
OT cybersecurity in Switzerland: IEC 62443 and NIS2

May 1, 2026, Tai Van
Tags: OT cybersecurity, IEC 62443, NIS2, cyber audit, PLC, network segmentation, Switzerland, Industry 4.0

Industrial OT Cybersecurity in Switzerland: IEC 62443 and NIS2 Guide for 2026

In 2025, a Swiss watch component manufacturer saw its CNC machining shop halted for 11 days following a ransomware attack that propagated from the IT network to Siemens control cabinets via a poorly segmented on-call VPN. Direct cost, CHF 2.4 million. No data leak, no media scandal, just 11 days of lost production and a German customer who switched to a competitor. This case is not isolated. In the field, we see three out of four sites with an OT cyber posture that would not survive a serious audit.

This guide synthesizes what a Swiss industrial company needs to know and do in 2026 to avoid being the next one. It covers the regulatory framework (NIS2 and its Swiss transposition, IEC 62443), the real attack surface of an OT site, and the 5-day flash audit methodology we apply. It is an operational guide, not a white paper.

The 2026 Regulatory Context in Switzerland

The European NIS2 directive (Directive (EU) 2022/2555) entered into force in January 2023 and had to be transposed by EU member states by 17 October 2024. Switzerland is not an EU member, but three mechanisms catch up with it nonetheless.

First, the revision of the Information Security Act (LSI in French, ISG in German), which introduces into Swiss law a reporting obligation for cyberattacks on critical infrastructure operators (energy, water, health, transport, finance, telecoms). Since 1 April 2025, significant incidents must be reported within 24 hours to the Federal Office for Cybersecurity (OFCS/BACS, the former NCSC).

Then, the contractual domino effect. A Swiss subcontractor of a large German or French pharma group sees NIS2 imposed by contract. Cyber risk questionnaires in contract annexes have grown from 30 to 200 questions in 2 years, and non-conformities trigger contractual penalties.

Finally, cyber insurance. Insurers (Zurich, AXA, Helvetia) now require concrete evidence of OT cyber maturity to cover production risks. Without this evidence, either the premium explodes or coverage is refused. On a medium industrial site, we are talking CHF 30,000 to 120,000 in annual premium.

NIS2 does not apply directly in Switzerland in the strict sense, but it is de facto the market standard. Ignoring this movement means being shut out of tenders within 18 months.

IEC 62443, The Reference Technical Framework

If NIS2 is the what, IEC 62443 is the how. This series of ISA/IEC standards, developed since 2007, structures the cybersecurity of industrial automation and control systems (IACS). Three parts of the series concern us daily.

IEC 62443-2-1 describes the cybersecurity management system (CSMS), the OT equivalent of ISO 27001. It defines policies, roles, access management, business continuity plans and the patch management program (the patching process itself is detailed in IEC 62443-2-3). It is the organizational foundation.

IEC 62443-3-3 specifies system security requirements, structured into seven Foundational Requirements (FR1 to FR7), themselves broken down into 51 System Requirements. Each requirement is associated with a security level (SL-1 to SL-4), and the level is assessed per FR, so a target is really a vector of seven values rather than one number. A site targeting SL-2 (protection against intentional violation using simple means, low resources, generic skills and low motivation) must satisfy a precise and auditable subset.

IEC 62443-4-2 concerns the components themselves (PLC, HMI, industrial switch, gateway) and defines what a supplier must deliver for a product to be compliant; its companion IEC 62443-4-1 covers the supplier's secure development lifecycle. Siemens, Rockwell, Schneider, Beckhoff now publish 62443-4-2 conformity sheets per product, and it has become a selection criterion.

Concretely, on a site, we target SL-2 on the process zone and SL-3 on critical zones (functional safety, proprietary recipes). Reaching SL-2 typically requires 6 to 12 months of work and an investment of CHF 80,000 to 250,000. SL-3 doubles these figures.

Our [system architecture](/services/architecture) services natively integrate IEC 62443 principles from the design stage.

Typical OT Attack Surface in 2026

Before defending, you must know what you are defending and where an attacker gets in. On the sites we audit, entry vectors concentrate on five families.

Exposed legacy PLCs. S7-300, S7-400, ControlLogix 1756 series A, Modicon Quantum still in production with original firmware, default passwords, and the programming port (TCP 102 for S7, TCP 44818 for EtherNet/IP) permanently reachable. A basic vulnerability scan (Nessus, run with caution: aggressive active probes can crash or stop older PLC CPUs) surfaces 30 to 80 critical vulnerabilities per medium site.

SCADA exposed to the IT network. WinCC, FactoryTalk View SE, Wonderware InTouch on unpatched Windows servers, sometimes joined directly to the IT domain, without a proper OT/IT firewall. Ransomware does not even need to try.

Poorly framed remote access. Supplier on-call access (VPN accounts, TeamViewer, AnyDesk, sometimes TightVNC in the clear) that stays open 24/7. On a site visited last year, 14 permanently active VPN sessions, 4 of them belonging to integrators that no longer existed.

Shared engineering stations. ES (Engineering Stations) are often shared between internal and external staff, with generic local Windows accounts, PCS7 or TIA Portal projects copied to USB sticks, and zero traceability.

Removable media. USB sticks from integrators and external auditors are the second source of infection after the IT network. Stuxnet is 15 years old, the vector still works.

There is nothing theoretical about this mapping. It corresponds to what we see every quarter in the audits we conduct in French-speaking Switzerland.

5-Day Flash Audit Methodology

For a site starting from scratch, a complete IEC 62443 audit takes 4 to 8 weeks and costs CHF 60,000 to 150,000. That is too long when the purpose is to decide. We have developed a 5-day flash audit that produces a mapping sufficient to prioritize, at an accessible cost (CHF 15,000 to 25,000).

Day 1, kick-off and collection. Meeting with production, automation, IT, security. OT asset inventory (PLC, HMI, servers, switches, gateways) built from a passive network capture (Claroty, Nozomi) or, at minimum, a targeted ARP scan, which is active but harmless to PLCs. Mapping of IT/OT flows.

Day 2, OT vulnerability scan. Use of non-intrusive tools (Nmap restricted to conservative timing and the `safe` NSE script category, with no version probes against legacy PLCs; Tenable.OT in passive mode; or GRASSMARLIN on a capture). Identification of obsolete firmware, open ports, exposed services. On a medium site, the report comes out with 200 to 600 findings.

Day 3, architecture review. Analysis of the network diagram (the real one, not the documented one), identification of zones and conduits according to IEC 62443. Test of OT/IT firewall rules (what really passes versus what should pass). Review of active remote accesses.

Day 4, procedures and access review. Audit of user accounts on ES and SCADA, review of patch management procedures, backup management, OT incident response plan if it exists.

Day 5, debrief and action plan. Presentation to the site management committee with maturity scoring by 62443 category, top 10 critical risks costed, and 12-month roadmap prioritized by impact/effort ratio.

The deliverable is a 40 to 80 page report, executive summary plus technical annexes, that serves as the basis for the investment decision. On 12 flash audits conducted in 2024-2025, the average starting score was 1.8/5 on our 62443-based maturity scale. No site was above 3.2/5.

Concrete PLC Hardening, What We Actually Do

62443 theory is fine, practical hardening on a Siemens S7-1500 or a Rockwell ControlLogix is better. Here is what we systematically configure.

On Siemens S7-1500 and S7-1200. Know-how protection on critical blocks (FB, FC, recipe DBs). Copy protection bound to the CPU serial number to prevent wild copying of the project. Access protection set to the most restrictive level the process tolerates (the TIA Portal levels are Full access, Read access, HMI access and No access), with strong passwords and a rotation procedure. Unused services disabled (PUT/GET communication left off unless an HMI or partner genuinely needs it, web server off, unused interfaces not configured). Program modification in RUN blocked where operations allow it. Security event logging to a central syslog collector, which recent S7-1500 firmware supports.

On Rockwell ControlLogix and CompactLogix. FactoryTalk Security enabled with centralized account management. CIP Security authentication on EtherNet/IP communications where the hardware supports it (ControlLogix 5580, CompactLogix 5380 and 1756-EN4TR modules; older 1756-EN2T modules do not). Unused services and ports disabled on communication modules. Controller keyswitch left in RUN rather than REM outside change windows, since in REM the mode can be changed over the network. Logging to a central syslog.

On HMIs (WinCC, PanelView, FactoryTalk View). Nominative operator accounts (never a shared "operator1"), authorization levels by function, automatic screen lock after 10 minutes, logging of critical actions (setpoint change, critical alarm acknowledgment).

On industrial switches (Scalance, Stratix). Unused ports administratively shut down in the configuration (not just left unplugged). Port security with a MAC address limit per port, VLANs by criticality, and restriction of the PROFINET DCP discovery protocol where possible (careful: PROFINET device naming and IP assignment depend on DCP, so blocking it entirely breaks commissioning and device replacement).

These actions seem obvious. On 100 PLCs audited on average per year, we find fewer than 5 PLCs with these basics in place.

Network Segmentation, The Subject That Changes Everything

If you do only one thing in OT cyber, it is segmentation. The Purdue model (level 0 to 5) remains the reference, but it must be modernized.

Level 0-1 (process and basic control). PLC, IO, instruments. Profinet/EtherNet/IP network physically isolated. No IP routable outside the zone.

Level 2 (area supervisory). HMI, local SCADA servers. Communication with level 0-1 via industrial protocols only. Industrial firewall (Scalance SC, Tofino, Stormshield SNi40) between level 2 and level 3.

Level 3 (site operations). MES, historian, batch server, engineering station. This is where OT servers live and where most of the work is done. Communication with level 4 (IT) only via DMZ.

Industrial DMZ. Mandatory layer between level 3 and level 4. MES to ERP flows, OPC UA to corporate data lake, supplier remote accesses go through this DMZ with application proxies (not simple NAT). On a site, setting up a real industrial DMZ takes 4 to 8 weeks and costs CHF 40,000 to 100,000 in hardware plus integration.

Level 4-5 (enterprise IT). Managed by corporate IT, out of OT scope but the DMZ firewall is our responsibility boundary.

In the field, 60 percent of the sites we see do not have a proper industrial DMZ. It is the highest-ROI cyber investment you can make.
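The Day 3 conduit test of the flash audit and the zone model above reduce to one mechanical check: every observed flow either matches a declared conduit or is a finding. The script below is an added example, not tooling from this page's authors. The zone addressing, the conduit table and the flow records are constructed for illustration; in practice the flows come from the Day 1 passive capture and the zone assignment from the real diagram.

```python
"""Zone-and-conduit check over a flow table (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Purdue levels used as IEC 62443 zones. Addressing is assumed, not from any site.
ZONES = {
    "L1-cell-A":  ip_network("10.10.1.0/24"),    # PLCs and IO (level 0-1)
    "L2-hmi":     ip_network("10.10.2.0/24"),    # HMI / local SCADA (level 2)
    "L3-siteops": ip_network("10.10.3.0/24"),    # MES, historian, engineering station
    "IDMZ":       ip_network("10.10.9.0/24"),    # industrial DMZ proxies and jump host
    "L4-IT":      ip_network("10.200.0.0/16"),   # corporate IT (level 4-5)
    "VPN":        ip_network("10.250.0.0/24"),   # supplier remote-access pool
}
OT_ZONES = {"L1-cell-A", "L2-hmi", "L3-siteops"}
OUTSIDE = {"L4-IT", "VPN"}          # may only reach OT through the IDMZ

# Conduits: (src_zone, dst_zone) -> allowed destination ports. Adjacent levels only.
CONDUITS = {
    ("L2-hmi", "L1-cell-A"):     {102, 44818, 502},  # S7comm, EtherNet/IP, Modbus/TCP
    ("L3-siteops", "L1-cell-A"): {102, 44818},       # engineering station to PLC
    ("L3-siteops", "L2-hmi"):    {1433, 4840},       # SCADA database, OPC UA
    ("L3-siteops", "IDMZ"):      {443, 4840},        # historian to DMZ proxies
    ("IDMZ", "L3-siteops"):      {3389, 4840},       # jump host RDP into the ES
    ("L4-IT", "IDMZ"):           {443, 1433},        # ERP/MES broker, data lake pull
    ("VPN", "IDMZ"):             {443},              # suppliers land on the jump host only
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"

def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def check_flow(flow: Flow):
    """Return ('ok' | 'violation', reason) for one observed flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "violation", f"endpoint not in any zone: {flow.src} -> {flow.dst}:{flow.port}"
    if src_zone == dst_zone:
        return "ok", f"intra-zone {src_zone}"
    if (src_zone in OUTSIDE and dst_zone in OT_ZONES) or (src_zone in OT_ZONES and dst_zone in OUTSIDE):
        return "violation", f"{src_zone} -> {dst_zone} bypasses the IDMZ"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return "violation", f"no conduit {src_zone} -> {dst_zone}"
    if flow.port not in allowed:
        return "violation", f"port {flow.port} not in conduit {src_zone} -> {dst_zone}"
    return "ok", f"conduit {src_zone} -> {dst_zone}:{flow.port}"

def audit_flows(flows):
    return [(f, *check_flow(f)) for f in flows]

def violations(flows):
    return [(f, reason) for f, verdict, reason in audit_flows(flows) if verdict == "violation"]

# Constructed flow table standing in for what a passive capture would produce.
SAMPLE_FLOWS = [
    Flow("10.10.2.10", "10.10.1.5", 102),     # HMI reading the S7-1500: expected
    Flow("10.10.3.20", "10.10.1.5", 102),     # engineering station to PLC: expected
    Flow("10.10.3.20", "10.10.9.10", 4840),   # historian to DMZ OPC UA proxy: expected
    Flow("10.200.4.17", "10.10.2.10", 3389),  # IT workstation RDP straight to the HMI
    Flow("10.250.0.8", "10.10.1.5", 102),     # supplier VPN pool straight to the PLC
    Flow("10.10.3.20", "10.200.1.2", 445),    # engineering station mounting an IT share
    Flow("10.10.1.5", "8.8.8.8", 53, "udp"),  # PLC with a route to the internet
    Flow("10.10.2.10", "10.10.1.5", 80),      # HMI hitting the PLC web server: no conduit
]

if __name__ == "__main__":
    for flow, verdict, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{verdict:9} {flow.src:>12} -> {flow.dst:>12}:{flow.port:<5} {reason}")
```

Each violation on the sample maps to one of the families above: a level skip from IT or from a supplier VPN, an OT host reaching IT without the DMZ, a level-1 PLC that can route outside its zone, and a port (here the PLC web server) that the conduit never approved.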

Our team supports these deployments, see [automation services](/services/automation) and [industrial data and AI](/services/dataAi) for the data and MES layers.

OT Monitoring, What Really Works

The classic IT SIEM does not understand industrial protocols. Specialized OT monitoring solutions (Claroty, Nozomi, Dragos, Tenable.OT) passively decode Profinet, EtherNet/IP, Modbus, OPC UA and S7comm and detect behavioral anomalies (a PLC that starts talking to an unknown IP, a logic download or STOP command sent in the middle of production).

A reasonable deployment on a medium site costs CHF 50,000 to 150,000 in licenses year 1, plus CHF 20,000 to 40,000 in integration. ROI comes from production incident detection (solutions also surface communication faults, which helps maintenance).

For smaller or starting sites, a more modest approach based on centralized syslog collectors and a Grafana dashboard on critical PLC metrics already offers 60 percent of the value at 5 percent of the cost.
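What "reads industrial protocols" means in practice is pulling the function code out of an S7comm or Modbus/TCP request and judging it against a learned baseline. The script below is an added example, not code from any of the products named above. It decodes only the header fields needed to classify a request; the addresses, the engineering station list, the baseline and the sample frames are constructed, and the S7comm function codes follow the layout documented by the Wireshark dissector.

```python
"""Classify S7comm and Modbus/TCP requests and alert against a baseline (added example)."""
import struct
from dataclasses import dataclass

# S7comm Job function codes -> (name, class). Names as in the Wireshark dissector.
S7_FUNCTIONS = {
    0x04: ("read_var", "read"),                 0x05: ("write_var", "write"),
    0x1A: ("request_download", "logic_change"), 0x1B: ("download_block", "logic_change"),
    0x1C: ("download_ended", "logic_change"),   0x1D: ("start_upload", "logic_read"),
    0x1E: ("upload", "logic_read"),             0x1F: ("end_upload", "logic_read"),
    0x28: ("plc_control", "logic_change"),      0x29: ("plc_stop", "logic_change"),
}
MODBUS_FUNCTIONS = {
    0x01: ("read_coils", "read"),             0x02: ("read_discrete_inputs", "read"),
    0x03: ("read_holding_registers", "read"), 0x04: ("read_input_registers", "read"),
    0x05: ("write_single_coil", "write"),     0x06: ("write_single_register", "write"),
    0x0F: ("write_multiple_coils", "write"),  0x10: ("write_multiple_registers", "write"),
}
# Constructed baseline: (src, dst, class) tuples seen during a clean reference capture.
BASELINE = {
    ("10.10.2.10", "10.10.1.5", "read"), ("10.10.2.10", "10.10.1.5", "write"),
    ("10.10.3.20", "10.10.1.5", "logic_read"),
}
ENGINEERING_STATIONS = {"10.10.3.20"}   # assumed: the only hosts allowed to change logic

@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    protocol: str
    function: str
    cls: str    # read / write / logic_read / logic_change / unknown

def parse_s7(payload: bytes):
    """TPKT(4) + COTP DT(3) + S7 header(10) + parameter -> (function, class)."""
    if len(payload) < 18 or payload[0] != 0x03 or payload[5] != 0xF0:
        raise ValueError("not a TPKT/COTP data TPDU")
    s7 = payload[7:]
    if s7[0] != 0x32:
        raise ValueError("not S7comm")
    if s7[1] != 0x01:                      # ROSCTR 1 = Job; acks and userdata are ignored
        return ("ack_or_userdata", "unknown")
    (param_len,) = struct.unpack(">H", s7[6:8])
    if param_len == 0:
        raise ValueError("job without parameter block")
    return S7_FUNCTIONS.get(s7[10], (f"func_0x{s7[10]:02x}", "unknown"))

def parse_modbus(payload: bytes):
    """MBAP(7) + PDU -> (function, class); exception responses are left unclassified."""
    if len(payload) < 8:
        raise ValueError("short Modbus/TCP frame")
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    func = payload[7]
    if func & 0x80:
        return ("exception_response", "unknown")
    return MODBUS_FUNCTIONS.get(func, (f"func_0x{func:02x}", "unknown"))

def classify(src, dst, port, payload) -> Event:
    if port == 102:
        return Event(src, dst, "s7comm", *parse_s7(payload))
    if port == 502:
        return Event(src, dst, "modbus", *parse_modbus(payload))
    return Event(src, dst, f"tcp/{port}", "unparsed", "unknown")

def detect(packets):
    """Return a list of (severity, event, reason) for packets that deserve attention."""
    alerts = []
    for src, dst, port, payload in packets:
        ev = classify(src, dst, port, payload)
        if ev.cls == "logic_change":
            if src in ENGINEERING_STATIONS:
                alerts.append(("info", ev, "logic change by engineering station, correlate with change ticket"))
            else:
                alerts.append(("critical", ev, "logic or run-state change from non-engineering host"))
        elif (src, dst, ev.cls) not in BASELINE:
            alerts.append(("high" if ev.cls == "write" else "warning", ev, "flow class not in baseline"))
    return alerts

# Frame builders used only to construct syntactically valid sample requests.
def build_s7_job(func: int, param: bytes = b"", data: bytes = b"") -> bytes:
    s7 = bytes([0x32, 0x01, 0, 0, 0, 1]) + struct.pack(">HH", 1 + len(param), len(data))
    body = bytes([0x02, 0xF0, 0x80]) + s7 + bytes([func]) + param + data
    return bytes([0x03, 0x00]) + struct.pack(">H", 4 + len(body)) + body

def build_modbus(func: int, pdu: bytes, unit: int = 1, tid: int = 1) -> bytes:
    body = bytes([unit, func]) + pdu
    return struct.pack(">HHH", tid, 0, len(body)) + body

SAMPLE_PACKETS = [  # (src, dst, dst_port, payload), all constructed
    ("10.10.2.10", "10.10.1.5", 102, build_s7_job(0x04, bytes.fromhex("01120a10020001000184000000"))),
    ("10.10.2.10", "10.10.1.5", 502, build_modbus(0x03, b"\x00\x00\x00\x0a")),
    ("10.10.3.20", "10.10.1.5", 102, build_s7_job(0x1D, b"\x00")),
    ("10.200.4.17", "10.10.1.5", 102, build_s7_job(0x29, b"\x00" * 5 + b"\x09P_PROGRAM")),
    ("10.10.3.20", "10.10.1.5", 102, build_s7_job(0x1A, b"\x00")),
    ("10.250.0.8", "10.10.1.5", 502, build_modbus(0x10, b"\x00\x10\x00\x01\x02\x00\x00")),
]

if __name__ == "__main__":
    for sev, ev, reason in detect(SAMPLE_PACKETS):
        print(f"{sev:8} {ev.src} -> {ev.dst} {ev.protocol} {ev.function}: {reason}")
```

On the sample, the PLC STOP from an IT workstation is the critical event, the download request from the engineering station becomes an informational alert to be matched against a change ticket, and the Modbus write from the supplier VPN pool is flagged because no write from that source was ever in the baseline. The baseline is the kind of thing a syslog-plus-dashboard setup can learn from one clean week of capture; the commercial platforms do the same with far more protocols and at scale.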

Realistic 12-Month Roadmap for a Medium Site

For a Swiss industrial site starting from zero OT cyber maturity, here is a realistic sequencing over 12 months.

Months 1-2, flash audit and action plan. Definition of zones and conduits, 62443 scoring.

Months 3-4, quick wins. Default passwords changed, generic accounts made nominative, closure of unused remote accesses, deactivation of unused services on PLCs.

Months 5-7, segmentation. Industrial DMZ deployment, OT/IT firewall rules tightened, centralized remote access through a jump host (CyberArk PSM, BeyondTrust, or a simpler hardened bastion host behind an open-source firewall such as OPNsense).

Months 8-10, PLC and HMI hardening. Know-how protection configuration, HMI user management, centralized logging.

Months 11-12, monitoring and procedures. OT monitoring solution deployment, incident response plan writing, simulation exercise.

Total budget order of magnitude, CHF 200,000 to 500,000 over 12 months for a medium site, hardware and licenses included. On an average ransomware event at CHF 1.5 million, ROI is immediate.

If you want an evaluation of your maturity, contact us for a flash audit. See also our [pharma sector](/secteurs/pharma), [microtechnology](/secteurs/microtechnique) and [chemistry](/secteurs/chimie) pages for sector specifics.

Frequently Asked Questions

Does NIS2 really apply to Swiss companies?

Not directly, since Switzerland is not in the EU. But via the revision of the Information Security Act, the requirements of European group subcontractors, and the demands of cyber insurers, NIS2 has become the de facto standard. A Swiss industrial SME supplying German or French clients must comply contractually, under penalty of losing contracts.

What is the first OT cyber investment to make if you have nothing?

Network segmentation and the industrial DMZ. It is the action that reduces the most risks for a reasonable investment (CHF 40,000 to 100,000). Without DMZ, an IT ransomware reaches OT in minutes. With a real DMZ, you have several hours of possible detection and propagation is broken.

How much does an OT cyber audit cost for a medium industrial site?

A 5-day flash audit costs CHF 15,000 to 25,000 and gives sufficient mapping to decide. A complete IEC 62443 certification-level audit costs CHF 60,000 to 150,000 over 4-8 weeks. To start, the flash audit is the right entry point. The complete audit comes next if the stake (site size, customer requirements) justifies it.

Should you have a dedicated in-house OT cyber team or outsource?

For a site of less than 200 employees, outsourcing is almost always more cost-effective. The senior OT cyber profile costs CHF 140,000 to 180,000 per year and you do not have the workload to keep them busy. A partnership with a specialized integrator over 30 to 60 days per year covers 80 percent of the need. Beyond 500 employees or for critical infrastructure operators, an internal OT cyber referent becomes indispensable.