From the field: real OT challenges and customer insights

In January, spotit announced the significant expansion of its OT Network & Security services (Spotit significantly expands Operational Technology (OT) activities with specialized OT team).

Since then, we’ve met with customers across food, manufacturing, logistics, recycling, and other sectors to discuss about the state of OT networking & security—what’s working, what’s not, and what’s urgently needed.

In this blog, Erik De Nert, Head of OT at spotit, shares the key themes we’re seeing in the field and what they reveal about the evolving needs of OT environments.

We’ve had dozens of interactions with security teams, engineers and decision-makers.  Here are the most valuable insights that emerged—and what they can mean for your organisation:

• NIS2 is not an IT-only concern. The OT/ICS environment is also in scope of NIS2 and is more than a check-in-the-box exercise, for example:
  • Regular assessments and up-to-date risk & asset inventories;
  • OT tailored incident response planning;
  • Supply chain security measures: certainly in OT/ICS, companies rely a lot on external suppliers. We often see poor (and unmanaged) remote access solutions, a lack of documentation of the OT/ICS environment, missing cybersecurity responsibilities in contracts;

• The one-liner “you can’t protect what you don’t know about” still holds true, although a robust ICS network & security architecture should also take the unknown into account. For us, an OT visibility ( & NIS2) assessment is more than just a snapshot from a discovery tool:
  • On-site production walkarounds and interviews with IT & OT teams are of great value;
  • Look a bit further than just the OT network:
    • What are the dependencies with IT applications? Take the total (IT + OT) architecture into account
    • Don’t forget about wireless (guest) networks, private hotspots & LTE/IOT devices
  • Look at the roadmap towards a good defensible architecture for your specific situation, taking risk prioritization, existing architecture & budget into account. There is no one-size-fits-all architecture, and an OT Visibility assessment is the ideal starting point to take all these aspects into account.
• The industrial network infrastructure not only plays an important role in the availability, performance and safety of the industrial process, the technology choices here also impact the security architecture (centralized management improves security, industrial network equipment acting as security sensor, …)

• When planning for a new machine, production line or factory, don’t forget to:
  • Include cybersecurity architecture requirements in the RFP and contracts to avoid surprises afterwards (costs, discussions, delays);
  • Open up the discussion about remote access and propose your standards;
  • Make sure you do an initial assessment and discover potential vulnerabilities before going into production (during FAT or SAT for example). We all know how difficult it is to fix things once they are in production, and this might even cause re-validation of the process in some cases.
  • Involve both IT & OT team – this is a great opportunity to build the mutual awareness and human connection as well;

• Early April, we visited Hannover Messe – shaping the future with technology, where you can find a lot of very cool digitalization & AI enabled use cases drastically improving organizations’ efficiency, but you also start to see more attention for industrial cybersecurity.

• Maybe one of the bigger threats (or at least issues): there is still a lot of work to be done in the collaboration between IT and OT teams. Sometimes it’s related to different priorities, a knowledge gap, a lack of understanding or awareness, … Building a shared language between IT and OT starts with a balanced awareness program, meaning:
  • Bringing teams together in meaningful ways
  • Avoiding one-size-fits-all online training
  • Investing in tailored programs like our OT security awareness sessions