From Policy to PLC: Mapping NIS2 Controls to the Factory

NIS2 requirements often land as policy PDFs—but auditors will follow the thread down to PLCs, drives, and HMIs. This article provides a practical mapping from NIS2 obligations to factory-floor controls you can deploy, test, and evidence.

Network & Asset Visibility

  • Policy: Maintain asset inventory and detect anomalies.
  • Factory control: Passive OT monitoring (SPAN/TAP) reconciled against a CMDB that records PLC/HMI models and firmware versions. Diff each snapshot against the previous one so new devices, missing devices and firmware changes surface as anomalies, and export a periodic signed inventory for audit.
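
The drift check and the signed export described above, as an added example (not code from the original article): two constructed inventory snapshots are compared, and the current snapshot plus its drift findings are bundled and authenticated. The asset IDs, models, firmware strings and key are hypothetical. HMAC-SHA256 is used here to keep the example standard-library only; for audit evidence an asymmetric signature (for example Ed25519) is preferable so the auditor can verify without holding the secret.

```python
import hashlib
import hmac
import json
from typing import Dict, List

Inventory = Dict[str, Dict[str, str]]

# Constructed sample inventories: what passive monitoring reported at the previous
# export and today. Asset IDs, models and firmware strings are hypothetical.
PREVIOUS: Inventory = {
    "plc-blend-01": {"ip": "10.10.30.100", "model": "PLC-5000", "firmware": "4.2.1"},
    "hmi-blend-01": {"ip": "10.10.30.5", "model": "HMI-700", "firmware": "2.0.0"},
    "vfd-blend-01": {"ip": "10.10.30.40", "model": "VFD-20", "firmware": "1.7"},
}
TODAY: Inventory = {
    "plc-blend-01": {"ip": "10.10.30.100", "model": "PLC-5000", "firmware": "4.3.0"},  # firmware changed
    "hmi-blend-01": {"ip": "10.10.30.5", "model": "HMI-700", "firmware": "2.0.0"},
    "unknown-01": {"ip": "10.10.30.77", "model": "?", "firmware": "?"},  # new talker on the cell VLAN
    # vfd-blend-01 is no longer seen on the wire
}


def diff_inventory(old: Inventory, new: Inventory) -> List[str]:
    """Return drift findings: assets that appeared, disappeared, or changed attributes."""
    findings: List[str] = []
    for asset in sorted(new.keys() - old.keys()):
        findings.append(f"NEW {asset} ip={new[asset]['ip']}")
    for asset in sorted(old.keys() - new.keys()):
        findings.append(f"MISSING {asset} ip={old[asset]['ip']}")
    for asset in sorted(old.keys() & new.keys()):
        for attr in sorted(old[asset].keys() | new[asset].keys()):
            before, after = old[asset].get(attr), new[asset].get(attr)
            if before != after:
                findings.append(f"CHANGED {asset} {attr}: {before} -> {after}")
    return findings


def canonical(doc: dict) -> bytes:
    """Deterministic JSON encoding so the MAC covers exactly what is stored."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def export_signed(period: str, inventory: Inventory, findings: List[str], key: bytes) -> dict:
    """Bundle inventory and drift findings and authenticate the bundle with HMAC-SHA256."""
    body = {"period": period, "inventory": inventory, "drift": findings}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}


def verify_export(doc: dict, key: bytes) -> bool:
    """Recompute the tag over the stored body and compare in constant time."""
    expected = hmac.new(key, canonical(doc["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["hmac_sha256"])


def demo() -> dict:
    """Produce a signed export, then show that editing the stored body is detected."""
    key = b"hypothetical-evidence-host-key"  # in practice a secret held only by the evidence host
    findings = diff_inventory(PREVIOUS, TODAY)
    doc = export_signed("snapshot-2", TODAY, findings, key)
    tampered = json.loads(json.dumps(doc))  # deep copy of the stored document
    tampered["body"]["inventory"]["plc-blend-01"]["firmware"] = "4.2.1"  # try to hide the firmware change
    return {
        "findings": findings,
        "verifies": verify_export(doc, key),
        "tampered_verifies": verify_export(tampered, key),
    }


if __name__ == "__main__":
    result = demo()
    for line in result["findings"]:
        print(line)
    print("original verifies:", result["verifies"], "| tampered verifies:", result["tampered_verifies"])
```

The drift list is what the "detect anomalies" obligation turns into on the floor: an unknown host on the cell VLAN and a firmware change that nobody scheduled are both audit questions, and the signed bundle is the evidence that the inventory the auditor sees is the one that was exported.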

Access Control & Least Privilege

  • Policy: Enforce strong authentication and authorization.
  • Factory control: Unique technician accounts on engineering workstations, MFA for remote vendor VPN, read-only roles on HMIs where supported, jump servers with session recording.

Segmentation & Secure Remote Access

  • Policy: Limit lateral movement.
  • Factory control: Purdue-based zoning with an IT/OT DMZ firewall at Level 3.5, host and protocol allow-lists between zones, a separate VLAN per cell, brokered remote access through the DMZ (no direct routes to cell IPs), and time-boxed access tickets.

Patch & Vulnerability Management

  • Policy: Address vulnerabilities in a timely manner.
  • Factory control: Quarterly maintenance windows, firmware validated on a digital twin or test cell before rollout, and compensating controls where patching is impossible (protocol-aware DPI firewall rules, disabling unused services, account lockout).

Logging, Detection, and Response

  • Policy: Detect incidents and report within mandated times.
  • Factory control: OT IDS with protocol parsers (Modbus, Profinet, OPC UA), syslog export from firewalls and historians, and playbooks with templates for the NIS2 24-hour early warning and 72-hour incident notification (see OT Incident Reporting).
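
A minimal version of the protocol-parsing detection described above, as an added example rather than code from the original article: it parses Modbus/TCP request frames, enforces the same cell write allow-list the Segmentation section's firewall would carry, and emits syslog-style alert lines for unauthorized writes, cross-zone traffic and malformed frames. The addresses, VLAN and sample frames are constructed and hypothetical.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Modbus function codes that change process state; everything else is treated as a read.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Assumed cell policy (hypothetical addresses): only the engineering workstation may write.
CELL_VLAN = ip_network("10.10.30.0/24")
WRITE_ALLOWED = {ip_address("10.10.30.20")}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # starting coil/register address when the PDU carries one


def parse_modbus_tcp(adu: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request ADU (7-byte MBAP header + PDU); raise ValueError if malformed."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    # The MBAP length counts unit id + PDU, so a well-formed ADU is exactly 6 + length bytes.
    if length != len(adu) - 6:
        raise ValueError(f"MBAP length {length} does not match ADU size {len(adu)}")
    function = adu[7]
    address = struct.unpack(">H", adu[8:10])[0] if len(adu) >= 10 else None
    return ModbusRequest(transaction_id, unit_id, function, address)


def inspect(src: str, dst: str, adu: bytes) -> Optional[str]:
    """Return a syslog-style alert line, or None when the request conforms to cell policy."""
    try:
        req = parse_modbus_tcp(adu)
    except ValueError as err:
        return f'ot-ids: MODBUS_MALFORMED src={src} dst={dst} reason="{err}"'
    src_ip = ip_address(src)
    if src_ip not in CELL_VLAN:
        return f"ot-ids: MODBUS_CROSS_ZONE src={src} dst={dst} fc=0x{req.function:02x}"
    if req.function in WRITE_FUNCTIONS and src_ip not in WRITE_ALLOWED:
        return (f"ot-ids: MODBUS_UNAUTHORIZED_WRITE src={src} dst={dst} unit={req.unit_id} "
                f"fc=0x{req.function:02x} ({WRITE_FUNCTIONS[req.function]}) addr={req.address}")
    return None


# Constructed sample traffic as (src, dst, raw ADU); hosts and frames are hypothetical.
SAMPLES: List[Tuple[str, str, bytes]] = [
    ("10.10.30.5", "10.10.30.100", bytes.fromhex("000100000006010300000010")),   # HMI reads 16 holding registers
    ("10.10.30.20", "10.10.30.100", bytes.fromhex("000200000006010600100064")),  # engineering WS writes register 16
    ("10.10.30.77", "10.10.30.100", bytes.fromhex("000300000006010600100000")),  # unknown host writes register 16
    ("10.10.20.9", "10.10.30.100", bytes.fromhex("000400000006010300000001")),   # read from outside the cell VLAN
    ("10.10.30.77", "10.10.30.100", bytes.fromhex("0005000000060106")),          # truncated: header claims 6 bytes
]


def run_samples(samples: List[Tuple[str, str, bytes]] = SAMPLES) -> List[str]:
    """Inspect each sample frame and collect the alert lines a SIEM would receive."""
    alerts: List[str] = []
    for src, dst, adu in samples:
        alert = inspect(src, dst, adu)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

The length check against the MBAP header matters in practice: a sensor that trusts the declared length and reads past the buffer is itself a fragile parser, and truncated or mis-declared frames are exactly what a fuzzing or evasion attempt produces.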

Backup, Recovery, and Testing

  • Policy: Ensure business continuity.
  • Factory control: Versioned PLC program backups, offline golden images of engineering laptops, quarterly restore drills, and offline (air-gapped or immutable) copies that ransomware cannot reach.

Evidence Package for Auditors

Prepare artifacts mapped to each control:

  • Network diagrams with zones and conduits (signed and dated).
  • Access review logs and ticket samples for vendor sessions.
  • Patch calendar with approvals and validation results.
  • Incident drill records and SOC runbooks.

Case Example: Pharma Blending Suite

A pharma site aligned its NIS2 policies with PLC practice by introducing jump hosts, read-only HMI roles, and TAP-based monitoring. The internal audit's 35 findings were reduced to 4 within two quarters, with no impact on batch throughput.

Conclusion

NIS2 is auditable at the cabinet door. Convert policies into controls that technicians can operate, that respect fail-safe principles, and that produce verifiable evidence, without jeopardizing uptime.

© Articles for AutomationInside.com / Automation Inside