While IT and Cybersecurity have had a prominent place on the agenda at many companies for years, OT Cybersecurity often lags behind. After all, what happens in the factory is less in view than your monitor in the office. But with NIS2 on the horizon, enterprises are now making great strides in getting their OT Cybersecurity in order. Our OT Cybersecurity specialist Ard Roelvink explains why this is so important: 'Critical companies are essential to society. That requires a sophisticated door policy in your process environment, also digitally.'

What makes Cybersecurity for OT different from IT?

'With the IT environment, you usually deal with it directly and the network is highly visible and approachable. The cloud is always accessible to adjust and new software is quickly implemented. With OT, this is not the case. The factory floor or process room is a completely different environment, with control systems that differ and are sometimes outdated, cables whose exact routing is not always known and PLCs that are hidden, using a non-current operating system and so on. All require maintenance and regular updates, just like your office network, but less in sight. That sometimes results in quite a bit of puzzling.'

The shopfloor is less visible?

'The industrial environment is indeed a very different place; the processes are often literally in a different location than the head office. That can also mean that an update is sometimes forgotten, or that after some time it is no longer clear where parts need replacing. If nothing goes wrong and production continues, there is nothing to worry about, right? And shutting things down for an update or maintenance takes time, which in turn is reflected in the figures. There is also the risk of process disruption.

'What you don't see is often not prioritised. Until something goes wrong, and it turns out that there is no knowledge left to solve it.'

And at the same time, technology does not stand still, and neither do hackers.

'That is correct, and that is also where the NIS2 directive comes from. Keeping the doors closed to unauthorised persons is vital. Where you used to get by with a lathe in the factory, at some point a CNC robot will be fitted, with access to the internet. But if you connect that to an old network, you might unintentionally open the door wide. Or think of switch boxes at energy suppliers or transformers that are decades old and PLCs that run on an outdated operating systems, controlling the lifts at a hospital or busy intersection. You want and need to put that in order.'

Should you then replace everything immediately?

 'No, indeed, that is often not possible at all. But what we can do, for instance, is build a safe shell around an outdated system. Then you can innovate at an appropriate speed within a safe environment, without unintentionally opening all kinds of doors. Many factories or production sites are built for ten, or fifteen years at most. If you then continue with them for longer, those processes can become totally obsolete. That cannot be solved overnight: with a shell around it, you at least ensure that you guarantee safety'.

And for that, you must go out onto the shop floor.

'Often, important information about the infrastructure of cables and systems is available, but sometimes not. Then we literally investigate cables until we have mapped everything out completely. Fortunately, we have now built up so much experience that we can quickly recognise where the bottlenecks are.'

So, in order to avoid those bottlenecks, it's important that you look into it immediately, even when building a new factory or process environment, for example?

'Certainly, that's called secure by design or secure by default. Of course, we at Batenburg have the advantage that we are also experts in building and maintaining these kinds of complex environments. So, we can connect directly to that. In addition, with NIS2 coming up, there is increasing attention to securing the process environment.'

That attention is important, especially since we all depend on those systems?

'OT Security is of great social importance. It involves energy, drinking water, infrastructure and food, all things that are primarily needed to keep our society running. For example, we are involved in the renovation of the Afsluitdijk. We can all imagine how important it is that those locks function properly. And just as important: that only the right people can turn the buttons...'

So that security goes far beyond a new virus scanner.

'That's the beauty of OT, which calls for security on all kinds of layers. Like an onion, you make sure all those layers overlap. That starts with a barrier, then come the fences with cameras, person recognition to enter the building and then ends with a solid lock on a correctly secured server room. And we haven't even covered software yet. We deal with all those layers. We apply more if needed, provide maintenance, and arrange for updates to take place. This allows the company to focus on its own business and expertise.'

Automation through optimisation

Every day, we help customers progress and improve. With a powerful combination of our core competences, we optimise by automating. We do so with deep knowledge and expertise of operational continuity and secure industrial processes. From design, development and implementation, to installation and maintenance. So, we know where things can and must be done better.