React Less. Defend More.
We support asset owner’s design, install and maintain cyber resilient and regulatory compliant operations using a risk-based and outcome-focused approach.
Regulatory Compliance Overview
In today’s Operational Technology (OT) environments, cyber security plays a critical part in ensuring the safe, secure and reliable operation of industrial operations. Legislators and regulators are enforcing companies to take preventative action and provide evidence that protective measures and robust governance controls are in place to manage risk and reduce the likelihood of cyber incidents. Being in compliance avoids potential financial penalties and reputational loss that non-compliance brings.
OTIFYD offers comprehensive services to help organisations identify, understand, conform and remain compliant against applicable regulatory requirements. To achieve this, we offer a comprehensive gap assessment service that identifies areas that are both compliant and non-compliant with regulatory requirements. Also provided with the assessment are recommendations so that any non-compliances and improvements can be addressed. Following the initial gap assessment, we are also able to fully support you implement remedial controls and support your journey to compliance.
We understand that no two organisations and their business operations are the same, as such, we offer a highly customisable service. Our Regulatory Compliance services can be tailored to your exact needs by considering the regulatory requirements and any other standards your business requires to comply with.
Critical infrastructure cybersecurity regulations vary by country. Here are a few examples:
- United States: The Department of Homeland Security (DHS) is responsible for overseeing cybersecurity for critical infrastructure. The DHS has published the National Infrastructure Protection Plan (NIPP), which outlines a risk management framework for critical infrastructure cybersecurity. The DHS also works with sector-specific agencies to develop and implement sector-specific plans and standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework for critical infrastructure in the energy sector. Also of significant note are the NERC-CIP standards. Compliance with the NERC-CIP requirements are required by law for all applicable entities.
- European Union: The EU has established the Network and Information Systems (NIS) Directive, which sets out the minimum security requirements for critical infrastructure operators and digital service providers. The NIS Directive requires Member States to designate a national competent authority responsible for overseeing the implementation of the Directive and cooperating with other Member States on cross-border incidents. Also of note is the enforcement of NIS2 which requires compliance with before September 2024.
- United Kingdom: The UK has established the Centre for the Protection of National Infrastructure (CPNI), which provides advice and guidance to organisations on protecting their national infrastructure from cyber threats. The CPNI works with organisations to identify and manage cyber security risks and to develop and implement security strategies. Also of note is the UK HSE OG86 operational guidance which is used by HSE inspectors when conducting cyber security audits of critical infrastructure and COMAH (Control of Major Accident Hazards) rated sites.
- Spain: INCIBE has been designated as the National Coordination Centre in Spain (NCC-ES) of the European Cybersecurity Competence Centre (ECCC). This appointment by the National Cybersecurity Council meets the requirements of the EU regulation, has experience in the sector and expertise in technology, research and innovation and is a benchmark entity for the development of cybersecurity and the digital confidence of citizens, the academic and research network, professionals, companies and strategic sectors.
- Australia: The Australian Cyber Security Centre (ACSC) is responsible for overseeing cybersecurity for critical infrastructure in Australia. The ACSC provides advice and guidance to organisations on protecting their systems and networks and works with government agencies, industry, and international partners to build the nation’s cyber security capabilities.
Saudi Arabia: The National Cybersecurity Authority (NCA) of Saudi Arabia was established in 2018 to oversee the protection of the country’s critical infrastructure from cyber-attacks. The NCA is responsible for setting national cyber security policies and standards, and for providing guidance and support to organisations on how to protect their systems and networks.
Qatar: The National Cybersecurity Committee (NCC) of Qatar is responsible for overseeing the protection of the country’s critical infrastructure from cyber-attacks. The NCC is responsible for setting national cyber security policies and standards, and for providing guidance and support to organisations on how to protect their systems and networks.
- United Arab Emirates: The National Electronic Security Authority (NESA) is responsible for overseeing the protection of the UAE’s critical infrastructure from cyber-attacks. NESA sets national cyber security policies and standards and provides guidance and support to organisations on how to protect their systems and networks.
These are just a few examples of critical infrastructure cyber security regulations in different countries. It’s important to note that the regulations in each country are constantly evolving, so it’s a good idea to check for updates regularly.
Why Conduct a Regulatory Compliance Gap Assessment?
