The implementation of the European NIS2 directive and the rapid convergence of IT/OT environments require critical infrastructure operators to transition immediately to standardized security architectures. Modern enterprises are attempting to integrate data from legacy operational technology (OT) and industrial internet of things (IIoT) devices into scalable cloud analytics platforms. However, directly applying traditional IT security methods to the industrial segment often leads to technological process failures, which is unacceptable in energy, water supply, and manufacturing sectors.
Why IT security models disrupt OT: Availability priorities under NIST SP 800-82
Traditional IT security approaches focus on data confidentiality. In contrast, for operational technology (OT), the NIST SP 800-82 (Guide to OT Security) establishes availability and process continuity as the absolute priority.
In an industrial environment, attempting to block unusual traffic with a standard IT firewall or running active network scanning can overload controllers and cause emergency shutdowns of critical equipment. The NIST SP 800-82 guideline adapts IT controls to the specifics of OT, emphasizing the need for passive monitoring and architectural solutions that do not interfere with control signal transmission.
The legacy equipment challenge: Why classic patching fails in industrial networks
Securing OT/IIoT requires specific strategies for legacy equipment. Industrial controllers are often operated for decades and cannot be easily updated like modern IT hardware. Classic IT patching requires system downtime, which conflicts with the requirements of continuous production.
Since direct software updates on legacy controllers are rarely the first or simplest step, engineers must rely on compensatory measures. These include deep isolation of vulnerable segments, the use of virtual patching at the network gateway level, and strict access control.
Architectural security under ISA/IEC 62443: Segmentation and the role of OPC UA
The ISA/IEC 62443 standard is a recognized framework for securing industrial automation and control systems, covering over 20 different economic sectors that utilize operational technology. The standard's fundamental engineering approach is the implementation of strict network segmentation (dividing into zones and conduits) to isolate critical control systems (e.g., SCADA) from the corporate IT network.
Data normalization is used for the secure integration of these isolated worlds. The OPC UA (OPC Unified Architecture) protocol offers a standardized, platform-independent approach for normalizing machine data. Using OPC UA gateways allows for the collection of data from legacy industrial sensors, normalizing it, and securely transmitting it to analytics or SCADA systems, preventing direct external access to low-level raw protocols.
IIoT lifecycle: Formalizing processes from edge to cloud
Scaling a fleet of IoT devices requires formalized management. According to the AWS Well-Architected IoT Lens, design must account for the entire data path—from the device to edge computing and into the cloud—rather than considering components in isolation. Scaling requires treating device provisioning, updates, and monitoring as distinct, formal disciplines.
Furthermore, the IoT Lens recommends clearly defining which data to process at the edge and which to transmit to the cloud. At the edge level, preliminary filtering and aggregation of telemetry are performed, which reduces latency and lowers the risk of sensitive technological information leakage.
To implement such solutions in critical infrastructure, the expertise of Softengi (a member of the Intecracy Group alliance) is utilized. It provides custom development of IoT/embedded systems, integration compliant with ISA/IEC 62443 requirements, and the deployment of secure edge-to-cloud architectures. If operators require secure monitoring and access control interfaces, such solutions can be built on the UnityBase platform (a joint development of Intecracy Group companies, where InBase is a key developer). UnityBase supports on-premises deployment in isolated OT segments and provides built-in access control mechanisms (RBAC, RLS) and detailed audit trails.
The path to NIS2 compliance and AI risk management
Implementing technical standards does not guarantee automatic NIS2 compliance, as the directive covers both legal and organizational requirements (e.g., incident reporting and supply chain verification). Organizational steps include conducting a full asset audit and formalizing the equipment lifecycle.
If an enterprise implements artificial intelligence elements into industrial systems (e.g., for predictive equipment wear analytics), it is important to focus on AI risk management. According to the NIST AI RMF 1.0, this management is structured around four key functions: Govern, Map, Measure, and Manage. This helps ensure the security of algorithms working with critical infrastructure data.
Architectural decision matrix: Comparing IT and OT security approaches
| Criterion | IT environment | OT/IIoT environment (per NIST SP 800-82) |
|---|---|---|
| Primary priority | Confidentiality | Availability and continuity |
| Vulnerability management | Regular automated patching | Compensatory measures, virtual patching, segment isolation |
| Data transmission protocols | Standardized (HTTP, TLS, TCP/IP) | Specialized industrial (Modbus, Profinet, OPC UA) |
| Device lifecycle | 3-5 years, rapid replacement | 15-30 years, long-term legacy system operation |
FAQ
How does ISA/IEC 62443 help meet NIS2 technical requirements?
The ISA/IEC 62443 standard provides an industry-recognized framework for the cybersecurity of automation systems, offering an architectural approach based on segmentation. This creates a robust technical foundation for fulfilling the broader risk management requirements mandated by the NIS2 directive.
Why can't OT networks be scanned with standard IT vulnerability scanners?
In OT environments, availability is the critical priority (as per NIST SP 800-82). Active scanning, which is typical for IT systems, can overload the network stacks of legacy industrial controllers, causing real-time failures and emergency equipment shutdowns.
What is the role of OPC UA in securing industrial sensor data transmission?
OPC UA acts as a standardized mechanism for normalizing machine data. It allows for the secure collection of metrics from legacy sensors and controllers, transmitting them to IT systems or cloud analytics while mitigating the risk of compromising low-level protocols.