Many organisations have significantly strengthened their IT security in recent years. But while attention was focused there, operational technology risked being overlooked: the systems that keep factories, power plants and transport networks running. Those systems are increasingly connected, and increasingly a potential target.
IT and OT are converging, with far-reaching consequences
From isolated to interconnected
Operational technology (OT) has traditionally operated in complete isolation. Industrial control systems (ICS), SCADA platforms and programmable logic controllers (PLCs) were designed for reliability and continuity, not for security in a connected world.
Digitalisation breaks down the barriers
The pressure to work more efficiently, to monitor and maintain systems remotely, and to make data-driven decisions has broken down that isolation. PLCs communicate with cloud platforms. Engineers log in via VPN, often without any form of access control. ERP systems exchange data with production floors.
Third parties frequently have remote access to OT systems for maintenance, patching and support. The result: OT networks are increasingly reachable via the same attack routes as IT environments, such as poorly secured remote access and operating systems without updates, but without the security layers that IT has built up over the past decades.
Attackers are taking advantage
Countries like Russia and China deploy hacker groups to target critical infrastructure. The attacks attributed to the Sandworm group against European energy companies and government organisations are a clear example. Criminal groups have also discovered OT environments as an attractive target. The impact of an attack on an OT environment affects the continuity of business processes and, more importantly, the safety of people.
Why OT security requires a different approach
As a CISO or IT director, you are familiar with the classic security principles. But in OT environments, different rules apply, and underestimating this will lead to problems. In IT, security revolves around confidentiality, integrity and availability. In OT, availability and safety carry extra weight. A production line that goes down costs money immediately and can create dangerous situations. That means updating, restarting or isolating systems is often not an option. Security measures must be chosen with that in mind.
Legacy systems and limited visibility
Many OT environments run on systems that are decades old. Vendors no longer supply updates, but the systems cannot simply be replaced or shut down. They remain vulnerable, and therefore require specific measures such as virtual patching. Organisations must know what is running in their OT environment. PLCs, HMIs, SCADA systems, sensors: there are often dozens or hundreds of them, without a complete overview. That is not a minor issue. You cannot protect what you do not know.
Poor segmentation and third-party access
The separation between IT and OT is often inadequate. Once an attacker gains a foothold in the IT network, the step to OT systems can be a small one. On top of that, OT environments are maintained by external vendors with remote access. Those access points are often insufficiently secured, barely monitored, or sometimes not even known. Striving for Zero Trust is essential here.
Regulation makes waiting no longer an option
From voluntary to mandatory: executives personally liable
Security standards for OT have existed for some time. IEC 62443 provides a solid framework for industrial cybersecurity, and the NIST guidelines for ICS are widely recognised. For a long time, however, compliance was voluntary: organisations decided for themselves whether to adopt these standards. That is now over.
The NIS2 Directive imposes stricter requirements on organisations in sectors such as energy, water, transport and healthcare. Executives are personally liable for shortcomings. Incidents must be reported within 24 hours, followed by a full notification within 72 hours and a final report within one month. Risk management measures are no longer optional, and that applies to OT as well.
In addition, the Cyber Resilience Act requires manufacturers of OT components to demonstrably secure their products and keep them secure throughout their entire lifecycle. For a CISO or IT director, this means OT security is no longer purely a technical matter. It requires board-level involvement, clear accountability, demonstrable risk decisions and a well-designed process for when things go wrong.
Where to start? A clear order of priorities
The scale of the challenge can feel overwhelming. There is, however, a logical sequence:
- Create visibility. Know what is running in your network. A current inventory of all assets is the foundation of everything. Without this overview, every subsequent step is built on sand.
- Strengthen segmentation. Ensure a clear separation between IT and OT, and limit how far an attacker can move within the OT network as well.
- Secure remote access. Establish centralised access control to critical systems, determining who gets access and under what conditions.
- Set priorities. Not everything can be addressed at once. Start with the systems where downtime or a breach would have the greatest impact.
- Establish accountability. Ensure OT security has a permanent place in the boardroom, with clear ownership and a corresponding budget.
How Fortinet protects OT environments
One platform for IT and OT
Fortinet is one of the few vendors with a complete portfolio specifically tailored to OT. What makes it distinctive: all components work together through the Fortinet Security Fabric, allowing IT and OT to be managed and monitored from a single platform. This eliminates the blind spots that arise when standalone tools fail to communicate with each other.
Protecting the production floor
The foundation is FortiGate Rugged, a broad portfolio of industrial firewalls built to withstand harsh conditions on the production floor and capable of deep inspection of industrial protocols such as Modbus and DNP3 through OT Security Services. FortiGuard Labs provides continuously updated threat intelligence specifically targeting vulnerabilities in PLCs, HMIs and SCADA systems. With Fortinet Virtual Patching, even systems that cannot be patched remain protected.
Detection and response
FortiAnalyzer and FortiNDR provide visibility and detection: together they map the entire environment, identify anomalous behaviour using AI, and can respond automatically. And if an attacker does get in, FortiSOAR and FortiDeceptor support fast detection and response. FortiDeceptor lures attackers towards decoy systems, keeping real systems out of harm's way.
The role of Nomios: expertise over sales
Technology is only half the work
Technology is one thing. The real question is how to deploy it effectively in an environment where operational continuity and safety come first, where legacy systems are the norm and where regulatory pressure is mounting. We always start with insight: what is running, how is it connected, and where are the real risks? We then help with the design and rollout of a security architecture (segmentation), based on IEC 62443 and built on the Fortinet Security Fabric.
What we see in practice
Nomios has been working with Fortinet for many years to secure OT environments. The greatest risks rarely lie in a lack of technology, but in how that technology is configured. A firewall that does not understand OT protocols. Segmentation that looks sound on paper but is leaky in practice. Monitoring that does collect data, but which nobody actively looks at. Many organisations are moving away from a fully isolated (air-gapped) environment and bringing IT and OT closer together. It is precisely at that moment that security is at its most vulnerable and therefore most important.
OT security starts today
OT security is no longer a niche topic for specialist engineers. It affects the continuity of your organisation, the safety of people and, with NIS2 in mind, the personal liability of executives. Organisations that invest now in visibility, solid segmentation and clear accountability are building an environment that will hold up tomorrow as well. Those who wait risk being forced into far more costly measures at the worst possible moment.
Want to know where the blind spots are in your OT environment? Nomios carries out a focused OT security quickscan and gives you a clear picture of the risks and the steps that matter, in a short timeframe.