Skip to main content

Protecting Industrial Infrastructure with NIS2

Published Date
Author Alistair Winning

EU Regulations Aim to Secure Operational Technology

Image Source: Bashirlrshad/stock.adobe.com; generated with AI

By Alistair Winning for Mouser Electronics

Published Setpember 5, 2025

Innovation never stands still. Industry 4.0 barely had time to settle in before we started racing toward Industry 5.0. However, the move to Industry 5.0 is more of a philosophical advance than an engineering-based one. Industry 4.0 was based around technological advances in connectivity, digitization, big data, and automation, which were used to optimize processes, reduce costs, and improve quality.

The philosophy behind Industry 5.0 realizes that successful industrial operation requires more than just increased productivity and efficiency. Three key pillars—human-centered design, sustainability, and resilience—are the missing links to make companies more agile and adaptable to change. Implementing these pillars is likely to offer significant benefits, including the ability to address employees’ skills and training needs, attract a more talented workforce, help fight climate change by using natural resources more efficiently, and rework supply chains and energy consumption practices to make industries more resilient against external disruptions.

This article examines the importance of resilience in Industry 5.0 through the lens of operational technology (OT). Specifically, it explores protection and resilience against cyberattacks from an OT—rather than information technology (IT)—perspective.

Resilience

Industry 4.0 gathered all the data necessary to provide the central computing facility with the information required to make informed decisions on individual processes. That meant connecting billions of devices, many of which were not designed or intended to offer access to the outside world. These devices made up the backbone of the OT side of the business, which oversees physical processes and industrial equipment. Before, OT systems were usually isolated from the outside world. At the advent of Industry 4.0, they needed external connectivity to supply real-time data to the company’s enterprise networks and cloud services (Figure 1). Extended connectivity offers exciting new possibilities but simultaneously opens the door to increased vulnerabilities in ways the original designers had never intended, as OT systems were initially developed to provide reliability and safety, not cybersecurity.

Figure 1: Connected industrial environments offer efficiency gains and open new pathways for cyberattacks. (Source: Premreuthai/stock.adobe.com; generated with AI)

Cyberattacks have posed a threat to businesses for almost as long as the internet has existed. Over that time, the IT industry has developed tools that make unauthorized access difficult, even for experienced hackers. The addition of billions of devices from OT systems opened new attack vectors, and hackers quickly noticed this. Recent research by cybersecurity provider Semperis shows that 62 percent of water and electricity operators across the US and UK were targeted by cyberattacks in 2024, and 80 percent of those companies were targeted multiple times. The researchers also pointed out that the companies that said they were not targeted may have actually been breached, but the organizations did not have the technology or expertise in place to detect the malicious activity.[1]

Cyberattacks can come from a variety of places. In one notable incident, a hacker gained entry to the IT systems of a casino by hacking into the smart thermometer in a fish tank and stole 10GB of data.[2] One big difference between OT and IT systems is that OT cyberattacks can jeopardize more than just data. OT attacks can endanger public health and safety, destroy machinery and the environment, and interrupt production. For example, a person hacked the supervisory control and data acquisition (SCADA) system of a water treatment plant in Oldsmar, Florida, and tried to add a significant amount of lye to the treated water supply to the town.[3] Fortunately, staff at the plant quickly thwarted the unsophisticated attack, but it highlighted the danger of unsecured OT systems and the potential threats to the public.

More sophisticated attacks can pose even more danger while being much harder to stop. In 2022, a group called Gonjeshke Darande was responsible for a cyberattack on an Iranian steel production facility, causing a large fire.[4] An attack of such complexity was previously thought to come only from a hostile nation-state actor. Cyberattacks like this demonstrate how OT systems are now being targeted as an aspect of hybrid warfare against the industrial capabilities of rival nations and performed by groups with nation-states’ resources behind them.

Attacks such as these have prompted countries and trade groups to investigate securing OT systems similarly to how IT systems are governed. The EU Network and Information Security Directive (NIS) (Directive (EU) 2016/1148) was initially adopted by the European Parliament in July 2016 and came into force a month later. It applied to essential services operators and digital service providers, such as energy, transport, healthcare, finance, water management, and digital infrastructure, and aimed to achieve a high standard level of network and information system security across the EU’s critical infrastructure. The directive required organizations in scope to secure IT systems and measure and report incidents that affected the continuity or availability of their services. In 2020, the European Commission started to revise the NIS Directive, resulting in the NIS2 (Directive 2022/2555) legislation, which took effect in January 2023.[5] Each member state had until October 2024 to enact the NIS2 Directive into law, which then replaced NIS1.

