ITM8
Insights · Live Demo Portal

Demo Access

This is a confidential preview. Enter the access code to continue.

Restricted to ITM8 internal & invited executives only.
For demo purposes — contains illustrative data.
ITM8 Insights · Aalborg Portland A/S

Overview

Last sync:
📄 View Full Board Report
Strategic IT & Operational Resilience

Good morning, Aalborg Portland.

Your IT, OT, sustainability and compliance posture — in one live view. Built around the regulatory and operational realities of cement manufacturing.

3
Plants live
612
Endpoints
17
Data sources
🏥
IT Health Score
2.6/5
▲ +0.1 vs last quarter
⚠️
Critical Risks
5
▼ same as last week
📜
Compliance ready
62%
▲ +8% this quarter
💰
Cyber Insurance
Conditional
▼ EDR gap

Maturity Trend (last 8 quarters)

Q1-2024 → Q1-2026
Overall Maturity
2.6 / 5
Developing → Defined

Cement-industry benchmark: 2.9. Two domains lift the average, OT and Compliance pull it down.

Live Activity Feed

Auto-refresh · 10s

Domain Maturity

Click any row for what's pulling it down

IT Operational Reliability

"Does it just work?"
Uptime (12 mo)
99.4%
▲ above SLA
Tickets in SLA
88%
▲ +4% this Q
Patched in SLA
62%
target 90%
Mean time to resolve
3.2 h
▼ improving

Industry-Specific Snapshot

Cement & heavy industry

Kiln SCADA

3 plants online
● Healthy

OT/IT Segmentation

62%
⚠ Partial

CO₂ / ton cement

589 kg
▼ -3.2% YoY

EU ETS allowances

82%
⚠ Tightening
🖥️
On-prem Servers
42
42 up
☁️
Azure Resources
187
all healthy
💻
Endpoints
612
3 offline
🔥
Avg CPU load
34%
▼ stable

Datacentre Network Throughput

Mbps · last 60s

System Load

CPU per host group
Memory per host group

Live Security Events

Defender + SIEM

Live System Events

M365 + Azure + on-prem

Backup & Recovery

Last successful backup
2h 14m ago
▲ within RPO
Job success (24h)
98%
87 of 89 jobs
Immutable offsite copy
✓ Verified
last verified 6h ago
Last restore test
12 days ago
▲ passed

Backup Job Status

Veeam · last 24h
💾
SAP S/4HANA · productionDaily incremental + weekly full
SUCCESS2h ago · 1.2 TB
📁
File servers (Rørdal)Hourly snapshots
SUCCESS23m ago · 340 GB
📁
File servers (Aalborg HQ)Hourly snapshots
SUCCESS17m ago · 480 GB
🖥️
VMware vSphere cluster89 VMs · per-VM backup
SUCCESS2h ago · 87/89
⚠️
Plant historian (Quarry)Snapshot replication
WARNINGretry queued
📨
M365 mailboxes & OneDriveNative + 3rd party retention
SUCCESSlive · 612 users

Service Desk & SLA

Open tickets
47
P1: 1 · P2: 4 · P3: 28 · P4: 14
SLA at risk
3
need attention
Resolved today
22
▲ +14% vs avg
SLA met (30d)
94%
target: 90%

Top 5 Tickets — Oldest Open

ServiceNow
🔴
INC0089421 · ERP report failureFinance · assigned to L2
P15h 22m
🟠
INC0089388 · VPN slow from RørdalPlant operations
P28h 14m
🟠
INC0089374 · SCADA gateway log gapOT team
P211h 03m
🟡
REQ0089201 · New starter onboardingHR · 4 accounts
P31d 02h
🟡
CHG0089150 · Firewall ruleset changeAwaiting CAB approval
P31d 18h

Service Availability (30 days)

Per critical service
SAP S/4HANA SLA target 99.5%
99.92%
M365 / Exchange Online SLA target 99.9%
99.99%
Azure infrastructure SLA target 99.9%
99.95%
SCADA / OT SLA target 99.0%
99.41%
Internet (Fortinet SD-WAN) SLA target 99.5%
99.87%

Patch & Compliance

Endpoints compliant
596/612
97.4% in baseline
Critical patches pending
8
SLA in 4 days
Last patch wave
3 days ago
418 endpoints
Servers out-of-cycle
2
change request open

Certificates Expiring

Next 90 days
🔐
portal.aalborgportland.dkPublic web · Let's Encrypt
14 daysauto-renew
🔐
vpn.ap.localInternal · Fortinet
23 daysmanual
🔐
SAP frontend wildcard*.sap.ap.local
38 daysmanual
🔐
Print server signing certInternal CA
62 daysauto
🔐
SCADA HMI certOT segment
81 daysmanual

