The incident nobody wants on their watch
In February 2021, an operator at the Oldsmar, Florida water treatment plant watched the cursor on his screen move by itself. Someone had remotely accessed the SCADA system and was raising the concentration of sodium hydroxide in the water to dangerous levels. The operator reversed the change in time, but the incident made clear what many automation engineers already knew: industrial control systems are real targets for cyberattacks, and most of them are not ready to withstand them.
The Colonial Pipeline attack in 2021, which halted fuel supply along the US East Coast for several days, or the ransomware that knocked out several European food processing plants in 2022, are examples of a trend that keeps growing. The convergence of operational technology (OT) and information technology (IT) systems, driven by Industry 4.0, industrial IoT and cloud connectivity, is opening up the attack surface of factories in ways that were unthinkable ten years ago.
OT vs IT: why they cannot be secured the same way
The first trap many companies fall into is assuming that industrial cybersecurity is simply putting antivirus on the plant computers. It is not, and understanding why is essential before designing any protection measures.
| Dimension | IT (office / ERP) | OT (plant / control) |
|---|---|---|
| Top priority | Data confidentiality | Availability and physical safety |
| Tolerance to downtime | Minutes / restart acceptable | Zero: a restart can cause physical damage |
| System lifecycle | 3-5 years | 15-30 years (legacy systems common) |
| Updates and patches | Automatic / frequent | Require planned downtime, sometimes impossible |
| Network protocols | Standard TCP/IP, HTTPS | Modbus, Profinet, EtherNet/IP, DNP3, OPC-UA |
| Consequence of failure | Data loss, business disruption | Physical damage, accidents, production stoppage |
| Antivirus / EDR | Standard and recommended | Often incompatible with legacy or real-time systems |
The industrial threat landscape
The most common attack vectors in OT environments are not the most sophisticated. Most incidents originate from one of these points:
- Poorly configured remote access: RDP exposed directly to the internet, VPNs without multi-factor authentication, or third-party remote access software installed without a usage policy. This is the most frequent and most avoidable vector.
- USB drives: the maintenance technician's laptop connected to the plant network without any screening. Stuxnet, the most famous industrial attack in history, entered via a USB stick.
- Lateral movement from IT: ransomware entering through an office employee's email can spread to the plant network if no segmentation exists between IT and OT.
- Default credentials: PLCs, HMIs and industrial routers with factory passwords unchanged. Still extraordinarily common even in new installations.
- Unpatched software: Windows XP or 7 on SCADA workstations that have not received security patches for years because it works and nobody touches it.
- Suppliers and supply chain: access granted to maintenance providers or integrators with no expiry date and no monitoring of what they do once connected.
IEC 62443: the industrial cybersecurity standard
IEC 62443 is the international reference framework for cybersecurity in industrial automation and control systems (IACS). It is structured in four series:
- Series 1 (General): terminology, reference models and metrics. Defines key concepts such as security zones and conduits.
- Series 2 (Policies and procedures): requirements for the asset owner. Patch management, access management, incident response planning.
- Series 3 (System requirements): secure design of IACS. Defines Security Levels (SL 1 to 4) and requirements for each.
- Series 4 (Component requirements): aimed at manufacturers of PLCs, HMIs and other components.
The most practical concept IEC 62443 introduces is zones and conduits. A zone is a group of assets with similar security requirements. A conduit is the communication channel between zones. The standard requires that communications between zones of different security levels always pass through controls that validate and filter traffic, which in practice means industrial firewalls, OT DMZs and protocol proxies.
Security Levels (SL) range from SL 1 (protection against unintentional incidents) to SL 4 (protection against nation-state-level actors). Most manufacturing industries need to reach SL 2, which already defines a clear roadmap of measures to implement.
NIS2 Directive: legal obligations in the EU
The NIS2 Directive (EU 2022/2555), in force since October 2024, significantly expands the scope of its predecessor and imposes cybersecurity obligations on a much broader range of European companies. It applies to critical sectors (energy, transport, water, digital infrastructure) and important sectors (food, manufacturing of critical products, waste management).
The main obligations include implementing proportionate technical and organisational security measures, managing supply chain security, notifying significant incidents within 24 hours (initial) and 72 hours (full report), and assigning cybersecurity responsibilities at management level. Governing bodies are personally liable for compliance.
Penalties for non-compliance can reach up to 10 million euros or 2% of global annual turnover for essential entities, and up to 7 million euros or 1.4% of turnover for important entities.
Concrete OT protection measures: where to start
1. Asset inventory and visibility
You cannot protect what you do not know exists. Start with a complete inventory of all OT devices. Tools such as Claroty, Nozomi Networks or Dragos perform passive OT network discovery without interfering with processes. Once you have the inventory, you can identify outdated firmware, default credentials and unexpected communications.
2. Network segmentation: separating IT from OT
The highest-impact measure at the lowest operational cost. The plant network (OT) must be physically or logically separated from the corporate network (IT). The recommended architecture follows the adapted Purdue Reference Model: corporate network — DMZ — supervision network (SCADA/HMI) — control network (PLCs) — field network, with firewalls between each level. Any data flowing from OT to IT must pass through the DMZ via a data diode or OPC-UA proxy.
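The zones-and-conduits rule from IEC 62443 and the layered Purdue chain above can be checked mechanically against the communication matrix a discovery tool produces. The following Python is an added example (not Bluemation's tooling): zone names, conduit control names and sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed zone map following the article's Purdue-style chain; not a real plant.
ZONE_LEVEL: Dict[str, int] = {"corporate": 0, "dmz": 1, "supervision": 2,
                              "control": 3, "field": 4}

@dataclass(frozen=True)
class Conduit:
    """A declared channel between two zones and the control that filters it."""
    src: str
    dst: str
    control: str  # firewall, data diode or OPC-UA proxy (hypothetical names below)

# Constructed conduit inventory: no control, no conduit.
CONDUITS = (
    Conduit("supervision", "dmz", "opcua-proxy"),
    Conduit("dmz", "corporate", "fw-it-dmz"),
    Conduit("control", "supervision", "fw-ot-core"),
    Conduit("supervision", "control", "fw-ot-core"),
    Conduit("field", "control", "fieldbus-gateway"),
)

def flow_violations(flows: Iterable[Tuple[str, str, str]],
                    conduits: Iterable[Conduit] = CONDUITS,
                    zones: Dict[str, int] = ZONE_LEVEL) -> List[str]:
    """One message per flow (src_zone, dst_zone, label) that breaks the model:
    cross-zone traffic must cross exactly one level through a declared conduit."""
    declared = {(c.src, c.dst) for c in conduits}
    problems: List[str] = []
    for src, dst, label in flows:
        if src not in zones or dst not in zones:
            problems.append(f"{label}: unknown zone in {src}->{dst}")
        elif src == dst:
            continue  # intra-zone traffic is outside the conduit rule
        elif abs(zones[src] - zones[dst]) != 1:
            problems.append(f"{label}: {src}->{dst} skips a level; route it through the intermediate zone")
        elif (src, dst) not in declared:
            problems.append(f"{label}: {src}->{dst} has no conduit enforcing it")
    return problems

# Constructed sample flows, as a discovery tool's communication matrix might list them.
SAMPLE_FLOWS = [
    ("control", "supervision", "plc1 -> scada Modbus/TCP"),
    ("supervision", "dmz", "historian push via OPC-UA"),
    ("supervision", "corporate", "HMI file share to ERP"),  # skips the DMZ
    ("corporate", "dmz", "ERP pulling reports"),           # no conduit in this direction
]
```

Running `flow_violations(SAMPLE_FLOWS)` reports the two last flows: the level skip (a direct OT-to-IT path bypassing the DMZ) and the undeclared direction.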
3. Remote access management
All remote access must be channelled through a VPN with multi-factor authentication (MFA) and a privileged access management (PAM) solution that records each session. Supplier accounts must have expiry dates and permissions limited to the specific system they maintain. Whether you use the RU901 remote connection kit or similar solutions, ensure MFA is enforced and connection logs are retained for at least 90 days.
4. Credential management
Changing default passwords on all OT devices should be day one of any commissioning project. Implement a password policy and, where feasible, use role-differentiated access profiles via LDAP or Active Directory.
5. Patch and update management
Implement a formal patch management process that evaluates each update, tests it in a staging environment and applies it during planned maintenance windows. For legacy systems with no vendor updates, compensating controls such as greater segmentation and intensive monitoring are the way forward.
6. Continuous monitoring and incident response
OT anomaly detection tools learn normal network behaviour and alert on atypical communications. An OT incident response plan must define who decides to halt production, how affected systems are isolated, how the incident is communicated internally and to authorities, and how the system is recovered from a verified backup.
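The "learn normal, alert on atypical" behaviour of OT anomaly detection can be illustrated at its simplest with a baseline of Modbus (source, PLC, function code) triples. This Python is an added example, not the logic of any product named above; the export line format, host names and flow records are constructed.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Modbus function codes that change process state; a new writer is the highest-priority alert.
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16}
Key = Tuple[str, str, int]  # (source host, destination PLC, Modbus function code)

# Constructed line format, as a passive OT sensor might export: "<timestamp> <src> <dst> fc=<n>"
LINE_RE = re.compile(r"^\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+fc=(?P<fc>\d+)$")

def parse_lines(lines: Iterable[str]) -> List[Key]:
    """Turn exported flow lines into (src, dst, fc) keys, skipping malformed ones."""
    keys = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            keys.append((m["src"], m["dst"], int(m["fc"])))
    return keys

def learn_baseline(keys: Iterable[Key]) -> Set[Key]:
    """Baseline = every (src, dst, function) triple seen during the learning window."""
    return set(keys)

def detect(keys: Iterable[Key], baseline: Set[Key]) -> List[Dict[str, object]]:
    """Alert once per triple outside the baseline; write operations rank 'high'."""
    alerts, reported = [], set()
    for key in keys:
        if key in baseline or key in reported:
            continue
        reported.add(key)
        src, dst, fc = key
        is_write = fc in MODBUS_WRITE_FUNCTIONS
        alerts.append({"src": src, "dst": dst, "function": fc,
                       "severity": "high" if is_write else "medium",
                       "reason": "write operation outside the learned baseline"
                       if is_write else "new communication pair"})
    return alerts

# Constructed learning-window export (normal operation).
LEARNING_WINDOW = [
    "2024-05-01T08:00:00 hmi-01 plc-01 fc=3",
    "2024-05-01T08:00:05 hmi-01 plc-01 fc=16",
    "2024-05-01T08:01:00 eng-ws plc-02 fc=3",
]
# Constructed later export containing an unexpected writer (repeated to show de-duplication).
DETECTION_WINDOW = [
    "2024-05-02T03:12:00 hmi-01 plc-01 fc=3",
    "2024-05-02T03:12:07 vendor-laptop plc-01 fc=16",
    "2024-05-02T03:12:07 vendor-laptop plc-01 fc=16",
    "2024-05-02T03:13:00 hmi-01 plc-02 fc=3",
]
```

`detect(parse_lines(DETECTION_WINDOW), learn_baseline(parse_lines(LEARNING_WINDOW)))` yields one high alert for the vendor laptop writing to plc-01 and one medium alert for the new hmi-01 to plc-02 read; a real tool would also age the baseline and tie alerts to the incident response plan's isolation decision.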
A practical roadmap for a mid-size industrial company
- Week 1: inventory all OT devices. Identify active remote accesses and who uses them.
- Month 1: change all default passwords. Disable unnecessary remote accesses. Document those that are necessary.
- Quarter 1: implement basic IT/OT segmentation. Establish VPN with MFA for all remote accesses.
- Year 1: formal patch management process. Verified backup of PLC and SCADA configurations. First internal OT security audit.
- Ongoing: network monitoring, staff training, periodic review of accesses and policies.
How Bluemation approaches OT cybersecurity
At Bluemation we integrate industrial security principles from the design stage of every automation project: segmented network architectures, remote access management with VPN and MFA, robust credential configuration and security architecture documentation delivered with the project. For existing installations that need to improve their OT security posture, we carry out industrial cybersecurity audits that identify the most critical gaps and propose a prioritised improvement plan. Tell us about your situation and we will provide an initial assessment with no obligation.