
OT Cyber Security in Manufacturing: What NIS2 Requires and How to Protect PLC, SCADA and Industrial Control Systems

Ransomware targeting operational technology is now the primary disruption threat for manufacturing — and 71% of manufacturing ransomware attacks include OT components. Most manufacturing cyber security programmes are built for IT environments. NIS2 now mandates that you address both.

Published May 2026 · Manufacturing · OT Security · NIS2 · SCADA · IEC 62443

Executive Summary

Operational technology (OT) cyber security is the most rapidly escalating compliance and operational risk in manufacturing. Ransomware targeting PLC, SCADA and industrial control systems is now the primary threat vector for manufacturing disruption globally. Most manufacturing cyber security programmes are built for IT environments — the controls, monitoring approaches and recovery timelines are fundamentally different. NIS2 now mandates that manufacturers address both.

71% of ransomware attacks targeting manufacturing in 2024–2025 specifically included OT/ICS components — up from 32% in 2021 (IBM X-Force 2025).

NIS2: the EU NIS2 Directive (effective October 2024) significantly expands the scope of entities required to implement cyber security measures — including medium and large manufacturers.

21 days: average production recovery time after an OT ransomware attack without OT-specific DR capability — versus 5 days with tested OT recovery procedures.

Why OT Cyber Security Is Not an IT Problem

An IT system breach compromises data — damaging and disruptive. An OT system breach — a compromised PLC, a manipulated SCADA network, a modified process control parameter — can stop production lines, damage equipment, trigger safety events, or affect product quality in ways only apparent downstream.

The controls that work in IT environments cannot be directly applied in OT. You cannot patch a PLC with the same cadence you patch an enterprise server — the downtime and validation requirements are different. You cannot run an endpoint detection agent on a 20-year-old distributed control system. You cannot implement network segmentation between OT zones without understanding the real-time communication requirements that keep your production process running.

OT cyber security requires controls implemented by people who understand both cyber security and industrial process environments. Most IT security teams lack OT process knowledge. Most OT engineering teams lack IT security knowledge. The gap between these groups, at the IT-OT boundary described by the Purdue model, is where most OT security failures begin.

NIS2 — What Manufacturing Organisations Must Now Do

Who NIS2 applies to in manufacturing

The NIS2 Directive (Directive 2022/2555/EU), required in national law by October 2024, applies to medium (50+ employees or €10M+ turnover) and large manufacturers in sectors including: machinery and equipment manufacture, motor vehicle manufacture, medical device manufacture, computer and electronics manufacture, and electrical equipment manufacture. Food manufacturing of sufficient scale is also included.

What NIS2 requires

NIS2 requires: risk analysis and information security policies, incident handling, business continuity and crisis management, supply chain security, network and information system security, cryptography policies, human resources security and access control, asset management, and multi-factor authentication. Critically, NIS2 makes senior management personally accountable — executives can face personal liability for significant non-compliance.

OT-specific implications

NIS2 does not distinguish between IT and OT systems — both are in scope. For manufacturers with significant OT infrastructure, SCADA systems, DCS environments, PLCs, industrial IoT devices, and their network infrastructure are all subject to NIS2 security requirements. Implementation requires OT-specific methodology, not IT security methodology applied to OT systems.

The most dangerous assumption in manufacturing OT security is that your OT network is air-gapped. Most OT networks designed as air-gapped have accumulated IT-OT connectivity points over years — remote vendor access, ERP integration, quality data collection. These connections are often unmanaged, undocumented, and are the primary attack vectors ransomware uses to reach OT systems.


OT Cyber Security — Six Priority Workstreams

  1. OT asset inventory and network visibility. Complete inventory of all OT assets: PLCs, HMIs, SCADA servers, historians, engineering workstations, industrial IoT devices, and connecting network infrastructure. Use passive network monitoring tools designed for OT environments — not IT network scanners, which can disrupt OT communications.
  2. Network segmentation and IT-OT boundary control. Implement the ISA-99/IEC 62443 zone and conduit model. Enforce all IT-OT communications through controlled, monitored connection points — typically a DMZ with application-layer inspection. Identify and document every remote access connection to OT systems. Implement jump servers for all remote OT access.
  3. OT-specific vulnerability management. Many OT systems run OS or firmware versions that cannot be patched without vendor engagement and process downtime. OT vulnerability management must account for compensating controls where patching is not possible, vendor-informed prioritisation, and the risk calculation of patching versus not patching in OT contexts.
  4. OT-specific incident detection. Standard IT SIEM tools are not appropriate for OT network monitoring. OT-specific platforms — Claroty, Dragos, Nozomi Networks — understand industrial protocols (Modbus, DNP3, EtherNet/IP, PROFINET) and identify anomalous behaviour without disrupting communications.
  5. OT incident response and DR planning. IT incident response plans are insufficient for OT incidents. Develop OT-specific procedures accounting for: safety implications of OT disruption, vendor engagement requirements for recovery, validation requirements before returning systems to service, and the longer recovery timelines OT complexity creates.
  6. OT security governance and NIS2 alignment. Implement documented OT security policy, risk assessment covering OT assets, incident reporting procedures meeting NIS2 notification timelines (24-hour early warning, 72-hour initial report, one-month final report), and supply chain security assessment for OT vendors.
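As an added illustration of workstreams 1, 2 and 4 (not code from the original article or from AjaCertX), the Python below shows the kind of check a passive OT monitor performs: it parses Modbus/TCP requests from constructed flow records, separates read from write function codes, and raises an alert when a write comes from a host outside the documented baseline or when a conversation reaches an OT asset without passing through the jump server. The subnets, jump-server address and authorised writer are assumed sample values.

```python
import ipaddress
import struct

# Modbus function codes that change PLC state versus those that only read it.
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}
READ_FUNCTIONS = {1: "read coils", 2: "read discrete inputs",
                  3: "read holding registers", 4: "read input registers"}

# Constructed baseline (assumption): the documented OT zone, the DMZ jump server
# that all remote access must traverse, and the only engineering workstation
# permitted to write to PLCs.
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
JUMP_SERVERS = {"10.30.1.5"}
AUTHORISED_WRITERS = {"10.20.1.10"}

# Constructed Modbus/TCP request frames: MBAP header (transaction id, protocol id,
# length, unit id) followed by function code and data.
READ_FRAME = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"   # fc 3, 10 regs
WRITE_FRAME = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\xff"  # fc 6, reg 16


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) for a Modbus/TCP request, or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the MBAP length counts everything after it.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def assess_flow(src: str, dst: str, payload: bytes):
    """Return alert strings for one observed flow; empty list means it matches baseline."""
    alerts = []
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Boundary check: anything outside the OT zone must come via the jump server.
    if dst_ip in OT_ZONE and src_ip not in OT_ZONE and src not in JUMP_SERVERS:
        alerts.append(f"boundary bypass: {src} reached OT asset {dst} without the jump server")
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        alerts.append(f"malformed Modbus/TCP frame from {src} to {dst}")
        return alerts
    unit, fc = parsed
    # Write check: only documented engineering workstations may change PLC state.
    if fc in WRITE_FUNCTIONS and src not in AUTHORISED_WRITERS:
        alerts.append(f"unexpected {WRITE_FUNCTIONS[fc]} (fc {fc}) to unit {unit} on {dst} from {src}")
    return alerts
```

Run over a capture from a SPAN port or tap, a non-empty result on a flow is a candidate for the undocumented connectivity the article describes, without any packet ever being sent to a PLC.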

OT Cyber Security Readiness Checklist

  • Complete inventory of OT assets across all production facilities — including PLCs, HMIs, SCADA, historians and industrial IoT
  • IT and OT networks are segmented with all IT-OT communications passing through controlled, monitored connection points
  • All remote access to OT systems is through managed, authenticated jump servers — no direct vendor remote access
  • OT-specific network monitoring is implemented with baseline OT communications documented
  • OT-specific vulnerability management process exists accounting for patch constraints
  • NIS2 applicability has been assessed and incident reporting obligations are understood
  • OT incident response procedures exist separately from IT incident response procedures
  • OT DR scenarios have been tested in tabletop exercises within the last 12 months
  • Senior management has been briefed on NIS2 personal accountability and has accepted formal responsibility for OT cyber security

Frequently Asked Questions

Our OT network was designed as air-gapped. Do we still need these controls?
In almost all cases, yes. Operational necessity has created IT-OT connectivity in the vast majority of manufacturing environments — remote vendor access, ERP integration, quality system connectivity, industrial IoT deployment. Many connections were established informally, are poorly documented, and not monitored. The first step is to verify your actual network architecture, not rely on your designed one. Passive OT monitoring will typically reveal connectivity that both IT and OT teams were unaware existed.
We are a Tier 2 supplier with relatively simple OT. Does NIS2 still apply?
NIS2 applicability is determined by sector and size thresholds — not OT complexity. A medium-sized manufacturer (50+ employees, €10M+ turnover) in a covered sector is in scope regardless of OT complexity. If you are genuinely below size thresholds you may be out of scope — but your customers who are in scope may flow NIS2 supply chain security requirements down to you contractually.
We have ISO 27001 certification. Does that cover our NIS2 obligations?
ISO 27001 significantly enables NIS2 compliance — particularly risk assessment, information security policy, asset management and incident management requirements. However, ISO 27001 was designed for information security management with controls primarily oriented to IT environments. Manufacturers with significant OT infrastructure must supplement ISO 27001 with OT-specific controls. IEC 62443 provides the OT-specific framework that complements ISO 27001 in manufacturing environments.

How AjaCertX Helps

AjaCertX delivers OT cyber security assessment, NIS2 compliance programmes, and IEC 62443 implementation for manufacturing, energy and critical infrastructure organisations.

  • OT asset inventory and network discovery — using passive, production-safe methodology
  • IT-OT boundary assessment and network segmentation design
  • NIS2 scope assessment and compliance gap analysis
  • OT-specific vulnerability assessment and risk-prioritised remediation planning
  • IEC 62443 zone and conduit model implementation
  • OT incident response procedure development and tabletop exercise facilitation
  • ISO 27001 implementation extended to cover OT environments

Conclusion

OT cyber security in manufacturing is no longer a niche technical discipline — it is a mainstream operational and regulatory requirement. NIS2 has created legal obligations. Ransomware targeting OT has made inaction commercially significant. The manufacturers that manage this well build OT security programmes starting with visibility — what assets they have, how they are connected — and layer controls appropriate to OT environments on that foundation.

About AjaCertX
AjaCertX is a specialist compliance, certification and assurance partner serving manufacturing, energy, and critical infrastructure organisations globally. Our Cyber and Digital Security practice delivers OT security assessment, NIS2 compliance programmes, ISO 27001 and IEC 62443 implementation for manufacturers operating complex industrial environments.