
From the diary of a pentester

When the gates are open early – How to minimize OT cyber risks and harden your systems

Jan Fischer
Head of Sales Rhebo
Jun 2, 2026
4 Min

The factory gate is open even though the shift hasn’t even started yet. This is clearly an anomaly that stands out and demands immediate action. In the case of digital anomalies in process networks or control units, however, such issues often remain hidden for a long time, making them a widespread OT cyber risk. With the NIS2 regulation, this has changed, and cybersecurity has finally made its way into the Operational Technology (OT) of German companies. But while IT departments have relied on established standard processes for decades, OT managers face a completely different reality.

Infrastructures that have evolved over time, legacy systems with lifecycles exceeding 20 years, and the absolute priority of plant availability make a blind, sweeping overhaul based on the classic IT model impossible. Anyone who attempts to impose rigid IT concepts on production without careful consideration risks costly downtime in the worst-case scenario.

So what does effective, practical OT security look like when it takes real-world budget and staffing constraints into account? A good approach is to shift your perspective and view your own infrastructure through the eyes of an attacker or a penetration tester.

A glimpse into a penetration tester’s diary

Two real-world examples demonstrate that even well-intentioned, superficial security measures can fall flat, making it unmistakably clear that cybersecurity doesn’t start at the firewall; it starts at the factory gate.


Case study 1: Accessing the turbine control system in 20 minutes

At a modern power plant, the operators had already done their homework to an exemplary standard: Windows updates were up to date, group policies had been implemented in accordance with CIS benchmarks, and strong passwords had been assigned. A penetration test was conducted to assess the effectiveness of these measures. The result was sobering: The penetration tester entered the premises unnoticed in a vehicle, found an unlocked control room, and connected his laptop to a port on an OT firewall that had been left open for maintenance purposes. Through a poorly configured OPC UA server, which turned out to be an unmonitored blind spot, he gained unrestricted read and write access to the power plant’s sensitive turbine control systems in just 20 minutes.

Case study 2: The backdoor in the control system

Another operator placed a high priority on transparent access management and implemented strict two-factor authentication (2FA) for third-party support. However, when a maintenance issue arose, the technician performed the support work entirely without the required authorization. The cause? The control system manufacturer had, without the customer’s knowledge, installed a 5G modem directly into the system as a permanent backdoor. Without a VPN, without encryption, and open around the clock. Each third-party company thus had unrestricted access directly to the innermost OT network without being detected.

3 Immediate Steps for Significantly Improved OT Security

These examples show that the greatest danger in OT lies in blind spots and a lack of visibility. To effectively harden your infrastructure without compromising production, you should prioritize the following three steps:

  • Clarify responsibilities and processes: Clearly define who on the IT and OT sides is responsible for which components. Unmonitored “shadow IT” or forgotten systems (such as the OPC UA server) are the number one entry points.  
  • Segment the network (zones & conduits): Consistently separate the IT environment, the OT infrastructure, and engineering and remote access. Use hardened firewalls between zones to nip lateral movement by attackers in the bud.
  • Control residual risk through passive monitoring: Since 100% prevention is an illusion in OT (not least because of legacy systems), you need an early warning system. A network-based intrusion detection system (NIDS) receives a copy of the communication via a mirror port, so it has no impact on the system. It detects anomalies, protocol violations, and cyberattacks in real time without placing even the slightest burden on the industrial process.
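As an added illustration of steps 2 and 3 (not code from Rhebo or the playbook), the following Python sketch shows what a passive monitor fed from a mirror port actually checks: it learns the baseline communication relationships of the OT network, holds every flow against a zone-and-conduit policy, and flags writes to a control server from any host outside the engineering zone, which is exactly the pattern of the laptop on the OPC UA server in case study 1. The zone model, addresses and flow records are constructed for the example, and the `op` field stands in for what a protocol parser would extract.

```python
from typing import Iterable, List, Set, Tuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # source IP as seen on the mirror port
    dst: str    # destination IP
    proto: str  # application protocol, e.g. "opcua" or "modbus"
    op: str     # "read" or "write" (hypothetical field from a protocol parser)

# Hypothetical zone model: subnet prefix -> zone, and the conduits (zone pairs)
# that are allowed to talk to each other. Anything else is a violation.
ZONES = {"10.1.0.": "engineering", "10.2.0.": "control", "10.3.0.": "it"}
ALLOWED_CONDUITS = {("engineering", "control"), ("control", "control")}

def zone_of(ip: str) -> str:
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"

def learn_baseline(flows: Iterable[Flow]) -> Set[Tuple[str, str, str]]:
    """Record every (src, dst, proto) relationship seen during a clean learning phase."""
    return {(f.src, f.dst, f.proto) for f in flows}

def detect(flows: Iterable[Flow], baseline: Set[Tuple[str, str, str]]) -> List[Tuple[str, Flow]]:
    """Return (alert_kind, flow) pairs for traffic that deviates from policy or baseline."""
    alerts = []
    for f in flows:
        conduit = (zone_of(f.src), zone_of(f.dst))
        if conduit not in ALLOWED_CONDUITS:
            alerts.append(("conduit_violation", f))       # e.g. unknown laptop -> control zone
        elif (f.src, f.dst, f.proto) not in baseline:
            alerts.append(("new_relationship", f))        # allowed conduit, but never seen before
        if f.op == "write" and zone_of(f.src) != "engineering":
            alerts.append(("write_from_non_engineering", f))  # writes belong to engineering only
    return alerts

# Constructed sample data. Learning phase: the engineering station reads the
# OPC UA server, which in turn polls a PLC over Modbus.
BASELINE_FLOWS = [
    Flow("10.1.0.5", "10.2.0.10", "opcua", "read"),
    Flow("10.2.0.10", "10.2.0.20", "modbus", "read"),
]
# Live phase: the same two flows, an IT workstation probing the OPC UA server,
# and a foreign laptop (no zone) writing to the turbine control server.
LIVE_FLOWS = BASELINE_FLOWS + [
    Flow("10.3.0.7", "10.2.0.10", "opcua", "read"),
    Flow("10.9.9.9", "10.2.0.10", "opcua", "write"),
]

def run_example() -> List[str]:
    """Alert kinds raised on LIVE_FLOWS after learning from BASELINE_FLOWS."""
    return [kind for kind, _ in detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS))]
```

The two baseline flows stay silent; the IT probe raises a conduit violation, and the foreign laptop's write raises both a conduit violation and a write alert, which is the early warning the case study lacked.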

Ready for the complete pentester playbook?

Securing your industrial infrastructure isn’t an insurmountable, mammoth project; you just have to get started, step by step. In our new “Playbook for OT Security—A Penetration Tester’s Guide”, we go far beyond these first steps. We’ll walk you through the ten most important organizational and technical hardening measures in detail (from group policies to application whitelisting to incident management) and show you how to meet the requirements of IEC 62443, ISO 27001, and NIS2 in a practical and cost-effective way.

Download our free playbook here and effectively secure your OT infrastructure.