Interview with Dr. Terence Liu, TXOne
"Our suggestion is to begin with the protection"
Security is becoming mandatory. How should companies proceed? How can security be implemented even with a limited budget? TXOne Networks CEO Dr. Terence Liu provides answers.
The new European Machinery Directive makes security mandatory. As an OT security specialist, what reactions have you seen from the mechanical and industrial engineering sector against this backdrop?
Dr Terence Liu: The Cyber Resilience Act (CRA) is the reason for such security awareness and enforcement. It's a very meaningful initiative for the security of industrial products, and the leading machine builders we're talking to take this very seriously.
The main challenge is to create a product with enough security level inside, without introducing any hassle for the end users who are never trained for any security configurations and operations. That's why we're heading in the direction of built-in solutions where security implementations are included in every machine and preconfigured for the maximum security level without any end user involvement.
Why is it so difficult for many companies to implement security measures?
Liu: Putting aside budget issues, for OT, there are some common difficulties:
First: Lack of security staff, in terms of planning and managing all security controls.
Second: Technical constraints to install security software. For example, business constraints such as the SLA prohibiting any installation of 3rd-party apps. Or technical constraints such as legacy systems unable to install or run security software.
Third: Negative impacts to operations due to improperly designed security measures. This happens mostly when organizations try to reuse the IT security products and find they don't fit in OT.
Fourth: Many industries depend on complex interdependencies, diverse technologies, and potential vulnerabilities throughout the entire supply chain.
This is why we established TXOne Networks. We aim to create OT-native security solutions with the mindset to always keep operation as our first concern. Our goal is to break every barrier for the OT environments to have appropriate security implementations in one way or another, through our multi-layer solutions optimized for OT environments with operational insights.
What advice do you give to small and medium-sized companies (SMB) that are taking their first steps in terms of OT security?
Liu: With the limited budget and limited security staff, our suggestion is to begin with the protection.
Among other major security pillars such as governance, identification, protection, detection, response, and recovery, marching towards protection is the easiest one with immediate outcome. When you have a robust frontier established, you can have more time to look into other aspects of security for further enhancement plans.
As an OT security expert, how can you provide support?
Liu: From the product point of view, our products are built based on domain know-how. Take one example here: only when we're familiar with the semiconductor manufacturing details will we create security products that perfectly match the security expectations of semiconductor manufacturers, in terms of feature and the use case.
Our major customers are VLEs. Working side-by-side with our partners and customers is part of our business routine. In most cases we work with industry leaders. Once the anticipation is fulfilled, other players in the field will enjoy the same benefits because in each industry there is still a big portion of similarity, such as manufacturing process and controls, industrial regulations, and technical setups.
To what extent is it possible to apply IT security measures to an OT environment?
Liu: It's very unlikely for IT security measures to fit into OT. The dependencies upon the internet, security experts, and computing resources are the major pain points for people to use IT security tools in OT.
Meanwhile, IT products are not committed for prolonged service periods, because they are set to only embrace the mainstream. For example, the market share of Windows XP, which Microsoft ceased supporting, is 0.33% according to the statistics. When you investigate the OT environments it's a totally different story. Many assets in OT environments have been running perfectly for more than 20 years and are still working well. Those valuable legacies are not protected by most IT security measures. An OT-centric security product will make sure the security measure is 100% compatible with such legacy systems and offers security features without impacting this very valuable legacy asset.










