Followed up with Jan Hoff, Dragos
"A 'one-size-fits-all' model does not make sense."
In the face of digital transformation, companies need a solid understanding of OT cybersecurity in addition to IT security, and of the differences between the two. Jan Hoff explains what this entails.
Mr. Hoff, to what extent has communication between OT and IT experts changed?
Communication and thus the understanding between the two has developed positively in recent years. Although the field of OT as part of automation technology is not new, the term OT as a distinction between industrial technology and IT has led to misunderstandings. Traditionally, OT focused on the reliability and safety of physical processes, while IT concentrated on data and network security. Nowadays, the two areas can no longer work separately. Convergence began early on with the adoption of IT components in industrial systems.
What integration trends are emerging between IT and OT security?
From a business perspective, there is a need to exchange data across different areas of the company, which also affects OT security. Security tools are being centralized, for example for joint logging and monitoring, while specialized OT tools can still be used to handle alarms in a targeted manner.
From a security perspective, skills shortages and varying levels of maturity require IT and OT to work together to protect the business and industrial environment. It is often wrongly assumed that IT tools and processes can simply be transferred to OT. IT and OT must therefore be integrated into joint security structures, such as a Security Operations Center - always taking individual requirements into account. A 'one-size-fits-all' model does not make sense due to the differences. The basis for a reference architecture is a 'defensible architecture' that takes protective measures and responses to incidents into account. A first step is the Purdue model, on which a common IT/OT reference architecture can then be developed.
How do the individual sectors differ in terms of IT/OT security requirements?
Historically, the focus has been strongly on the energy industry and the oil and gas sector, but a manufacturing company cannot be treated like an energy supplier. Commonalities include the static architecture and delimitable networks of industrial plants as well as existing security measures. A key factor remains the people who secure and operate these environments.
Digitalization has led to a convergence of infrastructures and challenges in IT/OT security. Protection goals such as availability, integrity, confidentiality, productivity, reliability and safety are present in almost all industries. Depending on the industry, legal requirements from KRITIS or NIS vary, meaning that 'compliance according to a template' is not possible.
Should companies build up their own security expertise?
Companies considering Security-as-a-Service must bear in mind that service providers can only provide limited internal knowledge of security and industry processes. Internal technical and security expertise is crucial for effective incident response. However, building security expertise is a long and difficult process. Operators should strategically develop the ability to manage external service providers. Maintaining in-house OT security staff is often uneconomical or impossible due to a shortage of skilled workers. Therefore, external OT security experts can supplement internal staff and enable the use of technologies such as network monitoring, while operational staff focus on their core tasks and the facility remains protected. Regardless, five measures should be implemented: an OT-specific incident response plan, a well-defended architecture, visibility into networks and systems, secure remote access and risk-based vulnerability management.
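The interview refers to the Purdue model as the starting point for a defensible IT/OT reference architecture and to network visibility as one of the five baseline measures. The following script is an added example, written for this page and not code from Jan Hoff or Dragos: it maps a constructed set of flow records to Purdue levels using a hypothetical asset inventory and flags traffic that crosses the enterprise/industrial boundary without passing through the industrial DMZ (level 3.5), skips levels, or involves an asset missing from the inventory. The subnet-to-level mapping, the sample flows, and the adjacency rule are simplifications chosen for illustration, not a Dragos recommendation.

```python
"""Purdue-level conduit check over constructed network flow records.

Assumptions (hypothetical, for illustration only):
  * Each subnet in INVENTORY is assigned one Purdue level.
  * Traffic is considered acceptable only between the same or adjacent
    levels in PURDUE_ORDER, so anything moving between the enterprise
    zone (4-5) and the industrial zone (0-3) must transit the DMZ (3.5).
  * Endpoints not covered by the inventory are a visibility gap and are
    reported rather than silently ignored.
"""
from ipaddress import ip_address, ip_network

# Ordered Purdue levels; adjacency is measured by index distance in this list.
PURDUE_ORDER = [0, 1, 2, 3, 3.5, 4, 5]

# Constructed inventory with hypothetical addressing: subnet -> Purdue level.
INVENTORY = {
    ip_network("10.0.0.0/16"): 4,    # enterprise network
    ip_network("10.1.0.0/24"): 3.5,  # industrial DMZ (jump host, historian replica)
    ip_network("10.2.0.0/24"): 3,    # site operations (historian, engineering)
    ip_network("10.3.0.0/24"): 2,    # supervisory control (HMI, SCADA servers)
    ip_network("10.4.0.0/24"): 1,    # basic control (PLCs)
}


def level_of(ip_str):
    """Return the Purdue level of an address, or None if it is not inventoried."""
    ip = ip_address(ip_str)
    for net, level in INVENTORY.items():
        if ip in net:
            return level
    return None


def classify_flow(src, dst):
    """Classify one flow as 'ok', 'bypasses-dmz', 'level-skip' or 'unknown-asset'."""
    a, b = level_of(src), level_of(dst)
    if a is None or b is None:
        return "unknown-asset"
    gap = abs(PURDUE_ORDER.index(a) - PURDUE_ORDER.index(b))
    if gap <= 1:
        return "ok"
    lo, hi = min(a, b), max(a, b)
    # Enterprise side talking directly into the industrial zone: the DMZ was skipped.
    if hi >= 4 and lo <= 3:
        return "bypasses-dmz"
    return "level-skip"


# Constructed flow records: src,dst,proto,dport (44818 = EtherNet/IP, 502 = Modbus/TCP).
SAMPLE_FLOWS = """\
10.2.0.10,10.3.0.5,tcp,44818
10.0.5.20,10.1.0.7,tcp,443
10.0.5.20,10.4.0.9,tcp,502
10.1.0.7,10.4.0.9,tcp,502
10.3.0.5,10.4.0.9,tcp,502
192.168.77.3,10.4.0.9,tcp,502
"""


def audit(flow_text):
    """Return (src, dst, dport, verdict) for every flow that is not 'ok'."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, _proto, dport = line.split(",")
        verdict = classify_flow(src, dst)
        if verdict != "ok":
            findings.append((src, dst, int(dport), verdict))
    return findings


if __name__ == "__main__":
    for src, dst, dport, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:14s} {src} -> {dst}:{dport} "
              f"(levels {level_of(src)} -> {level_of(dst)})")
```

Run against the constructed sample, the check reports three findings: an enterprise host reaching a PLC on Modbus without touching the DMZ, a DMZ host reaching the same PLC while skipping the site-operations and supervisory levels, and an uninventoried 192.168.77.3 address talking to a PLC, which is exactly the kind of blind spot the visibility measure is meant to close. In a real deployment the inventory would be fed from the asset database and the flows from the network monitoring sensor rather than from literals.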