How ServiceNow Meets the NIS2 OT Challenge

Imagine this: A cybercriminal exploits a single vulnerability in a piece of manufacturing equipment, affecting multiple companies, halting production, and shaking an entire industry. That’s not science fiction. That’s the OT security challenge NIS2 aims to prevent.
Operational technology has typically lagged behind IT in vulnerability management, said Andrew Wortham, Head of Security Operations, CoreX. “But the risk is just as serious, and if you have a vulnerability that is exposed on anything that's connected to the Internet, that vulnerability can be exploited.”
The European Union addressed this issue with its NIS2 Directive, which expanded coverage from NIS into a broader range of business sectors, including companies implementing OT.
Luckily, just having ServiceNow OT, ServiceNow OTVR (operational technology vulnerability response), and ServiceNow OTIR (operational technology incident response) satisfies many of the visibility and risk requirements of NIS2, said Wortham.
Let’s dive into NIS2 and discuss how ServiceNow comes into play.
Understanding the NIS2 Directive
The NIS2 Directive (Network and Information Security Directive) is European Union legislation introduced in 2020 that became law in late 2024. The cybersecurity directive supplanted NIS and expanded both security requirements and the scope of impacted organizations and business sectors. NIS2 also simplified reporting obligations while beefing up enforcement and sanctions.
NIS2 applies to “all entities that provide essential or important services to the European economy and society, including companies and suppliers” in 15 categories (increased from NIS’s seven categories), and notably now applies to manufacturing.
Why does this matter? NIS2 is an EU law with repercussions including a dramatic increase in the requirements for enforcing cybersecurity over NIS, heavy fines, and legal exposure for non-compliant management teams.
NIS2 and OT
A key change from NIS to NIS2 is the new regulation that now impacts OT, explained Wortham. What this means in practice is that manufacturing companies now need visibility into OT assets, and for businesses needing this capability, ServiceNow is the solution for discovering OT assets.
“We have some customers who come to us and are still on manual spreadsheets for tracking all of their manufacturing assets,” said Wortham. “When the auditors come, they look at these spreadsheets and say, ‘Wow, you have no visibility.’”
Wortham likened what OT now faces to a process already familiar to IT: discovery gets turned on and the “skeletons in the closet” – meaning their vulnerable servers – are found by surprise.
This is now happening in OT to comply with NIS2 through vulnerability management. The process is something of a necessary evil and involves the vulnerability management team working with all the groups managing OT assets and finding vulnerabilities needing patching to meet audit compliance standards.
Dealing with patch maintenance isn’t exciting and takes away from the core business activity at a plant, which can put vulnerability management at odds with plant management. ServiceNow adds value here by increasing visibility.
This visibility gives executives management dashboards covering all vulnerabilities organization-wide and groups those vulnerabilities, said Wortham.
“We can group all of those together in ServiceNow, and instead of presenting a team with, ‘Here are your thousand vulnerable devices,’ we can now say, ‘Here are your 30 remediation tasks sorted by risk,’” said Wortham.
Instead of needing to look at every device to determine which vulnerabilities are important and which are internal or external, vulnerability response in ServiceNow automatically calculates a risk score, sorts vulnerabilities into risk groups, and allows you to begin patching more quickly and prioritize the most critical patches first.
What ServiceNow does is put all your assets in one spot, said Wortham. “Your teams can manage those assets. They can see where they are, and they can hook into everything that ServiceNow has to offer, such as the full workflow engine spinning up change orders. And there is a tie-in to the GRC (governance, risk and compliance) application as well.”
Everything becomes connected in ServiceNow: OT, vulnerability response, and GRC, and beyond those HR and CSM (customer service management). ServiceNow stores OT assets in the CMDB (configuration management database), which creates a single source of truth and makes incident management much easier.
Visibility Enables Operational Planning
ServiceNow and NIS2 intersect in OTVR, driving OT compliance, said Dean Stavrou, Global Head of Industrials Engineering, CoreX. But the value goes beyond security compliance and meeting NIS2; it also comes through operational efficiency and mitigating unplanned downtime.
“You have to plan changes or vulnerability remediations on operational equipment because when you take a controller or an OT device offline to flash the firmware to patch it, you're essentially saying the process that the OT device is driving – whether it's creating toilet paper, building a car or generating electricity – it stops; production of that good or that service stops because that device is not functioning,” said Stavrou, likening the process to a red light stopping traffic.
Having visibility into assets means you can create maintenance windows and detect conflicts with changes to be applied, added Wortham.
“If you patch, if you stop traffic in one area, that traffic needs to go somewhere else. And if you stop traffic in two areas, then your service shuts down,” said Wortham.
Setting up ServiceNow OT delivers dual benefits via streamlined asset management and NIS2 compliance. There’s the value of just implementing OT, said Wortham, and through OTVR, NIS2 requirements get satisfied through the scanning and configuration process.
NIS2 Indicators to Track
The key metric in NIS2 compliance is visibility. Auditors will ask questions like:
- Do you have a list of all your OT assets?
- Do you have a list of all your OT vulnerabilities?
- Are those vulnerabilities categorized by risk to your company?
- Are you addressing the highest-risk vulnerabilities first?
The next metric is time to remediate. As an organization, it might take four months to resolve a medium vulnerability and two months to resolve a critical issue. Wortham stated that implementing ServiceNow increases the visibility and the efficiency of patching schedules. This meets both of NIS2’s main requirements and brings down the time-to-remediate figure.
He added that once VR has been in place for a while in a ServiceNow environment, critical vulnerabilities essentially disappear because they are addressed almost immediately. The result is an efficient patching schedule based on risk, balanced against operational planning, and a much safer facility with fewer security incidents.
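The two ideas above, turning a long list of vulnerable devices into a short list of remediation tasks sorted by risk, and measuring time to remediate per severity, are shown here as an added, self-contained example. It is not ServiceNow code and does not reproduce ServiceNow’s risk model, which the article does not detail: the severity weights, the exposure multiplier, the `Finding` record, the vulnerability identifiers and the asset names are all constructed for illustration. Findings are grouped by the fix that closes them (one firmware or patch per site becomes one task), each group gets a summed risk score with internet-exposed devices weighted higher, and closed findings feed the time-to-remediate metric.

```python
"""Risk-based remediation tasks and time-to-remediate from OT vulnerability findings.

Added example with constructed data; the scoring model is an assumption,
not ServiceNow's.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    asset: str                  # OT device (constructed names)
    site: str                   # plant where the device lives
    vuln_id: str                # placeholder identifiers, not real CVEs
    severity: str               # "critical", "high", "medium" or "low"
    internet_exposed: bool      # reachable from the Internet
    fix: str                    # remediation action that closes the finding
    opened: date                # date the finding was recorded
    closed: Optional[date] = None   # None while still open


# Assumed severity weights; a real deployment would tune these.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
EXPOSED_MULTIPLIER = 3  # assumption: Internet-reachable devices count triple


def risk_score(f: Finding) -> int:
    """Per-finding risk: severity weight times exposure multiplier."""
    return SEVERITY_WEIGHT[f.severity] * (EXPOSED_MULTIPLIER if f.internet_exposed else 1)


def remediation_tasks(findings):
    """Group open findings by (site, fix), score each group, sort highest risk first.

    Every task lists the assets it touches, so the same output can answer the
    auditors' inventory question ("which devices?") and the ranking question
    ("which first?")."""
    groups = defaultdict(list)
    for f in findings:
        if f.closed is None:
            groups[(f.site, f.fix)].append(f)
    tasks = []
    for (site, fix), items in groups.items():
        tasks.append({
            "site": site,
            "fix": fix,
            "assets": sorted({f.asset for f in items}),
            "risk": sum(risk_score(f) for f in items),
            "max_severity": max(items, key=lambda f: SEVERITY_WEIGHT[f.severity]).severity,
        })
    tasks.sort(key=lambda t: (-t["risk"], t["site"], t["fix"]))
    return tasks


def mean_time_to_remediate(findings):
    """Mean days from opened to closed, per severity, over closed findings only."""
    days = defaultdict(list)
    for f in findings:
        if f.closed is not None:
            days[f.severity].append((f.closed - f.opened).days)
    return {sev: sum(d) / len(d) for sev, d in days.items()}


# Constructed sample inventory: two plants, a handful of devices, one fix
# already applied at plant-b and one old medium finding already closed.
SAMPLE = [
    Finding("plc-line1-01", "plant-a", "VULN-0001", "critical", True,  "firmware 4.2",       date(2024, 3, 1)),
    Finding("plc-line1-02", "plant-a", "VULN-0001", "critical", False, "firmware 4.2",       date(2024, 3, 1)),
    Finding("hmi-line2-01", "plant-a", "VULN-0002", "medium",   False, "vendor patch KB-77", date(2024, 3, 5)),
    Finding("hmi-line2-02", "plant-a", "VULN-0002", "medium",   False, "vendor patch KB-77", date(2024, 3, 5)),
    Finding("hmi-line2-03", "plant-a", "VULN-0002", "medium",   False, "vendor patch KB-77", date(2024, 3, 5)),
    Finding("gw-remote-01", "plant-b", "VULN-0003", "high",     True,  "firmware 2.9",       date(2024, 2, 20)),
    Finding("plc-line3-01", "plant-b", "VULN-0001", "critical", False, "firmware 4.2",       date(2024, 3, 10), date(2024, 3, 12)),
    Finding("hist-01",      "plant-b", "VULN-0004", "medium",   False, "os update",          date(2024, 1, 1),  date(2024, 4, 30)),
]


if __name__ == "__main__":
    for t in remediation_tasks(SAMPLE):
        print(f"risk={t['risk']:>3} {t['site']:8} {t['fix']:20} {t['max_severity']:8} {t['assets']}")
    print("mean days to remediate:", mean_time_to_remediate(SAMPLE))
```

Eight findings collapse to three tasks; the plant-a firmware task lands first because one of its two critical devices is Internet-exposed, and the closed critical at plant-b shows a two-day time to remediate against 120 days for the closed medium, the kind of gap the article describes.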
Real-World Security Breach Consequences
NIS2 compliance comes with the benefit of increased security and lowered risk, both valuable positions when a breach or another cybersecurity incident can be devastating.
Stavrou mentioned Smile Direct Club as a cautionary tale on the importance of OT security. In 2021, the company was still trying to recover from the COVID-19 pandemic and suffered a cyberattack that caused a system outage that affected its manufacturing systems. Smile Direct Club was facing headwinds, but the security breach played a role in its eventual Chapter 11 bankruptcy filing at the end of 2023.
If visibility had been in place—automated, real-time, and risk-prioritized—Smile Direct Club’s leadership may have had the opportunity to detect and respond to the breach before it escalated. More importantly, had vulnerabilities been carefully tracked, the issue that caused this breach would likely have been caught before anything was affected by cybercriminals.
Looking Beyond NIS2
NIS2 is critical for any business with a footprint in the European market, but the benefits of NIS2 compliance are just as real for companies not currently under the NIS2 standard, both through increased operational security and through the efficiency gains of a coordinated vulnerability response designed to minimize plant downtime.
And it’s important to know NIS2 isn’t the only standard out there today. For example, in North America, NERC CIP outlines mandatory security regulations for cybersecurity and physical threat protection.
Organizations, whether bound by NIS2 or not, should be thinking now about OT security maturity. ServiceNow not only helps meet compliance but enables a proactive posture that reduces risk, improves uptime, and supports long-term resilience.