Industrial Cyber-Resilience: How to Get Started with NIS 2 Compliance

This figure reveals a profound shift: backups, often considered the last resort, have now become prime targets for attackers. When faced with a major cyberattack, traditional continuity plans are no longer sufficient. Indeed, they fall short in industrial environments, particularly given the nature of the stakes involved: physical safety, environmental impact, continuous production, and more.

This is why the most advanced organizations are now building dedicated OT cyber-resilience programs, designed to manage crises in the face of major disruptions or incidents. That aim to ensure the continuity of essential operations and restore compromised assets.

The NIS2 Directive — and particularly ANSSI’s RECYF framework — supports this effort by introducing clear cyber-resilience obligations for essential and important entities.

Where to start, what obstacles to anticipate, and how to build OT resilience that meets NIS2 requirements?

NIS 2 and Industrial Resilience: Requirements and Current State

What NIS 2 Concretely Requires

The growing integration of IT into industrial processes — MES, ERP systems connected to production lines; the gradual shift away from paper-based processes — has profoundly changed the operational reality of manufacturing plants. Dependencies are numerous, often poorly mapped, and an IT failure can bring OT to a halt even when the physical equipment remains fully functional. In this regard, strengthening the cyber resilience of industrial environments has become a priority .

The NIS 2 directive significantly broadens the scope of entities subject to cybersecurity obligations. Two objectives are crucial in terms of resilience:

Industrial State of Play

While industrial organizations have gradually invested in securing their OT environments, maturity around continuity and recovery remains insufficient to meet NIS 2 requirements. Several gaps are observed systematically:

  •  Gaps in the knowledge of assets and their criticality
    • Asset mapping that is often not formalised or incomplete
    • BIAs are absent or only partially completed
  • Existing business BCPs are designed for physical or traditional IT scenarios, but not for OT cyber challenges
  • Continuity and recovery capabilities are not tested: organisations limit themselves to unit tests or isolated VM restorations, never covering a complete production line or end-to-end scenario. Several factors explain this situation:

Without the necessary maturity on these topics, a cyber incident can result in weeks of downtime

Building OT Resilience for NIS 2: A Practical Roadmap

Foundations and Prerequisites     

Before building a recovery, plan or testing anything, the groundwork must be laid. Including knowing what to protect, how to hold up during an incident, and what to back up.

Which stakeholders to involve from the start?

A cyber-resilience program driven solely by Cyber or IT teams risks failing to reflect operational realities and address the true business stakes: without the involvement and buy-in of operators, the initiative will struggle to move forward. This requires an evangelization phase, concretely explaining what an incident costs their operations, and identifying the right stakeholders in each department from the outset.

Which business perimeters to prioritise?

The goal of cyber-resilience is not to produce an exhaustive inventory of the industrial asset base. It is to identify the assets that underpin critical business processes. The starting point is to establish a BCP at the global level, followed by a BIA at the site level, which will define the RTO and RPO for each critical process.

Asset collection relies on a hybrid approach:

  • Operational interviews with field teams
  • Analysis of architecture documents and configurations to identify additional dependencies

Network probes may seem like an obvious choice, but they only detect assets that are actively generating traffic. Any equipment that is not communicating at a given moment will simply disappear from the mapping. In OT environments, a significant number of devices are configured once and then operate autonomously, which severely limits their network visibility. Furthermore, some systems are entirely standalone and emit no traffic at all — even though they may be critical to operations. Relying solely on probes therefore provides a partial and potentially misleading view of the environment, with a real risk of overlooking essential assets.

What data to backup and how?

Asset mapping makes it possible to catalogue and prioritise the systems that need to be protected based on their criticality, as validated with business teams. For each asset, the minimum backup content and backup frequency are then defined:Several principles then structure the backup security strategy:

  • Redundancy, encryption, and immutability of backups
  • Air-gapping for the most sensitive environments
  • Differentiated retention policies by asset type
  • Contractual clauses governing backup obligations for third parties

Backup infrastructure is not merely technical storage systems: they are themselves sensitive targets and must be treated as critical systems, with the appropriate level of protection.

How to ensure continuity during an incident?

The first step of the BCP is to identify the crisis scenarios that need to be addressed, as these determine which stakeholders to involve, which procedures to define, and which operating modes to adopt. This work is carried out jointly with the HSE, business, cybersecurity, and risk management teams.

For each critical process identified, the following must then be defined in collaboration with the production, maintenance, and quality teams:

Validation and Recovery

How to validate that recovery works?

An untested DRP is a theorical DRP.

Tests can be conducted in the following ways to limit the impact on production:

  • On a dedicated global test infrastructure, shared across sites,
  • On a test line,
  • During maintenance windows,
  • Using digital twins.

These tests should be validated at least once a year.

Progression is gradual:

Each test is documented: actual RTO and RPO measured, comparison against theoretical targets, gaps identified, and corrective actions planned.

RTO/RPO objectives may not be realistic in the context of a major cyber crisis. They should therefore not act as a blocking factor for conducting tests or for validating cyber-resilience principles under NIS2.

How to rebuild after an incident?

The DRP defines how to restart critical systems following a disaster. It covers several scenarios: hardware failure, ransomware, and OT network loss.

For each scenario, it is necessary to:

  • Define the restart sequencing based on dependencies between systems
  • Document the escalation and decision-making chain
  • Clearly define third-party involvement: intervention conditions, coordination modalities, and prerequisite security requirements (ransomware eradication, controlled environment such as a “clean room”, gradual recovery with network segmentation)

Two recovery logics must be distinguished: loss of availability (switching to backup resources) and loss of integrity (complete reconstruction from backups). The procedures are not the same and must be addressed separately.

From Asset Resilience to Crisis Management

What we have described here constitutes the minimum foundation for initiating a recovery approach in an OT environment. But NIS 2 requires going further as the entire information system is concerned, and the question is no longer purely technical; it calls for a structured program, managed over time, capable of demonstrating compliance and asset resilience.

This means deploying this approach pragmatically, taking into account cyber risks, regulatory constraints, and available resources. It also means not approaching OT resilience as a one-off project: cyber-resilience must be embedded by design, with tracked workstreams, documented evidence, and business teams engaged over the long term.

Finally, the market today offers solutions dedicated to OT resilience. Actively monitoring this space can prove valuable in identifying the right tools.

Moreover, resilience does not stop at technical recovery, it also encompasses crisis management: Enabling a paradigm shift in cyber crisis management preparedness – RiskInsight

Glossary

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top