
Segmentation first — without waiting for the big retrofit
Instead of waiting a decade to replace every legacy component, I work with many clients to first structure the network architecture along IEC 62443 principles. That means defining zones and conduits, installing firewalls and industrial DMZs, and consolidating and hardening remote access. Even if legacy systems keep running inside these zones, clear segmentation sharply reduces the options for lateral movement.
Monitoring that understands OT
Classic IT security tools hit their limits in OT environments when they do not understand industrial protocols, process characteristics and operating modes. That is why I advocate integrating OT-specific monitoring solutions into an existing SOC or a dedicated OT SOC — with use cases focused on industrial anomalies such as unexpected PLC program changes, unusual communication paths or atypical process values. Only with this visibility can organizations move from reactive firefighting to proactive detection and containment.
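As an added illustration (not code from the original article), the following script sketches how the three use cases above can be expressed as baseline-driven checks: a hypothetical zone-and-conduit model derived from the segmentation design, a list of stations authorised to download PLC logic, and an expected operating envelope per process tag. Asset names, zone names, limits and the sample events are constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical IEC 62443-style zone model (constructed for this example):
# which zone each asset sits in, and which zone-to-zone conduits are permitted.
ZONE_OF = {"hmi-01": "control", "plc-07": "control", "hist-01": "dmz",
           "eng-ws-02": "engineering", "corp-laptop-9": "enterprise"}
ALLOWED_CONDUITS = {("control", "control"), ("control", "dmz"),
                    ("engineering", "control"), ("enterprise", "dmz")}
# Engineering stations allowed to download logic to PLCs, and the expected
# operating envelope per process tag (both hypothetical).
AUTHORIZED_PROGRAMMERS = {"eng-ws-02"}
PROCESS_LIMITS = {"tank_level": (10.0, 90.0)}

@dataclass
class Event:
    kind: str        # "conn", "plc_program_change" or "process_value"
    src: str         # asset that initiated the connection / change / reading
    dst: str = ""    # peer asset for "conn" and "plc_program_change"
    tag: str = ""    # process tag for "process_value"
    value: float = 0.0

def analyze(events):
    """Return (rule_name, event) pairs for the three use cases named in the
    text: unusual communication paths, unexpected PLC program changes and
    atypical process values."""
    alerts = []
    for ev in events:
        if ev.kind == "conn":
            path = (ZONE_OF.get(ev.src, "unknown"), ZONE_OF.get(ev.dst, "unknown"))
            if path not in ALLOWED_CONDUITS:
                alerts.append(("unusual_communication_path", ev))
        elif ev.kind == "plc_program_change" and ev.src not in AUTHORIZED_PROGRAMMERS:
            alerts.append(("unexpected_plc_program_change", ev))
        elif ev.kind == "process_value":
            lo, hi = PROCESS_LIMITS.get(ev.tag, (float("-inf"), float("inf")))
            if not lo <= ev.value <= hi:
                alerts.append(("atypical_process_value", ev))
    return alerts

# Constructed sample events, as a normalized OT monitor might emit them.
SAMPLE_EVENTS = [
    Event("conn", "hmi-01", "plc-07"),                    # control -> control: fine
    Event("conn", "corp-laptop-9", "plc-07"),             # enterprise -> control: no conduit
    Event("plc_program_change", "eng-ws-02", "plc-07"),   # authorised engineering station
    Event("plc_program_change", "hmi-01", "plc-07"),      # an HMI should never download logic
    Event("process_value", "plc-07", tag="tank_level", value=55.0),
    Event("process_value", "plc-07", tag="tank_level", value=97.5),  # outside envelope
]
ALERTS = analyze(SAMPLE_EVENTS)  # three alerts, one per use case
```

In a real deployment the zone map and limits would be generated from the segmentation design and the process engineers' alarm limits rather than typed by hand, and the alerts would feed the SOC's existing case management.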
Regulation as leverage — not obstacle
Sector-specific mandates and standards like ISO 27001 or IEC 62443 are, in my view, not a compliance burden but a politically and legally backed business case for security. In projects, I translate legal requirements into a roadmap with concrete controls: from risk management and incident response to supply chain security and business continuity planning. This helps management legitimize investments and make priorities transparent — including the message that, under evolving regulations, inaction is no longer an option.
