With the new cybersecurity law, NIS 2 has been transposed into national German law and is increasingly coming into focus for companies. We have already addressed the Directive and its effects in several articles. In its #NIS2know article series, the BSI has now covered the topic of "Security Measures and Vulnerability Management." Reason enough to take a closer look at the specific requirements that result from it and what matters now.
The most important things in brief
- NIS2 requires security measures across the entire life cycle of systems and processes — from procurement to end of life. The focus is in particular on ongoing operations.
- The BSI highlights seven indispensable security measures for ongoing operations, such as configuration management and patch and update management.
- Structured vulnerability management is essential for the ongoing review and development of security measures: Security gaps must be identified, evaluated, prioritized, resolved and comprehensibly documented at an early stage.
- It is not individual measures that are decisive for implementation, but clear processes, fixed responsibilities and a security organization that also functions sustainably in everyday life.
SOFTTAILOR helps you translate NIS2 security requirements such as patch management, client hardening (configuration management) and the secure operation of end devices into consistent IT processes.
1 What are NIS-2 security measures?
In its #NIS2know series, the BSI highlights security measures relating to IT systems and focuses in particular on vulnerability management. The article makes it clear that NIS 2 does not look at security in isolation, but places it in the context of the entire life cycle of systems and processes. For many companies, the requirements for secure operation are particularly relevant.
Security must be considered throughout the entire life cycle
Secure handling of systems and processes must be considered throughout their use, from purchase to the end of the life cycle. For many companies, however, the focus is primarily on secure ongoing operation. This is exactly where it becomes visible whether security requirements are actually applied in everyday work. This includes configuration management, regulated changes, regular security checks, patch and update management, and the protection of systems and networks. It is particularly evident when it comes to vulnerability management.
Vulnerability management is a key component
Companies must be able to identify, evaluate and fix known security gaps at an early stage. One-time checks are not enough because threats and attack methods are constantly evolving. Regular maintenance, updates and security checks are therefore crucial to keep systems resilient and avoid operational interruptions as far as possible.
In addition, vulnerabilities must not only be considered internally. Disclosure is particularly important when third parties could be affected or compromised by a security vulnerability. But even with purely internal systems, it can be useful to report identified vulnerabilities to manufacturers or competent authorities. Vulnerability management thus serves not only to protect oneself, but also to minimize risks for third parties and to ensure that information security is handled responsibly.
2 For which companies are the requirements relevant?
According to the BSI contribution, these requirements do not apply across the board to all companies. Rather, important and particularly important entities are obligated under the NIS 2 Implementation Act. These include companies and organizations that operate in relevant sectors and fall within the scope of regulation, depending on their size and importance.
What exactly is meant by an important or particularly important entity therefore cannot be answered in a single general sentence. However, the BSI provides its own NIS-2 impact assessment with which companies can check their classification. This is a useful first step, especially for companies that have not yet fully addressed their regulatory classification.
3 What specific security measures does NIS-2 require?
The BSI applies the requirements not only to classic IT systems, but to all information technology systems, components and processes that are necessary to provide the respective services. Depending on the company, OT systems, such as industrial control and automation technology or building automation, may also fall within the scope.
The requirements apply simultaneously in several places. They start with secure procurement, continue through development and extend to operation, maintenance and dealing with vulnerabilities. Security measures should therefore not be implemented in isolation, but as a coherent framework for all relevant systems and processes.
Make purchasing and development secure
Even during purchasing, the focus is on supply chain security. Products and service providers should be selected according to security criteria, and requirements should be contractually agreed upon and regularly reviewed. In this way, risks can be reduced at an early stage.
According to the BSI, security must also be considered from the outset in development. This includes secure development principles, reduced attack surfaces, suitable tests and systems that can be operated securely even in the standard configuration. Security requirements must therefore be an integral part of the development process.
Securing operation and maintenance in a structured way
During ongoing operations, the BSI mentions a number of specific measures that companies should set up cleanly from an organizational and technical point of view. In particular, this includes:
- Configuration management
- Regulated change and maintenance processes
- Regular security checks
- Patch and update management
- Network segmentation
- Protection against malware
- Protection against physical threats
We have already discussed patch and update management, configuration management and protection against malware in our own contributions: patch management under NIS 2 on the one hand, and NIS 2 compliant client hardening as a practical example of secure configuration management on the other. We have also covered protection against malware, for example with regard to Endpoint Protection and Microsoft Defender as important building blocks for securing end devices and systems during operation.
4 Think about vulnerability management and disclosure
Without structured vulnerability management, even the best security measures quickly lose their effect. As a continuous activity, it is of particular importance. Companies should systematically identify, prioritize and fix security gaps and comprehensibly document the measures taken. This also includes clear reporting channels so that identified vulnerabilities reach the responsible parties quickly.
In addition, the BSI points to the disclosure of vulnerabilities. This is always relevant when third parties could be affected or when companies want to make transparent how security researchers can report vulnerabilities they have found. Vulnerability management therefore does not end with internal remediation, but also includes the responsible handling of external communication.
Documentation is mandatory
In addition, the BSI underlines that the measures and concepts adopted must be suitably and fully documented. This includes not only processes and security measures, but also changes to systems and maintenance work. Documentation is therefore not a formal add-on, but the basis for traceability and a reliable security organization.
5 What companies should consider now
Particularly when it comes to vulnerability management, it becomes clear how specific the requirements of NIS 2 are in practice. Security gaps are among the most common points of attack and can never be completely ruled out, even with a high level of protection. It is therefore all the more important to deal with them regularly: companies must identify, classify and remedy vulnerabilities early on, before they result in serious incidents.
View security measures and vulnerability management as a permanent task
The BSI makes it clear that neither the implementation of security measures nor vulnerability management should be understood as a one-off task. A single scan, a selective update, or an occasional check is not enough. What is needed is a continuous approach that constantly takes into account new threats, current security reports and changes in your own IT landscape.
First of all, this includes reliably implementing and maintaining the required protective measures in the company. At the same time, companies must identify, evaluate and adequately address known vulnerabilities. Not every vulnerability is automatically equally critical. The decisive factors are which systems are affected, how likely exploitation is, and what effects exploitation may have on operations. Clear reporting channels, clean tracking and comprehensible documentation are therefore also part of this. In this way, security measures and vulnerability management together become an integral part of a resilient security organization.
Translate requirements into existing processes
One of the biggest challenges is turning regulatory requirements into sustainable processes. Protection measures are only effective if they are firmly integrated into existing structures. This includes operation, maintenance, change processes and cooperation between IT, security and specialist areas.
In concrete terms, this means that responsibilities must be clearly defined so that information about security gaps is not lost between teams. It should be defined who receives reports, assesses risks, sets priorities and controls implementation.
Topics such as patching, hardening or security testing also need fixed processes so that they are carried out reliably and repeatedly. In addition, there is the documentation just mentioned. It must be clearly verifiable what has been implemented.
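As an added illustration (not from the BSI article or SOFTTAILOR's own tooling), the following Python sketch turns the three prioritization factors named above (affected system, likelihood of exploitation, operational impact) and the fixed responsibilities of reporter, assessor and owner into a small triage record with a traceable status history. The level mapping, the deadline bands and the sample findings are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Ordinal levels for the three factors the article names. This mapping and the
# deadline bands below are assumptions of this example, not BSI guidance.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    finding_id: str
    system: str
    system_criticality: str   # importance of the affected system
    exploit_likelihood: str   # e.g. "high" if a public exploit exists
    operational_impact: str   # effect on operations if exploited
    reported_by: str          # who received or raised the report
    reported_on: date
    assessor: str = ""        # who assessed the risk
    owner: str = ""           # who controls remediation
    status: str = "reported"
    history: list = field(default_factory=list)  # audit trail for documentation

def priority(f: Finding) -> int:
    """Score 1..27: product of the three ordinal factors."""
    return LEVEL[f.system_criticality] * LEVEL[f.exploit_likelihood] * LEVEL[f.operational_impact]

def due_date(f: Finding) -> date:
    """Remediation deadline derived from the score band (example values)."""
    score = priority(f)
    return f.reported_on + timedelta(days=7 if score >= 18 else 30 if score >= 8 else 90)

def transition(f: Finding, new_status: str, actor: str, note: str) -> Finding:
    """Advance the workflow one step and log who did it, so the path stays traceable."""
    allowed = {"reported": "assessed", "assessed": "in_remediation",
               "in_remediation": "verified", "verified": "closed"}
    if allowed.get(f.status) != new_status:
        raise ValueError(f"{f.finding_id}: {f.status} -> {new_status} is not a valid step")
    f.history.append((f.status, new_status, actor, note))
    f.status = new_status
    return f

def assess(f: Finding, assessor: str, owner: str) -> Finding:
    """Assessor records the rating and hands the finding to a named owner."""
    f.assessor, f.owner = assessor, owner
    return transition(f, "assessed", assessor, f"priority={priority(f)} due={due_date(f)}")

def rank(findings: list) -> list:
    """Highest priority first; the earlier due date breaks ties."""
    return sorted(findings, key=lambda f: (-priority(f), due_date(f)))

def sample_findings() -> list:
    """Constructed sample findings (hypothetical systems and dates)."""
    d = date(2025, 1, 10)
    return [Finding("VULN-1", "erp-db", "high", "high", "high", "servicedesk", d),
            Finding("VULN-2", "test-vm", "low", "medium", "low", "servicedesk", d),
            Finding("VULN-3", "mail-gw", "high", "medium", "medium", "servicedesk", date(2025, 1, 12))]
```

The `history` list is what later answers the documentation question of who assessed, prioritized and remediated a finding and when.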
Plan for typical challenges early on
Many companies do not start on a greenfield site, but in established IT and process landscapes. There is often no complete overview of the systems, components and dependencies in use right from the start. Without this basis, it is difficult to assess risks sensibly and implement measures in a targeted manner.
In addition, there are often scarce personnel and time resources. Security requirements must be implemented in parallel with ongoing operations, while existing environments are managed, incidents are processed and projects are driven forward. As a result, topics such as documentation, regulated approvals or regular checks quickly come under pressure.
This is compounded by inconsistent processes, coordination problems between teams or the lack of involvement of service providers and manufacturers. Anyone who thinks about such hurdles early on can plan more realistically and gradually translate requirements into sustainable structures.
6 Conclusion
The BSI contribution shows that NIS 2 is becoming much more specific when it comes to security measures. The focus is not only on technical protection mechanisms, but also on the orderly handling of procurement, development, operation, maintenance and, in particular, vulnerabilities. For affected companies, this means that security requirements must be comprehensibly incorporated into existing processes and considered permanently.
Vulnerability management in particular makes it clear what is important. Security gaps must be identified, classified, processed and properly documented. At the same time, it is clear that individual measures alone are not enough. The decisive factor is whether this results in reliable structures that function in everyday life and can also be further developed to meet new requirements.
Anyone who deals with the requirements at an early stage not only creates a better basis for compliance, but also strengthens their own security organization. This is precisely where the real added value lies: NIS 2 cannot be reduced to the fulfilment of obligations, but can be an opportunity for companies to specifically review existing processes and further develop them in a meaningful way.