IT Operations

NIS2 and the Energy Sector: Why You Need Exhaustive Asset Control

Metrica.uno Team
5 min read
#NIS2 #energy #SCADA #OT security #asset management #critical infrastructure

In May 2021, the Colonial Pipeline ransomware attack halted the pipeline that carries much of the US East Coast's fuel for six days. Gas prices surged, several states declared emergencies, and the company paid about $4.4 million in ransom. The entry vector was a legacy VPN account that was no longer in active use, had no multi-factor authentication, and was not being monitored: an asset that had fallen out of anyone's control.

This is exactly the type of incident that the NIS2 Directive aims to prevent in Europe. And the energy sector is squarely in the crosshairs.

Why NIS2 applies to the energy sector

The NIS2 Directive (Directive (EU) 2022/2555) lists energy among the sectors of high criticality in Annex I, covering electricity, district heating and cooling, oil, gas, and hydrogen. Large operators in these subsectors are essential entities, and essential entities carry the strictest obligations in the directive:

  • Cybersecurity risk management with technical, operational, and organizational measures, including asset management and supply-chain security (Article 21)
  • Incident reporting (Article 23): an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month
  • Management accountability (Article 20): management bodies must approve and oversee the risk-management measures and can be held liable if they are not implemented
  • Administrative fines for essential entities of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher (Article 34)

Real incidents that prove the risk

  • Ukraine, 2015 and 2016: In December 2015, a coordinated attack on three regional distribution companies left around 230,000 customers without electricity. The attackers gained a foothold with BlackEnergy malware delivered by spear phishing, then used stolen remote-access credentials to operate the SCADA HMIs and open breakers by hand. In December 2016, the Industroyer malware tripped a transmission substation serving Kyiv by speaking the grid protocols directly.
  • Nordex (Germany), 2022: The wind turbine manufacturer suffered a Conti ransomware attack and shut down IT systems across multiple locations, which cut remote access to turbines in the field until systems were restored.
  • Encevo (Luxembourg), 2022: The energy group, whose subsidiaries include the grid operator Creos, was hit by BlackCat/ALPHV. Around 150 GB of data were reported stolen and customer portals were unavailable during the response.

The common thread is incomplete control over IT and OT assets: remote-access accounts and credentials nobody was tracking, OT systems reachable from a compromised IT network, and data stores that were not inventoried or monitored.

Why exhaustive asset control is essential

  • You can’t protect what you don’t know about. Without a complete inventory of PLCs, RTUs, and SCADA devices, you can’t patch, detect unauthorized access, or respond to incidents effectively.
  • OT assets have 15-20 year lifecycles. An industrial controller can operate for decades, often on firmware the vendor no longer supports. Without a record of its firmware version, end-of-support date, and known vulnerabilities, it’s a latent risk.
  • IT/OT convergence amplifies risk. When an OT device connects to the corporate network for telemetry, it becomes reachable by every threat that reaches the corporate network, and most legacy OT protocols carry no authentication of their own.
  • NIS2 audits demand documentary evidence. You need to prove how many SCADA devices you have, where they are, who manages them, what firmware they run, and what incidents they’ve had.

What you need to control

  • SCADA and DCS systems: Controllers, RTUs, HMIs, historian servers
  • OT network equipment: Industrial switches, segmentation firewalls, protocol gateways
  • Sensors and actuators: Smart meters, temperature/pressure sensors, protection relays
  • Supporting IT infrastructure: Servers, engineering workstations, maintenance laptops
  • Communications equipment: Radio links, fiber optics, cellular modems at remote substations
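The two lists above (why the inventory matters, and which asset classes belong in it) reduce to one recurring control: reconcile what the register says you have against what is actually answering on the network, and flag every gap. The following Python script is an added example written for this article, not code from the original page or from Metrica Control. The register format, the observation format, the device data, and the owner and location names are all constructed for illustration; in practice the register would come from a CMDB export and the observations from passive discovery such as ARP/DHCP logs or an OT monitoring sensor.

```python
"""Reconcile a declared OT/IT asset register against devices observed on the network.

Added example (not from the original article or Metrica Control): the register
format, the observation format and all device data are constructed for
illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Asset:
    asset_id: str
    kind: str                      # plc, rtu, hmi, historian, switch, workstation, modem ...
    ip: str
    mac: str
    location: str
    owner: Optional[str]           # None = nobody is accountable for this device
    firmware: Optional[str]
    firmware_eol: Optional[date]   # vendor end-of-support date, None = unknown
    zone: str                      # "ot" or "it": where the device is supposed to live


@dataclass
class Observed:
    ip: str
    mac: str
    segment: str                   # "ot" or "it": segment the device was actually seen on


@dataclass
class Finding:
    code: str
    subject: str
    detail: str


def reconcile(register, observed, today):
    """Compare register and observations; return the gaps an auditor would ask about."""
    findings = []
    by_mac = {a.mac.lower(): a for a in register}
    seen = set()

    for o in observed:
        asset = by_mac.get(o.mac.lower())
        if asset is None:
            # A device nobody registered: the class of asset that gets exploited first.
            findings.append(Finding("unknown_device", o.ip,
                                    f"seen on {o.segment} segment but not in register"))
            continue
        seen.add(asset.mac.lower())
        if asset.ip != o.ip:
            findings.append(Finding("address_drift", asset.asset_id,
                                    f"register says {asset.ip}, observed {o.ip}"))
        if asset.zone == "ot" and o.segment == "it":
            # IT/OT convergence: an OT device answering from the corporate network.
            findings.append(Finding("ot_on_it_segment", asset.asset_id,
                                    "OT asset observed on the IT segment"))

    for asset in register:
        if asset.mac.lower() not in seen:
            findings.append(Finding("not_observed", asset.asset_id,
                                    "in register but not seen: retired, offline or relocated?"))
        for field_name in ("owner", "firmware", "firmware_eol"):
            if getattr(asset, field_name) is None:
                findings.append(Finding("missing_" + field_name, asset.asset_id,
                                        f"register has no {field_name}"))
        if asset.firmware_eol is not None and asset.firmware_eol < today:
            findings.append(Finding("firmware_eol", asset.asset_id,
                                    f"firmware {asset.firmware} unsupported since {asset.firmware_eol}"))
    return findings


def audit_summary(register):
    """Counts per location and kind: the 'how many, where' evidence an audit asks for."""
    summary = {}
    for a in register:
        per_location = summary.setdefault(a.location, {})
        per_location[a.kind] = per_location.get(a.kind, 0) + 1
    return summary


# Constructed sample data (hypothetical devices, addresses and owners).
TODAY = date(2025, 1, 15)
SAMPLE_REGISTER = [
    Asset("PLC-SUB01", "plc", "10.10.1.10", "00:1D:9C:AA:00:01", "Substation North",
          "OT Operations", "3.2.1", date(2023, 6, 30), "ot"),
    Asset("RTU-SUB01", "rtu", "10.10.1.20", "00:1D:9C:AA:00:02", "Substation North",
          None, "1.0", None, "ot"),
    Asset("HIST-01", "historian", "10.20.0.5", "00:50:56:BB:00:03", "Control Center",
          "SCADA Team", "2024.1", date(2027, 12, 31), "it"),
    Asset("ENG-WS-02", "workstation", "10.20.0.40", "00:50:56:BB:00:04", "Control Center",
          "Maintenance", "BIOS 1.12", date(2026, 1, 1), "it"),
]
SAMPLE_OBSERVED = [
    Observed("10.10.1.10", "00:1d:9c:aa:00:01", "ot"),
    Observed("10.10.1.20", "00:1d:9c:aa:00:02", "it"),   # RTU answering from the IT side
    Observed("10.20.0.6", "00:50:56:bb:00:03", "it"),    # historian changed address
    Observed("10.10.1.99", "00:11:22:33:44:55", "ot"),   # nobody registered this one
]


def run_sample():
    return reconcile(SAMPLE_REGISTER, SAMPLE_OBSERVED, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:22} {f.subject:12} {f.detail}")
    print(audit_summary(SAMPLE_REGISTER))
```

Run against the sample data, the script reports seven findings: an unregistered device on the OT segment, an RTU reachable from the IT side, a historian whose address no longer matches the register, a workstation that was not seen at all, a PLC on firmware past its end-of-support date, and an RTU with no owner and no end-of-support date on file. Each of those is a question an auditor will ask; scheduling the reconciliation and keeping its output is the documentary evidence NIS2 expects.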

Metrica Control lets you register every one of these assets with its location, owner, configuration, incident history, and lifecycle status. All in a centralized platform with full traceability for NIS2 audits.

Ready to assess your compliance?

Start your free assessment today and find out where you stand with GDPR, NIS2, DORA, ISO 27001, and more.


Written by

Metrica.uno Team

Content Team

The Metrica.uno Team is the content team at Metrica.uno, helping organizations navigate AI compliance with practical insights and guidance.
