OT devices – and their security – urgently need to step out of the shadow of traditional business IT. The risk of potential cyber threats is too high – after all, OT is now connected, vulnerable and business-critical. A rethink is needed: eco’s Security and IoT Competence Groups have taken on this task and raised awareness of the issue with an event.
Control machines, IIoT sensors and SCADA systems (Supervisory Control and Data Acquisition): Operational Technology (OT) is more diverse and, above all, significantly more digitalised today than it was seven decades ago. Over the past 15 years or so, what was then revolutionary technology for factory work and manufacturing has revolutionised itself once again. Modern OT is now highly connected, can often be maintained remotely, is scalable and provides data for AI models that enable real-time analysis.
However, all these beneficial features also mean that industrial companies must protect their OT devices more comprehensively against cyber attacks. The keyword here is IT-OT convergence: the networked systems of the smart factory can no longer be viewed separately from classic IT systems – the boundary between IT and OT is becoming increasingly blurred. This is due to robots retrofitted with sensors or processes that have been automated at a later stage. Are companies already aware of this development? Or is there some catching up to do?
Give OT security higher priority
“Many industrial companies are still unaware that OT devices need to be just as resilient to cyber threats as traditional IT,” says Olaf Pursche, Leader of the eco Security Competence Group. “There is an urgent need for a strategic approach to OT security – both organisational and technical.”
On 13 May 2025, eco’s Security and IoT Competence Groups therefore hosted the “Security meets Operational Technology’” event in Cologne. The aim was to raise awareness of the relevance of OT security and discuss current challenges and solutions with participants.
Three important aspects emerged in particular:
1. Cultural level: OT must emerge from invisibility
In many companies, it is not yet common practice to view OT as part of IT – and therefore also part of their security strategy. This starts with a lack of knowledge about which OT devices are used where in the process cycle and who has access to them. The first step should therefore be to carry out an asset inventory – on the basis of which comprehensive asset management can then be implemented. After all, you can only protect what you know.
And it is precisely outside ERP, CRM and SCM systems – in the production hall – that value is created: SCADA systems, PLCs, sensors and actuators ensure that systems can operate smoothly and provide ample data for analysis and optimisation purposes. However, whether via phishing, USB sticks, hacked VPN networks or remote access, many attack vectors today run via traditional IT. If a malfunction or cyber attack paralyses the systems, the entire manufacturing process can quickly come to a standstill – and in the worst case, this can lead to economic losses every second. However, if OT and IT form a secure unit, IT systems act as a bulwark to protect OT devices.
The NIS 2 regulations will soon force many manufacturing companies to take action, but they are also creating much-needed awareness of the issue of OT security.
2. Technical level: OT is “legacy legacy”
Classic legacy systems in IT are outdated, cannot be updated and are therefore obsolete in terms of their functions. In OT, however, legacy systems are sometimes several decades old and were often only digitised retrospectively. Especially where the Industrial Internet of Things (IIoT) is in use, sensors and edge gateways are usually installed retrospectively. Technology without built-in security measures still dominates, particularly at low functional levels. Overall, the numerous heterogeneous systems make it difficult to maintain an overview of current standards and to measure security in manufacturing in a uniform manner.
Why it is advisable to take a fundamental approach to security strategies: How many people have physical and digital access to OT devices? Are there devices that do not need to be online and access points that can be dispensed with? Are IT and OT networks separated to adequately shield OT devices? Which IT security methods can be applied to the OT area? What safeguards are in place in an emergency? For example, fewer remote access points and services also mean less surface area for attacks. And even small measures such as VPN, password changes and disabling unnecessary access points have an immediate effect.
3. Organisational level: Understanding OT and IT as a single entity – with boundaries
Experience shows that it makes sense to have OT and IT reviewed by separate experts, but that they should coordinate sufficiently. However, IT and OT teams often do not work hand in hand – if there is a designated IT team at all. Companies have some catching up to do, not only in terms of expertise, but also in terms of organisational structure.
OT and IT teams should think and act together, but define a clear framework for their cooperation in advance. Clear roles and responsibilities are needed, as well as interfaces to share expertise and coordinate processes. Both teams can only benefit from each other’s different areas of expertise.
From management level to machine control: a consistently coordinated cybersecurity approach is required. To this end, companies should define in advance which levels of multi-layered production control still belong to OT and which already belong to IT. For example, which area of responsibility does a system that combines a human machine interface (HMI) and a supervisory control and data acquisition (SCADA) system fall under? As a rule, OT begins with sensors and actuators that supply data for OT security tools and ends where manufacturing execution systems (MES) document and optimise production processes – in operations management in manufacturing. However, each company should define this boundary individually.
It is important to understand that not every IT security method can be applied one-to-one to the OT area, but many principles (e.g. segmentation, monitoring, access control) are transferable – provided they are implemented in a manner appropriate to OT.
You can find out more about security in Industry 4.0 from the eco Security and Internet of Things (IoT) Competence Groups. Become a member and experience real industry dynamics!
