
The blind spot of European industry

News Room
Last updated: 2026/06/26 at 9:44 PM
News Room Published 26 June 2026
Europe’s industrial firewall is already being tested. The results will go further than most people want to realize.

TIMUR BATYRSHIN | shutterstock.com

When a ransomware group encrypted the control technology of a medium-sized European chemical producer last year, it was initially a local problem: production came to a standstill, a report was made to the authorities, and a crisis team was formed. But the real story unfolded on a global scale in the weeks that followed. Pharmaceutical companies in the USA, automotive suppliers in Japan and specialty chemical customers on three continents discovered that the attacked plant in Central Europe was at the center of their supply chains – for which there was no replacement and no plan B. Instead of pre-products that were critical to success, there was now only a gap.

This event highlights an aspect that is regularly overlooked in the European security debate: Europe is not just a region with a security problem. It forms the industrial backbone of the global economy. In many cases, however, that backbone runs on infrastructure that was not designed for security, has been forced open by regulation and is increasingly being targeted by state actors who understand something about leverage.

The industrial security paradox

The density of legacy OT is hardly higher anywhere than in Europe: pharmaceutical production, energy distribution, automotive manufacturing and chemical plants run on industrial control systems, PLCs, SCADA networks and process automation. These systems were designed primarily for reliability and durability, not connectivity. And a control component that was installed in 1998 to operate switchgear will not be retired if its manufacturer is taken over and the documentation disappears. It continues to run – also because it would be too expensive, risky and disruptive to switch it off.

At the same time, the NIS2 directive, which has been in force in Germany since December 2025 via the amended BSIG, is forcing precisely these organizations to modernize their risk management and fulfill expanded reporting obligations. In practice, this almost always means connecting previously isolated systems to company networks and central monitoring platforms. The intention behind it, to integrate industrial companies into a consistent security framework, makes sense. The unintended effect is that companies digitize under regulatory pressure, creating new interfaces and data flows in environments that were never designed for this. Professional cybercriminals have long been aware of this: they have learned to exploit precisely this transition phase for their own benefit.

State-backed cyber actors, such as hacker groups with ties to Russia, China, Iran or North Korea, have shifted their priorities accordingly. This is shown by the situation reports from the EU cybersecurity agency ENISA, according to which attacks on critical infrastructure in Europe have increased significantly in the past two years. The selection of targets is rarely financially motivated, but rather strategic: for example, to disrupt the energy supply and thus test geopolitical “levers”, to weaken production capacities in the pharmaceutical and defense sectors, or to prepare for an escalation in industrial environments. The war in Ukraine did not create this threat. It accelerated it and made it visible.

Compliance is not a defense

It is not the case that Europe’s industry fundamentally ignores security: many companies are certified according to ISO 27001, operate functioning security operations centers (SOC) and have documented incident response plans. The problem is rather structural: these frameworks were built for IT environments and cannot be easily transferred to the OT world.

In my consulting practice in the areas of energy, pharmaceuticals and manufacturing, I always encounter the same gap in new disguises. It goes something like this: A company invests in AI-supported anomaly detection from a well-known provider. The dashboards look convincing, the SOC receives alerts. But when asked who is responsible for the response, there is only silence. The security team sees the alert and the OT engineers can explain what the controller is doing. Unfortunately, no one has defined who can make the decision to take it offline – or how that decision comes about on a Saturday night while production continues.

The readiness gap is not primarily technical. It is a governance problem: OT risks, i.e. production downtimes, safety incidents or regulatory consequences of process disruptions, systematically do not make it into the company risk register. At least not in a form that supervisory bodies can evaluate and translate into decisions. Rather, they live in the minds of engineers and only reach management after an incident. So NIS2 changes the legal exposure, but not the organizational reality. Since December 2025, management has been personally liable for failures in cyber risk management in accordance with Section 38 BSIG – without a transition period. Without ownership of decisions, this becomes a problem.

The third-party dilemma

Anyone who believes that this is a matter between the company and the supervisory authority is underestimating the second front, which is their own customers. Europe’s manufacturing is deeply embedded in American and Asian supply chains. The attack on the Colonial Pipeline in 2021 showed how a single infrastructure incident can cause bottlenecks across the region. A European equivalent – a coordinated disruption of industrial production across multiple sectors – would have longer timelines, deeper supply chain effects and significantly less political visibility.

Some international corporations have understood this and are restructuring their third-party risk programs in the spirit of true operational transparency. What this means specifically for German and European suppliers is that the questions that were previously only asked by auditors will soon also be asked by customers’ purchasing departments and contract lawyers. They are already appearing in supplier audits that I accompany – still politely formulated, but increasingly with contractual consequences. Some examples:

  • Do you have an OT-specific security program — or an IT program copied to OT environments?
  • Do your contracts regulate reporting deadlines and division of liability in the event of cyber incidents?
  • Do you know where you are your customers’ single point of failure – and has this ever been tested?

Anyone who can answer these questions has turned a compliance obligation into a sales argument. Those who can’t will lose orders to those who can.

This is what matters in the next decade

The combination of legacy infrastructure, regulation-driven digitalization and government-sponsored targeting means that European industrial systems will be repeatedly and seriously tested over the next decade. Some of this is already happening, without producing any headlines. It is not necessarily the organizations with the largest security budgets that will “get through” successfully, but above all those that have done their governance homework. These companies have:

  • clarified who “owns” the OT risk,
  • created decision-making paths that work across the boundaries between IT and OT, and
  • made their own industrial exposure legible to management in a way that results in decisions instead of just compliance documentation.

The rest will discover their security vulnerabilities the way it usually happens in industrial security: not through a penetration test or an audit, but through an incident that was completely foreseeable, and that someone somewhere had long since reported. (fm)

This article was published as part of Foundry’s German-speaking expert network.
