Your production network protected as it deserves. Without stopping the line.
We secure the PLCs, SCADA systems, HMIs, and MES of industrial plants according to IEC 62443 and the NIS2 directive. We know the OT protocols and their operational context: hardening happens without interrupting production.
Six interventions that cover the full cycle.
From the initial assessment to continuous monitoring. Every intervention is designed to be IEC 62443-compliant and compatible with the technical requirements of the NIS2 directive.
Passive OT assessment
Mapping of the production network without interfering with the process: discovery of PLCs, HMIs, SCADA systems, IPCs; identification of protocols (Profinet, OPC UA, Modbus, S7…); up-to-date inventory and per-asset risk.
Industrial network segmentation
Zones and conduits per IEC 62443: separation between layers (field, control, supervision, IT), industrial firewalls, minimal traffic rules. No more flat networks where anyone, from any point, can reach every PLC.
PLC, SCADA, HMI hardening
Disabling unused services, robust passwords and credential management, firmware updates, role-based access control, logging of PLC program changes. Compliant with IEC 62443-3-3 and 4-2 technical requirements.
OT anomaly monitoring
Dedicated probes that learn the "normal" behavior of the network and flag deviations (new device, traffic toward unexpected destinations, scans, suspicious PLC commands). Integration with the IT SOC where one exists.
Secure teleservice
Dedicated industrial VPN, multi-factor authentication, session recording, per-customer and per-plant isolation. Remote support stays feasible without becoming an open back door.
Backup & restore
Automatic backups of PLC programs, SCADA projects, and MES recipes. Periodically tested restore procedures. When a device fails, it's back online in hours — not days.
Why OT and IT are not protected the same way.
A firewall placed in-line without understanding Profinet traffic can take down half a plant. An active scan can stop an old PLC. OT security requires different skills — it's what we do every day.
Inverted priorities
In OT, availability is the primary asset: a stopped line burns through, in minutes, whatever you thought you were protecting.
Legacy protocols
Profinet, S7, Modbus: born without authentication. Security is built at the network and architecture layer, not at the single node.
Long-lifecycle assets
PLCs live 15-20 years. Updating the firmware often isn't an option: you compensate with segmentation and monitoring.
NIS2, IEC 62443, OT vs IT: what to know first.
What does the NIS2 directive change for a manufacturing company?
The NIS2 directive, transposed in Italy as D.Lgs. 138/2024, extends cybersecurity obligations to much wider categories than NIS1, including a large share of manufacturing. Companies classified as "essential" or "important" must adopt technical and organizational measures on risk management, incident response, business continuity, and supply chain. Penalties are significant, and responsibility extends to the board. IOMA helps on the technical and operational side: legal scoping stays with a dedicated NIS2 consultant.
What is the difference between IT and OT cybersecurity?
IT cybersecurity protects data, applications, and users (confidentiality > integrity > availability). OT cybersecurity protects physical production processes: the priority flips (availability > integrity > confidentiality). A stopped PLC stops a line; an unplanned restart can cause mechanical or safety damage. Patches, traditional antivirus, and segmentation applied without judgment can do more harm than good. That's why specific OT skills are needed.
What is IEC 62443 and who needs it?
IEC 62443 is the family of international standards for the security of industrial automation and control systems. It defines security levels (Security Level 1-4), organizational processes, and technical requirements for products, integrators, and asset owners. For Italian industry it's the de facto reference to demonstrate technical compliance — including within the NIS2 perimeter and for supplying regulated sectors (energy, automotive, pharma, food).
Where should we start if the OT network has never been mapped?
From a passive assessment. Active scans on a production network are risky — an old PLC can stop if queried in a non-standard way. We deploy passive probes that listen to the traffic, map devices, identify protocols, and flag anomalies — without generating their own packets. The output is a real inventory, from which we design segmentation and hardening.