Hard2bit
IEC 62443 · NIS2 · NIST SP 800-82 · MITRE ATT&CK for ICS

Industrial OT cybersecurity from the plant floor to NIS2

Hard2bit delivers industrial cybersecurity services to companies operating OT, ICS, SCADA, DCS and PLC assets in Spain and the European Union: audits against IEC 62443, IT/OT segmentation based on the Purdue Reference Model, NIS2 compliance for essential and important entities, vulnerability management in control environments and incident response for critical infrastructure.

Hard2bit is a Spanish cybersecurity company founded in 2013 and headquartered in the Community of Madrid. The security audit service is part of Hard2bit's own certified scope under ENS High category (Royal Decree 311/2022) and ISO/IEC 27001:2022, audited by an ENAC-accredited body. We pair that base with real industrial frameworks: IEC 62443, NIST SP 800-82, MITRE ATT&CK for ICS, ISO 27019 for energy and guidance from CCI-ES, ENISA, INCIBE-CERT and CCN-CERT.

IEC 62443 audit · NIS2 industrial · IT/OT segmentation · OT vulnerability management · ICS/SCADA hardening · OT incident response · Industrial asset inventory
13 years in cybersecurity
ENS High + ISO 27001 own certification
IEC 62443 applied technical framework
Audit + response same team nationwide

Scope

What a well-designed industrial cybersecurity project covers

Companies looking for OT cybersecurity usually arrive for one of three reasons: NIS2 asking them for a demonstrable security program, a recent incident that exposed the IT-OT gap, or a customer or vendor audit requiring IEC 62443. These are the scenarios we cover in depth.

Industrial cybersecurity audit against IEC 62443

Technical and documentary assessment of OT environments against the ISA/IEC 62443 family (62443-2-1 for the security program, 62443-3-2 for risk assessment, 62443-3-3 for system requirements, 62443-4-1/4-2 for product lifecycle and components). Report with evidence, target and achieved Security Levels (SL-T and SL-A) per zone, and a prioritized remediation plan.

NIS2 readiness for essential industrial entities

Applicability analysis of Directive (EU) 2022/2555 and its Spanish transposition for energy, water, transport, manufacturing and food. Coverage of the required technical and organizational measures, supply-chain risk management and incident notification obligations to INCIBE-CERT and the sectoral competent authority.

IT/OT segmentation and zones-and-conduits design

Architecture design based on the Purdue Reference Model (levels 0-5) and the zones-and-conduits concept from IEC 62443. Isolation of the plant from the corporate network, control of legitimate flows, deployment of an industrial DMZ and validation of a single gateway to the internet.

Vulnerability management in OT environments

Identification of PLC, RTU, HMI, SCADA and DCS assets; prioritization with real exploitability criteria (CISA KEV, EPSS, CVSS-OT where applicable); validation of production impact; and patching windows aligned with availability. When a patch is not feasible, documented compensating controls.

Incident response in critical infrastructure

OT-specific response plans with containment runbooks that do not compromise plant safety. Coordination with the corporate CSIRT, the control system vendor, INCIBE-CERT and CCN-CERT. Industrial forensics preserving operational traceability.

Scope adapts to each plant's reality. A pharmaceutical site under CSV validation, an electrical substation under sectoral regulation and a wastewater plant with legacy telecontrol don't start from the same baseline. The methodology stays the same; prioritization and controls don't.

Why Hard2bit

What makes us competent in OT cybersecurity

Spanish company with ENS High + ISO 27001 in scope

The security audit service is part of Hard2bit's own certified scope under ENS High category (Royal Decree 311/2022) and ISO/IEC 27001:2022, audited by an ENAC-accredited body. The methodology we apply to clients is the one we are audited against every year.

Same team for IT and OT, no handovers between vendors

The reality of NIS2 is that IT and OT share the cybersecurity owner. Hard2bit integrates audit, pentesting, incident response and compliance under one team, removing the inter-vendor handovers that in OT typically end up as coverage gaps.

Knowledge of real industrial frameworks

ISA/IEC 62443 (full family), NIST SP 800-82 Rev. 3, MITRE ATT&CK for ICS, NERC CIP as an international reference, ISO 27019 for energy, IEC 62351 and IEC 61850 when applicable to the electrical sector. We don't reference frameworks we don't actually apply.

Madrid-based, nationwide reach

Headquartered in Leganés with an office in Las Rozas. We routinely operate on industrial sites across mainland Spain and the islands, including on-site interventions when incident severity or audit scope require it.

Methodology

How we run an OT engagement

01 · OT asset inventory and classification

Passive asset discovery to avoid disturbing the plant: PLCs, RTUs, HMIs, engineering stations, historians, industrial gateways, unmanaged switches, sensors. Classification by Purdue level, operational criticality and exposure.

02 · Risk assessment per IEC 62443-3-2

Identification of zones and conduits, threat modeling with MITRE ATT&CK for ICS, target Security Level (SL-T) per zone and gap analysis against the achieved SL. Traceable documentation for external audit or inspection.

03 · Segmentation, hardening and monitoring design

Target architecture design (industrial DMZ, microsegmentation, jump servers, removable-media control), hardening of PLCs and HMIs, OT-specific detection (passive captures, industrial NDR where justified) and a baseline of legitimate traffic.

04 · Remediation plan prioritized by operational impact

Plan ordered by real risk reduction, with technical dependencies, downtime windows compatible with operations and compensating controls when patching is not feasible. Effort estimate per action.

05 · Support, exercises and revalidation

Hands-on support during implementation, OT incident exercises with runbooks operated by the plant team, and periodic revalidation of the achieved Security Level. Integration with the existing ISO 27001 or ENS management system.

Important: discovery in OT starts passive, not with a scan. Firing an active scan at a legacy PLC can drop the line. The difference between an IT vendor that claims to do OT and one that actually does shows here.

Frameworks and references

Standards, regulation and reference bodies

The service draws on international and national frameworks with real weight before an auditor or regulator. That methodological base is what makes the report defensible and the plan resilient to the next NIS2 inspection or external audit.

ISA/IEC 62443 (full family)

International standard for cybersecurity of industrial automation and control systems (IACS). 62443-2-1 for the security program, 62443-3-2 for zones-and-conduits risk assessment, 62443-3-3 for system requirements, 62443-4-1 and 4-2 for product lifecycle and components.

NIS2 Directive (EU 2022/2555)

European cybersecurity framework for essential and important entities. Manufacturing, energy, water, transport and food fall into scope based on size and criticality. Defines technical and organizational measures, supply-chain risk management and incident-notification obligations.

NIST SP 800-82 Rev. 3

Guide from the National Institute of Standards and Technology on operational-technology security, including ICS, SCADA, DCS and PLC. Globally used methodological reference, especially for control design and monitoring.

MITRE ATT&CK for ICS

Matrix of documented adversarial tactics and techniques against industrial control systems. Foundation for threat modeling, detection assessment and realistic OT red-team exercises.

CCI-ES and CCN-CERT / INCIBE-CERT

Centro de Ciberseguridad Industrial (CCI) as the Spanish industrial reference body; CCN-CERT for public administration with industrial infrastructure; and INCIBE-CERT as the national CSIRT for the private sector, including critical-infrastructure incident coordination.

ENISA — Threat Landscape for OT

European Union Agency for Cybersecurity. Publishes the annual OT threat landscape and sector-specific guidance for NIS2-regulated entities.

We don't use frameworks as decoration. If an electrical-sector client doesn't need IEC 61850 or ISO 27019 (unlikely), those standards won't appear in their project. Standard selection is driven by sector, NIS2 scope and contractual commitments with customers and insurers.

Sectors

Verticals where we apply industrial cybersecurity

NIS2 and sectoral frameworks classify several OT-intensive verticals as essential or important. These are the areas where Hard2bit concentrates its industrial practice.

Discrete and process manufacturing

Plants with PLCs, DCS and historians. Typical risks: ransomware reaching OT from IT, uncontrolled vendor remote access, USB media on engineering consoles, no current asset inventory.

Energy: generation, transmission and distribution

Substations (IEC 61850), control centers, distributed renewable generation. NIS2 essential entity by default. Sector-specific ISO 27019. Required integration with CCN-CERT for strategic operators.

Water and wastewater

Telecontrol of capture, treatment and discharge. Included as essential under NIS2 with direct public-health impact. Significant legacy footprint that is hard to patch.

Transport and rail infrastructure

Signaling, traffic supervision, onboard systems. Requires strict segmentation and sector-specific standards (TS 50701 for rail). Complex coexistence between corporate IT and OT operations.

Food and pharmaceutical

Packaging lines, process control, data integrity (Annex 11, 21 CFR Part 11 when exporting). Availability and traceability as pillars; cybersecurity as a regulatory pre-condition.

Healthcare with networked medical devices

Hospitals with medical IoT, connected diagnostic equipment and life-support systems. Medical OT coexists with EHR systems and GDPR obligations. Special-category data and human lives at stake.

When it makes sense

Typical scenarios

  • Before deploying new OT or opening a plant
  • When NIS2 enters scope and a demonstrable program is needed
  • After an incident that crossed from IT to OT or back
  • When a customer or insurer asks for IEC 62443 evidence
  • To design the industrial DMZ and segmentation across Purdue 3 / 3.5
  • As a periodic review of Security Level per zone

FAQ

Frequently asked questions about industrial cybersecurity and NIS2

What is OT cybersecurity and how does it differ from IT cybersecurity?

OT (Operational Technology) covers the systems that control physical processes: PLC, SCADA, DCS, HMI, RTU and the industrial network linking them. It differs from IT in three key points. First, priority: IT puts confidentiality first, OT puts availability and physical safety first because a stoppage or a control failure can cause damage to property and people. Second, lifecycle: a PLC may operate for 20 years versus 3-5 years for an IT server, which completely changes patching policy. Third, protocols: Modbus, OPC UA, DNP3, IEC 61850 or PROFINET instead of HTTP, SMB or RDP.

Is my company in scope of NIS2 because of its industrial activity?

Probably yes if it operates in energy, drinking water, wastewater, transport, manufacturing (medical devices, chemicals, food, specific manufactured products), waste management, digital infrastructure or research. NIS2 distinguishes between essential and important entities by sector and size. The Spanish transposition requires registration with the competent authority, deployment of risk-management measures and incident notification on short timelines. A scoping exercise upfront avoids problems later.

What is the Purdue Reference Model and why is it always cited?

The Purdue Model breaks the industrial architecture into levels 0 through 5: level 0 are the physical sensors and actuators, level 1 the controllers (PLC, RTU), level 2 supervision and HMI, level 3 plant operations, level 3.5 an industrial DMZ, level 4 plant-floor corporate systems and level 5 corporate IT. It is always cited because it provides a common map to design segmentation, decide which traffic is allowed between levels and apply IEC 62443 to something tangible.
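As an added illustration of how the Purdue levels and the zones-and-conduits concept from the segmentation service become something checkable (example code, not Hard2bit's own tooling): flows from a passive capture are compared against a conduit allowlist, and anything that skips the industrial DMZ or jumps more than one level is flagged. Zone names, the conduit allowlist and the sample flows are all constructed.

```python
# Added example, not Hard2bit's code: zone map, conduits and flows are constructed.
from dataclasses import dataclass
# Each constructed zone sits at one Purdue level (3.5 = industrial DMZ).
ZONES = {
    "field_io": 0, "plc_line1": 1, "hmi_line1": 2, "plant_ops": 3,
    "industrial_dmz": 3.5, "site_business": 4, "corporate_it": 5,
}
# Constructed conduit allowlist: (source zone, destination zone, TCP port).
CONDUITS = {
    ("hmi_line1", "plc_line1", 502),           # HMI polls the PLC over Modbus/TCP
    ("plant_ops", "hmi_line1", 4840),          # OPC UA collection from plant operations
    ("industrial_dmz", "plant_ops", 4840),     # DMZ historian replica pulls from level 3
    ("site_business", "industrial_dmz", 443),  # IT reads the historian via the DMZ only
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def classify(flow: Flow) -> str:
    """Verdict for one captured flow: allowed, dmz-bypass, cross-level or undeclared."""
    if (flow.src, flow.dst, flow.port) in CONDUITS:
        return "allowed"
    src_lvl, dst_lvl = ZONES[flow.src], ZONES[flow.dst]
    if src_lvl >= 4 and dst_lvl < 3.5:   # IT reaching below the DMZ skips the single gateway
        return "dmz-bypass"
    if abs(src_lvl - dst_lvl) > 1:       # conduits should join adjacent levels only
        return "cross-level"
    return "undeclared"                  # adjacent levels, but no documented conduit

def audit(flows):
    """Bucket flows by verdict; every bucket except 'allowed' feeds the remediation plan."""
    report = {}
    for flow in flows:
        report.setdefault(classify(flow), []).append(flow)
    return report

# Constructed sample flows, as a passive sensor on a SPAN port might report them.
SAMPLE_FLOWS = [
    Flow("hmi_line1", "plc_line1", 502),          # allowed
    Flow("corporate_it", "plc_line1", 502),       # dmz-bypass: corporate host writing to a PLC
    Flow("site_business", "industrial_dmz", 22),  # undeclared: SSH into the DMZ, no conduit
    Flow("plant_ops", "field_io", 502),           # cross-level: level 3 straight to level 0
]
if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_FLOWS).items():
        print(verdict, [(f.src, f.dst, f.port) for f in flows])
```

The "undeclared" bucket is where most real findings land: traffic that works today but has no conduit on record, which is exactly what the baseline of legitimate traffic is meant to settle.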

Would an OT audit shut down my plant?

No, unless the client explicitly asks for active testing. The standard methodology in OT environments is non-intrusive: passive asset discovery from traffic captures, documentary review, interviews with operations and maintenance, and configuration review on running systems with the plant owner's consent. Active testing is reserved for mirrored environments, scheduled shutdowns or windows agreed with the production owner.

How does IEC 62443 relate to NIS2?

IEC 62443 is the how, NIS2 is the what. NIS2 requires technical and organizational measures proportionate to risk but does not prescribe how to implement them in an industrial environment. IEC 62443 provides the concrete methodology: zones-and-conduits risk assessment, Security Levels, system requirements, supplier requirements and lifecycle. In practice, a serious industrial audit uses NIS2 as the legal driver and 62443 as the technical yardstick.

What incident-notification obligations does NIS2 impose?

NIS2 sets an early-warning notification within 24 hours of becoming aware of a significant incident, a more detailed incident notification within 72 hours and a final report within one month. The notification goes to the designated CSIRT or competent authority, which in Spain includes INCIBE-CERT for the private sector and CCN-CERT for public administration and strategic infrastructure. An industrial incident-response retainer reduces the friction of meeting these timelines.

Why can't we just patch every PLC?

For three practical reasons. First, vendors often don't release patches at office-software cadence and when they do, the patch needs to be validated against the process. Second, stopping a PLC to patch it means stopping the line, with an operational cost measurable in thousands or millions of euros per hour. Third, many systems run on hardware or operating systems out of support. In serious OT environments, vulnerability management combines patching where feasible, compensating controls where not, and planning with operations.
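As an added example (not Hard2bit's code) of the prioritization criteria named under the vulnerability-management service and the patch-or-compensate decision just described: findings are scored by exploitability evidence (CISA KEV, EPSS) ahead of raw CVSS, weighted by exposure, and then turned into a plan action that respects line availability. The thresholds, weights, asset names and advisory references are assumptions constructed for illustration.

```python
# Added example, not Hard2bit's code: thresholds and the sample findings are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str                # constructed asset name
    ref: str                  # advisory reference (placeholder, not a real identifier)
    cvss: float               # CVSS base score, 0-10
    epss: float               # EPSS probability of exploitation, 0-1
    in_kev: bool              # listed in CISA Known Exploited Vulnerabilities
    exposed: bool             # reachable from IT or a vendor remote-access conduit
    patch_available: bool
    requires_line_stop: bool  # applying the patch means stopping production

HIGH = 2.0  # assumed cut-off: roughly "known exploited or very likely, on an exposed asset"

def score(f: Finding) -> float:
    """Exploitability evidence (KEV, EPSS) weighs more than the raw CVSS number."""
    s = f.cvss / 10 + f.epss
    if f.in_kev:
        s += 1.0            # confirmed in-the-wild exploitation outranks any CVSS tweak
    if f.exposed:
        s *= 1.5            # a finding behind a real conduit from IT matters far more
    return round(s, 2)

def decide(f: Finding) -> str:
    """Plan action that respects availability: patch where feasible, compensate where not."""
    s = score(f)
    if not f.patch_available:
        return "compensating control, documented" if s >= 1.0 else "monitor, reassess quarterly"
    if not f.requires_line_stop:
        return "patch in next maintenance window"
    if s >= HIGH:
        return "interim compensating control, patch at next scheduled stop"
    return "patch at planned shutdown"

def plan(findings):
    """Remediation plan ordered by real risk reduction, highest score first."""
    return sorted(((score(f), f.asset, decide(f)) for f in findings), reverse=True)

# Constructed findings for one line; references are placeholders, not real advisories.
SAMPLE = [
    Finding("hmi-line1", "ADV-PLACEHOLDER-1", 9.8, 0.90, True, True, True, False),
    Finding("plc-line1", "ADV-PLACEHOLDER-2", 8.6, 0.04, True, True, True, True),
    Finding("eng-station", "ADV-PLACEHOLDER-3", 9.0, 0.30, False, True, False, False),
    Finding("rtu-pump", "ADV-PLACEHOLDER-4", 7.5, 0.02, False, False, False, False),
]
if __name__ == "__main__":
    for s, asset, action in plan(SAMPLE):
        print(f"{s:5.2f}  {asset:12}  {action}")
```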

How long does a typical industrial cybersecurity project take?

It depends on scope. A point audit on a single plant usually takes 4-8 weeks, including fieldwork and reporting. A full NIS2 + IEC 62443 project for a mid-sized industrial group with multiple sites typically takes 4 to 9 months, depending on the number of locations, the documentary starting point and the availability of operational staff for interviews and validations.

Does the audit work as evidence for INCIBE, CCN-CERT or a sectoral authority?

Yes. The report documents scope, methodology (IEC 62443, NIS2, NIST SP 800-82, MITRE ATT&CK for ICS), collected evidence, prioritized findings, Security Level per zone and remediation plan. It is designed to integrate with an existing management system (ISO 27001, ENS, ISO 27019 where applicable) and serve as traceable evidence for external auditors, NIS2 competent-authority inspections and incident coordination with INCIBE-CERT and CCN-CERT.

Next step

Talk to Hard2bit about your OT project

If you need to audit a plant, prepare NIS2, segment IT/OT or design an IEC 62443 program with real technical judgment, we can review your context and propose a scope proportional to risk and to actual operations.