NIS2 extends the scope of industries by including providers of public electronic communications, additional digital services, waste and wastewater management, critical product manufacturing, postal and courier services, public administration, and the space sector. The new legislation also encompasses both medium and large organizations. It covers both risk-management and incident-reporting obligations and mandates companies to demonstrate proactive measures that reduce the risks of cyberattacks, report any significant incidents within 24 hours, and make detailed recovery plans. It also makes senior management directly accountable for cybersecurity compliance and allows member states to impose fines and sanctions for non-compliance. To ensure that organizations have taken effective measures and to enhance cybersecurity capabilities across the EU, the directive also includes provisions for supervision, enforcement, and voluntary peer reviews.

Implementation

NIS2 is an overarching legislation intended for those managing change rather than going into detail for those implementing it. Nevertheless, many of the best practices of today’s IT cybersecurity systems can be used as a template to provide OT systems operators a head start.[6] For example, the first step in securing an OT system is usually knowing what the system contains, as there may be thousands of connected devices, many of which are changed and replaced as part of the regular maintenance routine. To achieve this audit, organizations should create a comprehensive asset inventory that includes firmware details, configuration data, and network identities. After that, implementing a zero trust architecture is essential to prevent unauthorized access. OT systems should have strict access controls, such as multi-factor authentication, and secure remote access solutions should be in place to allow external parties, like maintenance vendors, to operate. These solutions should be able to log and control all interactions.

Patching in OT can be disruptive due to the need for continuous uptime, but ignoring it exposes systems. Organizations should establish systematic patch-management programs tailored to OT, incorporating rigorous testing in offline environments before deployment and using maintenance windows strategically. Critical OT assets should then be isolated from other systems by firewalls and other tools that will reduce the threat of hackers moving from one part of the system to another.

Securing OT networks can be like hitting a moving target. New hacking techniques are developed, new devices are installed, and new people have access to networks, so the process of securing the network should always be ongoing. To stay ahead of threats, organizations can perform proactive cyber risk assessments and threat modeling to identify vulnerabilities, simulate different attack scenarios, and stress-test response capabilities. Standards, such as IEC/ISA 62443 and NIST SP 800-82, help structure these tests and help with NIS2’s documentation procedures.

Finally, the human factor can often be the first line of defense and the greatest weakness in any security system. All staff should receive training in cybersecurity best practices, including threat recognition and response protocols. The IT team could be available to pass on learning to both the OT team and the executives responsible for NIS2 implementation.

Conclusion

As Industry 5.0 gains traction, resilience has become a business imperative. OT systems that were once isolated are now deeply integrated into IT networks and the broader digital ecosystem. This integration creates new opportunities but also creates new risks. The NIS2 directive emphasizes that organizations can’t treat cybersecurity as optional or secondary in industrial environments. For engineers and decision-makers alike, now is the time to strengthen defenses, audit vulnerabilities, and implement smarter, human-aware security strategies. The technologies already exist, and the frameworks are in place. Now, a commitment to proactive, continuous improvement is needed. When it comes to OT security, the cost of inaction isn’t just downtime, but the safety, reliability, and resilience of our most critical infrastructure.

 

Sources

[1]https://www.semperis.com/press-release/cyberattacks-water-electric-utilities-threaten-public-safety-economic-stability/
[2]https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/
[3]https://www.bbc.co.uk/news/world-us-canada-55989843
[4]https://www.bbc.com/news/technology-62072480
[5]https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[6]https://www.cisco.com/c/en/us/products/collateral/security/industrial-security/network-info-security-wp.html

About the Author

Since graduating with a BSc in Electronic Systems from the University of the West of Scotland in 1997, Alistair has worked in electronics media in marketing, PR, and journalism roles. During that time, he worked as the editor of Electronics Engineering, Embedded Systems Europe, EENews Embedded, Technology First, Electronic Product Design and Test, and Panel Building and Systems Integration magazines. Alistair is currently the European Editor of Power Systems Design and a freelance writer, specializing in electronics and engineering.

Profile Photo of Alistair Winning
More Content by Alistair Winning