NIS2 and Manufacturing: Asset Management in Industrial Environments
In June 2017, NotPetya malware spread through the networks of Maersk, Mondelez, Merck, and dozens of multinationals. Maersk lost $300 million and had to reinstall 45,000 PCs and 4,000 servers. Mondelez estimated $188 million in losses. The attack entered through a compromised update of Ukrainian accounting software installed on an unmonitored workstation.
Manufacturing is the most ransomware-attacked sector in Europe. And NIS2 now requires action.
Why NIS2 applies to manufacturing
NIS2 classifies manufacturers of critical products as important entities (Annex II). This includes manufacturers of medical devices, electronics, transport equipment, machinery, and chemicals. For these entities, the directive brings:
- Mandatory asset management: identify and classify all connected IT and OT assets
- Incident management: linked directly to affected assets
- Supply chain security: control over third-party components and software integrated into production
- Fines up to 7 million euros or 1.4% of turnover for important entities
Real incidents in manufacturing
- Norsk Hydro (Norway), 2019: The aluminum giant suffered a LockerGoga attack that halted production across 40 countries. Estimated cost: $71 million. Plants operated manually for weeks because control systems were encrypted.
- Toyota (Japan), 2022: An attack on a plastic components supplier forced Toyota to halt production at 14 factories for a full day, affecting 13,000 vehicles. One supply chain link paralyzed the entire operation.
- Semiconductor industry, 2018-2023: Multiple chip manufacturers (TSMC, Applied Materials) suffered attacks interrupting production lines. In cleanroom environments, an unplanned shutdown can destroy entire production batches worth millions.
Why exhaustive asset control is essential
- IT/OT convergence is already a reality. PLCs and SCADA systems are connected to the corporate network to share production data. Every connection point is a potential attack vector that must be inventoried.
- Industrial environments have heterogeneous assets. PLCs from different manufacturers coexist with IoT sensors, Windows workstations, operator tablets, and industrial robots. Without a unified inventory, visibility is partial.
- OT devices don’t tolerate update downtime. A 24/7 production line can’t stop to patch a PLC. You need to know exactly what firmware versions you have to plan maintenance windows.
- The supply chain multiplies assets. Vendor devices connected for remote maintenance, embedded third-party software, components with proprietary firmware — all need documentation.
What you need to control
- PLCs and industrial controllers: Siemens, Allen-Bradley, Schneider — each with its firmware version and configuration
- SCADA/HMI systems: Operator displays, supervisory servers, data historians
- IoT sensors and actuators: Temperature, vibration, pressure sensors, inspection cameras
- Engineering workstations: PCs with PLC programming software, OT network access
- Robots and automated systems: Robotic arms, AGVs, machine vision systems
- Industrial network infrastructure: Managed switches, zone firewalls, industrial wireless access points
Metrica Control unifies IT and OT inventory in a single platform. Register every PLC, sensor, and workstation with its plant location, firmware version, owner, and incident history. All ready for NIS2 audit.
Written by
Metrica.uno Team