Identity Health

Entra ID + AD
MFA enrollment
96%
Privileged accounts active (24h)
12
Risky sign-ins (24h)
4
Stale accounts (> 90 days)
7
Conditional Access policies
14 active
Service account audit
due in 9 d

Capacity & Cost

Storage free (on-prem)
68%
42 TB available
Azure MTD spend
DKK 142k
87% of forecast
Unused M365 seats
32
≈ DKK 38k/yr saving
VMs over-provisioned
14
right-size opportunity
Threats blocked (24h)
847
▲ normal
Mean detect (MTTD)
19 min
▼ improving
Patched within SLA
71%
below target
EDR coverage
68%
gap on OT segment

Operational Technology (OT/ICS)

Rørdal Plant

Healthy
● 14 PLCs · 3 HMIs

Cement Mill SCADA

Healthy
● Last update 2 min

Quarry Telemetry

Degraded
⚠ 1 sensor offline

Kiln Control

Healthy
● Air-gapped

OT environment monitored via Claroty / Nozomi sensors mirrored to ITM8 SOC. Plant networks remain isolated; only one-way telemetry leaves OT segments.

Physical & Facility Resilience

UPS / Battery

OK · 8 min
● Tested Q1

Cooling redundancy

N+0
⚠ Single CRAC

Fire suppression

FM-200
● Inspected 2025

Datacentre access

PIN+Card
● Logged

Cabling docs

Partial
⚠ Rørdal complete

Hardware EOL

14 units
⚠ Plan needed

Telephony / Teams Voice

Live
● Operator Connect

Print fleet

42 MFPs
● Secure print

The bread-and-butter dimensions of IT operations — the part nobody mentions until it fails. ITM8 monitors UPS state, cooling redundancy, physical access logs and hardware EOL via existing facility integrations.

Risk Heatmap

Likelihood × Impact

Hover the dots
R1
R2
R3
R4
R5
R6
R7
R8
Likelihood →
Impact →

Industry Threat Pulse

Cement & heavy industry
3
DK manufacturers hit
last 90 days
4.2
Avg days production
halt per incident
68%
Entered via endpoint
or stolen credential
🚨
DK metal works · ransomware5 days production halt · DKK 6M loss
Q1 26
🎣
Nordic food producer · CFO phishingDKK 1.2M wire fraud
Q1 26
🔗
EU automotive supplier breach3 OEM lines paused
Q4 25

Sources: CFCS, ENISA, Computerworld DK · refreshed quarterly

Top Security Risks

🛡️
EDR not on OT segment15 industrial PCs
CriticalDKK 2.4M risk
🔑
Admin MFA gap4 service accounts
HighDKK 800k risk
💾
Backup not immutableTape rotation only
HighDKK 1.2M risk
🌐
Flat OT/IT networkVLAN incomplete
HighDKK 900k risk
🧠
Phishing click rate 14%Industry: 8%
MediumAwareness

Recent Security Events

Compliance Posture · Cement & Heavy Industry

Auto-mapped to your sector

Aalborg Portland is subject to multiple overlapping frameworks. Each card shows readiness, evidence collected, and the next concrete deadline.

CSRDCorporate Sustainability Reporting
ESG
68%
Evidence: 142/210Due Apr 2027
EU ETSEmissions Trading System
Carbon
82%
Verified annuallyDue Mar 2026
CBAMCarbon Border Adjustment
Trade
55%
Reporting activeDefinitive Jan 2026
NIS2Network & Information Security 2
Cyber
45%
Essential entityFirst audit Q4 2026
ISO 27001Information Security
Cyber
38%
Pre-audit phaseTarget 2027
ISO 14001Environmental Management
ESG
88%
CertifiedRecert. 2027
GDPRData Protection
Privacy
79%
Annual reviewDue Jun 2026
IEDIndustrial Emissions Directive
Env
91%
BAT compliantInspection Q3 2026
Cyber InsuranceRenewal eligibility
Insure
60%
ConditionalRenewal Sep 2026

Cyber Insurance Posture

Today vs. after Option B
Today
Conditional renewal
DKK 480k / year
✗ EDR not on OT segment
✗ MFA gap on service accounts
✗ Backup not immutable (tape only)
✓ Asset register exists
After Option B
Qualifies · preferred tier
DKK 360k / year
✓ EDR rolled out IT + OT
✓ MFA enforced everywhere
✓ Immutable, offsite backup
✓ Documented incident response
Direct premium saving: DKK 120k / year · plus broader coverage and lower deductible. Renewal window: September 2026.

