ISA Ireland Section OT Cybersecurity Conference, in partnership with Cyber Ireland, November 19th, 2024, Mullingar

By Brian Hennessy, Radiflow & ISA Ireland Section Committee

The second rendition of the annual ISA Ireland Section OT Cybersecurity Conference in Mullingar comes to a close once again, following and building on last year’s success and in the midst of a cold snap. The NIS2 Directive is pre-eminent in our speakers’, sponsors’ and attendees’ minds, and this year’s conference was put together with a focus on the directive: specifically, how our attendees may learn from both our speakers and sponsors how to craft their approach to alignment with the directive, and which frameworks can assist them in this effort, such as the ISA/IEC-62443 standard.

In the evening before the conference, the team of Paul McEvoy, Lee Stephens and Erik Derr from BT (along with help from both Paul Gaynor and Anthony Smyth (Armis)) ran a tabletop threat exercise, a role-playing activity built around a simulated scenario, with some of our conference attendees taking part. This workshop progressed through 4 stages of a cyber incident, with participants breaking into discussion groups at each stage to consider how they may respond. It led to some great conversations between participants on the particular nuances of their own environments and what the requirements for restoring these environments may be in such cases.

Following the workshop, a welcome reception for all available attendees was held in the Mullingar Park Hotel lounge, sponsored by Armis. Here our attendees were able to relax ahead of the busy conference.

Our conference chair, Donal Óg Cusack (Cyber Ireland’s OTSec SIG Chair), led the presentations from the stage throughout the day, introducing our speakers and handling the panels for each of our sessions with his usual humour and grace, and facilitating excellent discussions on each of their chosen topics. 

Starting the presentations was our keynote from Paul Stanley (NCSC) on the perspective of the competent authority, the NCSC, responsible for enforcement of compliance to the NIS2 Directive once it has been transposed into Irish law. Paul led the audience through the profile of companies to which the directive applies, how those companies may achieve compliance, how they may report incidents, and what to expect in 2025 and beyond. 

Raphael Barreto (ISA European Office) then led the audience through his presentation on how the ISA/IEC-62443 standard can be used as a framework to achieve compliance to the NIS2 Directive, a most relevant topic for our attendees – the standard provides a structured approach to securing industrial automation and control systems across their entire lifecycle. 

Our next speaker, Paul Lavery (McCann Fitzgerald), gave us a lawyer’s view of the NIS2 Directive and its legal ramifications, taking us through managing cybersecurity risk as it pertains to network and information systems as well as supply chains, the reporting requirements for incident notifications, and the potential for assessments and audits for compliance to be carried out by the competent authority.

David Prendergast (Deloitte) then gave us an excellent breakdown of corporate reporting responsibilities around NIS2 and the necessary information the boards of these corporations, SMEs and end users require for successful incident reporting. 

How to approach an OT cybersecurity program is often the initial stumbling block for those starting their journey, and Hugh McGauran (Armis) deftly relayed an approach that prioritises using existing frameworks and the current guidance from the NCSC to provide the initial outline, with a focus on specific challenges such as remediation fatigue and how communication between stakeholders is paramount.

Our next topic came from Howard Shortt, Neil Margolius and Andrew McConnon (PWC) about sustaining and maturing OT security and how this relates to NIS2 Directive compliance, outlining the steps involved and providing an example of a comprehensive phased OT cybersecurity enhancement program. 

We then had our brilliant panel discussion, including luminaries from the Irish OT cybersecurity landscape: Barry O’Brien (Armis), Wayne Bursey (Siemens), Liam O’Connor (Accenture) and Barry Long (Rockwell), who led the audience through asset management for OT environments, each providing their unique perspective – as Barry mentioned after the panel, they could have spoken on the topic all day.

Following our break, Thomas Vasen (HMS Industrial Networks) led the audience through segmenting an OT environment while maintaining uptime as paramount, focusing on following the ISA/IEC-62443 SRs 5.1 and 5.2 as guidelines to segment this environment in a logical and secure manner. 

Romain Doumenc (Trout Software) spoke to the audience on how digitalization is inevitable, and how best to secure OT networks to keep pace with advancements in technology. The five pillars of the NIST CSF (Identify, Protect, Detect, Respond and Recover) leading to Governance codified his approach and how it pertains to NIS2. 

Our last break for coffee then led to our final session, for which attendance remained high – a ringing endorsement of the quality of our speakers. Ciaran Murphy (NeoDyne) homed in on specifics for implementing some of the more difficult parts of the ISA/IEC-62443 standard, and how remediating risk needs to be nuanced and balanced. 

Throughout the day, speakers, sponsors and attendees discussed the current state of our industry and their own experiences. The topics which were presented spoke to the importance of achieving the common level of security dictated by the NIS2 Directive, and how our attendees could implement this. The work we do protects critical aspects of our society, and I hope that all who attended left with more knowledge and understanding of how best to do this.

To close out the conference, we had Paul Gaynor challenging assumptions related to OT cyber resilience and how to build defense in depth.

Special thanks to all involved in the organisation and operation of the conference this year, which could not have happened without their support: the conference committee (Anastasia Tarutina, Barry O’Brien, Declan Lordan, Finbar Jackson, Miguel Sanchez, and chaired by myself) along with the ISA Ireland Section committee, notably Patrick Bonner, Billy Walsh and David O’Brien; our conference partners Cyber Ireland, who were invaluable in getting the conference off the ground, with thanks to Donal Óg Cusack, Eoin Byrne, Sinead Rodgers and Zarah Rios; our platinum sponsor Armis and their regional director Hugh McGauran, who provided their expertise and assistance throughout each stage of the build-up to the conference; and those involved with running the conference on the day, Premier Publishing, Snap Printing, Kevin Matthews Audio Visual, John McCauley Photography and of course, the team at Mullingar Park Hotel itself. 
