IT vs. OT: two worlds, one goal

Security becomes mandatory: New EU regulations such as the Cyber Resilience Act (CRA), NIS 2 and the Machinery Regulation mandate greater Security in production. Matthias Kuczera and Simon Nutz explain what machine manufacturers and operators need to know now – and how they can provide effective protection for their plant.

The number of cyber attacks on companies is increasing. What is the first step towards greater protection against such attacks?

Matthias Kuczera: Cybersecurity distinguishes between IT and OT Security. IT concerns office communication, whereas OT concerns the physical processes in production. Our products and services are specialised for OT Security. Companies should first of all check whether they are affected by current legal requirements such as the Cyber Resilience Act, the NIS 2 Directive or the new Machinery Regulation, and if so to what extent. Because legislators have also recognised that Security is highly relevant. An initial risk analysis is essential: what is worth protecting? What could happen? Which measures are appropriate? And: what to do in an emergency?

CRA, NIS 2 and MR: What awaits machine manufacturers and operators?

Simon, how does the subject of cybersecurity present itself when you are talking to customers in the field?

Simon Nutz: Most people know that they need to act, but many are unsure about what exactly is required. We do a lot of educational work and explain to customers what to expect: what needs to be implemented? What really affects the company? We start with the basics: what should be protected? What happens if a plant or OT in general is attacked? On this basis we build appropriate protection concepts.

What is the best possible way for machine manufacturers to prepare under the current conditions?

Kuczera: Companies actually have a vested interest in protecting themselves against cyber attacks. The EU guidelines are merely intended to ensure that all companies are adequately prepared.

The CRA affects all products with digital elements. From December 2027, these must meet a defined Security level. Anyone who purchases new machinery or IT infrastructure must act in accordance with CRA. Manufacturers who place their own products on the market must comply with the relevant processes. At Pilz, for example, we have a development process certified in accordance with IEC 62443-4-1, thereby ensuring that secure product development lifecycle requirements are met.

Nutz: Anyone who follows IEC 62443 is already doing a lot of things right. Even if not all of the standards are fully available yet, it is a solid foundation.

What does the NIS 2 Directive require?

Nutz: NIS 2 is about enabling companies to prepare for a cyber threat scenario. The NIS 2 Directive applies to companies with over 50 employees or an annual turnover of more than 10 million Euro. These companies must identify risks and take appropriate measures: risk management, backup management and vulnerability management. In future, attacks must be reported. This allows other companies to quickly check whether they are also affected.

“There’s no Safety without Security – that’s the core message of the Machinery Regulation. Any Safety function can be compromised and must be protected.”

Matthias Kuczera, Standards Group at Pilz

Kuczera: An information security management system in accordance with ISO 27001 is an elegant way to meet the requirements. Alternatively there are information security management systems such as TISAX (Trusted Information Security Assessment Exchange). Each company must decide whether to go down this route or implement other measures.

Security starts in the machine

The new Machinery Regulation stipulates that Security aspects must now also be taken into account when assessing Machinery Safety. What is the best approach for a machine manufacturer or operator?

Kuczera: There’s no Safety without Security – that’s the core message of the Machinery Regulation. It is now necessary to check whether a Safety function can be compromised and must therefore be protected accordingly. Even though the MR does not take effect until 2027, it makes sense to implement it now. Security gaps actually exist within the machine, i.e. in the OT. I need to know what my machine does and what the worst-case scenario is if an unauthorised person is in control of it. Is the data confidential? Is availability crucial? Then I analyse how an attacker might proceed and how to secure the control system. Because this controls the plant and must not be exposed on the Internet without protection. Misuse due to operating errors also needs to be considered. Close communication between manufacturer and operator is important. Only the operator knows the actual risk in their application.

Pilz Podcast #43 || OT Security is coming – but how do I deal with it?


Industrial Security Consulting from Pilz

How does Pilz work with its customers to create an appropriate Safety concept, including Security?

Nutz: We start with a protection requirements analysis: is it about availability, functional safety or expertise? This is followed by a detailed risk assessment. We analyse all the assets, run through attack scenarios and develop protective measures. Then we evaluate their effectiveness. The process is cyclical: what is secure today might be obsolete tomorrow. Our advantage: we know the plants thanks to our safety expertise and we are involved in developing the relevant standards, e.g. IEC 62443.

“We know the plant’s weak points and work with our customers to develop effective protection concepts.”

Simon Nutz, Industrial Security at Pilz

Kuczera: Exactly. Pilz actively brings its experience to standards committees. EN 50742 is currently in development – a standard for protection against machine corruption. We are expecting the first draft at the end of the year.

Training for greater competence

Is there also training on Industrial Security?

Nutz: Yes, our entire training portfolio has been adapted to the Machinery Regulation. Security is a component of every course. We also offer two specialist training courses:

  • Fundamentals of Industrial Security
  • CESA – Certified Expert for Security in Automation

The basic training course delivers theoretical knowledge and practical examples. In the CESA training, we delve deeper into IEC 62443 and delegates qualify as security experts for industrial automation systems.

6 steps to Industrial Security – what companies should do now

1. Carry out a risk analysis

Which assets are worth protecting? What is the worst case?

2. Integrate Security into the Safety strategy

Safety functions must be protected from manipulation.

3. Increase communication with operators

Only they know the specific application scenario and risk.

4. Set up a firewall and access protection

Basic measures such as network separation and access control are essential.

5. Comply with standards and laws

CRA, NIS 2 and MR define clear requirements.

6. Evaluate Security cyclically

A one-off risk assessment is not enough – threats change.
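Step 4 (network separation and access control) and the remark above that the control system must not be exposed on the Internet without protection are the steps a practitioner most often has to turn into concrete rules. The following is an added example, not code from the interview or from Pilz: it models an IEC 62443-style set of zones and conduits, and checks a firewall rule list for any allow rule that carries traffic into a more sensitive zone outside a conduit the risk analysis approved. The zone names, hosts, ports and rules are all constructed for illustration; the approved-conduit set stands in for the result of steps 1 to 3.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One rule between two zones (constructed model, not a vendor firewall format)."""
    src_zone: str
    dst_zone: str
    proto: str    # "tcp" or "udp"
    port: int
    action: str   # "allow" or "deny"


# Zones ordered from least trusted to most sensitive (hypothetical names).
ZONE_TRUST = {"internet": 0, "enterprise_it": 1, "dmz": 2, "control": 3}

# Conduits the risk analysis approved (constructed). Only these flows may
# enter a more sensitive zone; every other inbound flow is denied by default.
APPROVED_CONDUITS = {
    ("enterprise_it", "dmz", "tcp", 443),   # reporting frontend in the DMZ
    ("dmz", "control", "tcp", 4840),        # OPC UA from the DMZ gateway to the PLC network
}


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, proto: str, port: int) -> str:
    """First matching rule wins; with no match the implicit result is deny."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.port) == (src_zone, dst_zone, proto, port):
            return r.action
    return "deny"


def find_violations(rules: List[Rule]) -> List[Rule]:
    """Allow rules that let traffic into a more sensitive zone without an approved conduit."""
    bad = []
    for r in rules:
        if r.action != "allow":
            continue
        into_more_sensitive = ZONE_TRUST[r.dst_zone] > ZONE_TRUST[r.src_zone]
        key = (r.src_zone, r.dst_zone, r.proto, r.port)
        if into_more_sensitive and key not in APPROVED_CONDUITS:
            bad.append(r)
    return bad


def rules_from_conduits() -> List[Rule]:
    """Derive the allow list from the approved conduits; everything else hits the default deny."""
    return [Rule(s, d, p, port, "allow") for (s, d, p, port) in sorted(APPROVED_CONDUITS)]


# A constructed rule set that grew over time and contains two typical shortcuts.
CANDIDATE_RULES = [
    Rule("enterprise_it", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "control", "tcp", 4840, "allow"),
    Rule("internet", "control", "tcp", 502, "allow"),        # vendor remote access straight to Modbus
    Rule("enterprise_it", "control", "tcp", 3389, "allow"),  # RDP from the office to an engineering PC
]

# The hardened set: allow only the approved conduits, rely on the default deny for the rest.
HARDENED_RULES = rules_from_conduits()


if __name__ == "__main__":
    for r in find_violations(CANDIDATE_RULES):
        print(f"exposes {r.dst_zone} zone: {r.src_zone} -> {r.dst_zone} {r.proto}/{r.port}")
    print("hardened rule set violations:", find_violations(HARDENED_RULES))
```

The check deliberately works on the zone model rather than on a particular firewall syntax: the same `APPROVED_CONDUITS` set can be re-run against the rule base each time the risk assessment is repeated (step 6), so that a rule added for a one-off maintenance session does not quietly become a permanent path into the control zone.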

This interview was conducted by Johannes Gillar and appeared in KEM Konstruktion|Automation, 06/2025 issue.

