- All companies subject to the new NIS2 regulation must update their device software to the latest version
- Applies to all devices, machines and systems in offices, laboratories, production and logistics
DUESSELDORF – “The government’s draft NIS2 has been approved and is awaiting announcement. Once NIS2 comes into effect, not only will the IT networks of affected companies be subject to the new cybersecurity regulations, but also all industrial control systems, office and laboratory equipment, and industrial machines and systems that are integrated into the network,” said Jan Wendenburg, CEO of the German cybersecurity company ONEKEY. The cybersecurity expert highlights printers, security cameras, motion detectors, intelligent lighting systems, networked conference systems, whiteboards, and other presentation devices, access controls, room occupancy sensors, mail carts, and intelligent locking systems as typical examples within the office sector. In industry, he cites CNC machines, production lines, warehousing and logistics systems, autonomous vehicles, robots, sensors, and various other systems.
Jan Wendenburg clarified: “All companies subject to NIS2 must check and document that all these devices are equipped with the latest software and are therefore optimally protected against cyber attacks.”
The EU Directive “Network & Information Security 2″ (NIS2) is applicable to all companies classified as critical infrastructure (KRITIS). These include operators and suppliers in the energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, public administration, digital infrastructure, ICT service management, postal and courier services, waste management, aerospace, manufacturing, production and distribution of chemicals, food production, processing and distribution, manufacturing of medical devices, machinery, vehicles, electrical/electronic equipment and research facilities. The German Federal Office for Information Security (BSI) assumes that almost 30,000 companies are affected and offers an online tool to check whether they are subject to NIS2: www.bsi.bund.de/dok/nis-2-betroffenheitspruefung (German). Jan Wendenburg emphasised: “NIS2 covers the entire KRITIS supply chain as well as its suppliers and business partners. Any company that has business relationships with a hospital, an energy supplier or a financial services provider, for example, should prepare for NIS2, including its networked devices in the office, laboratory and production.”
“Printer Software Is Overlooked”
According to the expert in cybersecurity for devices, machines and systems, “very few companies focus on resilience to hacking outside of IT networks.”
He provided a practical example: “Printer software rarely gets attention as long as the printer is running smoothly. However, in reality, outdated printer software can be a gateway for hackers to infiltrate the company’s network.” For experienced programmers, the route is a piece of cake: “The hackers start from the printer, find an Active Directory, run a query with an account on the printer and, in the worst case, end up at the heart of the company’s IT.”
Software BOMs Required for NIS2 and CRA
Firmware, as the embedded software in devices, machines and systems is known in technical jargon, is seen by many experts as a “critical gap” in the security strategy of companies and authorities. The recommendation: “Companies affected by NIS2, as soon as possible, should obtain a software bill of materials from the suppliers of all networked devices in the broadest sense that are in operational use.” This list, known in the security industry as a Software Bill of Materials (SBOM), contains a complete list of all the programmes used in the company. As it is usually difficult to access the firmware of older devices, such as a printer that has been in use for ten years, Jan Wendenburg recommends using SBOM tools to automatically record all software components and generate a corresponding software bill of materials. “This is not only important for NIS2 compliance, but also for the upcoming EU Cyber Resilience Act (CRA).”
The technical basis is critical: Accurate component information is essential for an effective comparison with the “Common Vulnerabilities and Exposures” (CVE) database, maintained by the US National Cybersecurity Federally Funded Research and Development Center. This database centralises all identified software vulnerabilities, including those in firmware. By comparing them, you can find out if your device has any long-standing security gaps – also known to hackers – that could serve as entry points for cybercriminals.
“A complete and up-to-date inventory of the software in all devices, machines and systems that are connected to the IT network is the prerequisite for cyber security and compliance with legal regulations from NIS2 to CRA,” summarised ONEKEY CEO Jan Wendenburg. He emphasised: “A security chain is only as strong as its weakest link. A single device with outdated software can be enough to make an entire company a target for cyber criminals.” With thousands of attacks occurring every day, the question for him is “not whether a company will be attacked by hackers, but when and how well it is protected against them.”
The German Federal Criminal Police Office has reported nearly 135,000 officially reported cases of cybercrime for 2023 and assumes that 90 per cent of cases are unreported. This corresponds to around 1.5 million attacks per year.
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
Contact us: ONEKEY GmbH,
Kaiserswerther Str. 45, 40477 Duesseldorf, Germany,
Sara Fortmann, e-mail: sara.fortmann@onekey.com,
website: https://onekey.com
