Industry 4.0 connects traditional manufacturing plants with the corporate IT ecosystem, cloud platforms, industrial IoT sensors and advanced analytics engines. That convergence enables production line optimisation, predictive maintenance and operational cost reduction, but it also amplifies the attack surface and exposes critical physical processes to vectors that until recently belonged strictly to office environments. The NIS2 Directive acknowledges this new landscape and includes critical manufacturing as an essential or important entity, depending on sector and size, placing hundreds of Spanish manufacturers under formal obligations for risk management, incident notification and supervision.
This article walks through the key concepts every industrial leader needs to internalise to address OT cybersecurity with judgement: IT/OT convergence, sectors in scope, the Purdue Model, common industrial protocols, historical attacks of reference, sector-specific risks, priority technical controls and a NIS2 compliance roadmap tailored to manufacturing.
The essentials. Industry 4.0 has dissolved the old air-gap between plant and office. PLCs, HMIs and SCADA engines are now reachable from the corporate environment, frequently through protocols without native authentication. NIS2 requires critical manufacturers to demonstrate risk management and notify incidents within tight deadlines. The recommended combination is the Purdue Model for segmentation, IEC 62443 as the technical reference standard and passive monitoring with OT-aware tools that do not interfere with production.
IT/OT convergence in one sentence
A real air-gap no longer exists in most plants. PLCs are reachable from the corporate domain through intermediate hops, MES systems exchange data with the ERP continuously and process sensors send telemetry to cloud platforms for predictive maintenance. Each of those legitimate bridges is also a potential path for an attacker who has gained a foothold in IT and is looking to pivot into the operational environment. The separations documented in network diagrams rarely survive an honest technical review: overly permissive firewall rules show up, forgotten maintenance connections persist and dual-homed devices act as an unintended bridge between zones that should remain isolated.
NIS2 applied to manufacturing
The Spanish transposition of NIS2 places several critical manufacturing subsectors directly within the scope of the regulation. Among the most relevant for the national industrial fabric are:
- Manufacture of chemicals, including derivatives, fertilisers and industrial chemical products.
- Production, processing and distribution of food when the organisation exceeds size thresholds.
- Manufacture of medical devices and in vitro diagnostics, as well as medical equipment.
- Manufacture of electrical and electronic equipment for industrial and professional use.
- Manufacture of motor vehicles, trailers and semi-trailers.
- Manufacture of other transport equipment: aircraft, spacecraft and related machinery.
- Manufacture of machinery and equipment not previously classified, a broad segment that captures much of the mid-tier industrial base.
Thresholds are applied using size criteria from Recommendation 2003/361/EC: large companies (more than 250 employees or turnover above 50 million euros) are classified as essential in the subsectors defined as such, while medium-sized companies are generally categorised as important. Exceptions exist for entities providing unique services in a territory whose disruption would generate significant impact. The difference between essential and important affects the sanctions regime and supervisory intensity, but not the minimum catalogue of mandatory measures, which remains in Article 21 regardless of category.
The Purdue Model as a mental map
The Purdue Enterprise Reference Architecture, later integrated into ISA-95 and IEC 62443, remains the mental map most commonly used to reason about industrial segmentation. Its usual levels are:
- Level 0: the physical process, with sensors and actuators.
- Level 1: basic control, with PLCs and controllers reading sensors and driving actuators.
- Level 2: area supervision and control, with HMIs, local SCADA systems and process historians.
- Level 3: production operations management, with MES, batch management, quality and shift planning.
- Industrial DMZ (3.5): demilitarised zone between operations and corporate, with intermediate servers, jump hosts, historian replicas and patch servers.
- Level 4: site corporate systems, such as local ERP, mail and file servers.
- Level 5: global corporate systems, cloud and external services.
The technical translation of Purdue into IEC 62443 happens through zones and conduits. A zone groups assets with the same required security level and a conduit defines the authorised communications between zones. The recommended logical segmentation blocks traffic between non-adjacent levels by default and forces any flow between IT and OT to cross the industrial DMZ, where inspection, authentication and logging controls are concentrated.
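To make the zone-and-conduit rule concrete, here is an added example (not code from this article, nor from any IEC 62443 tool or vendor) that audits a firewall permit list against a Purdue-style zone map. The zone names, subnets, conduit table and sample rules are all constructed assumptions for illustration. It flags rules that let IT and OT talk without crossing the industrial DMZ, that join non-adjacent levels, that use a conduit nobody documented, or that involve an address outside every known zone, which is what a dual-homed device or forgotten maintenance link looks like in a rule base.

```python
"""Audit a firewall rule set against IEC 62443 zones and conduits laid over Purdue levels.

Added example: the zone map, conduit table and rules are constructed for
illustration and are not taken from any real plant or product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: zone name -> (Purdue level, subnet). The industrial
# DMZ sits at 3.5 so that it is numerically adjacent to both level 3 and 4.
ZONES = {
    "cell-a-control": (1, ip_network("10.10.1.0/24")),
    "cell-a-supervision": (2, ip_network("10.10.2.0/24")),
    "site-operations": (3, ip_network("10.10.3.0/24")),
    "industrial-dmz": (3.5, ip_network("10.10.35.0/24")),
    "site-corporate": (4, ip_network("10.20.0.0/16")),
    "enterprise": (5, ip_network("10.30.0.0/16")),
}
IT_LEVELS = {4, 5}

# Documented conduits: (source zone, destination zone) -> allowed TCP ports.
CONDUITS = {
    ("cell-a-supervision", "cell-a-control"): {502},    # HMI polls the PLC (Modbus/TCP)
    ("site-operations", "cell-a-supervision"): {1433},  # MES reads the area historian
    ("industrial-dmz", "site-operations"): {3389},      # jump host into operations
    ("site-corporate", "industrial-dmz"): {443},        # corporate reads the historian replica
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: int


def zone_of(ip: str):
    """Map an address to (zone name, level); (None, None) when it is in no documented zone."""
    addr = ip_address(ip)
    for name, (level, net) in ZONES.items():
        if addr in net:
            return name, level
    return None, None


def check_rule(rule: Rule) -> list[str]:
    """Return the policy findings for one permit rule; an empty list means compliant."""
    findings = []
    src_zone, src_level = zone_of(rule.src)
    dst_zone, dst_level = zone_of(rule.dst)
    if src_zone is None or dst_zone is None:
        # Typical of a forgotten maintenance link or a dual-homed device.
        return ["UNKNOWN_ZONE"]
    crosses_it_ot = (src_level in IT_LEVELS) != (dst_level in IT_LEVELS)
    if crosses_it_ot and "industrial-dmz" not in (src_zone, dst_zone):
        findings.append("BYPASSES_DMZ")
    if abs(src_level - dst_level) > 1:
        findings.append("NON_ADJACENT_LEVELS")
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        findings.append("UNDOCUMENTED_CONDUIT")
    elif rule.dport not in allowed:
        findings.append("PORT_NOT_IN_CONDUIT")
    return findings


def audit(rules) -> dict[Rule, list[str]]:
    """Run every rule through the policy and keep only those with findings."""
    return {r: f for r in rules if (f := check_rule(r))}


# Constructed rule set resembling what an honest firewall review turns up.
SAMPLE_RULES = [
    Rule("10.10.2.10", "10.10.1.5", 502),     # HMI -> PLC, documented conduit
    Rule("10.20.5.20", "10.10.35.10", 443),   # corporate -> DMZ historian replica, documented
    Rule("10.20.5.20", "10.10.1.5", 502),     # corporate -> PLC, bypasses the DMZ
    Rule("10.10.3.15", "10.10.1.5", 44818),   # MES -> PLC, skips level 2
    Rule("10.10.2.10", "10.10.1.5", 22),      # HMI -> PLC on a port the conduit does not allow
    Rule("192.168.99.1", "10.10.1.5", 502),   # source outside every documented zone
]

if __name__ == "__main__":
    for rule, findings in audit(SAMPLE_RULES).items():
        print(f"{rule.src} -> {rule.dst}:{rule.dport}  {', '.join(findings)}")
```

Feeding the real rule export into `SAMPLE_RULES` is the useful part: every `UNKNOWN_ZONE` finding is an asset the inventory missed, and every `UNDOCUMENTED_CONDUIT` is either a conduit to add to the IEC 62443 documentation or a rule to remove.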
Industrial protocols and their risks
OT protocols were designed in an era when the industrial network lived in physical isolation. Their structural vulnerabilities are not point defects that a patch can fix, but inherited architectural traits:
- Modbus TCP/RTU: lacks native authentication and encryption. Any node with network visibility can read registers and write setpoints without credentials. Modbus Security proposals (2018 specification) have barely landed in real deployments.
- DNP3: widely used in utilities. The DNP3 Secure Authentication variant adds integrity and authentication, but field deployment is uneven and many devices still accept unauthenticated traffic.
- BACnet: standard for building automation. Its optional security mechanisms are rarely activated, leaving HVAC, lighting and access control systems exposed in networks integrated with corporate.
- Profinet: developed by Siemens and very common in Europe. The PROFIsafe variant protects functional integrity but does not defend against deliberate network attacks.
- EtherNet/IP: common across North American manufacturers, based on CIP. No authentication in its base form.
- S7Comm and S7Comm-Plus: Siemens proprietary protocol for S7 PLCs. S7Comm lacks effective authentication; S7Comm-Plus introduced improvements, but documented techniques exist to bypass them.
- HART: field protocol that connects instrumentation to controllers. WirelessHART variants add encryption, but the original wired version carries data in clear text.
Knowing which protocols the plant assets speak and where their communications are routed is the first requirement for designing realistic segmentation.
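The Modbus point is easiest to see in bytes. The following added example (not from this article, nor from any vendor product) parses Modbus/TCP request frames the way a passive monitor would after reading them from a mirror port, and raises an alert when a write function code arrives from a host that is not an authorised engineering station, or when the frame is malformed. The captured frames, host addresses and allowlist are constructed for the example. Because the protocol carries no identity of its own, the source allowlist is the only thing that separates a legitimate writer from any other node with network visibility.

```python
"""Passive detection of unauthenticated Modbus/TCP writes.

Added example, not from the article or any vendor product. A passive monitor
sees the frames below on a mirror port; since Modbus/TCP carries no identity,
"who may write" can only be enforced from an allowlist of source hosts.
"""
import struct
from dataclasses import dataclass
from typing import Optional

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}

# Constructed allowlist: only the engineering station may change PLC state.
AUTHORISED_WRITERS = {"10.10.2.20"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # starting address for the common register/coil functions
    payload: bytes


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    dst: str
    detail: str


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus function code; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto}, expected 0")
    if length != len(frame) - 6:  # the length field covers unit id + PDU
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    payload = frame[8:]
    address = None
    if fc in FUNCTION_NAMES and len(payload) >= 2:
        address = struct.unpack(">H", payload[:2])[0]
    return ModbusRequest(tid, unit, fc, address, payload)


def analyse(src: str, dst: str, frame: bytes) -> Optional[Alert]:
    """Classify one request; None means nothing worth alerting on."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return Alert("MALFORMED_MODBUS", src, dst, str(exc))
    if req.function in WRITE_FUNCTIONS and src not in AUTHORISED_WRITERS:
        name = FUNCTION_NAMES.get(req.function, "unknown")
        return Alert("UNAUTHORISED_WRITE", src, dst,
                     f"{name} (FC {req.function}) at address {req.address} on unit {req.unit_id}")
    return None


def scan(capture) -> list[Alert]:
    """Run a (src, dst, frame) capture through the detector and collect alerts."""
    return [a for src, dst, frame in capture if (a := analyse(src, dst, frame))]


# Constructed capture: (source, destination, raw Modbus/TCP request bytes).
SAMPLE_CAPTURE = [
    ("10.10.2.10", "10.10.1.5", bytes.fromhex("00010000000601030000000a")),        # HMI reads 10 holding registers
    ("10.10.2.20", "10.10.1.5", bytes.fromhex("0002000000090110006400010201f4")),  # engineering station writes register 100
    ("10.20.5.20", "10.10.1.5", bytes.fromhex("000300000006010600280000")),        # corporate host writes register 40
    ("10.10.2.10", "10.10.1.5", bytes.fromhex("00040001000601030000000a")),        # protocol id 1: not Modbus
    ("10.10.2.20", "10.10.1.5", bytes.fromhex("00050000000601050010ff00")),        # engineering station sets coil 16
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE):
        print(f"[{alert.kind}] {alert.src} -> {alert.dst}: {alert.detail}")
```

The detector never sends a packet, which is the property that matters on a network of devices that may crash on an unexpected query; the same logic over live traffic only needs the TCP payload of port 502 flows handed to `analyse`.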
Historical attacks against OT
Public incidents against industrial environments are scarce compared with those in the IT world, but the confirmed cases carry enormous weight as technical and political references. They deserve review without glamorising the actors or turning the narrative into a how-to guide.
- Stuxnet (2010): worm targeting uranium enrichment centrifuges at Natanz, Iran. It combined multiple zero-days, signed certificates and specific manipulation of Siemens S7-300/400 PLCs to alter variable frequency drive speeds. It marked a turning point by demonstrating that malware can damage physical equipment.
- Industroyer / CrashOverride (2016) and Industroyer2 (2022): malware family attributed to Sandworm, deployed against the Ukrainian power grid. It spoke IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA protocols directly to open circuit breakers and trigger supply outages.
- TRITON / TRISIS (Saudi Aramco, 2017): malware targeting Schneider Triconex Safety Instrumented Systems at a Saudi petrochemical plant. Its goal was to reprogram the SIS to inhibit emergency shutdowns, with potential for severe physical impact. A deployment error triggered the shutdowns and revealed the attack.
- Colonial Pipeline (2021): DarkSide ransomware against the IT systems of a US pipeline operator. Although the encryption hit IT, the operational decision to halt the OT network as a precaution caused fuel shortages on the east coast for several days. It illustrates how an IT incident impacts operations even without directly touching controllers.
Each of these cases offers specific lessons on initial vectors, persistence, process manipulation and response. They form part of the minimum technical culture any OT team should master.
Sector-specific risks
Manufacturing presents a combination of factors that make it a singular target:
- Legacy devices 15 to 30 years old with no patch path. PLCs in production since the early 2000s still sit at the heart of many lines. Replacing them implies planned shutdowns, requalification and full functional validation.
- Vendor remote access without MFA. Integrators and manufacturers maintain support access that was frequently implemented through open VPN tunnels, shared credentials and no second factor. It is one of the most common initial vectors in documented incidents.
- HMIs running Windows XP or Windows 7 with no upgrade path. Operator stations depend on drivers and control system vendor software that often does not support modern operating systems. Upgrading means renegotiating maintenance contracts or switching platforms.
- Accidental IT to OT convergence. ERP update rollouts, identity management tools or EDR agents designed for IT end up reaching plant equipment and break critical communications. The reverse also happens: a maintenance technician plugs a laptop into the industrial switch without considering the consequences.
- Compromised engineering workstations. The engineering stations that program PLCs are high-value targets. An attacker controlling them can modify control logic, download new programs and manipulate the process from within.
- Supply chain of external integrators. Integrators access multiple clients with shared tools. A compromise of an integrator or its work laptop can propagate to several plants simultaneously.
Priority technical controls
The recommended priority order for a plant starting from a low maturity baseline is:
- OT asset inventory. Without knowing what is connected, nothing can be protected. Platforms such as Claroty, Nozomi Networks or Dragos perform passive discovery from network traffic without sending packets that could disturb sensitive devices.
- IEC 62443 zones and conduits segmentation. Define clear zones, document authorised conduits and materialise the separation with industrial firewalls or managed switches. The industrial DMZ is non-negotiable.
- Passive monitoring. Dragos, Nozomi or Claroty sensors capture traffic via port mirroring or TAPs and detect anomalies without injecting active traffic.
- Engineering workstation hardening. Strict allowlisting policy, full disk encryption, domain MFA, USB lockdown except for justified cases and periodic review of installed software.
- Verified PLC and HMI backups. Periodic copies of project files, control logic and configuration, with restoration tested at least annually on a bench.
- OT-aware incident response runbooks. Any containment action that involves shutting down or isolating part of the plant must be coordinated with production and maintenance. Powering off a PLC without a proper sequence can damage in-process product or equipment.
- Vendor remote access through jump host with MFA. Centralise access through a single bastion, with session recording, ticket-based authorisation and mandatory second factor.
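Verified backups only mean something if a later check can prove that a stored project is still the one that was approved, which also gives a cheap way to notice the unauthorised logic changes an attacker on an engineering workstation would make. This added example, not part of the article and not a vendor tool, builds a SHA-256 manifest of a backup directory and later reports the files that went missing, changed or appeared; the directory layout, file names and contents are constructed. Comparing the program actually running on a PLC against the backup is vendor-specific and outside what this snippet covers.

```python
"""Build and verify a SHA-256 manifest of PLC/HMI project backups.

Added example, not from the article or any vendor tool. The files, names and
contents used in demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large project archives are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under the backup directory."""
    return {
        p.relative_to(backup_dir).as_posix(): file_digest(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the directory with a stored manifest; all three lists empty means verified."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a backup, then let the copy drift before the annual restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "line1").mkdir()
        (root / "line1" / "plc_main.project").write_bytes(b"LAD logic v12 (constructed)")
        (root / "line1" / "hmi_screens.xml").write_text("<screens/>")
        manifest = build_manifest(root)   # this is what gets stored with the backup

        # Drift between backup and restore test: logic edited, HMI file lost, stray file added.
        (root / "line1" / "plc_main.project").write_bytes(b"LAD logic v12 + undocumented rung")
        (root / "line1" / "hmi_screens.xml").unlink()
        (root / "line1" / "notes.txt").write_text("left behind by someone")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Store the manifest somewhere the backup owner cannot silently rewrite (a signed file or a separate repository), and run `verify_backup` both before a bench restore and as a periodic job over the live project share so that a modified file is noticed long before the next planned shutdown.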
NIS2 compliance roadmap for manufacturing
A realistic plan for critical manufacturing follows phases that combine regulatory obligations and technical maturity:
- Identification of critical assets and processes. Detailed inventory of lines, control systems, communications and external dependencies. Classification by impact on continuity and safety.
- Gap analysis against IEC 62443 and NIS2 Article 21. Evaluation of the ten minimum measure areas required: risk analysis, incident handling, business continuity, supply chain, security in acquisition and development, effectiveness evaluation, cryptography, human resources, access control and MFA.
- Prioritised segmentation. Design of zones and conduits, reinforcement of the industrial DMZ and separation of plant networks. Phased implementation aligned with planned shutdowns.
- Monitoring deployment. Passive sensors, integration with the corporate SOC or a managed OT-specialised service, definition of specific detection use cases.
- Tabletop exercises and drills. Document-based exercises with executive leadership, operations and maintenance, scaling up to partial drills on non-critical lines.
- Early operational notification. Procedures to meet NIS2 deadlines for initial notification within 24 hours and full reporting within 72 hours, with the competent authority designated by the Spanish transposition.
How IEC 62443 fits with NIS2
NIS2 establishes risk management and outcome obligations but does not impose a specific technical framework. IEC 62443 is the international reference standard for industrial control system security and has consolidated as the best way to demonstrate technical maturity before auditors and supervisors. The usual mapping associates each minimum Article 21 measure with one or several IEC 62443 requirements: risk management finds reflection in 62443-3-2 (assessment), technical measures in 62443-3-3 (system security requirements) and supply chain in 62443-2-4 (suppliers). Adopting IEC 62443 does not guarantee NIS2 compliance on its own, but it provides a proven framework that simplifies the conversation with the administration and reduces interpretative ambiguity.
Frequently asked questions
Is an industrial SME required to comply with NIS2?
It depends on subsector and size. Micro and small enterprises, under the criteria of Recommendation 2003/361/EC, are generally outside the direct scope, except for specific exceptions such as unique providers of critical services in a territory. Once the medium enterprise threshold is reached, if the subsector is included, Article 21 obligations apply. The Spanish transposition in force and the subsector annexes should be reviewed before discarding applicability.
Is IEC 62443 certifiable?
Yes. There are certification schemes for products, processes and personnel. Product certification is managed by bodies such as ISASecure and TÜV under different security levels. Integrators can certify against 62443-2-4 and professionals can obtain recognised personal credentials. Certification is not mandatory for NIS2 compliance, but it provides objective evidence in audits and commercial processes.
Is an OT pentest destructive?
A properly scoped OT pentest should not be destructive. The professional methodology combines passive reconnaissance, document review, configuration analysis and, when justified, active tests on replica environments or planned shutdown windows. Intrusive tests on a live production plant are avoided unless explicitly requested by the client and under strict safety protocols. The difference with an IT pentest lies in the weight of the threat model and the coordination with operations.
How should integrator remote access be managed?
The recommended standard is a dedicated jump host, mandatory multi-factor authentication, ticket-based authorisation with a limited time window, session recording and periodic account review. Permanent open VPNs and shared credentials must be eliminated. Maintenance contracts should be updated to reflect the new procedure.
Which SCADA is secure today?
No product is secure on its own. Security is built through hardened configuration, correct segmentation, active patch management, monitoring and operational procedures. The modern platforms from the main vendors offer reasonable security features, but the responsibility for configuring and maintaining them lies with the operator. A specific audit of the deployed platform is always more useful than comparing product datasheets.
What should be done with a Windows XP HMI?
The situation is common and rarely has an immediate fix. Short-term mitigation measures include isolating the HMI in a network microsegment, restricting communications to a single associated PLC, removing any outbound internet connection, disabling USB ports, applying application allowlisting and monitoring specifically. The medium-term roadmap should contemplate replacement with a supported platform, usually coordinated with the upgrade of the associated control system.
Related resources
- IoT/OT Cybersecurity: Critical Threats in 2026
- NIS2 Spain: Compliance Guide 2026
- NIS2 Audit Step by Step
- What is Zero Trust: Architecture and Implementation
- Systems and Network Hardening Explained
OT/ICS audit with Secra
Secra supports industrial manufacturers on the path to NIS2 compliance with an OT-aware approach. Our services include non-intrusive industrial pentest on replica environments or planned shutdown windows, IEC 62443 audit with identification of zones and conduits, NIS2 manufacturing gap analysis aligned with the annexes of the Spanish transposition and support for the definition of notification and response procedures. We work with operational sensitivity, understanding that any technical action must respect plant timing and constraints.
If your organisation needs to advance in industrial cybersecurity without taking risks on production continuity, contact our team for an initial conversation with no commitment.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.