Cybersecurity

How Secomea can help you achieve NIS2 compliance

April 2024

At Secomea, we’ve been engaging with customers and users since the onset of the NIS2 Directive to support them as they embark on their compliance journey.

The implementation of Secomea’s secure remote access solution on your factory floors can be qualified as one of the technical measures that you are required to take under Article 21 of the NIS2 Directive to manage the risks posed to the security of network and information systems and prevent or minimize the impact of incidents.

Besides, using Secomea will address additional elements mandated by the legislation, as illustrated by this blog post.

 

Concrete examples of how Secomea can help you in your NIS2 journey

NIS2 requires you to implement access control policies and asset management:

Managing and controlling access to your assets is precisely what Secomea is for.

With Secomea, you can:
✔ provide access to defined assets
✔ handle role-based access permissions for each of your users and each of your assets
✔ provide access to users after they have requested it
✔ provide access to users for a defined timespan

NIS2 requires you to implement Multi-Factor Authentication:

With Secomea, you can:

✔ enable Multi-Factor Authentication using

      • SMS Authentication
      • Single-Sign-On (SSO)
        • Microsoft Azure Active Directory (Azure AD)
        • Okta

NIS2 requires you to have a plan in place to handle incidents and ensure business continuity (crisis management and disaster recovery):

Secomea enables you to connect (and disconnect) machines to your network. This means that should a problem arise—e.g., a cyber-attack infecting one or more of your devices—you can use Secomea to cut that machine’s access to your network, thereby preventing viruses or malware from spreading to other machines.

Therefore, Secomea is an essential tool for handling incidents and a crucial component in your organization’s business continuity, crisis management, and disaster recovery plan.

With Secomea, you can:
✔ access audit logs to review remote access sessions. Should an incident occur during a remote access session, you will be able to access an audit log detailing who accessed the affected device, when, and for how long. This will help you identify the cause of the incident and mitigate it.
✔ set-up up alerts, events, SMS/email alarms, and automated actions to get notifications of specific events related to your machines’ status
✔ prevent risks when downloading files on your machines by using the “secure file transfer” feature; the feature ensures all files transferred to and from an engineering station are scanned for viruses or malware before they are accessible to the user.
✔ access the Vulnerability Hub to assess your overall vulnerability score based on the risks you run due to outdated firmware on SiteManagers and identify the necessary actions to prevent downtime. For each SiteManager in every one of your sites, get notified if you need to update its firmware to the latest version or replace hardware that has reached End of Support.

Let’s not forget: NIS2 requires you to ensure supply chain security – and Secomea can support you in doing that

The NIS2 Directive requires you to gather details regarding the security measures of every supplier and service provider you work with. This involves identifying the crucial third-party assets supporting your essential services, evaluating their cybersecurity protocols, and assessing how they handle vulnerabilities – considering the specific weaknesses associated with their products and services.

The more complex your OT setup, the more demanding such a task is.

A typical manufacturing organization might have 10 to 1000 different machine suppliers whose risk profiles need to be investigated and included in its risk assessment.

This represents a quite complicated and laborious assignment, albeit necessary to prepare the company’s risk management strategies (and to comply with the Directive).

Secomea’s contribution in helping you assess the risks posed by your suppliers is two-fold:

As a secure supplier:
In providing you with our secure remote access solution, Secomea represents one of your suppliers whose risks and vulnerabilities you need to assess under the NIS2 Directive.

At Secomea, security is our top priority. Below you will find an overview of our risk management and cybersecurity practices, demonstrated by our third-party certifications.

As a guarantee of security of the other suppliers you rely on who use Secomea:
As the leading provider of secure remote access solutions for OT networks and appliances, Secomea is widely used worldwide by over 9,500 manufacturing organizations and machine suppliers. Therefore, standardizing remote access for all stakeholders in this ecosystem is integral to our company mission.

This also means that, when assessing the risks posed by your suppliers, you will likely find that many of them use Secomea as well, which gives you assurance on the security of their remote access processes – and, in turn, saves you time in rating their risk level.

 

Building trust: Secomea’s commitment to ensure security every step of the way

At Secomea, cybersecurity takes up a pivotal role.

Everything we do follows internationally recognized industry best practices, and each stage of product development meets rigorous cybersecurity standards.

