REGULATORY COMPLIANCE

We support asset owners in designing, installing and maintaining cyber-resilient and regulatory-compliant operations using a risk-based and outcome-focused approach.

Ensuring Compliance in Today’s OT Environments

In modern Operational Technology (OT) settings, cybersecurity is vital for the safe, secure, and reliable operation of industrial systems. Legislators and regulators mandate that companies implement preventive measures and demonstrate that robust governance controls are in place to manage risk and mitigate the likelihood of cyber incidents. Compliance helps avoid potential financial penalties and reputational damage associated with non-compliance.

CNB provides comprehensive services to help organizations identify, understand, comply with, and maintain adherence to applicable regulatory requirements. We offer an extensive gap assessment service that identifies areas of both compliance and non-compliance with regulatory standards. Our assessments include recommendations for addressing non-compliances and areas for improvement. Following the initial gap assessment, we support the implementation of remedial controls and guide you on your journey to compliance.

Recognizing that each organization and its operations are unique, we offer highly customizable services. Our Regulatory Compliance services can be tailored to your specific needs by considering the relevant regulatory requirements and any other standards your business must comply with.

Cybersecurity regulations for critical infrastructure vary by country. Here are a few examples:

  • United States: The Department of Homeland Security (DHS) oversees cybersecurity for critical infrastructure and has published the National Infrastructure Protection Plan (NIPP), outlining a risk management framework. The DHS collaborates with sector-specific agencies to develop and implement plans and standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework for the energy sector. Additionally, the NERC-CIP standards are legally binding for all applicable entities.
  • European Union: The Network and Information Systems (NIS) Directive sets minimum security requirements for critical infrastructure operators and digital service providers. Member States must designate a national competent authority to oversee the Directive’s implementation and cooperate on cross-border incidents. NIS2 enforcement requires compliance by September 2024.
  • United Kingdom: The Centre for the Protection of National Infrastructure (CPNI) offers advice and guidance on protecting national infrastructure from cyber threats. The CPNI works with organizations to manage cybersecurity risks and develop security strategies. The UK HSE OG86 operational guidance is used by HSE inspectors for cybersecurity audits of critical infrastructure and COMAH-rated sites.
  • Spain: The National Cybersecurity Institute (INCIBE) serves as the National Coordination Centre in Spain (NCC-ES) for the European Cybersecurity Competence Centre (ECCC). Appointed by the National Cybersecurity Council, INCIBE meets EU regulation requirements and is a leading entity for developing cybersecurity and digital confidence.
  • Australia: The Australian Cyber Security Centre (ACSC) oversees cybersecurity for critical infrastructure, providing advice and guidance, and working with government agencies, industry, and international partners to enhance the nation’s cybersecurity capabilities.
  • Saudi Arabia: The National Cybersecurity Authority (NCA) oversees the protection of critical infrastructure from cyber-attacks, setting national cybersecurity policies and standards, and offering guidance to organizations.
  • Qatar: The National Cybersecurity Committee (NCC) is responsible for protecting critical infrastructure from cyber-attacks, setting national cybersecurity policies and standards, and providing guidance to organizations.
  • United Arab Emirates: The National Electronic Security Authority (NESA) oversees the protection of critical infrastructure from cyber-attacks, setting national cybersecurity policies and standards, and offering guidance and support to organizations.

These examples highlight the diverse regulatory landscapes for critical infrastructure cybersecurity. Regulations are constantly evolving, so regular updates are essential.

Why Conduct a Regulatory Compliance Gap Assessment?

A regulatory compliance gap assessment provides a structured understanding of your OT environment’s compliance status in relation to applicable regulatory requirements. It identifies both compliance and non-compliance areas, enabling informed decision-making.

Through detailed discovery and analysis, the assessment evaluates the effectiveness of existing controls for each regulatory requirement. It may reveal that current controls are sufficient to meet the requirements to an acceptable level, or it may indicate acceptable gaps that require no further action. Conversely, it might highlight non-compliances (i.e., gaps) where enhancements or additional controls are necessary to achieve regulatory compliance.

The gap assessment process also considers “risk vs. benefits vs. cost and complexity,” allowing for pragmatic prioritization of remedial efforts. This ensures focus on items that offer the most risk reduction both tactically (short-term mitigations often referred to as “low-hanging fruit”) and strategically (medium to long-term mitigations that require more effort to plan, design, and implement).

Key Benefits of Conducting a Regulatory Compliance Gap Assessment

  • Establishes an accurate baseline understanding of how your current control framework aligns with applicable regulatory requirements.
  • Identifies potential gaps that could lead to non-compliance, financial penalties, and/or reputational damage.
  • Offers assurance to all stakeholders that the organization is well-prepared to demonstrate compliance during regulatory audits or inspections.

Deliverables from a Regulatory Compliance Gap Assessment

As part of this service offering, CNB provides:

  • A formal report detailing the assessment outcomes
  • Description of the systems, processes, and third parties within the scope of the regulatory requirements
  • Mapping of the regulatory requirements against your existing control framework
  • Gap analysis report comparing the current “As-Is” state to regulatory requirements
  • Checklist for audit or inspection preparation and an overview of relevant documentation to have on hand

The following items are also provided:

  • High-level presentation for executive-level stakeholders
  • Any supporting materials produced during the gap assessment (e.g., worksheets)