Vendor & Partner Management

NIS2 supplier risk requirement
Total vendors
42
tracked
Critical vendors
5
80% of risk
SLAs in place
39/42
3 missing
Security assessed
28/42
below NIS2 bar
🛡️
ITM8 (managed services)SOC, infrastructure, end-user support
SLA OK99.5% uptime
☁️
Microsoft (M365 + Azure)Tenant + cloud services
SLA OK99.9% SLA
🏭
Siemens (kiln SCADA)OT support contract
REVIEWSLA expires Q3
📊
Cementir Group ITSAP S/4HANA, group reporting
SLA OKinternal
🚛
Logistics 3PL providerTransport & Scope 3 emissions data
PARTIALno security review

Why This Matters for Aalborg Portland

As a cement producer, Aalborg Portland sits at the intersection of three regulatory pressures: heavy environmental regulation (EU ETS, CBAM, IED, ISO 14001, CSRD), critical infrastructure cyber rules (NIS2), and group-level reporting from Cementir Holding. The dashboard automatically maps each control to the framework it supports, so a single piece of evidence (e.g. an MFA rollout) can satisfy NIS2, ISO 27001 and the cyber-insurance underwriter at the same time.

CO₂ / ton cement
589 kg
▼ -3.2% YoY
Alternative fuels
38%
▲ +5pp YoY
Renewable electricity
71%
▲ on track
FutureCEM mix
22%
▲ scaling

CO₂ Reduction Roadmap

vs. 1990 baseline

Target: -30% by 2030, net-zero by 2050. Carbon capture project (C2CC at Rørdal) on track for 2030 commissioning.

ESG Data Pipeline

📊
Energy meter data15-min granularity
LIVE→ Dataverse
🚛
Logistics emissionsTruck telemetry + 3PL
LIVE→ Power BI
⚗️
Process emissionsKiln + raw mill
LIVE→ ERP
🏭
Scope 3 (suppliers)Annual collection
PARTIAL142 / 380
💧
Water withdrawalSite sensors
LIVE→ ESG report

CSRD Disclosure Readiness

Aalborg Portland is in scope via Cementir Holding (listed parent, large undertaking). First full report covers FY2026, due April 2027.

🌱
E1 Climate ChangeScope 1+2+3 inventory complete
92%
💧
E3 WaterStress-area assessment ongoing
64%
👥
S1 WorkforceDiversity + safety metrics in place
81%
🔗
S2 Value chain workersSupplier survey not started
22%
IT Maturity Score
2.6 / 5
Developing

Cement industry: 2.9
Top quartile: 3.7

Domain Maturity — Click to Expand

Tap any row for what's pulling the score down + what fixes it

Extended Insights · Cement Industry Cut

10 add-on dimensions
IT Spend vs. Industry
2.1% rev
▼ industry: 2.6%
M365 Adoption
58%
Copilot ready: 24%
Service Desk maturity
2.4/5
▲ ITSM rollout in progress
OT/ICS coverage
68%
SCADA gaps
Tech debt (quantified)
DKK 8.2M
12 systems
Security culture
14%
phishing click
Sovereignty
EU-only
data residency OK
Project delivery
62%
on-time last 6
CSRD readiness
68%
on track

This is the dashboard summary — the full assessment includes 7 domains, 40+ sub-areas, raw findings and evidence per control.

📄 Open Full Maturity Report

The Ask

Approve Option B — Phased Plan at DKK 4.8M over 24 months, starting Q3 2026. Decision needed by 30 June 2026 to align with the cyber-insurance renewal and the NIS2 first-audit window.

If We Do Nothing

Month 1-3
Insurance flagged

Renewal requires EDR + MFA. Premium +25% or refused.

Month 4-6
NIS2 self-assessment due

Essential entity. Board carries personal liability.

Month 7-12
Probable incident

1 in 4 unprotected industrial sites hit per year. 4-5 days halt.

Month 12-24
Compounded cost

Audit findings + SLA penalties. DKK 12-25M total exposure.

