Ondřej Hubálek from GreyCortex presented NIS2 from a technical perspective. He showed how network traffic analysis helps meet key requirements – from asset inventory to incident detection. He paid special attention to issues in OT networks.
Asset overview and network segmentation
If you don't know your assets, it's hard to carry out a risk analysis or a business continuity plan. Tools based on network traffic analysis can quickly reveal which devices are actually on the network and how they communicate with each other. You can see protocols, frequency, and data volumes, so the relationships between systems can be mapped precisely. Based on that, you can update documentation and identify unexpected critical elements of the infrastructure.
Similarly, you can verify whether segmentation and internal security policies work in practice. The tool reveals undesired connections from protected segments to other parts of the network or to the internet, as well as intrusions from the outside into isolated zones. Exceptions therefore become easy to check and are visible at a glance.
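To make the two points above concrete (deriving an asset inventory from observed traffic, then checking that inventory against a segmentation policy), here is a small added example in Python. It is not code from the talk or from GreyCortex; the flow records, zone ranges and allowed zone pairs are all constructed for illustration, and a real deployment would feed it NetFlow/IPFIX or sensor output instead of the hard-coded list.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real data): (src_ip, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("10.10.1.5", "10.10.2.20", 1433, "tcp", 52000),   # app server -> DB
    ("10.10.1.5", "10.10.2.20", 1433, "tcp", 48000),
    ("10.10.3.7", "10.10.2.20", 1433, "tcp", 900),     # workstation -> DB directly
    ("10.10.1.5", "198.51.100.40", 443, "tcp", 12000), # app server -> external (constructed)
    ("10.10.4.9", "10.10.1.5", 445, "tcp", 3000),      # guest -> app server
    ("10.10.2.20", "10.10.2.21", 5432, "tcp", 7000),   # DB -> DB replica
]

# Assumed zone layout (hypothetical addressing)
ZONES = {
    "dmz": ipaddress.ip_network("10.10.1.0/24"),
    "servers": ipaddress.ip_network("10.10.2.0/24"),
    "workstations": ipaddress.ip_network("10.10.3.0/24"),
    "guest": ipaddress.ip_network("10.10.4.0/24"),
}

# Assumed policy: allowed (src_zone, dst_zone) pairs; anything else is an exception
ALLOWED = {
    ("dmz", "servers"), ("servers", "servers"), ("workstations", "dmz"),
    ("dmz", "external"), ("workstations", "external"),
}


def zone_of(ip):
    """Map an address to its zone name; anything outside the defined ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def build_inventory(flows):
    """Asset inventory derived purely from traffic:
    ip -> zone, set of peers, set of (proto, port) services offered, total bytes."""
    inv = defaultdict(lambda: {"zone": None, "peers": set(), "services": set(), "bytes": 0})
    for src, dst, port, proto, nbytes in flows:
        for ip in (src, dst):
            inv[ip]["zone"] = zone_of(ip)
            inv[ip]["bytes"] += nbytes
        inv[src]["peers"].add(dst)
        inv[dst]["peers"].add(src)
        inv[dst]["services"].add((proto, port))   # the responder side offers the service
    return dict(inv)


def critical_assets(inv, min_peers=2):
    """Hosts that serve a service and that several others talk to: candidates for
    'unexpected critical elements' that documentation may not list."""
    return sorted(ip for ip, d in inv.items()
                  if d["services"] and len(d["peers"]) >= min_peers)


def segmentation_violations(flows):
    """Every flow whose (src_zone, dst_zone) pair is not in the allowed policy."""
    out = []
    for src, dst, port, proto, _ in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED:
            out.append((src, dst, port, pair))
    return out


if __name__ == "__main__":
    inventory = build_inventory(FLOWS)
    for ip, d in sorted(inventory.items()):
        print(ip, d["zone"], sorted(d["services"]), len(d["peers"]), "peers")
    print("critical:", critical_assets(inventory))
    for v in segmentation_violations(FLOWS):
        print("violation:", v)
```

The inventory is built from both ends of each flow, so a host is discovered even if it never initiates anything. The segmentation check is deliberately independent of firewall rules: it evaluates what actually crossed the wire against the intended policy, which is exactly the "does it work in practice" question the talk raises.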
Modern protocols and access control
NIS2 emphasizes the use of modern cryptographic means and the avoidance of authentication in plaintext. Traffic analysis can show where outdated or risky protocols are used and where encryption can be strengthened. If operations are tied to an older system, it's important at least to understand the risk and decide whether to accept it or remediate it.
In access management, you can compare whether actual connections match employees' assigned privileges. You can check whether a subcontractor accesses only the systems they are authorized for, and uncover residual access after the contract ends. These checks help maintain order amid dynamic organizational changes.
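The following added Python example (not from the talk or from GreyCortex) shows the two checks described in this section side by side: flagging services whose default use carries credentials in cleartext or lacks transport encryption, and comparing observed connections against assigned privileges and contract end dates. The connection log, port-to-risk table, account names and assignments are all constructed; in practice the user-to-address mapping would come from authentication or DHCP logs, which is an assumption here.

```python
from datetime import date

# Assumed table of services whose default use is cleartext or outdated (by destination port)
RISKY_SERVICES = {
    23: "telnet (cleartext login)",
    21: "ftp (cleartext credentials)",
    80: "http (no transport encryption)",
    389: "ldap without tls",
    110: "pop3 cleartext",
    143: "imap cleartext",
}

# Constructed connection log (not real data): (day, user, src_ip, dst_host, dst_port)
CONNECTIONS = [
    (date(2024, 3, 4), "contractor.a", "10.20.5.11", "erp-db", 1433),
    (date(2024, 3, 4), "contractor.a", "10.20.5.11", "hr-files", 445),
    (date(2024, 3, 5), "ops.jane", "10.20.7.3", "switch-core", 23),
    (date(2024, 3, 20), "contractor.a", "10.20.5.11", "erp-db", 1433),
    (date(2024, 3, 21), "svc-legacy", "10.20.9.2", "erp-db", 1433),
]

# Constructed access assignments: systems each account may reach and until when
ASSIGNMENTS = {
    "contractor.a": {"systems": {"erp-db"}, "valid_until": date(2024, 3, 15)},
    "ops.jane": {"systems": {"switch-core", "erp-db"}, "valid_until": None},
}


def risky_protocol_findings(conns):
    """Connections to services that should be replaced or at least risk-accepted."""
    return [(user, dst, RISKY_SERVICES[port])
            for _, user, _, dst, port in conns if port in RISKY_SERVICES]


def access_findings(conns, assignments):
    """Compare actual connections with assigned privileges.
    Returns (reason, user, destination) tuples."""
    findings = []
    for day, user, _src, dst, _port in conns:
        assignment = assignments.get(user)
        if assignment is None:
            findings.append(("unknown account", user, dst))
            continue
        if dst not in assignment["systems"]:
            findings.append(("outside assigned systems", user, dst))
        until = assignment["valid_until"]
        if until is not None and day > until:
            findings.append(("residual access after end date", user, dst))
    return findings


if __name__ == "__main__":
    for f in risky_protocol_findings(CONNECTIONS):
        print("protocol:", f)
    for f in access_findings(CONNECTIONS, ASSIGNMENTS):
        print("access:", f)
```

The access check reports three distinct situations: a known account reaching a system it was never assigned, a contractor account still connecting after its end date, and an account that exists in the traffic but not in the assignment list at all. Each maps to a different remediation (revoke, offboard, or reconcile the inventory of accounts), which is why they are kept as separate reasons rather than a single boolean.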
Incident detection and OT specifics
NIS2 requires having tools for detecting and evaluating cyber events. One option is NDR (Network Detection and Response), which identifies malicious communications, known campaigns, or exploitation of vulnerabilities from traffic and also flags anomalies. Events can then be further analyzed, their chaining tracked, and correlated with data from other systems. Information can be exported to a SIEM and processed in a broader context.
In OT networks, the problem is especially pressing: encryption and authentication are often missing, and any new device can change PLC or RTU settings. Although newer protocols allow authentication, applications often do not use it due to the focus on production speed and stability. NIS2 therefore pushes for security in OT as well – through segmentation, clear communication rules (for example according to the principles of the Purdue levels) and anomaly detection. The goal is to see what is happening on the network in time and act before an outage occurs.