INDUSTRIES · MANUFACTURING & IIOT

Manufacturing reality. OT-IT convergence. NIS2-essential.

TL;DR. We know manufacturing realities, even where IT and OT historically haven't spoken. Readiness for NIS2 essential entities, ICS detection, IEC 62443-based segmentation. AI-native operations that don't break OT security.
Tags: NIS2-essential · IEC 62443 · OT-IT convergence

What this sector typically struggles with

The EU transposition deadline for NIS2 (17 October 2024) is past and Germany's implementation act has since entered into force; the BSI, as competent authority, now conducts supervisory audits with rigor. OT detection is no longer optional, it's mandatory. But classical EDR doesn't run on PLCs, HMIs or fieldbus components (Modbus, Profinet, S7), so coverage there has to come from the network. At the same time, ransomware is reaching manufacturing halls, and purpose-built ICS malware (the Industroyer family, PIPEDREAM/Incontroller, Triton/TRISIS) shows that OT is a deliberate target, not collateral damage.

Supply-chain reality intensifies pressure. One plant shutdown from ransomware doesn't just make internal headlines — OEM customers and distributors feel delivery bottlenecks immediately. Insurers demand IEC-62443 maturity as a condition for cyber policies. And staffing shortage is real: OT security skills are scarce. An average large plant has a handful of IT staff and a single automation engineer — tasking them with patch management for 200 different PLC types doesn't work.

Maintenance windows are rare and expensive. One production halt costs thousands of euros per hour. That's why patching becomes a political decision, not a technical one. You need a partner who understands that OT hardening and production run in parallel — not sequentially.

How we typically help

We build IT/OT-segmented detection with ICS protocol understanding: Modbus, Profinet, S7 and OPC UA aren't foreign to us. Endpoint agents sit on the IT side (office, engineering, MES). Passive network sensing (SPAN port or TAP) monitors the OT zone boundaries, not with a signature-based IDS (too many false positives on industrial traffic), but by parsing the protocols and tracking their state: which client talks to which controller, with which function codes, at which rate. That's the difference between real OT risk and alert fatigue.

Every OT alert is enriched by the LLM gateway with OT-relevant context (unexpected PLC reset, unusual fieldbus load, engineering-toolchain anomalies such as a project download outside a maintenance window). Business agents route escalations to the right person: the shift lead or the BSI reporting officer, not the data-protection officer. On-prem or hybrid deployment is typical, because most plant networks are offline or sit behind the strictest firewall rules.

We build the IEC 62443 zone-and-conduit architecture with you: defense in depth, with critical conduits authenticated and encrypted where the protocol allows it. Many legacy fieldbus protocols carry no authentication at all, so those conduits are protected by segmentation and monitoring instead. Clone handover is part of every engagement: we train your OT team so it can run and extend the setup itself.

Where it usually pays to start

Start with an OT inventory and risk categorization. Most plants don't have a current list of their PLC generations, telematics gateways, or engineering workstations. Passive discovery from network traffic comes first; active scans only in coordinated windows, because an unsolicited scan can stall or crash older controller firmware. Together they show what's actually running.

  • IT/OT segmentation audit: How are the production zones (PLCs, cell/area networks) separated from MES and office today? Where are the weak points in the conduits between them?
  • ICS detection engineering: Learn Modbus/Profinet/S7 baselines, define anomalies without disrupting engineering.
  • NIS2 evidence collection: Audit trail for BSI, if reporting becomes necessary. Fully in EU, retention per specification.
  • IEC-62443 maturity assessment: Where are you under the SL model (Security Level 1–4)? What low-hanging fruit raises maturity without a production halt?
  • Backup strategy for engineering workstations: CAD, Siemens STEP 7 and ABB tools are often unprotected. Ransomware in the engineering network means design theft plus production halt.
  • Cyber-insurer readiness: Gather documentation meeting your policy conditions.
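To make "protocol-state understanding" and "baselines" concrete, here is an added example written for this page (not Nova9 code and not any vendor's sensor): a minimal Modbus/TCP request parser plus a baseline that records which client may issue which function code to which unit, and flags deviations such as a write from an unknown host. The IP addresses, the learning window and the transaction-ID heuristic are assumptions; the frames are constructed inline.

```python
"""Added example (not Nova9 code): stateful Modbus/TCP baseline detection."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Public Modbus function codes (Modbus Application Protocol specification)
READ_FUNCS = {1, 2, 3, 4}                         # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16, 23}                  # write single/multiple coils/registers, read-write registers
ADDRESSED_FUNCS = READ_FUNCS | {5, 6, 15, 16}     # PDUs that start with start-address + quantity/value


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int] = None
    quantity: Optional[int] = None


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse MBAP header (7 bytes) + PDU of a client request. Raises ValueError on malformed frames."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto_id, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto_id}")
    if length != len(payload) - 6:                # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    func = payload[7]
    if func & 0x80:
        raise ValueError("exception bit set in a request frame")
    req = ModbusRequest(src, dst, tid, unit, func)
    if func in ADDRESSED_FUNCS and len(payload) >= 12:
        req.address, req.quantity = struct.unpack("!HH", payload[8:12])
        if func in (5, 6):                        # single writes carry a value, not a quantity
            req.quantity = 1
    return req


@dataclass
class Baseline:
    """Learned in a quiet window: which client talks to which unit with which function codes."""
    allowed: Dict[Tuple[str, str, int], Set[int]] = field(default_factory=dict)
    writers: Set[str] = field(default_factory=set)   # hosts permitted to write (assumed: SCADA/engineering)


def learn(baseline: Baseline, req: ModbusRequest) -> None:
    baseline.allowed.setdefault((req.src, req.dst, req.unit_id), set()).add(req.function)


def evaluate(baseline: Baseline, req: ModbusRequest, last_tid: Dict[Tuple[str, str], int]) -> list:
    """Return alert strings for one request; an empty list means it matches the baseline."""
    alerts = []
    key = (req.src, req.dst, req.unit_id)
    if key not in baseline.allowed:
        alerts.append(f"new-conversation {req.src}->{req.dst} unit {req.unit_id}")
    elif req.function not in baseline.allowed[key]:
        alerts.append(f"new-function fc={req.function} for {req.src}->{req.dst} unit {req.unit_id}")
    if req.function in WRITE_FUNCS and req.src not in baseline.writers:
        alerts.append(f"write-from-unexpected-host {req.src} fc={req.function} addr={req.address}")
    # Heuristic (assumption): one master increments transaction ids; a large jump or a restart
    # from a low value hints at a second, injected client sharing the same source address.
    prev = last_tid.get((req.src, req.dst))
    if prev is not None and not 0 < (req.transaction_id - prev) % 65536 <= 16:
        alerts.append(f"transaction-id-discontinuity {prev}->{req.transaction_id}")
    last_tid[(req.src, req.dst)] = req.transaction_id
    return alerts


def frame(tid: int, unit: int, func: int, addr: int, qty_or_value: int, data: bytes = b"") -> bytes:
    """Build a constructed Modbus/TCP request frame for the demo."""
    pdu = struct.pack("!BHH", func, addr, qty_or_value) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def demo() -> list:
    base = Baseline(writers={"10.1.2.10"})          # assumed SCADA server address
    last_tid: Dict[Tuple[str, str], int] = {}
    for tid in range(1, 4):                          # learning window: SCADA polls holding registers
        learn(base, parse_modbus_tcp("10.1.2.10", "10.1.3.20", frame(tid, 1, 3, 0, 10)))
    traffic = [                                      # detection window (constructed frames)
        ("10.1.2.10", "10.1.3.20", frame(4, 1, 3, 0, 10)),                                  # normal poll
        ("10.1.2.10", "10.1.3.20", frame(5, 1, 16, 100, 2, struct.pack("!BHH", 4, 1, 2))),  # SCADA setpoint write
        ("10.1.9.77", "10.1.3.20", frame(1, 1, 6, 40, 1)),                                  # unknown host writes
    ]
    return [evaluate(base, parse_modbus_tcp(s, d, p), last_tid) for s, d, p in traffic]


if __name__ == "__main__":
    for alerts in demo():
        print(alerts or "ok")
```

The second request in the demo is deliberately ambiguous: a write is new for that conversation, so it raises a "new-function" alert, but because the source is the known SCADA host it does not raise the higher-severity "write-from-unexpected-host" alert. That distinction, rather than "port 502 seen", is what keeps OT alerts actionable for a shift lead.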
Concrete offerings

What you can hand off

  • IT/OT segmentation assessment

    Audit zone architecture, find weaknesses in conduit designs.

  • ICS detection for your protocols

    Modbus, Profinet, S7 and OPC UA. We track protocol state instead of only logging raw frames.

  • SOC integration with OT layer

    Categorize alerts correctly and route to right escalation paths.

  • IEC-62443 maturity assessment

    Measure current SL, create hardening plan with minimal production disruption.

  • NIS2 evidence pack

    Audit logs, detection traces, incident reports for BSI notification in prescribed form.

  • Backup & recovery for engineering

    CAD, Siemens Step7, ABB databases encrypted and versioned, restore in minutes.

Regulatory framework

Obligations we address

Manufacturing and IIoT stand in a dense regulatory stack in 2026: NIS2 with supervisory audits, IEC 62443 as the technical standard, the KRITIS ordinance for operators above its thresholds, plus sector-specific obligations from TISAX to the Cyber Resilience Act.

  • NIS2 §10
    NIS2 Implementation Act · §10 Risk management measures

    Mandates risk analysis, incident handling, business continuity, supply-chain security and procedures to test the effectiveness of the measures (penetration tests are the usual evidence). The supervisory authority (BSI) checks maturity and implementation; fines for essential entities go up to €10M or 2% of global annual turnover, whichever is higher. We build OT detection engineering, document BCM plans and establish supplier reviews, all auditable in the Nova9 audit mirror.

  • NIS2 §11
    NIS2 Implementation Act · §11 Reporting obligations

    Significant security incidents must be reported to the BSI in three stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. We deliver the workflow: detection trigger, auto-populated BSI form, documented escalation path with executive sign-off.

  • NIS2 §12
    NIS2 Implementation Act · §12 Management duties

    Management bodies must approve and oversee the risk-management measures, can be held liable for breaches, and must attend training themselves; proof of knowledge and regular training are therefore mandatory. We deliver the training plan, document attendance and conduct annual tabletop exercises with leadership. The reporting format is audit-ready.

  • IEC 62443-2-1
    IEC 62443-2-1 · Cybersecurity management system for OT

    Requires a documented cybersecurity management system for the OT environment. It complements rather than replaces an ISO 27001 ISMS: the structure is similar, but OT has a different risk profile (safety and availability first, long asset lifetimes, vendor-controlled patching). We build the CSMS on Nova9 basis with OT-specific detections and maintenance-window-compliant patch processes.

  • IEC 62443-3-3
    IEC 62443-3-3 · System security requirements and security levels

    Defines security levels (SL 1–4) for OT systems according to the attacker capability a zone must withstand, from casual misuse (SL 1) to nation-state-grade resources (SL 4); the target SL per zone follows from the risk assessment. Maturity assessment happens per zone and conduit. We conduct the assessment, plan hardening per zone and document alignment with the target SL for each area.

  • IEC 62443-4-1
    IEC 62443-4-1 · Secure product development lifecycle

    For OEMs and equipment builders: products must follow secure development lifecycle — threat modeling, secure code reviews, pen tests, vulnerability management with disclosure policy. We build process documentation and integrate security gates in CI/CD pipelines.

  • KRITIS §8a
    BSI Act §8a · KRITIS sector specifics

    If KRITIS threshold exceeded (power generation, water, etc.): state-of-the-art proof every two years, permanently established ISMS, BCM, 24h BSI reporting obligation. We deliver evidence pack in BSI-accepted format and manage ongoing maintenance.

  • TISAX
    TISAX · VDA-ISA maturity audit for automotive suppliers

    OEM requirement for direct and indirect suppliers. The assessment level (AL1/AL2/AL3) depends on data sensitivity and prototype access. We prepare the TISAX self-assessment, close identified gaps and accompany the external auditor; typical lead time 60–90 days.

  • CRA
    EU Cyber Resilience Act · Regulation (EU) 2024/2847 (reporting obligations from September 2026, full application December 2027)

    Products with digital elements need security-by-design, vulnerability handling over the support period, and security-update and vulnerability-reporting obligations. We build the CE conformity process including SBOM maintenance, vulnerability disclosure policy and patch distribution. Early setup is more economical than a CRA last-minute effort.

  • ISO 27001
    ISO/IEC 27001:2022 · Information security management system

    Cross-sector reference standard; not formally required by NIS2, but the evidence base most auditors accept for the risk-management measures. We build the ISMS per Annex A controls, document the risk register and improvement plan, and prepare the external audit; typically 12–18 months to certification.

Sector facts

As of 2026-05-27 · Source: dynexo Operations + BSI/NIS2 data
Typical engagement size: 200–2,000 employees · 1–10 sites (mostly plant clusters)
Most common triggers: NIS2 supervisory audit, OT incident/ransomware, cyber-insurer requirement
Typical deployment model: On-prem or hybrid (OT layer offline, IT layer in EU cloud) · Reason: network boundaries, maintenance windows, air-gap scenarios
Core regulation: NIS2, IEC 62443, KRITIS (if relevant), GDPR
Nova9 modules in use: Endpoint agents, knowledge base (protocol understanding), observability (OT metrics), message bus (zone routing)
Typical onboarding: 60–90 days (inventory, baseline, hardening, training)
Audit mirror: Fully in EU · Retention: 7 years by default (NIS2 itself sets no fixed retention period)
Clone handover: Available · Critical for knowledge transfer to the OT team
Asked often

Asked before the briefing

  • Can you detect directly at PLC level?
    Not on the PLC itself: memory and compute are too constrained, and the firmware is closed. We detect at the network layer (fieldbus traffic) and at engineering workstations (STEP 7, TIA Portal). PLC-native anomaly detection isn't yet mature, standard practice in 2026. Instead: fieldbus state-machine understanding plus upstream alerts.
  • How do you patch OT without production halt?
    With you, in your maintenance windows. We bring patch plan and structured test procedures (staging, rollback plan, checkpoint management). You decide timing and sequence. One patch per PLC generation per window is standard — no surprises.
  • Do we need air-gapped networks?
    Rarely. Hybrid with strict firewall rules or a data-diode concept (one-way flow of logs and telemetry out of the OT zone) is standard. A true air gap is expensive and impractical, and in practice it is quietly undone by USB sticks and remote-maintenance laptops; we show alternatives.
  • What if we don't have an OT inventory yet?
    We start there: passive discovery from network telemetry, then active scans only in coordinated maintenance windows (an unsolicited scan can disrupt older controllers). 30–60 days to a reliable list. We can start building first detections in parallel.
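What passive discovery from network telemetry produces, as an added example written for this page (not Nova9 code): connection records such as a SPAN-port sensor would export are classified by well-known ICS service ports, rolled up into an asset list with roles and first/last-seen times, and compared against the plant's declared inventory. The records, addresses and the role heuristic are constructed assumptions for the demo.

```python
"""Added example (not Nova9 code): passive OT asset discovery from connection records."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Well-known ICS service ports used for passive classification (IANA assignments / vendor defaults)
ICS_PORTS: Dict[Tuple[int, int], str] = {
    (6, 502): "modbus-tcp",
    (6, 102): "s7comm/iso-tsap",
    (6, 4840): "opc-ua",
    (17, 34964): "profinet-cm",     # PNIO context manager (UDP)
    (6, 44818): "ethernet-ip",
}


@dataclass
class Asset:
    ip: str
    first_seen: float
    last_seen: float
    serves: Set[str] = field(default_factory=set)     # ICS protocols this host answers
    speaks: Set[str] = field(default_factory=set)     # ICS protocols this host initiates
    peers: Set[str] = field(default_factory=set)      # ICS counterparts seen


def build_inventory(records: Iterable[Tuple[float, str, str, int, int]]) -> Dict[str, Asset]:
    """records: (timestamp, src_ip, dst_ip, ip_protocol, dst_port), as exported from a SPAN/TAP sensor."""
    inv: Dict[str, Asset] = {}

    def touch(ip: str, ts: float) -> Asset:
        a = inv.setdefault(ip, Asset(ip, ts, ts))
        a.first_seen = min(a.first_seen, ts)
        a.last_seen = max(a.last_seen, ts)
        return a

    for ts, src, dst, proto, dport in records:
        s, d = touch(src, ts), touch(dst, ts)
        svc = ICS_PORTS.get((proto, dport))
        if svc:
            s.speaks.add(svc)
            d.serves.add(svc)
            s.peers.add(dst)
            d.peers.add(src)
    return inv


def classify(a: Asset) -> str:
    """Role heuristic (assumption for this example): field devices only answer, polling hosts talk to many."""
    if a.serves and not a.speaks:
        return "field-device"
    if a.speaks and len(a.peers) >= 3:
        return "polling-host"          # SCADA / MES / engineering candidate
    if a.speaks:
        return "client"
    return "non-ics"


def unknown_ics_assets(inv: Dict[str, Asset], declared: Set[str]) -> List[str]:
    """Hosts seen speaking or serving an ICS protocol that are missing from the declared inventory."""
    return sorted(ip for ip, a in inv.items() if ip not in declared and (a.serves or a.speaks))


def summary(inv: Dict[str, Asset]) -> Dict[str, Tuple[str, Tuple[str, ...]]]:
    return {ip: (classify(a), tuple(sorted(a.serves | a.speaks))) for ip, a in inv.items()}


# Constructed sample telemetry: (ts, src, dst, ip_proto, dst_port)
RECORDS = [
    (1000.0, "10.1.2.10", "10.1.3.20", 6, 502),     # SCADA polls PLC A (Modbus)
    (1001.0, "10.1.2.10", "10.1.3.21", 6, 502),     # SCADA polls PLC B (Modbus)
    (1002.0, "10.1.2.10", "10.1.3.22", 6, 102),     # SCADA reads S7 PLC C
    (1003.0, "10.1.2.50", "10.1.3.22", 6, 102),     # engineering workstation -> PLC C
    (1004.0, "10.1.3.30", "10.1.2.10", 6, 4840),    # undeclared host reads SCADA's OPC UA server
    (1005.0, "10.1.2.10", "10.1.3.40", 17, 34964),  # Profinet context manager to an IO device
    (1006.0, "10.1.9.77", "10.1.3.20", 6, 502),     # undeclared laptop talking Modbus to PLC A
    (1007.0, "10.1.2.10", "10.1.2.11", 6, 445),     # SMB, not ICS
]
DECLARED = {"10.1.2.10", "10.1.2.50", "10.1.3.20", "10.1.3.21", "10.1.3.22", "10.1.3.40"}  # assumed asset list


if __name__ == "__main__":
    inv = build_inventory(RECORDS)
    for ip, (role, protos) in sorted(summary(inv).items()):
        print(f"{ip:12} {role:14} {','.join(protos)}")
    print("not in declared inventory:", unknown_ics_assets(inv, DECLARED))
```

Two hosts fall out of the comparison as undeclared ICS participants, which is exactly the list an OT team wants before any active scan is scheduled; the SMB-only host is ignored because it never touched an ICS protocol.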
Next step

How does OT security look concretely for your plant?

The industry briefing analyzes your zone architecture, shows NIS2 compliance gaps and delivers a hardening plan for the next 12 months — with timelines that don't interrupt your production.