There’s a lot to say about the OT market in combination with IT. These two markets might clash, but it’s important to keep them close together. Why? Gerben van der Lei, Principal Consultant & OT Practice Lead at Fox-IT, emphasizes: “Act now, or risk tremendous failures”. With over 12.5 years at Fox-IT and deep expertise extending from cryptography to OT consulting, he sheds light on this topic.
Specific threats for the OT market
According to Gerben, the OT market is under attack from multiple fronts: “The threats can come from outside, within, or even from the industry itself.” External risks are intensifying as attackers become more sophisticated, while internal challenges arise when organizations try to apply IT security methods to OT environments. In short, Gerben identifies three critical pillars of threats facing the OT landscape:
- External threats: As attackers become increasingly sophisticated, external threats are evolving at a rapid pace. Traditional defenses are no longer enough to keep pace with these emerging risks.
- Internal threats: A significant risk arises when organizations apply IT security practices to OT environments without considering the unique needs of OT. “Many security models are relevant for both IT and OT, but it’s crucial to carefully consider their implementation, especially since physical processes are at the core of OT operations,” Gerben warns.
- Vendor & SaaS pressures: The push towards cloud-based SaaS models pressures OT companies to adopt solutions that may remove control over their physical processes. “Sales-driven promises of SaaS can lead companies to compromise on the essential nature of their operational control,” he explains.
The typical cultural clash: When IT meets OT
The cultural divide between the two domains is a major obstacle in OT and IT collaboration. “IT professionals are conditioned to move quickly; they believe in a ‘move fast and break things’ mentality. In contrast, OT engineers must consider the physical process, which demands careful deliberation before action.”
“IT often focuses on rapid execution, while OT requires a more thoughtful, deliberate approach before taking action.”
This difference in pace and approach often leads to misunderstandings and misaligned priorities, with potentially dangerous consequences for critical infrastructure.
“My advice to IT professionals is: ‘Make sure you fully understand where OT is coming from before imposing your best practices.’” IT teams are used to rapid change and iterative improvements, while OT engineers prioritize the stability and predictability of physical processes. Therefore, mutual understanding is key. “For OT professionals, it’s equally important to understand what IT people are trying to achieve and the risks they see. Only then can both sides collaborate effectively.”
Keeping the physical process at the core
Central to Gerben’s advice is the principle of maintaining control over the physical process. “My advice is simple: keep IT close to the physical process. In OT, the physical process is what matters most—everything else is meant to support that process. The further you remove your IT controls from the operational process, the harder it becomes to defend, and the more vulnerable you are to disruptions.” For Gerben, a well-architected OT system is one that is simple, with clear boundaries and minimal unnecessary connections.
Tools for resilience: The role of DataDiodes
Among the tools that can help bridge the OT/IT divide, Gerben points to the strategic use of DataDiodes:
“DataDiodes aren’t a magic solution, but they are a highly effective way to enforce a one-way flow of data. They let you extract essential monitoring data from your OT network without exposing it to inbound threats.”
He further explains that DataDiodes can be configured to secure both outbound data (for example, performance or security monitoring data) and inbound data (such as orders entering a production system). This controlled data flow simplifies network architecture and strengthens security. By using DataDiodes, organizations can isolate their critical OT processes while still benefiting from necessary IT connectivity—simplifying complex architectures and making them easier to defend.
The urgency of proactive OT strategy
Regulatory frameworks, such as NIS2, are beginning to play an influential role in aligning IT and OT security efforts. Gerben elaborates: “One of the greatest advantages of these frameworks is that cybersecurity becomes a boardroom issue. When the board holds IT security accountable, it forces organizations to ensure that both IT and OT teams are supported in their efforts to secure critical systems. Compliance isn’t just about ticking boxes—it’s a trigger for a more integrated, risk-aware approach across the organization.”
Looking ahead, Gerben is cautious yet optimistic. The shift towards cloud-based services and SaaS models brings undeniable benefits, but also the risk of giving up too much control to external vendors. “Companies must decide now which critical processes they want to keep in-house. You don’t want to end up in a situation where a software vendor is making decisions for you, or where you’re forced to operate on a fraction of the bandwidth you’re used to because of unforeseen market changes.” For Gerben, proactive planning is key:
“The golden opportunity in OT is that many companies still have the chance to make smart choices before it’s too late.”
Note to companies: undertake these steps
Gerben’s advice is both direct and urgent. Companies cannot afford to delay. According to him, here’s what must be done:
- Conduct a comprehensive risk analysis: Identify your crown jewels. Understand which operational processes are critical and must remain under direct control.
- Keep IT close to the physical process: “My advice is: keep the operational process as the most important. All IT should support this primary function.”
- Simplify your architecture: Reduce unnecessary connections and complexity. “The more complexity you add, the easier it is for your defenses to be compromised.”
- Implement secure data flows: Utilize DataDiodes and other tools to enforce one-way data transfers between OT and IT networks.
- Plan for a future with limited bandwidth: Prepare for scenarios where network connectivity may be constrained, such as during peak demand or emergencies. Consider how your current decisions and system configurations would hold up if you had only a fraction of your current bandwidth. Would critical operations still function efficiently, or would performance suffer?
- Avoid over-reliance on external vendors: Maintain control over critical systems. “Do not let an external vendor dictate the future of your operations.”
In short: embrace simplicity, enforce robust security measures, and above all, never lose sight of what truly matters: the integrity of your physical processes.