Understanding NIS2 Requirements for ICS Networks
Discover how NIS2 impacts ICS networks, emphasizing risk management, incident response, supply chain security, and organizational collaboration for compliance and resilience.
Introduction
Critical infrastructure operators and industrial organizations across the EU are confronting the advent of the NIS2 Directive, a major update to the original EU Directive on Security of Network and Information Systems (NIS). For CISOs, IT Directors, Network Engineers, and Operators in industrial control system (ICS) environments, NIS2 is not just another compliance burden—it compels a reassessment of network architectures, technology choices, and the collaboration between IT and OT stakeholders.
The NIS2 Directive: Historical Context and Scope
Adopted in 2016, the initial NIS Directive marked the EU’s first concerted attempt to standardize cybersecurity requirements for critical sectors, including energy, water, transport, and health. However, the growing convergence of IT and OT systems, rising ransomware incidents targeting industrial domains, and digital transformation exposed significant shortcomings in the original directive. In response, NIS2 entered into force on January 16, 2023, and member states must transpose it into national law by October 17, 2024.
Key differences from the original NIS:
Expanded Scope: NIS2 encompasses a wider range of “essential” and “important” entities, including more manufacturing sectors and digital infrastructure providers.
Prescriptive Security Measures: NIS2 details specific technical and organizational controls, moving beyond vague requirements.
Increased Accountability: NIS2 mandates executive accountability, introduces stricter supervision, and increases penalties for non-compliance.
Core Security Requirements: From Policy to Industrial Network Practice
For ICS environments, NIS2 sets out a structured collection of responsibilities—including risk management, incident handling, supply chain security, and business continuity. Let’s examine how these map to the realities of legacy ICS networks and modern industrial enterprises.
1. Risk Management and Asset Visibility
Context: NIS2 Article 21 requires “appropriate and proportionate technical and organizational measures” based on risk assessment.
ICS Implications: The classic Purdue Model, foundational for industrial networks, emerged in the 1990s to segment OT systems from IT. However, increased digitization is blurring these boundaries, expanding the attack surface.
Practical Considerations:
Precise asset inventories across both IT and OT (often still a pain point in legacy industrial sites).
Network segmentation using modern firewalls and industrial DMZs.
Real-time network monitoring to detect anomalous communications between IT and OT zones.
2. Incident Response and Business Continuity
Context: NIS2 imposes stringent incident notification deadlines (within 24 hours for early warnings, detailed reporting within 72 hours).
ICS Implications: Traditional OT systems often lack integrated incident detection or response tooling, and outages can have direct safety or operational impacts.
Practical Considerations:
Automation of incident detection using specialized OT security sensors and SIEM integration.
Clear incident response playbooks with defined roles bridging IT/OT silos. These must factor in operational realities (for example, production cannot be halted at will).
Resilience measures: regular system backups, failover procedures, and tested disaster recovery protocols.
3. Supply Chain Security
Supply chain attacks—most infamously the 2017 NotPetya outbreak—have shown how ICS networks are vulnerable not only through direct exploits, but also through third-party software, hardware, and even maintenance personnel.
NIS2 requires organizations to “address security risks in the supply chain”—a complex challenge in ICS, where proprietary protocols and vendor-specific systems are prevalent.
Practical Considerations:
Rigorous vetting and contractual requirements for ICS vendors—including security controls, patch management, and remote access restrictions.
Network access controls to monitor and limit third-party connections (e.g., jump hosts, session recording).
Up-to-date documentation of all software and firmware in use—moving beyond the classic “set and forget” philosophy of industrial installations.
4. Zero Trust and Secure Connectivity
Whereas air-gapping was once considered adequate OT security, operational and business demands (remote monitoring, predictive maintenance, cloud integration) have rendered physical isolation largely impractical.
NIS2 does not explicitly mandate zero trust, but its requirements push organizations toward effective defense-in-depth architectures:
“Least privilege” access policies and extensive network segmentation (not just traditional firewalls, but micro-segmentation down to the protocol/service level).
Full auditability of all access between IT and OT.
Encryption and authentication for all remote and local access—even for legacy protocols (using compensating controls like jump servers).
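The zone-boundary monitoring described under Risk Management and the protocol/service-level segmentation described here both reduce to the same check: does a flow crossing a Purdue zone boundary match an explicit service allowlist? The script below is an added example, not code from the article; its zones, subnets, service allowlist and flow records are constructed for illustration and would be replaced by the site’s own asset inventory and firewall or NetFlow export.

```python
# Added example: service-level allowlist check for flows crossing Purdue zones.
# Zones, subnets, services and flow records are constructed for illustration.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed zones: enterprise IT (L4/5), industrial DMZ (L3.5), site ops (L2/3), control (L0/1).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in [
    ("enterprise", "10.10.0.0/16"), ("idmz", "10.20.0.0/24"),
    ("site_ops", "192.168.10.0/24"), ("control", "192.168.20.0/24"),
]}

# Allowlist keyed by (src_zone, dst_zone) -> permitted (proto, dport) pairs. IT reaches only the
# DMZ (historian replica, jump host); the DMZ reaches site ops; only site ops speaks Modbus/TCP.
POLICY = {
    ("enterprise", "idmz"):  {("tcp", 443), ("tcp", 22)},
    ("idmz", "site_ops"):    {("tcp", 4840), ("tcp", 22)},   # OPC UA, SSH via jump host
    ("site_ops", "control"): {("tcp", 502)},                 # Modbus/TCP only
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "unknown")

def evaluate(flow):
    """Classify one flow as allowed, intra-zone or anomalous, with a reason string."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (s, d):  # an asset missing from the inventory is itself a finding
        return "anomalous", "unmapped asset %s" % (flow.src if s == "unknown" else flow.dst)
    if s == d:
        return "intra-zone", "%s internal" % s
    if (flow.proto, flow.dport) in POLICY.get((s, d), set()):
        return "allowed", "%s->%s %s/%d" % (s, d, flow.proto, flow.dport)
    return "anomalous", "%s->%s %s/%d not in policy" % (s, d, flow.proto, flow.dport)

def find_anomalies(flows):
    """Return (flow, reason) for every flow that violates the zone policy."""
    return [(f, r) for f in flows for v, r in [evaluate(f)] if v == "anomalous"]

# Constructed flow records, as a NetFlow or firewall-log parser might yield them.
SAMPLE_FLOWS = [
    Flow("10.10.5.21", "10.20.0.10", "tcp", 443),       # IT -> DMZ historian: allowed
    Flow("10.10.5.21", "192.168.20.7", "tcp", 502),     # IT -> PLC directly, bypassing DMZ
    Flow("192.168.10.4", "192.168.20.7", "tcp", 502),   # SCADA -> PLC Modbus: allowed
    Flow("192.168.10.4", "192.168.20.7", "tcp", 44818), # EtherNet/IP not in policy
    Flow("172.16.9.9", "192.168.20.7", "tcp", 502),     # source not in asset inventory
]

if __name__ == "__main__":
    for flow, reason in find_anomalies(SAMPLE_FLOWS):
        print("ALERT %s -> %s: %s" % (flow.src, flow.dst, reason))
```

Treating an unmapped source or destination as a finding ties the detection back to the asset-inventory requirement: a flow the policy cannot classify is evidence the inventory is incomplete.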
IT/OT Collaboration: Organizational and Technical Integration
Effective NIS2 compliance in ICS environments requires more than deploying new controls. It necessitates:
Establishing cross-functional teams (security, engineering, and operations) to harmonize policies and incident response.
Investment in staff training—specifically, cybersecurity awareness for OT operators and OT fluency for IT/infosec personnel.
Regular exercises and red teaming to discover blind spots in both technology and policy.
This organizational alignment is especially critical given NIS2’s focus on “top management accountability.”
Deployment Blueprint: Toward a NIS2-Compliant Industrial Network
Drawing from the above, a NIS2-aligned deployment for ICS networks must include:
Asset Management: Automated tools for OT asset discovery, with periodic manual verification.
Network Architecture: Zone-based segmentation, strict control pathways between ICS/IT, and industrial DMZs modeled after—but improving upon—the Purdue Model.
Vulnerability Management: Continuous scanning, patch governance in close coordination with vendors, and risk-based prioritization (given patching windows may be rare in production environments).
Monitoring: Consolidated SIEM visibility with OT-aware analytics, plus incident response plans endorsed by both IT and operational leads.
Secure Remote Access: Multi-factor authentication, jump hosts, session recording, and time-limited privileges.
Supply Chain Governance: Contracts with explicit security clauses and regular third-party audits.
Conclusion: Technical Diligence, Not Box-Ticking
The technical and organizational demands of NIS2 represent both a challenge and an opportunity for critical infrastructure operators. The historical inertia of “air-gapped” or legacy ICS environments is no longer tenable against modern cyber threats or regulatory scrutiny. Proactive alignment—across technologies, teams, and policies—not only meets NIS2 requirements, but also yields tangible operational resilience.
As October 2024 approaches, security and operations teams must have honest, technically rigorous conversations to design architectures that fulfill both the spirit and the letter of the law. In a world where the realities of OT, IT, and compliance now fully intersect, “good enough” is no longer either safe or lawful.