Rotkäppchen-Mumm
We focus on a high degree of automation and self-sufficiency when selecting our solutions. The systems have to run reliably on their own without us having to intervene manually. And that is exactly what Tenable OT Security has achieved from day one.
Tenable OT Security
The unified security solution for converged OT/IT environments
Tenable OT Security is a security solution that helps organizations protect their industrial networks from cyber threats, malicious insiders, and human error. It provides visibility into IT, OT, and IoT assets, and helps organizations prioritize cybersecurity risks.
German beverage manufacturer safeguards Operational Technology, enhances vulnerability prioritization and helps meet NIS2 requirements with Tenable OT Security
Rotkäppchen-Mumm, the leading company in the German sparkling wine, branded wine, and spirits market, achieved a total turnover of 1.3 billion euros across its nine locations in 2023. The company adopted Tenable OT Security in early 2024 to ensure the secure, uninterrupted and efficient operation of its highly complex production environment.
“When we initially launched Tenable OT Security, the first discovery generated over 80 alerts per 1,000 systems,” says Max Gutberlet, CISO at Rotkäppchen-Mumm. “Today, we’ve reduced that number by more than 52%, bringing it down to just 38 per 1,000. This represents a remarkable improvement, particularly since nearly all of the remaining vulnerabilities are classified as non-critical and do not present an immediate threat.”
Key business needs
- Reliable, powerful and scalable unified solution for complex OT/IT environment
- Detailed inventory of extensive and heterogeneous OT network
- Robust vulnerability management process to ensure NIS2 compliance
NIS2 compliance sparks urgency for robust OT protection across large production environment
Gutberlet notes that while protecting the company’s production systems from external attacks has always been as important as the security of its IT networks, the topic has taken on new urgency with the NIS2 directive, which was originally supposed to be implemented in October 2024 and whose “all risks” approach clearly includes operational technology (OT).
“Since we are affected both as a food company and as a raw alcohol producer,” says Gutberlet, “in the fall of 2023, we decided that if we wanted to follow the risk-based approach of NIS2, we would need robust vulnerability management.”
In the search for a reliable, powerful and scalable unified solution for its OT/IT environment, supported by WBS IT-Service, the team initially spoke with the major native OT security providers that specialize in passive scanning of OT networks because they didn’t want to jeopardize production with active scans. However, during the Proof-of-Concept (PoC), all of these vendors struggled with the inventorying of Rotkäppchen-Mumm's extensive and heterogeneous machinery. The four German production facilities leverage hundreds of bottling and distillery systems, control and measurement solutions and automation and logistics tools, implemented over four decades, which requires the VM scanner to support an extremely wide range of protocols, languages and interfaces.
PoC with Tenable provides a detailed inventory
After the unsatisfactory results of the first two PoCs, Max Gutberlet, who has been using Tenable Nessus and Tenable Security Center as a key part of Rotkäppchen-Mumm’s vulnerability management strategy in the IT network for several years, asked the Tenable team to support Rotkäppchen-Mumm with a PoC for its OT environment. The test installation at the Nordhausen site, which was scheduled at short notice and implemented within just two weeks with the support of the German Tenable team, proved to be a real game changer.
Although the facility runs the most diverse machine park of all the sites, ranging from modern high-tech systems to legacy devices from the late 1980s — which is not unusual for OT environments — Tenable OT Security delivered a detailed inventory after a short period of fine-tuning. In addition to a comprehensive list of systems, it also contained extensive information about the system software, the software versions and the vulnerabilities, thus laying a robust foundation for securing the environment.
Max Gutberlet recalls: “When we received the first results of the Tenable solution in early December, we immediately saw that the analysis revealed exponentially more information than with the other systems tested. It was fascinating how much information we were able to extract from the system at this early stage. We therefore quickly decided to transfer the Proof of Concept to live operation at the beginning of 2024 and rolled out the system successively at all locations. As of today – at the start of 2025 – all our German sites are connected to Tenable OT Security.”
The OT inventory proved revealing in a second respect, as well. It quickly became clear that Rotkäppchen-Mumm had many more communicating OT systems than originally assumed. “Originally, we ordered 500 device licenses for Tenable OT Security and were confident that this would cover our current needs and leave a robust buffer for the future,” says Gutberlet. “In reality, we had to reorder 300 additional licenses simply because we underestimated how many network-compatible systems we have implemented.”
The final figure is likely to be even higher. To gain full visibility of the environments, the OT team at Rotkäppchen-Mumm is currently systematically breaking down all silos in the machine park. Proprietary gateways are being replaced by dedicated new devices, each with its own IP address. This guarantees significantly more transparency, but it also means that there are suddenly far more visible devices to manage.
Uncovering Hidden Risks: How Tenable OT Security protects new and legacy systems at Rotkäppchen-Mumm
In the meantime, Tenable OT Security had ample opportunity to prove its value. In late fall 2024, Rotkäppchen-Mumm commissioned a new dosing system for chemicals at its Freyburg site. While the system was being set up by the service technician, Tenable OT Security raised the alarm — with critical warning messages to the CISO and the technician responsible for the OT environment. A quick check revealed that several of the machine's control systems had massive known security vulnerabilities for which patches had actually been available for years. The vulnerabilities were quickly fixed by the OT team who installed all necessary updates. But without Tenable OT Security, the production environment would inevitably have become vulnerable.
Next stop: Italy
After the all-around positive experience at the German locations, Rotkäppchen-Mumm is now looking to roll out Tenable OT Security internationally in the next step, initially at the Italian Rotkäppchen-Mumm subsidiary Ruggeri. The Veneto-based prosecco manufacturer has also been classified as a NIS2-affected company, and since Italy, unlike Germany, converted the requirements into national law on time in October 2024 (albeit with a 2-year transition period), the implementation of the measures is to be tackled promptly.
According to Max Gutberlet, Tenable OT Security is a key component: “As a medium-sized company with highly complex IT but limited personnel resources, we focus on a high degree of automation and self-sufficiency when selecting our solutions. The systems have to run reliably on their own without us having to intervene manually on a daily basis. And that is exactly what Tenable OT Security has achieved from day one.”