
Manufacturing & OT Security
Cybersecurity for Manufacturing & Industry
IT and OT are converging across manufacturing — and so are the risks. We protect production environments against modern cyber threats without causing production downtime.
IT/OT Convergence: New Attack Surfaces in Production
Industrial production has undergone a profound digitalisation in recent years. Industry 4.0, predictive maintenance, digital twins, and cloud-based production planning are connecting systems that historically operated in complete isolation: programmable logic controllers (PLCs), SCADA systems, DCS platforms, and field devices now communicate with ERP systems, supplier portals, and cloud services.
This connectivity creates real attack surfaces. An attacker who compromises an employee through phishing can — in the absence of segmentation — move from the office IT into production control systems. Ransomware launched in the IT environment can propagate into OT networks and compromise control systems. NotPetya in 2017 showed how such an attack can cause a worldwide production halt within hours — with damage in the billions.
OT systems are also structurally vulnerable: long lifecycles (15–30 years), vendor-specific protocols, restricted patching capability, and the absolute priority of availability make classical IT security measures non-transferable. Approaching OT security with IT tools and IT thinking risks production outages caused by the security measures themselves.
IEC 62443: The Security Standard for Industrial Systems
IEC 62443 is the international standard series for cybersecurity in industrial automation and control systems (IACS). It defines security requirements for operators, system integrators, and component manufacturers across four security levels (SL 1–4) and mandates zone-based network segmentation grounded in a risk assessment of the production environment.
The zone concept under IEC 62443 divides production infrastructure into zones with different protection requirements and defines conduits — transition points between zones — which are selectively monitored and filtered. This model is far more effective than a simple IT/OT firewall: it limits the blast radius of a successful attack to one zone and prevents uncontrolled malware propagation.
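The zone-and-conduit model described above, as an added illustration in Python (not code from the page or from the consultancy): zones are modelled as a Purdue-style hierarchy, each conduit is an allow-list of the protocols it may carry, and a breadth-first walk over the conduits shows how far an attacker limited to given protocols can propagate; zone names, conduits and the observed flows are constructed assumptions.

```python
from collections import deque

# Constructed zone model (an assumption for this example, not from the page):
# four zones with increasing protection requirements, Purdue-style.
ZONES = ("Enterprise", "DMZ", "Supervisory", "Control")

# Conduits: the only permitted zone transitions, each limited to the protocols
# it must carry. Every pair/protocol not listed here is denied by default.
CONDUITS = {
    ("Enterprise", "DMZ"): frozenset({"https"}),        # ERP reads the DMZ historian
    ("DMZ", "Supervisory"): frozenset({"opc-ua"}),      # historian mirrors SCADA data
    ("Supervisory", "Control"): frozenset({"modbus-tcp", "s7comm"}),  # SCADA to PLCs
}

def flow_allowed(src: str, dst: str, proto: str) -> bool:
    """True only if a conduit from src to dst exists and carries proto."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in flow {src}->{dst}")
    if src == dst:
        return True  # intra-zone traffic is governed by the zone's own SL, not a conduit
    return proto in CONDUITS.get((src, dst), frozenset())

def blast_radius(compromised: str, protocols: list[str]) -> set[str]:
    """Zones reachable from `compromised` when the attacker can only use `protocols`."""
    protos = set(protocols)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        zone = queue.popleft()
        for (src, dst), allowed in CONDUITS.items():
            if src == zone and dst not in seen and protos & allowed:
                seen.add(dst)
                queue.append(dst)
    return seen

def conduit_violations(flows: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Flows (src_zone, dst_zone, proto) that no conduit permits: each one is
    either a segmentation gap or an active lateral-movement attempt to investigate."""
    return [f for f in flows if not flow_allowed(*f)]

# Constructed sample of observed flows, e.g. from a monitoring tap on the conduits.
OBSERVED_FLOWS = [
    ("Enterprise", "DMZ", "https"),            # legitimate ERP query
    ("Supervisory", "Control", "modbus-tcp"),  # legitimate SCADA polling
    ("Enterprise", "Control", "s7comm"),       # office host talking to a PLC directly
    ("Enterprise", "DMZ", "smb"),              # SMB over a conduit that only carries HTTPS
]

if __name__ == "__main__":
    print("violations:", conduit_violations(OBSERVED_FLOWS))
    print("SMB-only malware from Enterprise reaches:", blast_radius("Enterprise", ["smb"]))
```

With no conduits at all (a flat network), the same walk would return every zone from any starting point, which is the propagation path the conduit allow-lists are meant to cut.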
For industrial companies subject to NIS2 or supplying to KRITIS operators, IEC 62443 is increasingly the de-facto proof standard. We implement IEC 62443 pragmatically: asset discovery and zone mapping, gap analysis against the relevant standard parts, a prioritised measure plan that respects production constraints, and — where required — support for certification.
NIS2 and Supply Chain Security for Industrial Companies
NIS2 affects industrial companies in two roles: as potentially directly impacted entities (particularly in the manufacture of critical products, mechanical engineering, and transport sectors) and as suppliers to essential entities. The latter is often the more immediate pressure point for mid-sized companies: customers subject to NIS2 will increasingly audit their suppliers for cybersecurity maturity and include it in contracts.
Supply chain security is an explicit NIS2 requirement: affected companies must assess the cybersecurity measures of their direct suppliers. This creates cascading pressure throughout the supply chain. Industrial companies unable to respond to security maturity inquiries today will lose contracts — regardless of the technical quality of their products.
We support industrial companies in being prepared for these inquiries: security documentation, ISO 27001 preparation, NIS2 applicability analysis, and — where full certification is premature — at minimum a substantive self-declaration with evidence of essential measures in place. This buys time and protects business relationships.
Our Services
- OT/ICS Security Assessments and risk evaluation
- IEC 62443 zone concept and network segmentation
- Asset discovery for OT networks
- NIS2 applicability analysis and measure planning
- Penetration testing of OT/IT interfaces
- Security monitoring for OT networks
Applicable Regulations
- IEC 62443
- NIS2
- ISO/IEC 27001
- BSI IT-Grundschutz
- Cyber Resilience Act
Industry-Specific Consulting
Talk to our experts about your specific requirements and regulatory obligations.
Ready to address your industry-specific security requirements?
Talk to us about your security requirements: concretely, without obligation, and as equals.