Christine Schmitt

Provided strategic and technical support for implementing the NIS2 Directive (§30 BSIG) in a classic ICS/SCADA environment with production lines, packaging machines, conveyor systems, PLC/SCADA infrastructure, historian servers, and a partially segmented OT network.

Focus areas:

• Leading and conducting the NIS2 gap analysis (alignment of the 10 measures per §30 BSIG)
• Developing an NIS2-compliant OT target architecture for 2026 (DMZ design, jump host concept, logging, user/password policy, MFA rollout, cryptography)
• Revising and preparing OT security policies for management approval
• Planning and coordinating further project phases: OT asset inventory, network mapping, criticality assessment, risk analysis, action prioritization, pilot line implementation, and rollout

The focus was on practical, production-friendly solutions considering availability requirements, safety aspects, and legacy systems. Work followed IEC 62443, ISO 27001, and BSI ICS guidelines, including OT zones/conduit modeling, secure remote maintenance, logging concepts, network segmentation, and compensating controls for non-patchable systems.

The project laid the foundation for audit-ready NIS2 compliance by mid-2026 and served as a pilot within the group.

NIS2 compliance strategy & implementation, OT gap analysis per §30 BSIG, OT target architecture (IEC 62443 zones/conduits), DMZ design & IT/OT segmentation, jump host & secure remote maintenance, OT logging concepts & analysis, OT asset inventory & criticality, action prioritization (quick wins), OT security policies & management approval, compensating controls for legacy PLCs

IEC 62443 (SL-1 to SL-3), ISO 27001 / ISMS (ConSense), NIS2 Directive (§30 BSIG – 10 measures), BSI ICS security compendium, SCADA systems, historian servers, OT network components, OT firewalls, jump host solutions, logging tools

Felleskjøpet Agri SA, a leading Norwegian agricultural service provider, commissioned the implementation of an ISMS to meet regulatory requirements and sustainably strengthen security and compliance structures.

The project included designing, implementing, and operationalizing a fully auditable ISMS, integrating automated security processes, and preparing for external audits by regulators.

• Building an enterprise-wide ISMS framework based on ISO 27001, NIST CSF, and NIS2 requirements, defining roles, responsibilities, and governance structures
• Creating and harmonizing core ISMS policies, security processes, risk management policies, and reporting structures
• Ensuring audit readiness through complete, audit-proof documentation and defining control mechanisms
• Integrating tools to automate key ISMS processes (e.g., risk management, incident management, change requests), and building a dashboard for real-time security monitoring
• Collaborating closely with management, IT security officers, operations managers, and external auditors to align requirements and ensure successful implementation
• Conducting structured risk analyses, assessing protection needs, and deriving technical and organizational measures to reduce risks
• Supporting the development of a security culture through training and awareness campaigns for business units and executives

Project Outcome:

• Established a robust, auditable ISMS that meets all NIS2 Directive requirements
• Reduced security risks through structured processes, automated workflows, and clearly defined responsibilities
• Improved audit and reporting capabilities, as well as real-time transparency of security and compliance status
• Embedded information security sustainably into the corporate organization

Skills: NIS2, Purdue Model, IAM, ISMS, ISO 27001

Tools Used: ServiceNow (GRC & SecOps), Microsoft 365, Confluence, Jira

Project Description As part of a prioritized internal audit initiative, the maturity and effectiveness of OT security measures at Nye Veier AS are being assessed. The context is the growing threat landscape for critical infrastructures and the resulting need to significantly increase the company's cyber resilience. The goal is to identify vulnerabilities, derive concrete improvement opportunities, and strengthen organizational and technical security structures.

