How to Meet NIS2 Requirements: Secure Remote Access with Ewon Routers and W&T Firewalls
The European NIS2 directive introduces new obligations for companies in protecting against cyber threats. Below, we compare these requirements with the technical measures in IEC 62443 and show how to meet them easily using Ewon industrial routers, the secure Talk2M cloud service, and firewalls from the German manufacturer W&T.

Comparing NIS2 Security Measures with the Corresponding Requirements in IEC 62443
1. Access Control: Who Connects, When, and How?
NIS2 emphasizes that every access must be controlled, authenticated, and documented.
User Authentication by Risk Level
- NIS2 requirement: Ensure the strength of authentication is appropriate
- IEC 62443-2-4 defines password requirements: 1. Minimum length of eight characters, 2. A combination of at least three of the following four character sets: lowercase letters, uppercase letters, digits, and special characters (e.g., % and #)
- Remote access with an Ewon router: Configurable in Talk2M (the access platform for Ewon devices)
In Talk2M you can set the authentication level according to the required protection level. For example, an administrator needs stronger verification than a technician who only reads PLC values. This flexibility protects critical devices without unnecessary complications.
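The IEC 62443-2-4 password rule quoted above (eight characters minimum, at least three of the four character sets) as an added, stand-alone check; this is example code written for this article, not a Talk2M or Ewon feature, and the sample passwords are constructed:

```python
import string

# IEC 62443-2-4 password rule as quoted in the text: at least eight characters
# and at least three of the four character sets below.
MIN_LENGTH = 8
MIN_CLASSES = 3

CHARACTER_SETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set(string.punctuation),  # covers % and # from the text
}


def character_classes(password: str) -> set:
    """Return the names of the character sets that appear in the password."""
    return {name for name, chars in CHARACTER_SETS.items()
            if any(c in chars for c in password)}


def check_password(password: str) -> list:
    """Return the list of violated requirements; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        missing = sorted(set(CHARACTER_SETS) - classes)
        problems.append(f"only {len(classes)} of 4 character sets used "
                        f"(missing: {', '.join(missing)})")
    return problems


def is_compliant(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the article
    for candidate in ["plc#Read7", "password", "Abcdefgh", "Ab1%"]:
        print(candidate, check_password(candidate) or "OK")
```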

Multi-Factor Authentication (MFA)
- NIS2 requirement: Use multi-factor authentication
- IEC 62443-2-4: Use multi-factor authentication as required by the asset owner
- Remote access with an Ewon router: Can be enabled in Talk2M
You can enable MFA in eCatcher with a single click. It ensures that, in addition to a password, the user enters a one-time code (e.g., sent by SMS). This significantly reduces the risk of account compromise if the password is leaked.

Principle of Least Privilege
- NIS2 requirement: Implement authentication procedures based on least privilege principle
- IEC 62443-2-4: Ensure that least privilege is used for the administration of network devices for which the service provider is responsible
- Remote access with an Ewon router: Configurable in Talk2M using “Pools” and “Groups”
In Talk2M Pro you can sort users into groups and define access via Pools and Groups. Each user has only the rights they truly need. There are no universal administrator accounts for everyone.

Authorizing Service Provider Access
- NIS2 requirement: Allow connections of service providers only after an authorization request
- IEC 62443-2-4: The service provider shall have the capability to ensure that it obtains approval from the asset owner prior to using each and every remote access connection
- Remote access with an Ewon router: Configurable on the Ewon device or in Talk2M
The Ewon device can be secured with a key switch without which the device cannot be made accessible. This eliminates the risk of an unauthorized connection by a provider or technician without prior approval.
2. Incident Handling: Full Visibility into What’s Happening
It is essential to have complete visibility into who connected and when. NIS2 stresses active monitoring and documentation of all traffic.
Automatic Access Logging
- NIS2 requirement: Use tools to monitor and log activities
- IEC 62443-2-4: The service provider shall ensure that the automation solution is configured to write all security-related events, including user activities and account management activities, to an audit log that is kept for the number of days specified by the asset owner.
- Remote access with an Ewon router: Enabled by default in Talk2M
Talk2M stores a detailed log of all connections—who, when, from where, and to which device. This makes it easy to trace unauthorized access or erroneous interventions. Logs can also be archived and used during audits or incident investigations.

3. Network Security: Proper Segmentation Is Fundamental
NIS2 requires networks to be divided into security zones, with only controlled communication between them. You can achieve this with a combination of an Ewon router and W&T firewalls.
Ewon as a Protective Shield Between Worlds
- NIS2 requirement: Restrict access and communications between zones to those necessary for the operation of the relevant entities or for safety; Allow access to the network only to authorized devices
- IEC 62443-2-4 – SR 5.2 RE 1: Deny by default, allow by exception. The control system must allow a default configuration that denies network traffic, permitting it only by exception (“deny by default, allow by exception”)
- Remote access with an Ewon router: Deny by default requires firewall rules keyed on source IP, destination IP, and port. Where supported, these can be complemented with MAC-address filters and deep protocol inspection to distinguish between operations (e.g., read vs. write, start/stop vs. re-programming)
Ewon naturally separates:
- The machine’s internal network (e.g., PLC, HMI)
- The corporate network
- The internet/remote connection
This protects the machine from direct access from less-trusted zones and enables precise control of communications.
Network Segmentation — Practical Scenarios
- NIS2 requirement: The relevant entities shall segment systems into networks or zones in accordance with the results of the risk assessment. They shall segment their systems and networks from third parties' systems and networks.
- IEC 62443-2-4: SR 5.1 RE 1 — physical network segmentation. The control system shall provide the capability to physically segment control system networks from non-control system networks and to physically segment critical control system networks from non-critical control system networks
- Remote access with an Ewon router: Recommended settings depend on scenarios:
#1: Ewon connected via modem
#2: Ewon connected via the corporate network
#3: Ewon connected via modem, with the need to maintain corporate-network communication for data
Scenario 1: Ewon Connected via Modem — Separating the Machine’s Internal Network from an Untrusted Remote Connection

The machine’s internal network communicates only with the Ewon router—any remote access is mediated through it and governed by firewall rules. With the firewall set to Ultra, the “deny by default, allow by exception” requirement is met (all communication is blocked until explicitly permitted).

Scenario 2: Ewon Connected via the Corporate Network — Separating the Machine’s Internal Network from an Untrusted Corporate Network (for the Machine) and an Untrusted Remote Connection

Here too, the machine remains separated. The Ewon protects the machine from a potentially compromised corporate network. Specific ports can be opened on the Ewon device so that a customer device on the local network can access services on the machine (using NAT). Remote access is mediated through the Ewon and controlled by firewall rules.
Scenario 3: Ewon Connected via Modem While Maintaining Communication from the Corporate Network for Data Collection/SCADA — Separating the Machine’s Internal Network, an Untrusted Corporate Network (for the Machine) where Data Collection/SCADA Runs, And an Untrusted Remote Connection

All remote access is mediated by the Ewon and controlled by firewall rules. Because the corporate network must still reach the machine network for data collection, that boundary cannot simply be closed; instead we place a firewall there that separates the internal machine network from the untrusted corporate network while permitting only the required data flows.
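A model of the "deny by default, allow by exception" policy described above, with exception rules keyed on source IP, destination IP and port as in the firewall section, applied to Scenario 3: this is added example code, not Ewon or W&T configuration, and the addresses, the port and the SCADA host are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One 'allow by exception' entry keyed on source, destination and port."""
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    port: int
    comment: str = ""


def parse_rule(source, destination, port, comment=""):
    return Rule(ipaddress.ip_network(source), ipaddress.ip_network(destination),
                port, comment)


# Constructed exception list for Scenario 3 (assumed values, not from the article):
# only one corporate SCADA host may poll the machine's PLC on one port; the rest of
# the corporate network and any internet source get nothing.
ALLOW_RULES = [
    parse_rule("10.0.5.20/32", "192.168.0.10/32", 502, "SCADA data collection to PLC"),
]


def evaluate(rules, src, dst, port):
    """Return (decision, matched_rule). No matching rule means deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip in rule.source and dst_ip in rule.destination and port == rule.port:
            return "allow", rule
    return "deny", None


def audit_line(rules, src, dst, port):
    """One log line per attempt, so denied traffic is visible for incident handling."""
    decision, rule = evaluate(rules, src, dst, port)
    reason = rule.comment if rule else "no exception rule matched (default deny)"
    return f"{decision.upper():5} {src} -> {dst}:{port}  {reason}"


if __name__ == "__main__":
    attempts = [  # constructed sample connection attempts
        ("10.0.5.20", "192.168.0.10", 502),    # SCADA host, allowed port
        ("10.0.5.21", "192.168.0.10", 502),    # another corporate host
        ("10.0.5.20", "192.168.0.10", 102),    # SCADA host, different port
        ("203.0.113.7", "192.168.0.10", 502),  # internet source
    ]
    for src, dst, port in attempts:
        print(audit_line(ALLOW_RULES, src, dst, port))
```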
Segregating Networks with W&T Firewalls
W&T Unidirectional Ethernet Firewall
- One-way communication only (e.g., data upload outward only)
- No operating system, no open-source components → minimal risk of compromise
- Ideal where message acknowledgements are not required

W&T Microwall Bridge (Whitelist-Based)
- Operates on the whitelist principle (“deny by default, allow by exception”) — default state: everything blocked; only required IP addresses and ports are permitted
- Suitable where communication between zones is necessary but traffic must be fully controlled
You can learn more about W&T security features, for example, in this real-world case study.
4. Policies and Company Procedures
Technical measures make sense only when supported by clear rules.

We recommend introducing:
- An internal manual for working with Ewons and remote access (including account settings, key-switch management, and connection rules)
- Rules for external suppliers’ access — including the requirement for written approval and confirmation of security rules
- Policies for sharing access between departments — who may access which device and under what conditions
By combining Ewon products, the Talk2M platform, and W&T firewalls, you can meet NIS2 requirements easily and efficiently while keeping access management simple.
Browse the products and order them directly from our online shop, or contact us at foxon@foxon.cz. We’ll be happy to help design the right security for your infrastructure.