The "Dual Gate" Principle: Compliance and OT Security in the Context of NIS2 and CRA
Why separating IT and OT is now a legal requirement—and how our Microwall supports this
The days when industrial OT networks were protected by "Security Through Obscurity"—or weren’t protected at all—are over. With NIS2 (security of critical and important sectors) and the Cyber Resilience Act (CRA), cybersecurity requirements for machinery and equipment are increasing significantly.
A key requirement of these regulations is that data traffic must be protected using state-of-the-art technology. In practice, this means that, in addition to strict segmentation, data traffic across networks—for example, to the company’s IT department—must be encrypted. Our Microwall VPN provides the perfect hardware foundation for this.
The Challenge: State-of-the-Art Solutions for Legacy Systems
Many valuable legacy systems and equipment in the OT environment continue to function reliably, but they communicate using protocols that lack built-in encryption. According to NIS2, companies must take "appropriate and proportionate technical measures" in this regard. If unencrypted data is transmitted over the company’s IT network or even to the cloud, incidents could result in consequences ranging up to substantial fines.
Our Microwall acts as a compliance enabler by providing two separate communication paths over a single physical uplink:
1. The NAT Path: Transparency for Modern IIoT Devices
Modern sensors or edge gateways often already include their own encryption, such as TLS.
- Function: The Microwall functions here as a standard NAT router. It masks the IP addresses of the island network and allows encrypted traffic to travel directly to the plant network.
- Firewall: A dedicated set of rules monitors this path and prevents unauthorized connections to the intranet and the sensitive control layer.
2. The WireGuard Path: A Solution for Unencrypted Protocols
The Microwall provides a WireGuard server endpoint for Modbus, Profinet, and proprietary protocols.
- Function: External encryption ("Outer Encryption"). Unencrypted data is routed through a secure WireGuard tunnel.
- Compliance benefit: This allows you to meet the encryption requirements for higher-level data exchange without having to modify the machine’s software (e.g., PLC).
Functional Diagram: The Hybrid Security Model
Here you can see how the two firewalls and interfaces work together to achieve NIS2-compliant segmentation:
NIS2 compliance
1. Strict network segmentation
NIS2 (Network and Information Security Directive 2022/2555) requires the separation of IT and OT networks, for example, to prevent the lateral spread of malware. With the two network interfaces and the two independent firewall zones (Intranet<>LAN and VPN<>LAN), you can ensure that no participant on the OT Island speaks to the outside world without explicit permission.
2. State-of-the-art encryption
WireGuard is currently considered one of the most secure and efficient VPN protocols. By "retrofitting" encryption via VPN, you can keep your legacy system in use even under NIS2.
3. Identity Protection (NAT)
"Hiding" the island network using NAT reduces the attack surface. From the outside, an attacker sees only the hardened Microwall; the potentially vulnerable users behind it remain invisible.
Application scenario
A machine builder operates plants around the world.
Before:
The system was typically integrated directly into the customer’s network or its IP range, along with all its components. With unencrypted protocols, both the content and the communicating participants were visible across the entire network.
Today with Microwall VPN:
All unsecured protocols are encrypted, authenticated, and routed through the WireGuard tunnel.
The VPN firewall allows connections only between explicitly authorized users.
Protocols that are inherently secure are routed to the island via NAT using the Microwall’s IP address. Here, too, communication is strictly controlled by appropriate firewall rules.
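The two paths described above (NAT for devices that bring their own TLS, WireGuard for plaintext Modbus/Profinet) and the "Today with Microwall VPN" scenario both come down to one policy model: two independent allow-lists, VPN<>LAN and Intranet<>LAN, with everything else dropped, and island addresses masqueraded on the NAT path. The following is an added example written for this article, not code from W&T or the Microwall's own configuration format; the address ranges, the hosts (a maintenance laptop at 10.8.0.10, a PLC at 192.168.100.10, an IIoT sensor at 192.168.100.20, an MQTT broker at 10.0.1.5) and the rule sets are constructed assumptions chosen to mirror the scenario.

```python
"""Toy model of the "dual gate" policy: two zone pairs, default deny, NAT masquerade.

Added example, not Microwall product code. All addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# --- Constructed addressing (assumptions, not product defaults) ---
ISLAND = ip_network("192.168.100.0/24")   # OT island behind the Microwall's LAN port
PLANT = ip_network("10.0.0.0/16")         # company IT / plant network on the uplink
TUNNEL = ip_network("10.8.0.0/24")        # WireGuard tunnel address range
MICROWALL_UPLINK_IP = "10.0.5.1"          # island traffic is masqueraded behind this


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to one of the three zones the two firewalls sit between."""
    a = ip_address(addr)
    if a in ISLAND:
        return "lan"
    if a in TUNNEL:
        return "vpn"
    if a in PLANT:
        return "intranet"
    return "unknown"


@dataclass(frozen=True)
class Rule:
    src: str      # host or CIDR permitted to initiate
    dst: str      # host or CIDR it may reach
    dport: int
    proto: str = "tcp"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and f.dport == self.dport and f.proto == self.proto)


# Zone pair 1, VPN<>LAN: only named tunnel peers reach named island hosts.
VPN_RULES = [
    Rule("10.8.0.10/32", "192.168.100.10/32", 502),   # maintenance laptop -> PLC, Modbus/TCP inside WireGuard
]

# Zone pair 2, Intranet<>LAN (NAT path): only island devices that bring their own
# encryption may initiate outward; nothing from the intranet may initiate inward.
NAT_RULES = [
    Rule("192.168.100.20/32", "10.0.1.5/32", 8883),   # IIoT sensor -> plant MQTT broker over TLS
]


def evaluate(f: Flow) -> tuple[str, Optional[str]]:
    """Return (verdict, source address as seen by the destination).

    verdict is "accept" or "drop". On the NAT path an accepted flow carries the
    Microwall's uplink address instead of the island address; on the VPN path
    the tunnel address is routed unchanged. Dropped flows return None.
    """
    src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)

    if {src_zone, dst_zone} == {"vpn", "lan"}:
        rules, translated = VPN_RULES, f.src          # tunnel traffic: routed, not translated
    elif src_zone == "lan" and dst_zone == "intranet":
        rules, translated = NAT_RULES, MICROWALL_UPLINK_IP  # outbound via NAT: island IP hidden
    else:
        # Direct intranet -> island, unknown zones, or anything else: no rule set
        # applies, so the flow is dropped (default deny).
        return "drop", None

    if any(r.matches(f) for r in rules):
        return "accept", translated
    return "drop", None


if __name__ == "__main__":
    # Constructed sample flows covering the "Before" and "Today" cases of the article.
    samples = [
        Flow("10.8.0.10", "192.168.100.10", 502),    # Modbus through the tunnel: accept
        Flow("10.0.7.7", "192.168.100.10", 502),     # plaintext Modbus straight from IT: drop
        Flow("192.168.100.20", "10.0.1.5", 8883),    # sensor's own TLS via NAT: accept, masqueraded
        Flow("192.168.100.20", "10.0.1.5", 1883),    # plaintext MQTT outbound: not listed, drop
        Flow("10.0.7.7", "192.168.100.20", 22),      # intranet host probing the island: drop
    ]
    for s in samples:
        print(s, "->", evaluate(s))
```

The point the model makes explicit is that "explicitly authorized users" means a rule per peer and per destination port in each zone pair; a plaintext Modbus session from the IT network is not merely unencrypted, it has no rule set to match and is dropped before reaching the PLC.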
The benefits at a glance
| Feature | Technical benefit | Regulatory benefit under NIS2 |
|---|---|---|
| Dual firewall | Separate rule sets for VPN and NAT | Verifiable segmentation |
| WireGuard server | High-speed encryption | Compliance with the encryption requirement |
| 2 x Gigabit Ethernet (physical) | True physical network separation | Protection of critical infrastructure |
| NAT routing | Invisible island IPs | Minimized attack surface |
Conclusion: Future-proof retrofitting
Using our Microwall VPN is the quick and easy way to migrate existing IT infrastructures to a NIS2-compliant environment. It protects your production not only from cyberattacks, but also from the legal consequences of inadequate security measures.
Don’t just read about it!
We are happy to provide you with a Microwall at no charge for a period of four weeks.