A comprehensive NIS2 compliance roadmap for OT operators


Prayukth KV

28 July 2025


The ongoing digital transformation efforts run by OT operators have expanded the attack surface for cyber threats, putting critical infrastructure at unprecedented risk. In response to this escalating regional and global threat landscape, the European Union has enacted the NIS2 Directive (Directive (EU) 2022/2555), a robust legislative framework designed to significantly enhance cybersecurity resilience across the Union.

For Operational Technology (OT) operators, NIS2 represents a fundamental shift in how cybersecurity is approached, managed, and enforced. Moving beyond its predecessor, NIS1, NIS2 broadens the scope, deepens accountability, and introduces more prescriptive security measures, particularly impacting sectors vital to our societal and economic fabric.

Through this blog post we hope to share a comprehensive roadmap to NIS2 compliance, offering a detailed understanding of its implications for OT environments and providing a practical checklist for operators to navigate this critical journey. Underpinning this article are our diverse experiences with NIS2 compliance across all types of OT operators and asset owners.

Why OT security matters

The original NIS Directive, while a pioneering step, exhibited limitations, particularly in its scope and the varying levels of transposition across Member States. NIS2 addresses these shortcomings head-on:

· Expanded Scope: NIS2 significantly widens the net, bringing in many more entities under its purview. This includes a broader range of "essential" and "important" entities, encompassing not just traditional critical infrastructure but also areas like manufacturing, digital providers, waste management, and even certain public administrations. For OT operators, this means a higher likelihood of being directly impacted, even if they weren't explicitly covered by NIS1.

· Sector-Agnostic Approach: The directive moves away from a rigid distinction between "operators of essential services" and "digital service providers," adopting a more comprehensive "size-cap" rule with exceptions for critical entities, regardless of size. This ensures that smaller, yet equally vital, OT players are also brought into compliance.

· Heightened Security Requirements: NIS2 introduces more prescriptive and stringent cybersecurity risk management measures. It moves beyond "appropriate and proportionate" to mandate specific baseline security controls, forcing organizations to adopt a more proactive and holistic approach to cybersecurity.

· Enhanced Incident Reporting: The reporting obligations are more detailed and time-sensitive. OT incidents, given their potential for widespread disruption, fall squarely within this enhanced framework, demanding rapid detection and notification.

· Supply Chain Security: A significant focus of NIS2 is supply chain security, recognizing that a compromise in a third-party vendor can have cascading effects. This directly impacts OT, where a complex web of suppliers provides hardware, software, and services crucial for industrial operations.

· Increased Accountability and Penalties: NIS2 introduces more robust enforcement mechanisms, including substantial administrative fines (up to €10 million or 2% of global annual turnover for essential entities, and €7 million or 1.4% for important entities) and, notably, personal liability for management in cases of gross negligence. This elevates cybersecurity from an IT issue to a boardroom imperative.

For OT operators, these changes mean a profound need to re-evaluate their current cybersecurity posture, not just for IT networks but, crucially, for their industrial control systems (ICS), SCADA systems, and other operational technology. The convergence of IT and OT, while offering benefits, also introduces new vulnerabilities that NIS2 aims to address.

The NIS2 compliance roadmap: A strategic journey for OT operators

Achieving NIS2 compliance for OT environments is a multi-faceted journey that requires strategic planning, dedicated resources, and a cultural shift towards security-by-design. Here's a comprehensive roadmap:

Phase 1: Assessment and Scoping (Now until Q4 2025. The transposition deadline for Member States was October 2024, but many missed it; expect enforcement to ramp up through 2025.)

The initial phase is about understanding where you stand and what needs to be done.

· Determine Applicability:

· Are you in scope? This is the foundational question. Consult legal counsel and national authorities to determine if your organization falls under the "essential" or "important" entity categories as defined by NIS2 and your national transposition laws. You need to pay close attention to Annex I (highly critical sectors) and Annex II (other critical sectors), as well as specific criteria like being the sole provider of a critical service.

· Which business units are impacted? Identify all operational areas, processes, and assets that fall under the directive's scope, especially those involving OT.

· Conduct a Comprehensive IT/OT Gap Analysis:

· Current State Assessment: Evaluate your existing cybersecurity posture against the specific requirements of NIS2. This is where a detailed understanding of your IT and OT environments is crucial.

· Identify Gaps: Pinpoint areas where your current controls, policies, and procedures do not meet NIS2 mandates, particularly focusing on the unique challenges of OT (e.g., legacy systems, real-time constraints, air-gapped networks, proprietary protocols).

· Asset Inventory and Criticality Mapping:

· Comprehensive Asset Discovery: Create a detailed, up-to-date inventory of all IT and, crucially, OT assets (PLCs, RTUs, DCS, HMIs, sensors, actuators, network devices, industrial workstations, etc.). Include details like vendor, model, firmware version, location, and connectivity.

· Criticality Assessment: Map each asset to the critical functions and services it supports. Understand the potential impact (safety, environmental, financial, reputational) if that asset or its associated service is compromised. This will directly influence your risk assessments and the required security levels.

· Establish Cybersecurity Governance:

· Define Roles and Responsibilities: Clearly articulate cybersecurity roles and responsibilities from the board level down to OT engineers. Management accountability is a cornerstone of NIS2.

· Secure Executive Buy-in: Ensure senior management understands their legal obligations and provides the necessary resources and support for compliance initiatives. Consider training for board members on cybersecurity risks.

Phase 2: Risk Management and Control Implementation (Q1 2026 - Q4 2026)

This phase focuses on addressing identified gaps and implementing the required security measures.

· Develop a Robust Risk Management Framework:

· Regular Risk Assessments: Implement a continuous process for identifying, assessing, and prioritizing cybersecurity risks in both IT and OT environments. Leverage standards like IEC 62443-3-2 for OT-specific risk assessments.

· Risk Treatment Plans: Develop and implement plans to mitigate identified risks, focusing on technical, organizational, and procedural controls.

· Implement Mandatory Security Measures (Article 21):

· Incident Handling: Establish comprehensive incident response plans tailored for OT, including detection, analysis, containment, eradication, recovery, and post-incident review. This must meet NIS2's stringent reporting timelines.

· Supply Chain Security: Implement robust processes for managing cybersecurity risks stemming from third-party suppliers and service providers. This includes contractual clauses, regular audits, and defining security requirements for procured components.

· Network and Information System Security: Implement controls like network segmentation (especially IT/OT segregation), robust firewalls, intrusion detection/prevention systems, and secure configurations.

· Access Control and Identity Management: Implement strong access controls, including multi-factor authentication (MFA) for remote access to OT, role-based access control (RBAC), and privileged access management (PAM) solutions.

· Vulnerability Management: Establish processes for identifying, assessing, and remediating vulnerabilities in both IT and OT systems, including patching (where feasible for OT), configuration management, and vulnerability scanning (passive for OT).

· Business Continuity and Crisis Management: Develop and test comprehensive business continuity and disaster recovery plans that specifically address cyber incidents affecting OT. Include backup and restoration procedures for critical OT data and configurations.

· Security by Design/Default: Integrate cybersecurity considerations into the entire lifecycle of OT systems, from design and procurement to deployment and decommissioning.

· Use of Cryptography and Encryption: Implement encryption where appropriate and feasible for data in transit and at rest, considering OT-specific constraints.

· Human Resources Security: Implement policies for employee awareness training (including social engineering, phishing specific to OT), access management (onboarding/offboarding), and a robust security culture.

· Establish Incident Reporting Mechanisms:

· Define "Significant Incident": Understand NIS2's criteria for a "significant incident" (e.g., causing severe operational disruption or financial loss, affecting other persons).

· Reporting Procedures: Develop clear, efficient procedures for reporting incidents to your national CSIRT or competent authority within the mandated timelines (24-hour early warning, 72-hour incident notification, one-month final report).

· Communication Channels: Establish secure and resilient communication channels for incident reporting, especially for cross-border or cross-sector incidents.
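The three reporting clocks listed above, as an added worked example that is not part of the original post: a small Python tracker that computes each due time from the moment the entity became aware of the incident and classifies each obligation against a review time. It assumes that the one-month final-report clock runs from the submission of the 72-hour notification and that "one month" is a calendar month; the incident timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Optional
import calendar

# Reporting windows for a "significant incident": 24-hour early warning and
# 72-hour incident notification, both counted from awareness of the incident.
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)


def add_one_month(t: datetime) -> datetime:
    """Same day next month; clamps to the last day when that month is shorter
    (e.g. 31 Jan -> 28 Feb). Assumption: 'one month' is read as a calendar month."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime                          # when the entity became aware
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


def deadlines(inc: Incident) -> dict:
    """Due time for each of the three obligations. Assumption: the one-month
    final-report clock starts when the 72-hour notification is submitted; until
    it is, the due time is projected from the notification deadline itself."""
    notification_due = inc.aware_at + NOTIFICATION_WINDOW
    final_anchor = inc.notification_sent or notification_due
    return {
        "early_warning": inc.aware_at + EARLY_WARNING_WINDOW,
        "notification": notification_due,
        "final_report": add_one_month(final_anchor),
    }


def status(inc: Incident, now: datetime) -> dict:
    """Classify each obligation: 'met' (sent on time), 'late' (sent after the
    due time), 'overdue' (unsent and past due) or 'pending' (unsent, not yet due)."""
    sent = {
        "early_warning": inc.early_warning_sent,
        "notification": inc.notification_sent,
        "final_report": inc.final_report_sent,
    }
    result = {}
    for key, due in deadlines(inc).items():
        if sent[key] is not None:
            result[key] = "met" if sent[key] <= due else "late"
        else:
            result[key] = "overdue" if now > due else "pending"
    return result


# Constructed sample: aware at 06:00 UTC on 28 July, early warning sent the same
# evening, the 72-hour notification still unsent when reviewed on 1 August.
SAMPLE = Incident(
    incident_id="INC-EXAMPLE-001",
    aware_at=datetime(2025, 7, 28, 6, 0, tzinfo=timezone.utc),
    early_warning_sent=datetime(2025, 7, 28, 20, 0, tzinfo=timezone.utc),
)
REVIEW_TIME = datetime(2025, 8, 1, 9, 0, tzinfo=timezone.utc)
```

Running `status(SAMPLE, REVIEW_TIME)` flags the notification as overdue while the final report is still pending, which is the state an incident coordinator needs surfaced before the 72-hour window closes.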

Phase 3: Operationalization, monitoring, and continuous improvement (Q1 2027 onwards)

Compliance is not a one-time event but an ongoing process.

· Continuous Monitoring and Detection:

· Implement security monitoring solutions for your OT networks to detect anomalies, unauthorized access, and potential cyber threats in real-time. This might involve passive monitoring tools to avoid impacting sensitive OT systems.

· Establish security operations center (SOC) capabilities (internal or external) with OT-specific expertise.

· Regular Testing and Auditing:

· Conduct regular internal and, eventually, external audits to verify compliance with NIS2 requirements.

· Perform penetration testing (carefully, in isolated OT environments or replicas) and vulnerability assessments to identify weaknesses.

· Conduct tabletop exercises and simulated incident response drills involving IT, OT, and management teams.

· Training and Awareness:

· Provide ongoing, tailored cybersecurity training for all employees, especially those involved in OT operations, covering basic cyber hygiene, social engineering, and incident reporting.

· Ensure management receives specific training on their cybersecurity responsibilities under NIS2.

· Documentation and Record Keeping:

· Maintain meticulous documentation of all cybersecurity policies, procedures, risk assessments, incident reports, training records, and implemented controls. This will be critical for demonstrating compliance during audits.

· Stay Informed and Adapt:

· Continuously monitor updates to NIS2 guidance, national transpositions, and the evolving threat landscape.

· Regularly review and update your cybersecurity strategy to adapt to new threats, technologies, and business requirements.

Now let's look at the NIS2 checklist for OT operators.

Checklist for OT Operators for NIS2 Compliance

This checklist provides a granular view of the technical and organizational measures OT operators should consider.

A. Governance and risk management

· NIS2 Scope Assessment: Have you formally determined if your organization is an "essential" or "important" entity under NIS2 (and national law)?

· Board/Management Accountability: Is the board/senior management formally aware of and accountable for cybersecurity risks and measures? Have they received appropriate training?

· Cybersecurity Governance Framework: Is there a defined governance structure for IT and OT cybersecurity, including clear roles, responsibilities, and reporting lines?

· Risk Management Process: Is a formal, documented cybersecurity risk management process in place for OT, aligning with standards like IEC 62443-3-2?

· Regular Risk Assessments: Are periodic (e.g., annual) and ad-hoc (e.g., after significant changes) risk assessments conducted for OT environments?

· Risk Treatment Plans: Are identified risks documented with corresponding mitigation or remediation plans, assigned ownership, and tracked?

· Business Continuity and Disaster Recovery Plans (BCDR): Are BCDR plans in place and regularly tested for OT systems, specifically addressing cyber incidents?

· Crisis Management Team: Is a dedicated crisis management team established with clear roles for OT cybersecurity incidents?

B. Asset management and configuration security

· Comprehensive Asset Inventory (IT and OT): Do you have a detailed, up-to-date inventory of all hardware, software, and firmware components in your OT environment? This should be a solution-based inventory, not something collated on a spreadsheet.

· Criticality Mapping: Are all OT assets and their associated services formally classified by criticality and potential impact?

· Configuration Management: Are baseline secure configurations defined and enforced for all OT devices and systems?

· Unauthorized Changes Detection: Are mechanisms in place to detect unauthorized changes to OT configurations?

· Vulnerability Management (OT-specific): Is there a process for identifying, assessing, and (where safe and feasible) remediating vulnerabilities in OT systems?

· Patch Management (OT-aware): Is there a controlled process for applying patches to OT systems, with thorough testing in non-production environments first? (Recognizing OT constraints on patching).

· Software and Hardware Integrity: Are measures in place to ensure the integrity of software and hardware used in OT (e.g., using trusted sources, verifying hashes)?

C. Network and system security

· Network Segmentation: Is the OT network logically and/or physically separated from the IT network (e.g., using a demilitarized zone (DMZ) or industrial firewall)?

· Zone and Conduit Security (IEC 62443): Are security zones and conduits defined and protected in accordance with industrial cybersecurity best practices?

· Secure Network Devices: Are network devices in the OT environment securely configured (e.g., strong passwords, secure protocols, unnecessary services disabled)?

· Perimeter Security: Are firewalls and other perimeter defenses properly configured to restrict unauthorized traffic between networks and to the internet?

· Intrusion Detection/Prevention Systems (IDPS): Have IDPS solutions such as Shieldworkz been deployed to monitor for malicious activity within the OT network (preferably passive for sensitive systems)?

· Malware Protection: Are appropriate anti-malware solutions deployed where feasible and safe on OT endpoints?

· Logging and Monitoring: Is comprehensive logging enabled on critical OT devices and systems, with logs centralized and monitored for suspicious activity?

· Secure Remote Access: Is remote access to OT systems strictly controlled, monitored, and secured with strong authentication (e.g., MFA) and secure protocols (e.g., VPN)?

D. Access control and Identity Management

· Identity and Access Management (IAM): Is a robust IAM system in place for both IT and OT users?

· Role-Based Access Control (RBAC): Are access permissions for OT systems based on job role and least privilege principles?

· Privileged Access Management (PAM): Are privileged accounts (e.g., administrator, root) managed securely, with credentials rotated and access monitored?

· Multi-Factor Authentication (MFA): Is MFA implemented for all remote access to OT systems and for privileged access on-site?

· Strong Passwords: Is a strong password policy enforced for all OT accounts?

· User Account Management: Are processes for creating, modifying, and deactivating user accounts (including third-party vendors) in OT systems clearly defined and followed?

E. NIS2 focused OT security Incident Response and reporting

· Incident Response Plan (OT-specific): Is a detailed incident response plan tailored for OT cybersecurity incidents developed and regularly tested?

· Incident Detection and Analysis: Are tools and processes in place for timely detection and analysis of OT incidents?

· Containment and Eradication: Are procedures defined for containing and eradicating OT incidents safely?

· Recovery Procedures: Are robust recovery procedures in place, including backups of OT configurations and data, and validated restoration processes?

· Reporting Obligations: Are clear internal procedures established for reporting "significant incidents" to the national CSIRT/competent authority within NIS2's 24/72-hour and one-month deadlines?

· Internal Communication Plan: Is there a plan for communicating incident status to internal stakeholders, including management and affected departments?

· External Communication Plan: Is there a plan for communicating with external stakeholders (e.g., customers, public, regulators) if required by the incident's impact?

F. Supply chain security

· Supplier Risk Assessment: Do you have a process for assessing the cybersecurity risks posed by your direct suppliers and service providers for OT components and services?

· Contractual Security Requirements: Do your contracts with suppliers include specific cybersecurity clauses and requirements aligned with NIS2?

· Supplier Monitoring: Are processes in place to continuously monitor the cybersecurity posture and compliance of critical suppliers?

· Security for Procurement: Are cybersecurity considerations integrated into the procurement process for all new OT systems and components?

G. Human resources and awareness

· Cybersecurity Awareness Training: Is mandatory, regular cybersecurity awareness training provided to all employees, with specific modules for OT personnel?

· OT SIMEX (simulation exercises): Have simulation exercises been conducted for OT incidents?

· Social Engineering Training: Does training include specific modules on identifying and resisting social engineering attacks (e.g., phishing, spear-phishing)?

· Role-Specific Training: Do OT engineers and operators receive specialized training on secure operational practices, incident handling in OT, and secure configuration?

· Security Culture: Are efforts made to foster a strong cybersecurity culture throughout the organization, from top management to shop floor personnel?

H. Documentation and continuous improvement

· Comprehensive Documentation: Is all cybersecurity-related documentation (policies, procedures, risk assessments, incident reports, training records, architectural diagrams) up-to-date and accessible?

· Internal Audits: Are regular internal audits conducted to assess NIS2 compliance within OT?

· External Audits/Assessments: Are you prepared for potential external audits or assessments by national authorities?

· Lessons Learned: Is a process in place to review incidents, audits, and changes to derive "lessons learned" and continuously improve cybersecurity posture?

· Threat Intelligence Integration: Is relevant cyber threat intelligence actively consumed and integrated into your risk management and security operations for OT?

· Continuous OT Security Risk Assessment: Is risk assessed at regular intervals so that security risks are managed proactively?

By working through this roadmap and checklist with diligence, OT operators can not only achieve NIS2 compliance but also significantly enhance their overall cybersecurity resilience, protecting their critical operations from the ever-growing array of cyber threats. The deadline for transposition into national law may have passed, but the actual enforcement and compliance journey is just beginning. Proactive engagement now is key to safeguarding your operations and avoiding significant penalties.

Reach out to Shieldworkz' NIS2 team to learn more about NIS2 compliance through a comprehensive risk assessment exercise, an OT security solution, or a security operations center.

Learn more about our OT security services for OT operators.
