The effect of the IT/OT gap on the NIS 2 implementation

This is a Master's thesis from Stockholms universitet/Institutionen för data- och systemvetenskap

Author: Niklas Andersson; [2023]

Keywords: NIS2 Directive; IT OT gap; OT security; IT security;

Abstract: Cyber attacks are steadily increasing, and their impact is becoming more significant. To combat this, the European Union has created directives to enhance the cyber security of critical services in the Union, one example being the NIS 2 directive. The directive comes into force during the fourth industrial revolution, where Operational Technology (OT) is connected to Information Technology (IT). This creates new vulnerabilities in the OT environments since they can now suffer from cyber attacks. The historical ways of securing OT and IT environments differ, which has caused what is called the IT/OT gap now that they are converging. In order to implement the NIS 2 directive and to enhance the cyber security of the entire organization, the IT/OT gap needs to be minimized. The problem this study aims to investigate is how the effects of the IT/OT gap can be reduced in the implementation of the NIS 2 directive. This was done by answering the research question: To what extent is the IT/OT gap a challenge for the implementation of the NIS 2 directive in Sweden? The sub-question was: In what areas is the IT/OT gap problematic for the implementation of the NIS 2 directive in Sweden? To answer the research question, semi-structured interviews were conducted with respondents with knowledge of IT and OT security as well as the NIS 2 directive. The interviews were transcribed and analyzed using a thematic analysis. The thematic analysis resulted in 6 themes (Need for technical solutions, Lacking resources, Differences in security culture, Lack of cooperation, Supervisory authority, and Standards) and six subthemes. The result showed that the IT/OT gap is a challenge for the implementation of the NIS 2 directive to a varying degree depending on the company. Further, it was shown that the IT/OT gap is most likely a problem in the areas regarding the supervisory authority, lacking resources, and cooperation.
To comply with the directive and, more importantly, raise the level of cyber security, organizations and companies must handle all their risk in both IT and OT environments. The OT and IT personnel will need to talk to each other and collaborate to do it, and that might be a significant first step to minimizing the IT/OT gap in the long term.
