
NIS 2, IEC-62443, and Their Impact on Cybersecurity in Industrial Automation

  • DelaControl
  • Oct 17
  • 3 min read

Cybersecurity in industrial automation has shifted from a technical detail to a strategic priority. With increasing connectivity, smart factories, and Industry 4.0 adoption, production systems face growing cyber threats. The EU’s NIS 2 Directive and the IEC-62443 standards, particularly IEC-62443-4-2 and IEC-62443-2-4, are shaping how manufacturers, integrators, and suppliers secure industrial control systems (ICS).


NIS 2: A Robust Legal Framework


The Network and Information Security Directive 2 (NIS 2) imposes strict rules on “essential” entities (such as critical infrastructure like energy) and “important” entities (such as medium-sized manufacturers) in sectors including manufacturing, energy, and food. It requires:


  • Rapid incident reporting, with initial notifications within 24 hours, detailed reports within 72 hours, and final reports within a month.


  • Comprehensive risk management frameworks and regular vulnerability testing.


  • Demonstrable security measures across the supply chain, ensuring third-party suppliers meet standards.


  • Senior management accountability, with fines up to €10 million or 2% of global annual turnover for non-compliance.


For automation, cyber resilience is now a compliance necessity. A malware incident halting a packaging line causes operational losses, regulatory scrutiny, fines, and reputational damage. As some EU member states delayed transposing NIS 2 beyond October 2024, manufacturers must monitor national regulations to ensure compliance.


IEC-62443: Technical Standards for OT Security


The IEC-62443 standards are the global benchmark for industrial automation cybersecurity. Unlike IT-focused frameworks such as ISO 27001, they are tailored to operational technology (OT) environments like PLCs, HMIs, SCADA systems, and field devices, and they prioritise the availability and safety that OT uniquely requires.


IEC-62443-4-2: Secure Products


Part 4-2 sets technical security requirements for ICS components, including authentication, encrypted communications, audit logs, and integrity checks. It ensures devices are built with security by design, a critical shift for product suppliers. Certifications like ISASecure validate compliance, giving suppliers a market advantage.


IEC-62443-2-4: Secure Service Providers


Part 2-4 focuses on system integrators and service providers, requiring secure commissioning, patch management, remote access controls, and documented risk assessments. This ensures consistent, auditable methods during system installation and maintenance. Other parts, such as IEC-62443-3-3 (system security levels) and IEC-62443-2-1 (asset owner programmes), complement these requirements.


Legacy OT systems, such as decades-old PLCs lacking encryption, pose challenges to compliance, often requiring retrofitting or replacement to meet IEC-62443 standards.


Real-World Example: Packaging Line Attack


Consider a food and beverage manufacturer relying on a packaging line controlled by PLCs and monitored via an HMI.


  • The Threat: A phishing attack introduces ransomware, spreading to the factory network and forcing PLCs into a stop condition. Production halts for days, costing £80,000 per hour in downtime, lost output, and wasted materials (based on industry estimates). Under NIS 2, the incident must be reported within 24 hours, risking fines and scrutiny.


  • With IEC-62443 Controls:


    • IEC-62443-4-2-compliant PLCs require authentication, rejecting unauthorised commands.

    • Network segmentation isolates the packaging line from corporate IT, limiting malware spread.

    • Audit logs capture access attempts, aiding forensic analysis and NIS 2 reporting.

    • IEC-62443-2-4-compliant integrators ensure up-to-date patches and firewall rules, addressing vulnerabilities like weak remote access.

    • Predefined recovery procedures restore operations within hours, ensuring compliance with NIS 2 timelines.


This scenario shows how NIS 2 enforces accountability, while IEC-62443 provides the technical framework to achieve it.
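The audit-log and reporting points in the scenario above can be made concrete. The following Python script is an added illustration, not code from the original post or from any IEC-62443 product: it parses a constructed, hypothetical PLC access log (the `key=value` format, the `10.10.20.0/24` cell network, the source addresses and the 3-failure threshold are all assumptions), flags a source that is outside the OT segment or that accumulates repeated denied or failed access attempts, and derives the NIS 2 notification milestones (24 hours, 72 hours, one month) from the first flagged event so that a forensic summary and a reporting clock come out of the same evidence.

```python
"""Triage of an IEC-62443-style PLC access log for NIS 2 reporting (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a hypothetical key=value format (not a vendor's).
# A host on the corporate range tries unauthenticated writes and then guesses a password;
# a legitimate operator on the cell network reads and later restarts the line.
SAMPLE_LOG = """\
2024-11-04T02:10:05Z src=10.10.20.15 user=operator action=READ tag=Line3.Speed result=OK
2024-11-04T02:11:42Z src=192.168.50.77 user=- action=WRITE tag=Line3.Run result=DENIED reason=unauthenticated
2024-11-04T02:11:43Z src=192.168.50.77 user=- action=WRITE tag=Line3.Run result=DENIED reason=unauthenticated
2024-11-04T02:11:44Z src=192.168.50.77 user=admin action=LOGIN result=FAIL
2024-11-04T02:11:50Z src=192.168.50.77 user=admin action=LOGIN result=FAIL
2024-11-04T02:12:01Z src=192.168.50.77 user=admin action=LOGIN result=FAIL
2024-11-04T02:30:00Z src=10.10.20.15 user=operator action=WRITE tag=Line3.Run result=OK
"""

OT_SEGMENT = ip_network("10.10.20.0/24")  # assumed packaging-line cell network
FAILURE_THRESHOLD = 3                      # assumed: repeated failures worth escalating
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    action: str
    result: str
    reason: str


def parse_line(line: str) -> Event:
    """Split '<timestamp> k=v k=v ...' into an Event; timestamps are UTC."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    return Event(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        src=fields["src"],
        user=fields.get("user", "-"),
        action=fields["action"],
        result=fields["result"],
        reason=fields.get("reason", ""),
    )


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_failure(ev: Event) -> bool:
    return ev.result in {"DENIED", "FAIL"}


def triage(text: str) -> dict[str, dict]:
    """Group failures by source; flag sources outside the OT segment or over threshold."""
    findings: dict[str, dict] = {}
    for ev in parse_log(text):
        if not is_failure(ev):
            continue
        f = findings.setdefault(ev.src, {"failures": 0, "first_seen": ev.ts, "actions": set()})
        f["failures"] += 1
        f["first_seen"] = min(f["first_seen"], ev.ts)
        f["actions"].add(ev.action)
    for src, f in findings.items():
        f["outside_ot_segment"] = ip_address(src) not in OT_SEGMENT  # segmentation violated
        f["flagged"] = f["outside_ot_segment"] or f["failures"] >= FAILURE_THRESHOLD
    return {src: f for src, f in findings.items() if f["flagged"]}


def nis2_deadlines(first_seen: datetime) -> dict[str, datetime]:
    """NIS 2 reporting milestones counted from when the incident became known (simplified)."""
    return {
        "early_warning": first_seen + timedelta(hours=24),
        "incident_notification": first_seen + timedelta(hours=72),
        "final_report": first_seen + timedelta(days=30),  # "within a month", approximated as 30 days
    }


def incident_summary(text: str) -> list[dict]:
    """One row per flagged source, with the evidence and the first reporting deadline."""
    rows = []
    for src, f in triage(text).items():
        due = nis2_deadlines(f["first_seen"])
        rows.append({
            "src": src,
            "failures": f["failures"],
            "actions": sorted(f["actions"]),
            "outside_ot_segment": f["outside_ot_segment"],
            "early_warning_due": due["early_warning"].isoformat(),
        })
    return rows


if __name__ == "__main__":
    for row in incident_summary(SAMPLE_LOG):
        print(row)
```

Run as a script it prints a single row for `192.168.50.77`: five failures spanning `LOGIN` and `WRITE`, a segmentation violation, and the 24-hour early-warning deadline of 2024-11-05T02:11:42Z. The operator on the cell network never appears, because successful reads and writes are not evidence of an incident; in a real deployment the log format, the segment definition and the threshold would come from the integrator's documented design rather than the assumptions made here.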


Impact on Industrial Automation


NIS 2 and IEC-62443 are transforming the sector:


  • Suppliers must certify PLCs, drives, and sensors to IEC-62443-4-2, often via programmes like ISASecure or TÜV SÜD.


  • Integrators must demonstrate IEC-62443-2-4 compliance in project delivery, meeting client demands in regulated industries.


  • Asset owners must align production systems with NIS 2, investing in network monitoring and incident response.


  • Management must prioritise cybersecurity budgets and upskill OT staff, as automation teams often lack cybersecurity expertise.


Competitive Advantage Through Compliance


Compliance is mandatory but also offers opportunities. Companies embedding NIS 2 and IEC-62443 practices can reduce downtime, protect intellectual property, and secure contracts in regulated sectors like pharmaceuticals and defence. For example, Siemens’ IEC-62443-certified PLCs have won contracts in pharmaceutical manufacturing. Compliant firms can save 20-30% on breach costs (per IBM’s 2023 report), and emerging OT security services, such as managed security operations centres, drive innovation. Security is not just protection but a competitive differentiator.


Conclusion


NIS 2 and IEC-62443 are more than regulatory requirements; they are a roadmap for securing industrial automation in a digital era. By combining legal accountability with secure-by-design engineering, the industry can shift from reactive crisis management to proactive resilience. As Industry 4.0 integrates AI and IoT, these frameworks will be vital for securing expanding attack surfaces. Manufacturers should assess OT environments now to meet NIS 2 deadlines and leverage IEC-62443 certifications, ensuring safer, more reliable, and competitive automation systems.

