CIA triad in the manufacturing practice: Balancing IT and OT security

As IT experts know, in information technology, CIA refers not to the American intelligence agency, but to the three pillars of the CIA triad – Confidentiality, Integrity, Availability. The importance of these principles is becoming more apparent in the OT sector. This is why we are taking a closer look at this foundational model of IT security, and how it applies to today’s production environment. In this post, you’ll learn the specific challenges companies face in upholding the CIA triad, and the appropriate strategies to overcome them.

The three pillars of the CIA triad

The CIA triad provides a basic framework for guiding thinking on organizational security. This data-centered model recognizes the importance of data collection and analysis in organizations, and in particular, in a networked Industrial Internet of Things (IIoT). But what exactly do we mean by the three pillars of confidentiality, integrity, and availability?

Confidentiality

Confidentiality refers to protecting data from unauthorized access to ensure that sensitive information remains private. In production environments, data confidentiality is traditionally lower in the prioritization than the other two principles, but it should not be overlooked. Proprietary production data crucial to the company’s success, such as confidential formulas like the Coca-Cola recipe, must be safeguarded against espionage.

Integrity

Integrity means protecting specific data sets against unauthorized alteration, whether at their storage location or during transfer. In addition, any changes that are made should be detected and reported. In production, data integrity is often critical. Consider, for example, the formula of a drug in pharmaceutical production – if a machine parameter deviates undetected, the impact could be devastating.
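As an added illustration (not code from the original post or from TRIOVEGA), the following Python script shows the "detect and report" half of the integrity principle for a machine parameter set: the released parameters are sealed with a keyed hash (HMAC-SHA256) over a canonical serialization, and a later check both rejects a changed set and names the parameter that deviated. The parameter names, values and key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: a machine parameter set as released to the line.
# Names and values are illustrative, not taken from any real control system.
RELEASED_PARAMETERS = {
    "mixing_time_s": 120,
    "temperature_c": 37.5,
    "dosing_mg": 250,
}

# Key held only by the release process (constructed for this example).
RELEASE_KEY = b"example-release-key-do-not-reuse"


def canonical_bytes(params):
    """Serialize deterministically, so equal parameter sets always give equal bytes."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(params, key):
    """Keyed tag (HMAC-SHA256) over the parameter set, computed once at release time."""
    return hmac.new(key, canonical_bytes(params), hashlib.sha256).hexdigest()


def verify(params, tag, key):
    """True only if the parameter set matches the released one byte for byte."""
    return hmac.compare_digest(seal(params, key), tag)


def report_deviations(reference, current):
    """Name every parameter that differs, so a failed check is reported, not merely flagged."""
    deviations = []
    for name in sorted(set(reference) | set(current)):
        if reference.get(name) != current.get(name):
            deviations.append((name, reference.get(name), current.get(name)))
    return deviations


def check_parameter_set(current, tag, key, reference=RELEASED_PARAMETERS):
    """Return (ok, deviations): ok is the tag result, deviations says what changed."""
    if verify(current, tag, key):
        return True, []
    return False, report_deviations(reference, current)


if __name__ == "__main__":
    tag = seal(RELEASED_PARAMETERS, RELEASE_KEY)
    print(check_parameter_set(RELEASED_PARAMETERS, tag, RELEASE_KEY))
    # A tenfold dose written to the controller without authorization.
    print(check_parameter_set(dict(RELEASED_PARAMETERS, dosing_mg=2500), tag, RELEASE_KEY))
```

A keyed tag is used rather than a plain hash because whoever can alter the parameter file could also recompute an unkeyed hash over the altered content; with the key held only by the release process, a silent change cannot be covered up. The wrong-key case is also informative: the tag fails but the deviation list is empty, which is how the check tells tampered data apart from a key or configuration problem.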

Availability

For data to be usable, it must be available when the user or service needs it. The principle of availability means ensuring the highest possible system uptime, and providing resources for the retrieval and transport of data. This is also a key challenge in the operation of a production line. Production downtime, for example, caused by the non-availability of a new machine parameterization, can be so expensive that it endangers the company’s survival.

Strategies to strengthen the complete CIA triad in the Industry 4.0 environment

Ideally, the three principles of data security intertwine, strengthening cyber resilience in the organization, and making data available – laying the foundation for future business success. In practice, however, the complex dependencies and diverse requirements of the digitalized production components can lead to conflicts in the CIA triad implementation. Here are some strategies for industrial companies to help eliminate these conflicts, and optimize confidentiality, integrity, and availability holistically.

1. Resolve IT/OT convergence with full network segmentation and data transformation

While IT and OT are increasingly converging in industry, they have different requirements that may cause friction. Production typically prioritizes stable processes and uninterrupted system availability, which doesn’t always align with IT’s focus on measures to increase confidentiality and integrity. An example is the need for short security update cycles and advanced encryption procedures.

The result is interrupted communication between networks due to compatibility issues. In addition, there is a risk that malware can spread from one of the two areas throughout the entire corporate network.

Network Edge software solutions can resolve these conflicts. Similar to the Software Air Gap Principle, individual products, such as edge.SHIELDOR, fully separate OT and IT networks without compromising communication. Data packets are routed through a multi-layered container system, where they are scanned for malware before they enter the target network.

Moreover, secure modern protocols used in IT can be converted into older versions, for example, SMBv3 to SMBv1, before being sent to the production plant. The reverse is also possible, ensuring that output from the plant can be received in IT.

2. Extend centralized user management to the OT network

Traditionally, a core strategy for maintaining confidentiality in IT networks is comprehensive user and role management. Following the principle of least privilege, each employee is assigned only the access rights they need to perform their tasks. When users log on to the network, they are authenticated to establish their identity, and then authorized according to the permissions for each directory they access.

Implementing such user management in OT environments can be challenging. The administration of such rights is often not available in older machines and software, let alone the implementation of modern security techniques, such as multi-factor authentication.

When OT security solutions like edge.SHIELDOR are implemented on the production line, it is possible to securely integrate the OT network into the rest of the organization. Protection mechanisms, such as token-based two-factor authentication, or central active directory integration, allow services like remote maintenance tools to be assigned to specific users. This ensures strict data confidentiality standards are implemented, even in the production environment.

3. Product and process development according to established standards such as IEC 62443

Existing standards act as gold standards for implementing the CIA triad in industrial environments, e.g., with the IEC 62443 for Industrial Automation Control Systems (IACS). This framework contains policies and procedures broad enough to cover a wide range of systems and equipment in the manufacturing industry.

Applying these guidelines in the development of software components – from the production process through to the final product – provides the perfect balance between confidentiality, integrity, and availability. Ideally, the entire product lifecycle is included in the development process, including Vulnerability Management with Security Information & Event Management (SIEM).

At TRIOVEGA, our processes are certified according to IEC 62443-4-1, ensuring that our Custom Software Solutions and industrial products are designed and developed according to the highest safety standards.

The future: From data-centric security model to data-driven production

If these strategies are taken into account, the data made available can be used with intelligent data science methods, such as those provided by service.factoryINSIGHTS, to create in-depth analyses. Rather than just reacting, organizations can use this software to proactively identify patterns and act before production risks even arise.

Get personalized advice from our experts on how to strengthen the CIA triad in your company. We would be delighted to present our solutions in a one-on-one meeting.

Author: Mareike Redder

Mareike Redder has been working as an IT engineer at TRIOVEGA GmbH since 2018, and has been responsible for product management since 2022.


The NIS 2 Directive: The measures industrial companies must take to comply

In the first part of our series on the NIS 2 Directive of the European Union, we explained the timeline of the NIS 2 introduction, and clarified which companies will be affected. Now, we want to address the actual content of the regulation. What measures must you take, and what are the consequences of non-compliance?

In many EU member states, the requirements have already been transposed into law, while in some countries, such as Germany and France, the process has been delayed by several months. However, this doesn’t mean you can sit back and relax. On the contrary. For manufacturing companies with multi-layered production environments and complex operating procedures, introducing new security measures will take time – more than the time left until the new national law is put into place. Read on to find out how to prepare for the new directive.

NIS 2 Directive: An overview of the requirements

The NIS Directive provides a framework that each country must transpose into concrete national information security and cybersecurity requirements for the affected companies. Using an All-Hazards Approach, the directive aims to cover the broadest possible spectrum of risks, not limited to IT or cyberattacks.

Although we are still waiting for the final legal text in Germany, the core content of the EU legal framework, e.g., for critical infrastructure KRITIS, provides excellent insight into the measures that affected companies will have to address. The following is not an exhaustive list of the directive’s measures, but they are the ones most pertinent.

1. Risk management

Every company is exposed to a number of risks that extend beyond cyber risks to include all assets, persons, and business units, including intangible assets such as intellectual property and reputation. In risk management, we identify these risks, taking individual factors into account, assess the threat potential, and ultimately contain them.

The established standard is an Information Security Management System (ISMS), which covers all risk management and mitigation steps. As the international ISO 27001 standard has similar requirements for dealing with risks to the NIS 2 Directive, organizations such as TRIOVEGA with an ISO 27001-compliant ISMS are well-prepared for the new regulations. Most of the requirements for dealing with risks are designed similarly in the two frameworks.

Companies should not underestimate the continuous effort of updating the ISMS due to changing threat requirements and the adjustments required after security incidents. It is also necessary to review and accept unavoidable residual risks, in consultation with management.

Furthermore, the OT environments in production play a significant role in risk management. In many cases, potential risks for production lines have never been systematically recorded, and so remain unknown. Yet it is precisely the long service life of systems, with software that cannot be updated, that makes OT particularly susceptible to cyberattacks. Affected industrial companies should therefore carefully identify all assets and risks in the production area and initiate special mitigation measures in order to best prepare for NIS 2.

2. Incident Handling

Should security incidents occur despite careful risk mitigation, they must be quickly identified, rectified, and ultimately reported. The industrial sector should pay particular attention to the detection of cyberattacks: According to the IBM Data Breach Report 2024, it takes 199 days to identify an attacker in the systems of industrial companies, significantly longer than in other sectors.

In addition, NIS 2 sets strict deadlines for reporting to the authorities. Serious incidents must be reported to the responsible body within 24 hours of becoming known. To this end, suitable processes must be proven and personnel must be trained accordingly.

edge.SHIELDOR, TRIOVEGA’s OT security software solution, minimizes the damage that a cyber incident can cause. Similar to the Air Gap principle, the plant network is completely isolated from the higher-level company IT, and the individual services are segmented, preventing the spread of malware. Unwanted communication attempts are identified and blocked. Information about attackers can also be collected and analyzed in central logging systems by logging network traffic.

3. Business continuity and recovery plans

As it is imperative for industrial companies to maintain production operations, this plays a major role in NIS 2. In the event of an emergency, the organization must have recovery plans, and all relevant data must be regularly backed up. To increase reliability, production lines must have an adequate level of redundancy.

The more production is automated, the faster operations can be resumed after an incident. With individual solutions for customers, TRIOVEGA automates, for example, machine parameterization. This allows systems to be managed effectively and restarted promptly after an emergency without data being lost.

4. Supply chain security

The NIS 2 Directive also addresses the supply chain, which is a particular concern of the manufacturing industry.

Organizations must thoroughly check suppliers of both hardware and software components for compliance with the required security standards. Every service level agreement (SLA) with business partners must define security obligations and requirements, and compliance must be monitored.

For closer partnerships, manufacturers must carry out audits of their suppliers, to identify and rectify potential weaknesses before the collaboration begins. If partners can already demonstrate a high level of security with existing certifications, the workload for this task can be minimized. TRIOVEGA, for example, can prove compliance with the IEC 62443 standard for industrial communication networks.

5. Access controls and rights management

In most companies, physical access to offices and factory buildings is already strictly controlled as part of information security. However, NIS 2 also requires the implementation of seamless access controls and rights management in the digital space to increase the security of IT systems and connected networks.

Employees should be assigned clearly defined user roles that regulate access across all of the organization’s systems and draw on established best practices, such as the principle of least privilege, i.e., the assignment of the minimum rights required to perform a task. As these rights are often granted almost automatically on many shop floors, altering this approach will require a change in the daily working practices of production staff.
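As an added example (not code from the original posts or from TRIOVEGA), the following Python snippet implements the role model described in this section and in the user-management section of the CIA triad post above: a user is resolved to a role, the role grants rights only on named directory trees, requested paths are normalized so that ".." cannot reach outside a granted tree, everything else is denied by default, and a second function lists granted rights that nobody exercised in a sample access log, which is the periodic review least privilege needs. Role names, paths, users and the log are constructed.

```python
import posixpath

# Constructed role model: illustrative roles, users and directory trees, not from any real site.
# A role gets rights only on the named trees; anything not listed is denied.
ROLE_PERMISSIONS = {
    "operator": {
        "read": ["/plant/line1/recipes"],
        "write": ["/plant/line1/logs"],
    },
    "maintenance": {
        "read": ["/plant/line1/recipes", "/plant/line1/logs"],
        "write": ["/plant/line1/parameters"],
    },
}
USER_ROLES = {"anna": "operator", "bo": "maintenance"}


def normalize(path):
    """Resolve '.' and '..' so a request cannot reach outside a granted tree by path tricks."""
    return posixpath.normpath("/" + path.lstrip("/"))


def under(path, tree):
    """True if path is the tree itself or lies inside it (match on whole path components)."""
    return path == tree or path.startswith(tree.rstrip("/") + "/")


def authorize(user, action, path, roles=USER_ROLES, perms=ROLE_PERMISSIONS):
    """Deny by default: unknown user, unknown action or unmatched tree all give (False, reason)."""
    role = roles.get(user)
    if role is None:
        return False, "unknown user"
    normalized = normalize(path)
    for tree in perms[role].get(action, []):
        if under(normalized, tree):
            return True, f"{role} may {action} {tree}"
    return False, f"{role} has no {action} right on {normalized}"


def unused_rights(access_log, roles=USER_ROLES, perms=ROLE_PERMISSIONS):
    """Least-privilege review: granted (role, action, tree) rights that no successful access used."""
    exercised = set()
    for user, action, path in access_log:
        ok, _ = authorize(user, action, path, roles, perms)
        if not ok:
            continue
        role = roles[user]
        normalized = normalize(path)
        for tree in perms[role][action]:
            if under(normalized, tree):
                exercised.add((role, action, tree))
    granted = {(role, action, tree)
               for role, actions in perms.items()
               for action, trees in actions.items()
               for tree in trees}
    return sorted(granted - exercised)


# Constructed access log: (user, action, requested path).
SAMPLE_LOG = [
    ("anna", "read", "/plant/line1/recipes/r1.json"),
    ("anna", "read", "/plant/line1/recipes/../parameters/p.cfg"),  # resolves outside the granted tree: denied
    ("bo", "write", "/plant/line1/parameters/p.cfg"),
    ("eve", "read", "/plant/line1/recipes/r1.json"),               # no account: denied
]

if __name__ == "__main__":
    for user, action, path in SAMPLE_LOG:
        print(user, action, path, authorize(user, action, path))
    print("granted but never used:", unused_rights(SAMPLE_LOG))
```

The review function is the part that changes day-to-day practice on the shop floor: rights that were granted "almost automatically" show up as never exercised and become candidates for removal, instead of accumulating unnoticed.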

What are the penalties for inadequate implementation?

The previous NIS Directive did not stipulate possible sanctions for companies at the EU level, preferring to leave this up to the member states. As this led to a confusing patchwork of different regulations, especially for international organizations, the NIS 2 Directive provides a clearer framework.

Overall, the legal consequences for non-compliance have been significantly expanded:

Company management must approve measures taken and monitor compliance. If management does not comply with this obligation, those responsible can be held personally liable.

Fines have been significantly increased and can be up to €10 million or 2% of global turnover.

If network security is compromised by widespread malware, for example, regulators can shut down business operations until the threat is contained.

Secure the future of your company – act now

For companies in the production industry, the NIS 2 Directive makes it critical to establish a safety culture. Measures to increase information security and cybersecurity should not be seen purely as an expense, but rather as an investment in company resilience, which secures future business success. Stand out from your tardy competition with effective security practices that provide a unique selling point.

With its customized products and services for industrial manufacturing, TRIOVEGA offers a balance between safety and increased efficiency. edge.SHIELDOR secures your production against cyber risks and paves the way for data-driven process optimization, implemented by our service.factoryINSIGHTS experts. In addition, our Custom Software Solutions teams develop secure individual software solutions for your entire value stream right through to the end product. Get in touch with us!

Author: René Janz

René Janz is an industrial engineer with extensive knowledge of the shop floor. He has been with TRIOVEGA GmbH since 2023, and as Director Business Development, René is responsible for the strategic expansion of OT security and digitalization in the production industry.


Risk management for OT networks: Getting IT/OT convergence right

If you attend a cybersecurity trade fair or event with a focus on industrial production, you’ll hear the same question again and again: How can we harmonize our IT and OT systems?

In the face of ever-increasing cyber crime threats, companies must raise awareness of cyber risks throughout their organization, and prioritize their elimination. Sufficient space should be created for the important exchange between IT and OT specialists in the company.

In this article, we want to examine the fundamental challenges that arise when integrating shop floor assets into the Information Security Management System (ISMS), and highlight strategies that organizations can put in place to overcome them.

The fundamental differences between OT and IT

1. Operational priorities

In the IT environment, the top priority is confidentiality and data integrity, while in OT networks, organizations are more concerned with availability and process stability. Production downtimes have a direct impact on the business, and cannot be compared with a quick system restart in IT.

2. Life cycle of the systems

Production systems are planned over decades due to the high acquisition costs. As a result, many systems that are still in use today have outdated hardware and software, and were never designed for networking. In contrast, IT systems have much shorter life cycles, and receive continuous manufacturer updates for their entire service life.

3. Network communication

Industrial systems often communicate using specialized network protocols and standards, for example, to enable real-time connections with the lowest possible latency. Due to the high workload and expense, these protocols are rarely updated during the runtime of the machines, making them incompatible with the IT networks. For example, many older OT systems still require the Server Message Block (SMB) protocol in the insecure version SMBv1, while most IT systems work with the updated SMBv3.

However, software tools such as the edge.SHIELDOR from TRIOVEGA can be used to enable monitoring of network traffic and bidirectional communication between the networks. This patented solution for OT security can, for example, convert files in the IT network in SMBv3 to the outdated SMBv1, and synchronize them with an OT network directory. The software also supports synchronization in the other direction. The files are continuously checked for malware signatures, and any threats are isolated, which enables communication with the system while reducing security risks.

Key elements of successful IT/OT convergence

1. Uniform risk management

Companies must take the unique features of both system landscapes into account when assessing corporate risks. Successful risk management combines the operational and security-related effects of all IT and OT components in a common strategy for the ISMS, and also includes communication across network boundaries.

Existing ISMS guidelines should be expanded to include OT-specific aspects:

Special patch and update processes that take production times into account

Customized backup strategies for control systems

OT-specific incident response plans

Special access controls for maintenance personnel and external service providers

New cyber security regulations, such as the EU NIS 2 Directive, which affects most industrial companies, require the integration of OT systems into the cross-organizational security concept. If you include the above points in your ISMS, you will be well-prepared to meet the new legal requirements.

2. Training and raising awareness

This joint approach requires a mutual understanding of the specific challenges in the IT and OT departments within the company. In the past, OT and IT work was siloed. Nowadays, employees in production need to be sensitized to IT security risks, while IT staff need to understand the unique requirements of the production side of the business. It is essential that companies provide regular training and liaison opportunities between the two business areas.

3. Network segmentation and monitoring

Companies must preserve a strict separation between IT and OT networks to prevent malware from spreading through the entire organization. A traditional approach to network segmentation enables the necessary connection via open ports, but this provides a gateway for cyberattacks.

Software solutions such as edge.SHIELDOR can help. Using the air gap concept, we can achieve a complete separation between the networks. Data traffic between production facilities and company IT is selectively permitted via positive or negative filter rules. Intrusion detection and intrusion prevention systems identify and block unwanted communication attempts. The network ports can remain closed.
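As an added example (not TRIOVEGA's code and not the edge.SHIELDOR rule format), this Python snippet shows the positive/negative filter logic described above applied to constructed connection attempts: rules are tried in order, a negative rule placed first blocks a flow that a broader positive rule below it would admit, and anything no rule matches is dropped, which is the "ports stay closed" default. Addresses, ports and the log format are made up for the example.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst port proto")
Attempt = namedtuple("Attempt", "src dst port proto")

# Constructed rule set (illustrative networks, not from any real deployment).
# Rules are tried in order and the first match decides; a port or proto of None matches anything.
RULES = [
    Rule("deny", "10.20.99.0/24", "192.168.50.0/24", None, None),    # guest Wi-Fi never reaches the line, on any port
    Rule("allow", "10.20.0.0/16", "192.168.50.20/32", 4840, "tcp"),  # office clients may read OPC UA from one server
    Rule("allow", "192.168.50.0/24", "10.20.7.10/32", 514, "udp"),   # the line may send syslog to the collector
]


def matches(rule, attempt):
    """True if the attempt falls inside the rule's source and destination networks, port and protocol."""
    return (ipaddress.ip_address(attempt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(attempt.dst) in ipaddress.ip_network(rule.dst)
            and rule.port in (None, attempt.port)
            and rule.proto in (None, attempt.proto))


def decide(attempt, rules=RULES):
    """Return (action, reason). Nothing matched means the port stays closed: deny by default."""
    for index, rule in enumerate(rules, start=1):
        if matches(rule, attempt):
            return rule.action, f"rule {index}"
    return "deny", "default"


def parse_line(line):
    """Parse the constructed 'src=... dst=... port=... proto=...' log format."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Attempt(fields["src"], fields["dst"], int(fields["port"]), fields["proto"])


def evaluate(lines, rules=RULES):
    """Decide every line of a constructed connection log."""
    return [decide(parse_line(line), rules) for line in lines]


# Constructed connection attempts as they might be logged at the network edge.
SAMPLE_LOG = [
    "src=10.20.7.10 dst=192.168.50.20 port=4840 proto=tcp",   # office client reading OPC UA: allowed by rule 2
    "src=10.20.99.5 dst=192.168.50.20 port=4840 proto=tcp",   # same service from guest Wi-Fi: the earlier negative rule wins
    "src=192.168.50.31 dst=10.20.7.10 port=514 proto=udp",    # syslog from the line: allowed by rule 3
    "src=10.20.7.10 dst=192.168.50.20 port=445 proto=tcp",    # SMB straight into the line: no rule, so dropped
]

if __name__ == "__main__":
    for line, (action, reason) in zip(SAMPLE_LOG, evaluate(SAMPLE_LOG)):
        print(f"{action:5} {reason:8} {line}")
```

The last sample line is the case the section is about: a connection that would work on a conventionally segmented network with an open port is dropped here because nothing positively permits it, and the decision is logged with the rule that produced it, which is what a central logging system needs to see.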

These basic strategies help companies efficiently manage the convergence of IT and OT. Naturally, each company has individual factors and issues that must be addressed carefully.

More questions? Book your consultation appointment

With these basic strategies, companies can efficiently shape the convergence of IT and OT. Of course, many aspects need to be considered in greater detail, depending on individual factors. Our experts will be happy to advise you online on our product portfolio.

Author: René Janz

René Janz is an industrial engineer with extensive knowledge of the shop floor. He has been with TRIOVEGA GmbH since 2023, and as Director Business Development, René is responsible for the strategic expansion of OT security and digitalization in the production industry.


Industry 4.0 and OT security: The 4 most common cyber attacks and how to protect your company

It is every cybersecurity manager’s worst nightmare. You grab a cup of coffee, boot up your computer, connect to the intranet, and … nothing happens. You are locked out. There is no access to internal files, systems are encrypted. You gradually realize that the company has been the victim of a ransomware attack. Relevant staff members are informed, the production facilities are shut down, and everything comes to a standstill.

This scenario has played out in many industrial companies in recent years. Cyber attacks aren’t just happening more often, they are becoming more technically sophisticated. It is becoming an increasingly important and challenging task to protect modern, networked production plants against this kind of attack.

The most common risks for OT security

In this article, we will highlight the most common cyber attacks facing industrial companies with networked production. We will also cover the most effective strategies for eliminating vulnerabilities.

1. Insider threats

When a company’s employees—or external partners with access to parts of the organization—cause damage, this is known as an insider threat. These include both malicious and unintentional actions by the insider.

When an employee falls for a phishing link in an email and allows malware to sneak into the company network, this is classified as an insider threat, just as when a production manager deliberately manipulates the industrial control system (ICS).

Here are the basic principles of good cybersecurity practice that are recommended to mitigate unintentional insider threats:

Regular employee training courses
that include current risks and practical training

Access controls and file permissions
assigned according to the Principle of Least Privilege (PoLP), so that only the lowest possible privilege is granted

Network segmentation and firewalls
to prevent the spread of malware across multiple business units

When it comes to malicious insider attacks and industrial espionage, the defense options are naturally limited. Basically, you can’t run a business without giving employees the necessary authorizations to do their jobs. Cybersecurity managers around the world are aware of this. According to a report by Cybersecurity Insiders 2023, 74% of respondents saw their companies as moderately or severely at risk from insider threats.

The focus should be on the rapid detection of security incidents through continuous monitoring. Machine learning also promises progress in data-based behavioral analysis, which automatically detects and reports deviations from normal user behavior. However, there is a risk of false positives here, for example, when the production process is interrupted.
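To make the false-positive point concrete, here is an added Python example (not from the original post, and not a description of how any particular product works) of a simple per-account behavioral baseline: each account's usual number of parameter writes per hour is learned from constructed history, an observation far above that baseline is scored as an anomaly, and a declared production stop downgrades the hard alert to a review item, because restarting and re-parameterizing a line legitimately produces a burst of writes. Account names, counts and the threshold are assumptions for the example.

```python
import statistics

# Constructed history: parameter writes per hour for two accounts over ten earlier shifts.
# Account names and counts are illustrative.
HISTORY = {
    "operator_a": [2, 3, 2, 4, 3, 2, 3, 2, 3, 4],
    "maint_b": [0, 1, 0, 0, 1, 0, 0, 1, 0, 0],
}


def baseline(samples):
    """Per-account mean and population standard deviation of the historical counts."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def score(user, observed, history=HISTORY):
    """How many standard deviations the observation lies above the account's own mean."""
    mean, stdev = baseline(history[user])
    if stdev == 0:
        return 0.0 if observed == mean else float("inf")
    return (observed - mean) / stdev


def classify(user, observed, downtime_declared=False, threshold=3.0, history=HISTORY):
    """'normal' below the threshold; above it 'alert', or 'review' during a declared production stop."""
    if score(user, observed, history) < threshold:
        return "normal"
    if downtime_declared:
        # The same burst during a declared stop is expected behaviour, so it is queued for
        # a human look instead of interrupting anyone: this is the false positive the text warns about.
        return "review"
    return "alert"


def triage(events, history=HISTORY):
    """Run classify over constructed (user, writes_this_hour, downtime_declared) events."""
    return [(user, classify(user, count, downtime, history=history)) for user, count, downtime in events]


# Constructed events for one hour each.
SAMPLE_EVENTS = [
    ("operator_a", 3, False),   # ordinary shift
    ("maint_b", 1, False),      # one write, well within this account's history
    ("operator_a", 20, False),  # burst with no explanation: raise an alert
    ("operator_a", 20, True),   # same burst during a declared stop: re-parameterizing after a restart
]

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_EVENTS):
        print(user, verdict)
```

The downtime flag is the simplest form of the correlation a real deployment needs: the detector on its own cannot tell a restart from a manipulation, so the context (a maintenance ticket, a declared stop, a change request) has to reach it, or every interruption of the production process will generate alerts.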

At the end of the day, the most important currency in dealing with insider threats is trust: Select partners who can prove their credibility through long-term experience, references, and certifications such as IEC 62443. Foster a respectful and friendly working atmosphere for your employees.

2. Ransomware

Everyone is talking about ransomware attacks, as we described above. And rightly so. According to a report by Sophos, in 2024, the recovery costs alone in manufacturing increased by 55% to 1.67 million dollars compared to the previous year. And that’s without taking into account any possible ransom payments. In addition, a staggering 65% of all industrial companies surveyed reported an incident involving ransomware.

Meanwhile, professional criminal organizations that deal in ransomware are now active around the world, targeting specific weaknesses in vulnerable ICS with customized malware.

Many security managers in the industry are focused on strengthening OT security. This means patching vulnerabilities in outdated control systems and replacing components—a lengthy and time-consuming process.

If this is not possible, or only partially possible, it is imperative to separate the OT and IT networks in the company completely. A frequently used gateway for ransomware is a click on a phishing link on a PC in the company administration offices. With effective network segmentation, the attack can be contained and does not spread from the corporate IT to the OT. However, for this approach, network ports must be opened manually to ensure communication with the plant equipment. As these ports are often not closed again afterward, the network soon resembles a block of Swiss cheese with lots of holes—which is vulnerable to intruders.

TRIOVEGA developed edge.SHIELDOR, a safety solution for production facilities that works precisely at this network edge to shield the systems while still allowing communication to and from the machine. Read more here.

3. Manipulation of production via remote maintenance tools

Remote maintenance software has become an integral part of modern industrial production sites. Being able to control systems from a central location remotely can bring enormous efficiency increases in production management.

However, benefiting from the added efficiency offered by an internet connection also provides cyber criminals with an additional entry point. Usually, remote access tools rely on open network ports for communication—which is where the problems with network segmentation begin. Hackers can gain access to the network via the open ports. They then either manipulate the production parameters directly or use the gateway to explore the company network and gain access to other devices and endpoints. This is a common cyber attack scenario on industrial companies, as malware sneaks in via a vulnerability in the production, and spreads throughout the IT systems.

Multi-factor authentication and secure administration of remote access sessions with connection timeouts are indispensable elements of OT security. However, to achieve the highest security level, we recommend completely eliminating open ports in remote maintenance. Screen transmissions should only be available to authenticated users operating via encrypted VPN connections in the company network. An integrated solution such as edge.SHIELDOR can then be used to manage and monitor user rights and access from a central location.

4. Supply chain attacks

The introduction of the NIS 2 Directive in the EU wasn’t the first time that supply chains have been a focus of cyber security efforts. Increasingly complex supplier networks and production lines, with numerous software and hardware components from different manufacturers, result in increased cyber risks.

Attackers can infiltrate the supply chain at various points, place manipulated equipment in deliveries, or install malware.

That’s why it is so important to choose suppliers carefully and assess the individual risk factors for each candidate. Conduct regular audits of your key suppliers’ safety measures and promote common standards.

For individual software solutions, it is best to work with partners who prioritize security-oriented development and have experience in your specialist area. TRIOVEGA’s development processes for industrial control systems, for example, are certified to the highest safety standard IEC 62443. Our experts from Custom Software Solutions develop cyber-resilient applications with continuous security updates, even after integration. This provides your software components with the best possible protection against cyber attacks.

Secure the future of your company

In a forward-looking industry, investing in cyber security is now more critical than ever. With a plan to mitigate the biggest cyber risks in your company, you can set the course for sustainable business success. Our cybersecurity experts at TRIOVEGA will be happy to answer your questions about the software products and services we offer to accompany you on this journey.

Author: Mareike Redder

Mareike Redder has been working as an IT engineer at TRIOVEGA GmbH since 2018, and has been responsible for product management since 2022.


The NIS 2 Directive is coming. How industrial companies can get ready.

Cybersecurity in Europe is being strengthened. In December 2022, the European Union adopted the NIS 2 Directive, which builds on the first Network and Information Security (NIS) Directive from 2016.

The new regulations expand the sectors affected by the directive, and significantly increase the cybersecurity standards that affected companies must meet.

Particularly in the manufacturing industry, the requirements are immense. Highly complex production systems, with many components, often run for decades on outdated software, if the manufacturer does not provide updates. Hackers are aware of these problems and frequently target the manufacturing industry in their attacks.

In this environment, swift and decisive action is required. In our two-part series, we provide the information you need to optimally prepare your manufacturing company for the NIS 2 Directive.

Let’s start with the when and the who. Will your company be affected by the NIS 2 Directive, and when are the deadlines you must meet? We will also cover the initial steps you can take to prepare for the directive.

NIS 2 Directive – When does it start?

Originally, the EU directive was to have been transposed into the national laws of the member states by October 18, 2024. However, many countries have not completed this step, including Germany, France, and Poland.

In Germany, the Federal Ministry of the Interior and Community, which is responsible for the NIS 2 Directive, expects the NIS 2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) to come into force by March 2025. Hearings are currently taking place in the national parliament (Bundestag), after which the law still has to go through the federal state chamber (Bundesrat). However, the general election in February could postpone the introduction further.

This delay gives you valuable time to implement the measures. The delay may prove to be particularly important, as the NIS2UmsuCG does not currently provide for a transition period.

This means that the cybersecurity adjustments must be in place on the day the law comes into force; otherwise there is a risk of severe penalties.

A good starting point is the establishment of an information security management system (ISMS), which is critical for ISO 27001 certification. Depending on the situation in your company, this process can take anywhere from a couple of months to over a year. If you have not already done so, it is advisable to address this issue as soon as possible. If you reach the required security level before the directive becomes legally binding, you will be optimally prepared and won’t be liable for high penalties.

Who is affected?

The new regulations will affect significantly more companies than the original NIS Directive. A basic distinction is made between two groups of entities, the Essential Entities and Important Entities.

Companies that fall into the Essential Entities group are subject to greater regulatory oversight, and stricter sanctions than Important Entities.

Essential Entities

The Essential Entities group includes sectors that are particularly important for infrastructure, health, and public safety in the EU member states. In Germany, many of these sectors are known as critical infrastructure (KRITIS) and have been regulated for some time. However, it is important to note that the NIS 2 sectors are not identical to the KRITIS sectors.

Except for a few special cases in the area of public administration and digital infrastructure, which are designated Essential Entities regardless of their size, a company must have at least 250 employees or generate over €50 million in annual revenue in order to be assigned to this group.

Important Entities

While the Essential Entities group is only relevant for large companies, a company with at least 50 employees or €10 million in turnover is considered an Important Entity if it is active in one of the listed sectors.

The size classification of NIS 2 follows the general definition of small and medium-sized enterprises (SMEs) as opposed to large companies, although only medium-sized and large companies are affected by the new regulation.

The manufacturing industry, including manufacturers of medical products and mechanical engineering companies, is included in the group of Important Entities.

In Germany, smaller organizations, in particular, have been inadequately informed about the NIS 2 Directive. It is not always clear if a company belongs to one of the affected sectors. Until the law comes into force, and has been applied through precedents, there is still some legal uncertainty. Our NIS-2 Quick Check can help. Find out if your company is affected by NIS 2.

Next steps

Once a company has determined that it is affected by NIS 2, it is often faced with the question of how to implement the required measures as cost-effectively as possible. Here are the first steps that organizations can take to quickly raise cyber resilience to the required level.

1. Identify gaps in the security landscape
First, it is important to get an overview of the situation by implementing company-wide asset scans. This involves recording all physical, digital, and intangible assets to obtain a comprehensive overview.

The main focus should be on the shop floor, with the inventory of all machines, and a component check to ensure they are up-to-date. This step should include all networked machines, their connections, and the software used.

At this point, the areas where action is required have been identified.

2. Prioritize risks
The risks are then assessed and prioritized. Here, too, the focus is likely to be on the production lines. Production downtimes due to cyberattacks can cause such serious damage that the company’s survival can be put at risk.

In addition, as outdated hardware and compatibility issues in production facilities often result in a lengthy update process, this should be tackled as early as possible. If an update is not possible, an OT security solution such as edge.SHIELDOR can secure the machine without having to disconnect it from the company network.

3. Develop mitigation plans
Plans to mitigate the most important risks are an essential part of any security strategy. This includes suitable measures for the rapid detection of cyber incidents and incident response processes. In accordance with the NIS 2 guidelines, serious security incidents in Germany must be reported within 24 hours to the Federal Office for Information Security (BSI).

4. Check supply chain
NIS 2 extends the security requirements to the entire supply chain. This means that an affected company is not only responsible for its own cybersecurity, but also for the security of its suppliers. Contractors must independently check whether the requirements are continuously met.

To ensure the security of your supply chain, we recommend working with your suppliers from an early stage and, ideally, demanding compliance with established standards, such as ISO 27001. In the production environment, standards such as IEC 62443, to which TRIOVEGA is also certified, provide an excellent reference point for purchasing secure solutions and components.
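The first two steps above, an inventory of networked machines and a risk ranking that separates patchable assets from those whose manufacturer no longer ships updates, can be sketched in code. The following is an added example, not TRIOVEGA's tooling; the asset fields, the scoring weights and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One record from the shop-floor asset scan (constructed field set)."""
    name: str
    networked: bool            # reachable from the company network
    software: str
    vendor_updates: bool       # manufacturer still provides updates
    patched: bool              # runs the latest release that exists
    production_critical: bool  # downtime stops the line


def risk_score(a: Asset) -> int:
    """Assumed weighting: exposure, outdated software, and business impact.
    An unpatchable, networked, line-critical machine ranks highest."""
    score = 0
    if a.networked:
        score += 3
    if not a.patched:
        score += 2
    if not a.vendor_updates:
        score += 3  # no fix will ever arrive from the manufacturer
    if a.production_critical:
        score += 2
    return score


def recommend(a: Asset) -> str:
    """Patch where the vendor still ships updates; otherwise the machine
    needs a compensating control (segmentation / OT shielding) or must stay isolated."""
    if a.vendor_updates:
        return "monitor" if a.patched else "patch"
    return "compensating control: segment/shield" if a.networked else "keep isolated"


def prioritize(inventory):
    """Return (name, score, recommendation) tuples, highest risk first."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), recommend(a)) for a in ranked]


# Constructed sample inventory, not data from a real plant.
INVENTORY = [
    Asset("CNC mill 3", True, "controller fw 4.2", False, True, True),
    Asset("Packaging line PLC", True, "runtime 2.1", True, False, True),
    Asset("Office printer", True, "fw 11", True, True, False),
    Asset("Standalone test rig", False, "Windows 7", False, False, False),
]

if __name__ == "__main__":
    for name, score, action in prioritize(INVENTORY):
        print(f"{score:2d}  {name:22s} -> {action}")
```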

What happens next?

As you can see, manufacturing companies face extensive obligations in cybersecurity with the introduction of the NIS 2 Directive. In the second part of our series, we will take a detailed look at the requirements catalog to help you prepare optimally.

Author: Mareike Redder

Mareike Redder has been working as an IT engineer at TRIOVEGA GmbH since 2018, and has been responsible for product management since 2022.
