If you are a CISO or Plant Manager at a European utility today, you are likely operating under a new kind of pressure. The Network and Information Security (NIS2) Directive has shifted the conversation from "suggested best practices" to "mandatory legal requirements," with personal liability for management now on the table. 

For many utilities, the biggest compliance hurdle isn’t the IT network-it’s the operational technology (OT) shadow. Specifically, the hundreds of Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) ticking away in substations and generation plants. Many of these devices speak legacy languages like Modbus or IEC 104, protocols designed decades before "cyberwarfare" was a word. 

You cannot protect what you cannot see, and for too long, OT asset inventories have been reliant on static Excel spreadsheets that are outdated the moment they are saved. To meet NIS2’s strict asset management and risk analysis requirements (Article 21), utilities must move to dynamic, automated inventorying. But how do you map these fragile "black box" devices without accidentally knocking the grid offline? 

This guide outlines a safe, step-by-step framework for NIS2 & PLC Risk Mapping, helping you inventory your most critical assets without disrupting operations. 

Before we move forward, don’t forget to check out our previous blog post “CISA’s advisory for critical infrastructure operators to enhance secure communications”, here.   

The NIS2 Mandate: Why "Good Enough" is Gone 

Under NIS2, entities in the energy sector are classified as "essential." This designation comes with stringent obligations. It is no longer enough to have a firewall at the IT/OT boundary. You are now required to demonstrate: 

• Deep Asset Visibility: A comprehensive, up-to-date inventory of all hardware and software. 

• Risk Analysis: A documented understanding of the vulnerabilities within those assets. 

• Supply Chain Security: Assessing the security posture of the vendors who made your PLCs. 

Failure to comply isn’t just a fine (up to €10M or 2% of global turnover); it can lead to temporary bans on executives holding management positions. The days of pleading ignorance about a rogue Modbus gateway in a remote substation are over. 

The Challenge: The "Black Box" Paradox 

Why is inventorying PLCs so difficult? It comes down to the fragility of legacy industrial protocols. 

In the IT world, you can aggressively "scan" a network. You ping a server, it pings back. You query a port, it tells you its version. Do that to a 15-year-old PLC controlling a high-voltage breaker, and you risk overwhelming its CPU. We call this the "active scanning risk." 

• Modbus TCP/RTU: A master-slave protocol with no built-in security. It trusts every command. An aggressive scan can flood the command queue, causing the PLC to freeze or reset. 

• IEC 61850 / IEC 60870-5-104: While more modern, these complex protocols often run on legacy hardware with limited processing power. 

This creates a paradox: You need to know what devices you have to secure them (NIS2), but trying to find them effectively might disrupt the very service you are trying to protect. The solution lies in passive discovery and protocol-aware analysis. 

Step-by-Step: A Safe Framework for Inventorying PLCs 

To bridge the gap between fragile hardware and strict regulation, Shieldworkz recommends a four-phase approach aligned with IEC 62443 standards. 

Phase 1: Passive Asset Identification 

Instead of "asking" devices who they are (active scanning), we listen to the conversation they are already having. By placing a passive tap or configuring a SPAN port on your industrial switches, you can ingest copies of network traffic without touching the PLCs. 

• What we capture: MAC addresses, IP addresses, vendor OUI (Organizationally Unique Identifier). 

• The Result: A baseline map of every device communicating on the network, including "shadow OT" devices like unauthorized maintenance laptops or rogue Wi-Fi access points. 

Phase 2: Deep Protocol Analysis (DPI) 

Once we see the devices, we need to understand their language. Deep Packet Inspection (DPI) allows us to dissect the payloads of industrial protocols. 

• For Modbus: We analyze the Function Codes. Is this device only reading data (Function Code 03/04), or is it writing coils (Function Code 05/15)? A PLC that is receiving write commands from an unknown IP is a critical risk. 

• For IEC 61850: We parse GOOSE (Generic Object Oriented Substation Event) messages to understand the real-time control commands being sent between relays. 

• Firmware Detection: Often, devices broadcast their firmware version in the header of setup packets. Passive analysis can capture this to match against CVE (Common Vulnerabilities and Exposures) databases. 

