NIS2 and Cybersecurity in Industrial Environment

In today's industrial environment, cybersecurity is one part of process safety, which makes the risk management framework more multilayered. The essence of the NIS2 directive is clear: risks must be managed comprehensively as part of the business. Companies need to understand how cyber threats can affect their core business operations. In industrial plants, this means including the operational technology (OT) environment alongside process safety risk management and functional safety.
In traditional cybersecurity risk assessment, the consequences considered are mainly reputational and financial loss. In industrial plants, the consequences extend to personal injury and environmental damage. Traditionally, these are the result of a mechanical or electrical failure of the equipment, and the likelihood can be reduced to an acceptable level by engineering and a safety automation system. Now, the possibility of cyber threats must also be added to OT systems, automation, and instruments.
Beyond firewalls: Why cybersecurity is now a core part of industrial safety
The life cycle of automation systems is much longer than that of modern information systems. An industrial process can be controlled by an automation system that has almost no security controls or cannot be updated. When these systems are connected to the company's network, for example, to enable remote maintenance, they also become vulnerable to cyberattacks. This combination of long lifecycles, upgrade challenges, and growing networking makes OT environments particularly interesting for risk management.
When recovery isn’t just a reboot: The unique challenges of industrial continuity
Another significant difference in the process industry is the recovery plan and business continuity. While many businesses recover when the information systems are back up and running and the latest data is restored from backups, an industrial process cannot simply be started back up. The ramp-up of the process can take weeks, even if the information systems are already in place. Similarly, an uncontrolled shutdown can lead to personal injury and environmental damage as a result of increased pressure in the system, chemical leakage or fire.
In industrial plants, a cybersecurity expert must understand the process and process safety, as well as collaborate with production. Requirements from the NIS2 directive are putting pressure on industrial actors to enhance cybersecurity, and it is necessary to understand the role of process safety.