As a result, our products can be trusted to be secure from the moment they are deployed and after updates and new features are released.

Security is not only part of product development. It’s deeply rooted in our company culture.

Cyber-hygiene practices involve all aspects of our business, from R&D to sales, customer service, marketing, and operations – as well as the external partners and distributors who represent us globally.

Our security certifications

To show our formal commitment to securing our services, our system continually undergoes third-party security audits and assessments.

Through this significant investment, Secomea ensures the most advanced protection for its customers and demonstrates compliance with the following industry standards and best practices:

  • IEC 62443: IEC 62443 is an international series of standards specifying process and functional requirements for the secure development of products used in industrial automation and control systems (IACS). In particular, we have been audited for:
    • IEC 62443-4-1 on secure product development lifecycle requirements: this certification confirms that Secomea develops and maintains secure products by following a secure development lifecycle (SDL), including a secure-by-design development methodology, secure implementation, patch management, and product end-of-life.
    • IEC 62443-3-3 on system security requirements and security levels: this certification attests to Secomea’s compliance with the technical control System Requirements (SRs) associated with the seven foundational requirements (FRs): Identification and authentication control (IAC), Use control (UC), System integrity (SI), Data confidentiality (DC), Restricted data flow (RDF), Timely response to events (TRE), and Resource availability (RA).
  • ISAE 3402: Our organizational security measures are assessed and documented in a third-party ISAE 3402 report, which is the international standard providing assurance on an organization’s adequate internal controls.
    Our certification attests that our controls are consistent, complete, repeatable, and auditable and demonstrates to our customers that they are adequate to ensure the security of Secomea’s services.
    Secomea’s controls have been reviewed based on the guidelines specified in ISO 27002 for organizational information security standards and information security management practices.

 

How we ensure the security of Secomea’s products

We ensure the security of Secomea’s products using the following practices:

  • Specification of security requirements:
    Minimum security requirements for the products’ development and deployment are established.
    Threat analysis and risk assessment play important roles in identifying and classifying potential security risks. They involve defining trust boundaries for process, data, and control flow, including any communication to internal and external peripherals.
  • Secure by design
    Our products are designed to implement the security principles of dependability, trustworthiness, and resilience.
    We ensure they are secure by design through the application of best practice principles such as defense in depth and threat modeling.
  • Security verification and validation testing
    We verify the security of our products before deployment through validation testing that demonstrates the products’ defense-in-depth strategy is effective.
    We apply a requirements-based testing approach to show that functional and security requirements have been correctly implemented.

 

Secomea is an official CVE Numbering Authority (CNA)

Secomea has been formally recognized by the Cybersecurity & Infrastructure Security Agency (CISA) as a CVE Numbering Authority (CNA). This means the CVE Program has authorized us to assign CVE IDs to vulnerabilities and publish CVE Records. In other words, Secomea is one of the 364 entities worldwide that can identify and name cybersecurity vulnerabilities—the first (and, until very recently, the only) one in Denmark.

Therefore, we have a Cybersecurity Advisory Process in place through which our customers can report suspected security vulnerabilities they have discovered. Our support team will evaluate the validity of the suspicions, and – if vulnerabilities are identified – our R&D department will address them through product updates to remediate and mitigate the risks that have arisen. The reporter will be notified, and the vulnerabilities will be disclosed to the CVE list.

Our official identification as a CVE Numbering Authority (CNA) is further proof of the paramount importance we give to security. Thanks to it, we are not only able to identify and respond to vulnerabilities and work with customers to mitigate their risks. We are also enabled to be transparent and show our customers that we keep ourselves accountable for the security of our products and, in turn, their operations.

 

NIS2 compliance made easy, with Secomea

To help you understand the NIS2 legislation and achieve thorough compliance, we have compiled this whitepaper covering everything you need to know about the new cybersecurity legislation.


 

All you need to know to ensure NIS2 compliance
Grab your copy today!

NEWSLETTER SIGN-UP

Get the latest Secomea news sent straight to your inbox.

Subscribe

CONTACT

Secomea Headquarters
Copenhagen, Denmark
+45 88 70 86 50
info@secomea.com

Contact Secomea
Contact a distributor

Find addresses here

Privacy & Cookie Policy  © Secomea 2024, All rights reserved

NIS2 Compliance Roadmap. Stay secure, stay compliant.

X