Phase 3: Network Topology & Segmentation Mapping 

NIS2 and IEC 62443-3-2 emphasize "Zones and Conduits." You must prove that critical control devices are segmented from business networks. 

Your inventory must visualize the logical path of traffic. 

• Are your safety instrumented systems (SIS) talking directly to the billing server? (They shouldn't be). 

• Is Modbus traffic crossing the firewall into the corporate IT zone? 

Phase 4: Criticality & Risk Evaluation 

Not all PLCs are created equal. A PLC monitoring the temperature of the breakroom AC is less critical than the PLC controlling the turbine speed. 

Risk Mapping Formula: 

$$\text{Risk Score} = (\text{Asset Criticality} \times \text{Vulnerability Severity}) \times \text{Exposure Level}$$ 

• Asset Criticality: Does this device impact safety, generation capacity, or environmental compliance? 

• Vulnerability Severity: Does it have unpatched firmware with known exploits (e.g., "Incontroller" or "Pipedream" malware targets)? 

• Exposure: Is it accessible via the internet or cellular gateways? 

Technical Deep Dive: Mapping Modbus Registers for Security 

For the technical leads and engineers, risk mapping goes deeper than just IP addresses. You need to map the memory map of the PLC to understand the physical impact of a cyberattack. 

Hackers don't just "hack a PLC"; they manipulate specific memory registers to trick the process. 

• The Attack Vector: An attacker might overwrite a "High-Temperature Alarm" setpoint (e.g., Modbus Register 40001) from 100°C to 1000°C. The system thinks it's safe while the equipment overheats. 

• The Defense: Your inventory system must identify which registers correspond to critical parameters. By baselining "normal" values for these specific registers, you can set alerts for Process Anomalies. 

• Example: "Alert me if the value in Register 40001 changes by more than 10% in 1 minute." 

This level of granularity is what transforms a simple "list of devices" into a Cyber-Physical Risk Assessment. 

Alignment with ENISA & Regulatory Standards 

Your inventory project directly supports your compliance posture. Here is how this data maps to the regulations: 

Common Pitfalls in PLC Inventory Projects 

1. Trusting the Paper Trail: We recently audited a utility that claimed to have 50 PLCs. Our passive scan found 85. The "extra" 35 were test units and vendor maintenance gateways that were never documented-perfect backdoors for attackers. 

2. Ignoring Serial Devices: Many critical PLCs connect via serial (RS-485) to a gateway. If you only scan the Ethernet side, you miss the devices behind the gateway. Solution: Use a solution that can parse nested protocols. 

3. "Set and Forget": An inventory is a snapshot. NIS2 requires continuous monitoring. A contractor plugging in a laptop next Tuesday invalidates your inventory from today. 

How Shieldworkz Helps 

At Shieldworkz, we understand that in the utility sector, availability is king. You cannot afford downtime for the sake of security. 

Our Agentic-AI Powered Infrastructure Protection platform is designed specifically for the unique constraints of OT environments: 

• 100% Passive Visibility: We use advanced network taps and span port ingestion to map your Modbus and IEC assets without sending a single packet that could disrupt operations. 

• Automated Risk Mapping: Our AI correlates asset criticality with real-time threat intelligence to give you a prioritized "fix list," not just a flood of alerts. 

• Continuous Compliance: We automatically map your security posture to NIS2 and IEC 62443 requirements, generating the reports your auditors need with a single click. 

Don't wait for the audit. Get visibility into your critical infrastructure today. 

Conclusion 

NIS2 is raising the bar for industrial cybersecurity, but it is also an opportunity to regain control of your OT networks. By moving from static spreadsheets to dynamic PLC Risk Mapping, you don't just achieve compliance-you build a more resilient, reliable, and secure utility. 

Ready to start your risk mapping journey? 

Download our " Essential NIS2 Checklist for Organizational Readiness" Here 

Access our regulatory playbooks here 

Or, take the next step and Book a free consultation with our experts: here to see your network clearly for the first time.