Cyber Security is heating up across Europe and the UK, and if you’re managing a Data Historian, such as the AVEVA PI System, it’s time to tune in. Whether you’re knee-deep in OT networks or steering governance from the IT side, the new regulations could reshape how you secure, monitor, and report on your infrastructure.
In this article, James Lewis, Principal Systems Engineer at ITI Group, summarises the key points of the NIS2 Directive and its UK counterpart, then lists what you need to do to get your AVEVA PI System ready for the new Cyber Security standards.
What’s NIS2 All About?
NIS2 is the EU’s latest push to strengthen cybersecurity across critical sectors. It builds on the original NIS Directive but goes further – more industries, tougher rules, and real accountability.
Who’s in scope?
Manufacturing, chemicals, food production, and more. If your PI System supports any of these, you’re in the spotlight.
What’s required?
- Risk analysis and incident handling
- Secure networks and encryption
- Multi-stage incident reporting:
  - Early warning (within 24h)
  - Full report (within 72h)
  - Final wrap-up (within 1 month)
- Clear governance – yes, that includes personal liability for management!
OT vs IT: Know Your Zones
Your PI System spans both Operational Technology (OT) and Information Technology (IT). Understanding the split is key to compliance.
OT Zone (Interfaces, Connectors, Adapters):
- Closest to physical processes = highest risk
- Needs tight controls: secure protocols, segmentation, anomaly detection
IT Zone (Data Archive, AF, Vision):
- Focused on data governance and continuity
- Requires authentication, backups, audit trails, and SIEM integration
What About the UK?
Similarities:
- Broader scope (including MSPs and supply chains)
- Faster incident reporting
- Stronger enforcement
Differences:
- Sector coverage varies (NIS2 includes food, chemicals, space)
- NIS2 spells out governance accountability more clearly
Your PI System Cyber Checklist
Here’s how to get your PI System in shape for NIS2 and UK standards:
1. Map Your OT/IT Data Flows
Know your Interfaces, Connectors, Adapters, and Servers. Document how data moves and where your security boundaries lie.
2. Segment by Impact Level
Classify components into high-impact (AF, Vision) and critical-impact (Interfaces, Connectors). Use firewalls or unidirectional gateways to isolate OT.
3. Integrate with SIEM
Forward PI logs to your SIEM for centralized monitoring. Use syslog, Windows Event Forwarding, or custom connectors.
4. Align with CAF or ISO27001
Apply the five pillars:
- Identify: Keep an asset inventory
- Protect: Secure configs, access, encryption
- Detect: Watch for anomalies
- Respond: Have incident plans
- Recover: Test backups and restores
5. Review Governance
Assign owners for PI components. Define escalation paths. Make sure risks reach board-level visibility.
6. Prep for Incident Reporting
Know what counts as an incident (e.g., data loss, unauthorized access). Be ready to report within 24h, 72h, and 1 month – with documentation to back it up.
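Steps 3 and 6 above can be tied together in a small custom connector: normalise audit records into syslog for the SIEM, tag the ones that match the incident categories named in the checklist, and start the 24h / 72h / 1 month reporting clock from the detection time. The code below is an added example, not ITI Group's or AVEVA's code; the key=value log layout, the host name, the account allow-list and the event names are all constructed assumptions, not the PI System's real message format.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone
# Constructed sample records in an assumed key=value layout (not AVEVA's real log format).
SAMPLE_LOGS = """\
2024-05-01T08:00:00Z host=pi-archive01 event=LOGIN user=svc_pi result=SUCCESS
2024-05-01T08:02:10Z host=pi-archive01 event=LOGIN user=guest result=FAILURE
2024-05-01T08:05:00Z host=pi-archive01 event=LOGIN user=guest result=SUCCESS
2024-05-01T09:00:00Z host=pi-archive01 event=ARCHIVE_DELETE user=svc_pi result=SUCCESS
"""
APPROVED_ACCOUNTS = {"svc_pi", "pi_admin"}  # assumed allow-list taken from the asset inventory
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one record into a dict: UTC timestamp plus the key=value fields."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    rec.update(KV_RE.findall(rest))
    return rec

def classify(rec):
    """Map a record to one of the checklist's incident categories, or None."""
    if rec["event"] == "LOGIN" and rec["result"] == "SUCCESS" and rec["user"] not in APPROVED_ACCOUNTS:
        return "unauthorized_access"  # successful logon by a non-approved account
    if rec["event"] == "ARCHIVE_DELETE" and rec["result"] == "SUCCESS":
        return "data_loss"            # archive data removed
    return None

def to_syslog(rec, category):
    """RFC 5424 line for the SIEM: facility 4 (security), severity 2 for incidents, else 6."""
    pri = 4 * 8 + (2 if category else 6)
    body = " ".join(f"{k}={v}" for k, v in rec.items() if k not in ("ts", "host"))
    return f"<{pri}>1 {rec['ts']:%Y-%m-%dT%H:%M:%SZ} {rec['host']} pi-connector - - - incident={category or 'none'} {body}"

def add_one_month(ts):
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, calendar.monthrange(year, month)[1]))

def reporting_deadlines(detected):
    """Start the NIS2 multi-stage reporting clock from the detection time."""
    return {"early_warning": detected + timedelta(hours=24),
            "full_report": detected + timedelta(hours=72),
            "final_report": add_one_month(detected)}

def process(text):
    """Emit a syslog line per record; attach the reporting clock to incidents."""
    out = []
    for rec in map(parse_line, text.splitlines()):
        category = classify(rec)
        out.append((to_syslog(rec, category), reporting_deadlines(rec["ts"]) if category else None))
    return out
```

The deadline helper clamps to the last day of the next month, so a detection on 31 January yields a final-report date of 29 February in a leap year rather than an invalid date.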
Need a Hand?
If you’re unsure where to start or want a second pair of eyes, our expert team offers PI System Audits tailored to NIS2 and UK cybersecurity standards.
Let’s make sure your system is secure, compliant, and resilient.