At a high level, a regulatory compliance gap assessment builds a structured understanding of both compliances and non-compliances associated with your OT environment in relation to applicable regulatory requirements.
Through detailed discovery and analysis, an informed evaluation is made to determine the effectiveness of existing controls for each regulatory requirement. The evaluation may determine that existing controls sufficiently meet the requirement to an acceptable level or that the gap presented is acceptable and requires no additional controls or action. Conversely, it may highlight non-compliances (i.e. gaps) where enhancements or additional controls are required to bring the area into regulatory tolerance and compliance.
The gap assessment process also factors in “risk vs benefits vs cost and complexity” which enables the pragmatic prioritisation of remedial efforts. This enables the correct focus on items that provide the most risk reduction both tactically (short-term mitigations commonly referred to as “low hanging fruit”) and strategically (medium to long-term mitigations that require more effort to plan, design and implement).
Key Benefits of Conducting a Regulatory Compliance Gap Assessment
- Creates an accurate baseline understanding of how your current control framework meets or does not meet applicable regulatory requirements.
- Highlights potential gaps that could cause non-compliance and result in financial penalty and/or reputational loss consequences.
- Provides assurance to all stakeholders that the organisation is well prepared to demonstrate compliance during regulatory audits or inspections.
Deliverables from a Regulatory Compliance Gap Assessment
As part of this service offering, OTIFYD delivers:
- A formalised report detailing assessment outcome;
- Description of the systems, processes and third parties in the scope of the regulatory requirements;
- Mapping of the regulatory requirements required against your existing control framework;
- Gap analysis report between the current “As-Is” and regulatory requirements;
- Checklist of how to prepare for an audit or inspection and overview of relevant documentation to keep at hand.
Additionally, the following items will also be provided:
- High-level presentation for executive-level stakeholders;
- Any supporting materials produced during the gap assessment (e.g. worksheets etc).
Regulatory compliance can be broadly defined as the adherence to laws, regulations, and guidelines created by government legislations and regulatory bodies applicable to an organisation based on the industry and jurisdiction in which it operates.
Regulatory compliance is important to uphold the integrity of business operations, protecting public interest as well as stakeholder interest. It ensures that businesses operate safely, securely and that operations are resilient.
When businesses are open and transparent about their regulatory compliance mechanisms, trust and goodwill among clients and business partners increase. This can, over time, improve brand perception and increase the overall profitability of the organisation.
Non-compliance arises when the business fails to comply with applicable legal obligations. An increasing number of organisations are prioritising regulatory compliance as a key strategic requirement. Along with non-compliance, lapses in regulatory compliance can lead to several adverse consequences, such as:
Penalties: Penalties, most often monetary, can be one-off or cumulative over a period of time.
Business Disruption: Non-compliance could result in the business being suspended.
Reputation Losses: Businesses suffer a loss of reputation among clients, business partners, and the public due to negative publicity in the media.
Revenue Losses: The resulting loss of customer confidence can lead to a loss in revenues in the long term, lasting several years. The organisation may also be subjected to stricter compliance regulations subsequent to an incident, resulting in steadily increasing compliance costs.
Here are some general best practices for organisations to follow in ensuring regulatory compliance:
- Stay on top of changes in the regulatory landscape both at the concerned industry level as well as the jurisdiction level.
- Develop and maintain a compliance policy of conduct to create a culture of compliance.
- Document the compliance processes. This can be done with a clear delineation of the roles and responsibilities of staff involved in compliance management.
- Train employees in regulatory compliance by conducting workshops, training sessions, and periodically assessing them on compliance requirements.
- Periodically review the regulatory compliance policy to correct weaknesses in the policy and to ensure that compliance is up to date with the latest changes in the regulatory environment.
- Automate compliance activities depending on the size and scope of the organisation.
Regulatory compliance focuses on aligning with external legal mandates such as laws and regulations in respective jurisdictions or industries. Corporate compliance is internal in nature with processes and procedures aimed at streamlining internal business requirements. Both regulatory compliance and corporate compliance have a common goal—that is ensuring accountability of the business.
Regulatory compliance management is how an organisation systematically secures regulatory compliance by establishing a standard set of processes, procedures, and investing in appropriate technology that align and facilitate visibility into controls while eliminating inefficiencies.