Tasks & Responsibilities:

• Providing expert support for internal audit processes focusing on OT security governance, risk management, and control environments
• Advising on best practices and international security standards (IEC 62443) to ensure a comprehensive and technically sound assessment
• Identifying risks related to organizational structures, access management, system dependencies, and process responsibilities
• Developing practical, risk-based recommendations in line with business requirements, regulatory guidelines, and current security maturity
• Ensuring technical accuracy and feasibility of audit findings to support sustainable security improvements

Project Outcome:

• Delivered a data-driven assessment of OT security maturity, highlighting key weaknesses in governance and operational controls
• Developed targeted improvement measures and clearly defined roles and responsibilities
• Reduced reliance on external service providers by strengthening internal competencies and processes
• Enhanced capabilities for detection, response, and recovery after cyber incidents
• Increased resilience and protection of critical infrastructures

Skills: ISO/IEC 62443, OT security, endpoint encryption, endpoint security, public road infrastructure, traffic management systems, telematics, supply chain security, OT security governance, risk analysis, audit support, security maturity assessment, risk-based recommendations

Project Description SSI Schäfer aimed to strategically consolidate its global system landscapes through a hybrid iPaaS architecture (Integration Platform as a Service).

As part of the project, an integration platform was planned and tested in a PoC, connecting about 250 systems and over 5,000 interfaces across 69 international sites. By combining SAP Integration Suite (SAP IS) for core SAP processes and MuleSoft for non-SAP, cloud, and external partner integrations, the goal was to create a scalable, secure, and future-proof integration landscape that significantly improves governance, interoperability, and efficiency.

Tasks & Responsibilities

• Managed the vendor selection and PoC process for SAP CPI and MuleSoft; defined technical, business, and security evaluation criteria
• Developed strategic decision frameworks and oversaw collaboration with partners like NTT DATA, Salesforce, and SAP
• Led enterprise-wide integration governance and cross-platform delivery, aligned with global IT strategy and compliance requirements
• Applied a PI-based agile delivery approach to manage complex integration dependencies and accelerate rollouts across business units
• Coordinated stakeholder management, risk management, and process standardization to ensure long-term interoperability and performance
• Supported the setup of a central framework for security, compliance, and monitoring as part of the global integration strategy

Project Outcome

• Built a standardized, modular integration framework that enables fast partner onboarding, cloud adoption, and scalability for international business units
• Strengthened integration governance, security, and compliance
• Calculated total cost of ownership (TCO) reduction through consolidation and standardization of the integration landscape
• Improved interoperability, operational efficiency, and resilience of the global IT infrastructure
• Designed a future-proof integration architecture as the foundation for digital transformation and new business models

Skills: API-first architecture, enterprise integration patterns, security & compliance standards, ISO 27001, enterprise integration governance, vendor evaluation, agile delivery (PI-based), process standardization, risk management

Tools Used: SAP Integration Suite (CPI), MuleSoft, Salesforce, Microsoft 365, Confluence, Jira

• Led cybersecurity risk assessments and compliance reviews following IEC 62443 standards for a railway signalling digitisation pilot in Stuttgart 21.
• Created security policies under Cybersecurity by Design principles and maintained comprehensive audit documentation.
• Employed IEC 62443, CENELEC 50128, CENELEC 50129, compliance tools, pen testing planning, and IBM Rational DOORS.

• Managed functional requirements and project planning for cloud migration and headless eCommerce development using Frontastic.
• Defined business strategy and technical requirements for predictive maintenance platforms in mining and heavy machinery industries.
• Architected IBM Blockchain and BigCommerce solutions, conducted design sprints, risk assessments, and produced technical documentation.

• Intake and requirements analysis for SAP S/4HANA predictive analytics AWS platform for media.
• Interim program management coordinating market units for predictive maintenance solutions in energy.
• Managed SCM outsourcing projects and PMO setup for supply chain solutions at UBS Bank.

• Developed Swissmedic portal for therapeutic product authorizations, handling 35,000 approvals p.a.
• Managed SAP R/3 to ERP 6.0 upgrades for Bosch Power Tools.
• Migrated SAP CRM data for VW internal customer services across 2000 sites.

• Designed customer billing processes and middle office outsourcing in SAP ECC and CRM.
• Managed bank IT infrastructure and implemented MPLS network architecture.
• Led SAP CRM implementation projects and system architecture for Bosch Customer Contact Centers in Germany and Netherlands.