The previous strict separation of IT (information technology) and OT (operational technology) is coming to an end. OT is opening up its paths to the internet, cloud and AI via Linux. This increases the risk of cyberattacks on the one hand, but also opens up new doors for cybersecurity on the other. But one thing is clear: all companies must now address the issue, as the legal situation hardly knows any exceptions.
There is talk of OT and IT converging, or even merging. I explained this development in detail in my “Analysis of the fall of the wall between OT and IT” from January 20, 2025 and in the article “Fall of the wall between OT and IT” from August 27, 2024. The question of what this has to do with cyber security did not play a role there. Quite a lot. It leads to new threats and therefore also to new regulations and laws, and it means that almost every industrial company now has to deal with it. But what is already available for cybersecurity in IT can now also be used in OT.
Until now, cybersecurity has been a specialist area of IT, and many companies – especially larger ones – had specialists in their IT teams. The main focus was on the security of in-house servers and data centers, the security of workstation computers and IT usage by employees and customers, including the standard software systems used in all areas of the company.
Such a CNC lathe also had a lot of software. But none that could be connected to the internet and the cloud. (Image Ulrich Sendler with the help of Microsoft Copilot)
The “security” of the old OT
The area of production engineering and production, literally the machine room of the industrial company, was largely left out in its decisive elements. OT was manufacturer- or machine-specific, monolithic software that nobody but the manufacturer could access. Neither to modify it nor to record, analyze and process the data generated by the machines.
Embedded software and machine-oriented programming had almost nothing to do with IT – according to the common view and also the view of most IT managers – and therefore there were few points of contact with cybersecurity.
The cloud, AI, the internet and the global networking of IT initially only led to measures, rules and technologies that were limited to IT security. No one should be able to access servers, workstation computers or – let’s say – data from standard software in engineering without authorization. Such security systems were developed and were effective.
The fact that attacks were nevertheless on the rise, that industrial companies were increasingly affected by attacks from the internet and were often forced to shut down machines and production lines, made it clear that many companies did not even begin to understand the relevance of cyber security.
Anyone who believes that it is safe to use a private cloud running on their own servers on company premises instead of a public cloud has not yet understood how many billions hyperscalers have invested in the security of their services. And they underestimate how much criminal energy is spent on cyberattacks. Increasingly supported by authoritarian rulers and political actors in both East and West.
Nevertheless, the OT and the software running in the machines and devices were still relatively safe from attacks from external networks and unauthorized access. This type of software was too specialized and the implementation too individual for it to lead to mass attacks. The wall around OT and its isolation from IT not only kept out many technical advances, but also many dangerous attackers. Now, however, this wall is coming down at a rapid pace.
The thrust of the fall of the Wall between OT and IT
In the 2010s, real-time Linux was the door opener in the wall between OT and IT. Almost immediately, developers and managers in the manufacturing industry and increasingly also in the process industry opened this door and began to use it for themselves and their customers. For new service business models such as predictive maintenance and for ever new possibilities for data analysis and utilization from production and production lines. The way was now open to all the technologies that had already been established in IT for 10 to 20 years.
The best example of the innovative power that this has unleashed in the industry are the open, Linux-based automation platforms that have been growing into a market of their own for several years, as listed in the Smart Automation market overview since April 2024. They are paving the way for the final realization of Industry 4.0. There are currently 13 providers with 14 platforms:
Bosch Rexroth with ctrlX AUTOMATION, FLECS Technologies with FLECS, German Edge Cloud with ONCITE DPS, Hilscher Gesellschaft für Systemautomation with netFIELD, KEB Automation KG with NOA, KEBA AG with Kemro X, Lenze with Lenze NUPANO, Phoenix Contact with PLCnext Technology, SALZ Automation with SALZ Controller, TTTech Digital Solutions with Ubique, TTTech Industrial Automation AG with Nerve, WAGO with WAGO OS and WAGO ctrlX OS, and Weidmüller with u-OS and easyConnect.
There are also two sides to the coin of OT/IT convergence. As great as the benefits and new opportunities that arise with the opening of OT to the Internet are, the danger of cyberattacks, to which the shop floor is now also exposed, is suddenly becoming greater.
Governments and authorities in Germany and Europe have already responded with stricter rules and laws. Probably the most important requirements resulting from this are the Cyber Resilience Act (CRA) and the 2nd EU Directive on Network and Information Security (NIS-2 Directive). Both have been in force since the end of 2024.
No digital factory without cyber security (Image Ulrich Sendler with the help of Microsoft Copilot)
Cyber security becomes law
By the end of 2027 at the latest, the CRA requires manufacturers and providers of networked and networkable products in industry to be able to prove that their use is protected against cyberattacks throughout their entire life cycle. And with the implementation of NIS-2 into German law, several thousand additional companies and organizations will be subject to supervision by the Federal Office for Information Security (BSI) in addition to the critical infrastructures already defined.
(See the article “CRA, NIS-2 and the cybersecurity factor for automation platforms“).
Cybersecurity is no longer a matter of opinion and a question of IT priorities. Companies must take action and make their products and production facilities secure. This presents them with a new challenge. This is because IT security experts, if there are any, are being given a new field of work that is quite alien to them after decades of isolation. Until now, they have not had to reckon with latency times of thousandth of a second. However, this is the norm for machines and sensors in manufacturing or in the pharmaceutical process. New expertise is therefore required here, or alternatively access to external services.
The size and urgency of the challenge can also be seen in the number of companies that have made cyber security their business area in recent years. There are now an abundance of apps for securing products and devices in the industry. And also many providers of advice and services on this topic are to find.
Europe must also become digitally independent
What has become apparent since Trump and Musk took power is now added to the problem: The USA offers a large number of market leaders not only for AI and the cloud, but also for cybersecurity. But who in the old Europe and the remaining countries of the free world can still rely on these companies to put the security of their customers above the interests of the USA and its new leadership?
The task of digitalizing the industry has thus become even greater. Germany and Europe must now not only try to catch up with the AI and cloud market leaders. As with military security, they must also develop their own cybersecurity for industry. Security in cyberspace is no longer something that is organized according to known rules and international law. It must be viewed and dealt with in the context of the geopolitical situation. European and national.
Incidentally, the open, Linux-based smart automation platforms can also contribute an important element here. Firstly, by themselves leading the way in guaranteeing cybersecurity for the platforms and their use. And secondly, by offering corresponding apps and systems that users can use to ensure cyber security for their own products and production facilities.