturers rarely update OT or industrial control systems (ICS). For instance, manufacturers rarely refresh computers that operate in Levels 2, 3 and 3.5 of the Purdue Model. Those devices run equipment-specific monitoring and control software on Windows or Linux and interact with the physical objects or materials at Purdue levels 0 and 1.
In industrial environments, the stability of the manufacturing environment is paramount. The potential for an upgrade to break the interaction that Level 2 and 3 devices have with Level 0 and 1 devices is too risky for most manufacturers. A broken connection could shut a production system down altogether. It could also cost a manufacturer compliance certification and lead to fines and penalties.
Running afoul of regulations can have severe financial consequences, but compliance isn’t just a matter of fulfilling government requirements. Running OT systems that are compliant with regulations is also a good way for manufacturers to ensure that their systems are resilient and can survive cyberthreats that are constantly evolving and proliferating.

A broad look at the compliance landscape for manufacturers
Among many compliance regulations dealing with the cyber resilience of manufacturing environments, here are three of the most important ones that pose challenges for manufacturers:
NIS 2 Directive
The NIS 2 (Network and Information Systems) Directive is a European Union regulation that aims to enhance the security of network and information systems across the EU. It builds on the original NIS Directive and introduces more stringent requirements for a broader range of sectors, including energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure and public administration.
Compared to the first version of NIS, NIS 2 applies to a wider range of entities. The original NIS Directive focused on critical sectors such as energy, transportation, water, banking, finance, health and digital infrastructure. NIS 2 applies to a broader range of organizations, including those in water and food supply, as well as postal and courier services, and the digital infrastructure sector. The directive mandates risk assessments, incident reporting and the implementation of data protection and security measures.
This regulation has financial bite for noncompliance, and penalties for executives whose organizations run afoul of compliance requirements. Failure to comply with NIS 2 can result in significant fines, which vary by member state but can be up to €10 million or 2% of global annual turnover, whichever is higher. NIS 2 also gets personal: Executives can face financial and even criminal liability for failing to follow regulations.
ISA/IEC 62443
ISA/IEC 62443 is a series of international standards for the security of industrial automation and control systems (IACS). Widely followed in the industrial sector, it provides a framework for securing systems against cyberthreats.
These standards focus on ICS security, including systems used in manufacturing, energy and critical infrastructure, among other sectors. They include guidelines for risk assessment, security policies and technical measures to protect against cyberthreats.
This voluntary but widely followed set of standards does not specify amounts of fines for noncompliance. However, failure to follow ISA/IEC 62443 can lead to severe consequences. They include:
- Fines for noncompliance with regulations that reference ISA/IEC 62443, including NIS 2.
- Lost deals where bids are disqualified if manufacturers can’t attest compliance.
- Contract violations when compliance is a stipulation in the contract.
- Increased risk of lawsuits.
- Difficulty qualifying for cyber insurance.
Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) program is a framework established by the U.S. Department of Defense (DoD) to ensure that defense contractors and subcontractors practice a satisfactory level of cybersecurity. The program aims to strengthen the cybersecurity of the defense industrial base (DIB) and protect sensitive unclassified information.
The CMMC ensures that contractors and subcontractors meet specific cybersecurity standards, which can become extremely complex depending on the type and sensitivity of the information they handle. The framework is designed to progressively improve cybersecurity measures and reduce the risk of data breaches and unauthorized access.
Failure to comply with CMMC requirements can result in negative consequences, including loss of government contracts and damage to a manufacturer’s reputation in a market where security and trustworthiness are paramount.
The General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a comprehensive data privacy and security law implemented by the European Union in May 2018. It applies to any organization, regardless of location, that processes the personal data of individuals residing in the EU. The GDPR sets out strict requirements for how personal data must be collected, processed, stored and erased. Organizations must obtain clear consent for data processing, provide transparent information about data use, and ensure that robust security measures are in place.
Non-compliance with GDPR can result in severe financial penalties. For the most flagrant violations, the regulation stipulates fines of up to €20 million or 4% of a company's total global annual turnover, whichever is higher. Lesser violations can result in fines of up to €10 million or 2% of annual global revenue.
Why manufacturers struggle with OT compliance
OT systems exist to manage production as efficiently and with as little downtime as possible. Unlike IT systems, OT systems don’t need constant updating to continue to work properly.
Many manufacturers run OT systems on Windows XP, an operating system that’s nearly 25 years old and that Microsoft hasn’t supported since 2009. Microsoft has not issued security patches or bug fixes for Windows XP in more than a decade and a half.
On the compliance front, many regulations mandate data protection capabilities that older OT systems just don’t have, and bringing systems up to date is too disruptive for manufacturers to consider. Data and systems recovery is a particular sticking point. Many regulations stipulate that OT environments have plans that enable fast recovery, but many industrial systems lack automated backup solutions.
Manufacturers need operational resilience
Failing to back up OT systems adequately can lead to steep financial penalties for noncompliance, and other consequences such as canceled contracts. It can also lead to other negative outcomes, including loss of reputation and a lack of confidence among customers and supply-chain partners.
A cyberattack that knocked systems offline for days or weeks could financially cripple a manufacturer or even put it out of business. Manufacturers need to recover immediately from incidents with reliable data and working production systems. So, compliance isn’t just a way of avoiding fines or penalties. It’s a measuring stick manufacturers can use to ensure that their OT environments are secure and can recover quickly from an outage, whether caused by cyberattack, hardware failure, software problem or operator error.
The bottom line is that compliant manufacturers know that they have the operational resilience to recover quickly and continue with production, regardless of the cause of downtime.
How Acronis Cyber Protect for Operational Technology helps OT organizations meet cybersecurity regulations
Manufacturers need compliant backup and recovery capabilities that will deliver resilience but won’t cost them downtime or negatively impact their operations. Acronis Cyber Protect for Operational Technology delivers capabilities that enable manufacturers to develop business resilience and meet compliance requirements:
- Automated backup that aligns with the resiliency requirements laid out in the NIS 2 and IEC 62443 standards.
- Forensic backup that preserves digital evidence of data as it existed prior to an incident.
- Integrated cybersecurity and backup that simplifies regulatory reporting and audit readiness.
Other features that are essential for manufacturing compliance include:
Universal Restore: Universal Restore makes it possible to restore legacy operating systems, applications and data to new hardware with the necessary drivers installed. Manufacturers can back up and recover systems to new PC hardware, even if the original was running on a very old system.
One-Click Recovery: With One-Click Recovery, non-IT staffers, e.g., plant-level OT engineers without any IT skills, can quickly restore failed OT systems mere minutes after an incident. Manufacturers can reduce downtime and get production systems back up and online without the need to wait for central IT to dispatch a technician.
Backup without downtime: Acronis Cyber Protect for Operational Technology conducts backups without taking an OT system offline or rebooting it, so critical cyber resilience processes do not disrupt production.
Compliance is more than a regulatory requirement
Governments and standards bodies aren’t likely to make regulatory compliance any easier for manufacturers. If anything, they’ll continue to tighten requirements and increase penalties.
But there’s more to compliance than avoiding fines and penalties. Compliant manufacturers know they need business resilience to survive incidents without costly interruptions. Acronis Cyber Protect for Operational Technology delivers automated backup and recovery that manufacturers need to balance resilience with uptime.
About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.