NIS2 for utilities: a practical connectivity checklist

NIS2 raises the bar on how you protect and prove control over connected assets. Rather than wade through legal text, use this as a field-ready to-do list. It focuses on what you can enforce in the connectivity layer and what you should align with elsewhere in the organisation.


Identity (people and devices)

 

What to do with connectivity

  • Bind each device to a SIM/eUICC-based identity and your asset inventory.

  • Require named user identities with MFA for engineers and contractors.

  • Grant least-privilege: one person, one device, one job, time-boxed.

 

Also line up

  • Your IAM/JML process (joiners/movers/leavers) so accounts appear, change and disappear on time.

 

Evidence to keep

  • Device↔SIM/eUICC map, decommission records, access reviews.

 

Segmentation and access control

 

What to do with connectivity

  • Replace flat site-to-site VPNs with thin, per-session paths.

  • Enforce allow-lists per device type:

    • IEC-104/DNP3 → named SCADA masters (TCP 2404/20000)

    • DLMS/COSEM → MDM FQDNs (no wildcards)

    • MQTT → broker FQDN (TLS/mTLS)

  • Keep OT traffic off the public internet (private APN or private routes to SCADA/MDM/cloud).

 

Evidence to keep

  • Current policy set, port/protocol matrix, change log.

 

Logging, monitoring and audit

 

What to do with connectivity

  • Capture session-level records: who, what, when, which policy.

  • Alert on policy breaches (unexpected protocol, host, volume).

  • Use time-boxed change windows that auto-revert.
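The allow-list bullets above (per device type: protocol, named destination, port, no wildcards) and the three logging bullets here describe one mechanism: a default-deny policy set, a session record for every flow, and an alert whenever a flow falls outside policy. The Python below is an added example of that mechanism, written for this page; it is not code from the original post or from any vendor product. The device types, hostnames, ports, volume baselines and session records are all constructed, and the "change window" model (a temporary extra rule that simply stops applying once its end time passes) is one way to implement the auto-revert bullet.

```python
"""Default-deny allow-list check over session records (added example, not from the post)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Rule:
    protocol: str   # application protocol the session carries
    host: str       # exact FQDN of the permitted destination, no wildcards
    port: int


@dataclass(frozen=True)
class ChangeWindow:
    """A time-boxed extra rule; it auto-reverts because it is ignored after ends_at."""
    device_type: str
    rule: Rule
    requested_by: str
    ends_at: datetime


# Constructed standing policy keyed by device type (hostnames and ports are assumptions).
POLICY = {
    "rtu": (Rule("iec104", "scada-a.ot.example", 2404), Rule("dnp3", "scada-b.ot.example", 20000)),
    "meter": (Rule("dlms", "mdm.example", 4059),),
    "sensor": (Rule("mqtt", "broker.example", 8883),),
}
# Constructed per-session byte baselines; anything above is an "unexpected volume" alert.
VOLUME_LIMIT = {"rtu": 5_000_000, "meter": 200_000, "sensor": 50_000}


def effective_rules(device_type, at, windows):
    """Standing allow-list plus any change window still open at time `at`."""
    rules = {r: "standing" for r in POLICY.get(device_type, ())}
    for w in windows:
        if w.device_type == device_type and at <= w.ends_at:
            rules.setdefault(w.rule, f"change-window:{w.requested_by}")
    return rules


def check_session(s, windows=()):
    """Return an audit record (who, what, when, which policy) plus any alerts."""
    rules = effective_rules(s["device_type"], s["time"], windows)
    requested = Rule(s["protocol"], s["dst_host"], s["dst_port"])
    alerts = []
    if requested in rules:
        policy = rules[requested]
    elif any(r.protocol == s["protocol"] for r in rules):
        policy, alerts = "default-deny", ["unexpected-destination"]   # right protocol, wrong host/port
    else:
        policy, alerts = "default-deny", ["unexpected-protocol"]
    if s["bytes"] > VOLUME_LIMIT.get(s["device_type"], 0):
        alerts.append("unexpected-volume")
    return {
        "who": s["user"],
        "device": s["device_id"],
        "what": f'{s["protocol"]} -> {s["dst_host"]}:{s["dst_port"]}',
        "when": s["time"].isoformat(),
        "policy": policy,
        "alerts": alerts,
    }


def run_checks(sessions, windows=()):
    return [check_session(s, windows) for s in sessions]


# Constructed sample data: one open change window and six session records.
T0 = datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)
WINDOWS = [ChangeWindow("rtu", Rule("ssh", "jump.ot.example", 22), "j.doe", T0 + timedelta(hours=1))]


def session(device_id, device_type, user, protocol, host, port, nbytes, minutes):
    return {"device_id": device_id, "device_type": device_type, "user": user, "protocol": protocol,
            "dst_host": host, "dst_port": port, "bytes": nbytes, "time": T0 + timedelta(minutes=minutes)}


SESSIONS = [
    session("rtu-01", "rtu", "svc-rtu", "iec104", "scada-a.ot.example", 2404, 120_000, 5),   # allowed
    session("rtu-01", "rtu", "svc-rtu", "modbus", "scada-a.ot.example", 502, 3_000, 6),      # protocol not in policy
    session("meter-7", "meter", "svc-meter", "dlms", "mdm.example", 4059, 900_000, 7),       # allowed but oversized
    session("sensor-3", "sensor", "svc-sensor", "mqtt", "broker.example", 1883, 4_000, 8),   # plaintext port, not allowed
    session("rtu-02", "rtu", "j.doe", "ssh", "jump.ot.example", 22, 50_000, 30),             # inside change window
    session("rtu-02", "rtu", "j.doe", "ssh", "jump.ot.example", 22, 50_000, 90),             # window has auto-reverted
]

if __name__ == "__main__":
    for rec in run_checks(SESSIONS, WINDOWS):
        print(rec)
```

Each record is what you would stream to the SIEM: the allowed sessions carry the policy that permitted them (standing rule or a named change window), and the denied ones carry the reason, so the run-book owner can tell a mis-provisioned device from a maintenance session that overran its window.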

 

Also line up

  • SIEM/SOC run-books so someone owns the alert and the response.

 

Evidence to keep

  • Logs streamed to SIEM, retention policy, MTTR metrics.

 

Supply chain and provisioning

 

What to do with connectivity

  • Factory provision identity: bind SIM/eUICC to the device before it ships; apply a baseline policy.

  • Use eUICC + multi-IMSI for resilience and local profile requirements; swap profiles with guardrails and rollback.

  • Ask vendors to support protocol/FQDN allow-lists, signed firmware, and per-session access for maintenance.

 

Also line up

  • Supplier security clauses and a simple acceptance checklist at goods-in.

 

Evidence to keep

  • Provisioning logs, profile library, vendor attestations.

 

Incident response and continuity

 

What to do with connectivity

  • Contain by default: default-deny limits lateral movement; be able to revoke device or user identity fast.

  • Health-based failover: steer to healthy networks (latency/loss/attach) and trigger profile swaps during outages.

  • Keep forensics-ready logs for the legal retention window.
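The health-based failover bullet above turns into a small decision routine: sample latency, loss and attach state per network, steer to a healthy one, and only fall through to a profile swap when nothing is healthy. The Python below is an added example of that logic and is not code from the original post or from any connectivity platform. The thresholds, the hysteresis margin and the sample readings are constructed assumptions; the margin is there so a marginally faster network does not cause the device to flap between carriers.

```python
"""Health-based network steering with hysteresis (added example, not from the post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Health:
    network: str
    latency_ms: float
    loss_pct: float
    attached: bool     # whether the device currently holds an attach on this network


# Constructed thresholds; tune per fleet and per application.
MAX_LATENCY_MS = 400.0
MAX_LOSS_PCT = 5.0
SWITCH_MARGIN_MS = 100.0   # leave a healthy network only if the alternative is clearly better


def is_healthy(h):
    return h.attached and h.latency_ms <= MAX_LATENCY_MS and h.loss_pct <= MAX_LOSS_PCT


def choose_network(current, samples):
    """Return (network, action); action is 'stay', 'steer' or 'swap-profile'."""
    by_name = {s.network: s for s in samples}
    healthy = [s for s in samples if is_healthy(s)]
    cur = by_name.get(current)
    if cur is not None and is_healthy(cur):
        best = min(healthy, key=lambda s: s.latency_ms)
        if best.network != current and best.latency_ms + SWITCH_MARGIN_MS < cur.latency_ms:
            return best.network, "steer"
        return current, "stay"
    if healthy:
        return min(healthy, key=lambda s: s.latency_ms).network, "steer"
    # Nothing reachable on the profiles currently loaded: the caller triggers an
    # eUICC profile swap and keeps the previous profile for rollback.
    return current, "swap-profile"


# Constructed readings for a device that currently sits on network "A".
SCENARIOS = {
    "normal":      [Health("A", 80, 0.5, True), Health("B", 150, 1.0, True)],
    "degraded":    [Health("A", 300, 0.5, True), Health("B", 80, 1.0, True)],
    "marginal":    [Health("A", 200, 0.5, True), Health("B", 150, 1.0, True)],
    "lost-attach": [Health("A", 0, 0.0, False), Health("B", 150, 1.0, True)],
    "outage":      [Health("A", 0, 0.0, False), Health("B", 900, 40.0, True)],
}


def decide_all(current="A"):
    return {name: choose_network(current, samples) for name, samples in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in decide_all().items():
        print(f"{name:12s} -> {decision}")
```

Log every decision with the readings that drove it: the failover drill results the checklist asks for are exactly these records, and a run of "swap-profile" decisions is also the signal that the rollback guardrail from the provisioning section should be armed.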

 

Also line up

  • Your wider IR plan (roles, comms, legal hold) and tabletop exercises.

 

Evidence to keep

  • Revoke tests, failover drill results, incident timelines.