Investment Options

Option A — Defer

DKK 0
No action this year
  • DKK 12–25M ransomware exposure
  • Personal liability under NIS2
  • Insurance non-renewal risk
  • OT segment unprotected

Option B — Phased Plan

DKK 4.8M
Over 24 months
  • EDR across IT + OT
  • NIS2 essential-entity ready
  • Cyber insurance qualifies
  • Score 2.6 → 4.0

Option C — Accelerated

DKK 6.4M
All within 12 months
  • Closed within one year
  • High peak load on internal IT
  • Best fit if M&A pending
  • Score 2.6 → 4.2

Business Benefits

~2,200 hrs / year savedAutomation across IT + ops
≈ DKK 1.3M
🏭
−40% unplanned downtimeDirect production impact
≈ DKK 3M
🛡
−25% insurance premiumOnce EDR + MFA + immutable backup
≈ DKK 600k
🤝
Tier-1 customer audit readyOEM + retailer questionnaires
Unlock
🌱
CSRD reporting automatedSaves manual ESG cycle
≈ DKK 400k

Board KPIs · Tracked Quarterly

Maturity score2.6 → 4.0
Critical risks open5 → 0
NIS2 ready45% → 95%
CSRD ready68% → 100%
EDR coverage (incl. OT)68% → 99%
Insurance qualifiesNo → Yes

Quick Wins · Free or Almost Free

Enforce MFA for everyone

Already in your M365 license. Blocks 99.9% of identity attacks. Less than one week to roll out.

DKK 0 extra
🛡️
Microsoft Secure Score actions

14 recommendations from Microsoft can be enabled immediately, no new licenses needed.

DKK 0 extra
🌐
OT/IT network segmentation

Use existing Fortinet gear to fully isolate plant networks. Stops malware spread to production.

Existing gear

AI & Automation Opportunity

3.1 / 5
AI Readiness

Where Aalborg Portland sits today

Strong M365 + Azure foundation, but most automation today is manual or scripted. With the security base in place (Option B), three concrete AI use cases ship within 6 months — cement-industry specific.

Data foundation (Dataverse, lake)
3.7
Copilot adoption readiness
2.4
AI governance & guardrails
1.8
OT data accessibility
3.1
📑
Copilot for Finance & Reporting

Automate monthly close commentary, ESG narratives and board-pack drafting.

Ship in 60 days
⚗️
Kiln anomaly detection

AI on plant historian data spots unusual readings before they cause downtime. Pilot one line.

Pilot 6 mo.
📨
Automated supplier invoice intake

AI extracts and books supplier invoices into Dynamics 365. Cuts manual entry ~70%.

Ship in 90 days

For the full board-level walkthrough including risk heatmap, cost-of-inaction, cyber insurance posture, and full domain detail:

📄 Open Full Board Report

Connected Data Sources

17 active · 2 partial · 1 offline

All numbers in this dashboard come from real telemetry — not consultant guesses. ITM8 Insights connects to your existing systems via read-only collectors.

Phase 0 Auto-Scan

~62% of findings in this report were collected automatically from your tenant before the first consultant interview. The remaining 38% comes from structured workshops — never raw guesswork.

🟦
Microsoft 365 (E5 tenant)Adoption, Secure Score, Defender
CONNECTEDlast sync 2m
☁️
Microsoft AzureResource graph, Cost mgmt, Defender for Cloud
CONNECTEDlast sync 1m
🛡️
Defender for EndpointEDR signals across 612 endpoints
CONNECTEDlive stream
🏢
On-prem Active DirectoryHybrid identity, GPO, group health
CONNECTEDlast sync 5m
🖥️
VMware vSphere (4 clusters)VM inventory, host health
CONNECTEDlast sync 3m
💾
Veeam Backup & ReplicationJob status, RPO/RTO compliance
PARTIALtape data missing
🔧
SCCM / IntunePatch state, compliance baseline
CONNECTEDlast sync 8m
🌐
Fortinet NGFW + SD-WAN3 sites, traffic + threat logs
CONNECTEDlive stream
🏭
OT / SCADA gateway (Claroty)Read-only mirror from plant networks
CONNECTEDlast sync 4m
📊
Power BI / DataverseESG & ERP data lake
CONNECTEDrefreshed 2h
📜
Dynamics 365 FinanceIT spend mapping
CONNECTEDrefreshed 1h
🎫
ServiceNow ITSMTickets, change, problem
CONNECTEDlive stream
🧠
KnowBe4 (Security awareness)Phishing tests, training completion
CONNECTEDrefreshed 6h
⚗️
Plant DCS / HistorianEnergy & emissions readings
PARTIAL2 of 3 plants
🚛
Logistics 3PL telemetryScope 3 transport emissions
CONNECTEDrefreshed 12h
📞
Teams Voice / Operator ConnectCall quality, capacity
CONNECTEDlive stream
🛂
SAP S/4HANA (group)Cementir consolidation
OFFLINEawaiting key

🔒 All connectors are read-only and use service principals scoped to telemetry-only API permissions. No production data leaves Aalborg Portland's tenant.

AP
Tailored ITM8 Insights for Aalborg Portland A/S
Live data · CSRD · NIS2 essential entity · OT/SCADA · cement-industry context
Cement EU ETS CSRD NIS2