This was a large undertaking with more than 1000 assets (heat, wind and solar) to be assessed in several business units. Our first step was to translate the existing security framework, based on IEC 62443, ISO 27001 and NIS2, into an assessment approach.
We then selected a representative part of the asset portfolio to gain first insights quickly and to start implementing the first measures immediately.
The assessment included creating a detailed asset inventory, which also strengthened capabilities in incident management, change management and continuous control.
Asset characteristics were compared against the baseline to identify gaps, which were then ranked based on likelihood of occurrence of an issue and potential business impact in case of an incident.
Subsequently, we translated all relevant measures into remediation advice per asset category. This made implementation much more efficient, as repeat visits were avoided, and activities could be combined.
The main measure categories were:
- Patch process improvements
- Network segmentation
- Access management for third parties
- Security monitoring and alerting
- ISMS governance
- Temporary waiver process
We recorded all steps of the inventory phase, to ensure that our actions would be fully auditable. This provides full transparency and allows for verification of the methodology we used.
A major challenge we encountered was that some suppliers and service providers were reluctant to share information on their own measures. Since we all operate in supply chains, it is important to connect with your key vendors in advance, to explain the intention of your NIS2 project and to request their cooperation. Emphasize that security and NIS2 compliance are supply chain challenges that require collaboration from all relevant parties. Have your business representatives lead these discussions, rather than your legal or procurement teams. Sharing information is about trust and cooperation, not just about contracts.
The primary success factor of our approach was uniting stakeholders around cybersecurity awareness. This fostered collaboration and led to the adoption of pragmatic measures that balance cybersecurity needs with operational impact. We acted as the link between the business and the corporate security office. Both perspectives are essential to improving a security posture. Bringing the right people together ensures that measures are pragmatic and nuanced, supporting ongoing compliance.
On one hand, NIS2 is an important guideline that requires strict compliance to protect against serious cyber threats. On the other hand, NIS2 is not a set of rigid requirements to be adopted blindly. The right combination of measures should lead to compliance, even if individual measures meet only 80% of specific requirements.
Additionally, not all assets need every measure. For example, if lateral movement to other assets is impossible, the remaining risk might be limited to someone shutting down one single wind turbine, which may not constitute enough potential impact to justify expensive measures.
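As an added worked example (not part of the original case study, and not the assessment tooling the team actually used), the Python below shows the two ideas described above in code: comparing each asset against a control baseline, ranking the resulting gaps by likelihood times business impact, and grouping the remediation advice per asset category so that site visits can be combined; it also lowers the impact score of an asset from which no lateral movement is possible, as in the wind turbine example. The baseline controls, likelihood values, impact thresholds and the three sample assets are all constructed for illustration.

```python
# Added example, not from the original case study. Asset records, baseline
# controls and scoring values below are constructed for illustration only.

from dataclasses import dataclass

# Baseline controls each asset is expected to have, with a constructed
# likelihood score (1-5) that the absence of the control leads to an issue.
# A real baseline would be derived from the IEC 62443 / ISO 27001 / NIS2 mapping.
BASELINE = {
    "patching":   {"measure": "Patch process improvements", "likelihood": 4},
    "segmented":  {"measure": "Network segmentation", "likelihood": 5},
    "vendor_mfa": {"measure": "Access management for third parties", "likelihood": 4},
    "monitoring": {"measure": "Security monitoring and alerting", "likelihood": 3},
}


@dataclass
class Asset:
    name: str
    category: str            # e.g. "wind", "solar", "heat"
    controls: set            # baseline controls the asset already has in place
    capacity_mw: float       # proxy for the business impact of an outage
    lateral_movement: bool   # can a compromise of this asset reach other assets?


def impact(asset):
    """Impact score 1-5 from capacity, halved (rounded up) for an isolated
    asset: if lateral movement is impossible, the worst case is losing
    this one asset rather than a whole site or fleet."""
    score = 1 if asset.capacity_mw < 5 else 3 if asset.capacity_mw < 50 else 5
    if not asset.lateral_movement:
        score = (score + 1) // 2
    return score


def find_gaps(asset):
    """Return (control, measure, risk) for every baseline control the asset lacks."""
    gaps = []
    for control, spec in BASELINE.items():
        if control not in asset.controls:
            gaps.append((control, spec["measure"], spec["likelihood"] * impact(asset)))
    return gaps


def rank_gaps(assets):
    """Flatten all gaps across the portfolio and sort by descending risk."""
    ranked = []
    for asset in assets:
        for control, measure, risk in find_gaps(asset):
            ranked.append({"asset": asset.name, "category": asset.category,
                           "control": control, "measure": measure, "risk": risk})
    return sorted(ranked, key=lambda g: (-g["risk"], g["asset"], g["control"]))


def remediation_by_category(ranked):
    """Group the required measures per asset category, so that one visit
    to a category of sites can apply all of them at once."""
    plan = {}
    for gap in ranked:
        plan.setdefault(gap["category"], set()).add(gap["measure"])
    return {category: sorted(measures) for category, measures in plan.items()}


# Constructed sample portfolio: one isolated turbine, one solar park with
# network reach to other assets, and one heat plant that meets the baseline.
ASSETS = [
    Asset("WT-01", "wind", {"patching"}, 6.0, lateral_movement=False),
    Asset("SOLAR-PARK-A", "solar", {"segmented", "monitoring"}, 80.0, lateral_movement=True),
    Asset("HEAT-01", "heat", set(BASELINE), 20.0, lateral_movement=True),
]

if __name__ == "__main__":
    for gap in rank_gaps(ASSETS):
        print(f"{gap['risk']:>3}  {gap['asset']:<14} {gap['measure']}")
    for category, measures in remediation_by_category(rank_gaps(ASSETS)).items():
        print(category, "->", ", ".join(measures))
```

Running it ranks the two gaps of the solar park (risk 20 each) above the three gaps of the isolated turbine (risk 10, 8 and 6), and the heat plant produces no remediation entry at all; the scoring is deliberately coarse, since the page's point is the ordering by business risk rather than the exact numbers.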
To summarize, we advise starting your assessment early and ranking measures continuously based on business risk. This allows you to combine existing security frameworks and to cooperate with all relevant entities in your supply chain.