by Panagiota Lagou, ADACOM Senior Manager, Cyber Security Consulting
With the NIS2 Directive (Network and Information Security Directive) in place and local legislation aligning with it still pending, organizations are working carefully to study the specifications and implement the necessary measures.
The starting point for each organization to achieve compliance should be an analysis of the criteria that define an organization as critical infrastructure, together with a Gap Analysis of its internal cybersecurity governance and implementation against the relevant provisions. It is important to note that the Gap Analysis defines the scope of the compliance project, from both an operational and a technological perspective. The technological environment will include not only Information Technology (IT) systems but also the systems that support operational functions (OT – Operational Technology). This phase is crucial because it helps management identify gaps and prioritize the actions and investments required to meet the relevant provisions.
Following the Gap Analysis, a Cybersecurity Governance model must be designed through the development of policies and procedures that demonstrate the management's commitment and support for cybersecurity. These policies and procedures will define the technical and organizational measures that must be implemented. At this stage, it is essential to identify the necessary roles and responsibilities for cybersecurity, with the most important being the role of the Information Security Officer (ISO). The ISO will be responsible not only for implementing the desired level of cybersecurity but also for monitoring, maintaining, and improving it.
In line with the required security measures for NIS2 compliance, the organization should proceed with the adoption of the necessary technological solutions for both IT and OT environments. Based on our experience with similar studies, we have identified some critical areas where security controls must be prioritized and enforced to protect critical infrastructures.
A key area is access control to the organization's network and systems. Technological environments are becoming increasingly complex, and managing access is becoming more difficult, particularly access through system accounts and accounts with elevated privileges. Therefore, it is essential to evaluate the integration of a central Privileged Access Management (PAM) solution, through which access will be controlled and monitored.
Given the constantly evolving threat landscape, automatic monitoring of network traffic and log files from both IT and OT systems is deemed necessary for the early detection and mitigation of attacks. This need is addressed by a Security Operations Center (SOC) service and is further enhanced with the adoption of EDR (Endpoint Detection and Response) solutions. Using the appropriate technological tools, this approach supports faster and more efficient decision-making when managing attacks and security breaches. These systems are strengthened with the use of Artificial Intelligence (AI) for even better results.
Lastly, technical measures must be implemented to protect information transmitted both internally and externally by the organization, as well as the end devices where this information is stored. With modern infrastructures, manual methods are no longer sufficient. Tools such as Mobile Device Management (MDM), Data Leakage Prevention (DLP), anti-malware, and encryption are essential to ensure the protection of sensitive information during its transfer and storage.
In this journey, ADACOM provides supporting services as well as relevant technological solutions to fully meet the needs of organizations, both in the initial implementation phase and in the maintenance and improvement of the cybersecurity level that will be enforced. With a methodology that aligns with globally recognized best practices and standards and with specialized personnel and many years of experience in the field of cybersecurity, ADACOM can enhance critical infrastructures across their entire operational scope.