OT Cybersecurity and the Evolving Role of Controls Engineers

By Manav Mittal

The shift in responsibilities

Traditionally, control engineers focused on programming PLCs, designing control systems, and ensuring operational efficiency. However, the landscape has changed. Cybersecurity requirements now encompass:

Network segmentation: Implementation of VLANs and firewalls at critical system boundaries
System hardening: Advanced Windows configuration, secure user authentication, and role-based access control
Asset management: Maintaining up-to-date Software Bill of Materials (SBOMs) and asset registers.
Remote access preparation: Designing systems that are both secure and adaptable for future remote operations

These changes do not just reflect sector-specific trends, but it also includes the global need to secure OT networks from breaches that could result in life-threatening consequences, not just financial loss.

The debate: specialist versus generalist approaches

Opinions differ on whether one must be a talented controls engineer and an OT cybersecurity expert to excel in the OT cybersecurity field. Some argue that understanding both is necessary for effective security, others argue that expertise and collaboration are the keys to success.

One professional highlights the importance of specialization, saying: "I drew the line in the sand when it came to my fieldwork. I am an industrial networking professional, not a controls engineer. For me to excel, I had to let the control engineers do their jobs, and they, in turn, let me do mine. This works because, by nature, we industrial folks work together."

This perspective underscores the value of staying in one's lane to avoid spreading oneself too thin and to allow for deep expertise. "Do I know the controls? Sure, but I do not pretend to be a controls engineer. If I tried to do both, I would never get to specialize. Plants appreciate when I fix network issues in minutes because I focus solely on my field."

On the other hand, many believe that a foundational understanding of controls engineering is essential to being a competent OT cybersecurity engineer. "Just an OT cyber engineer is better than nothing, but a combination is essential to actually be good," one expert suggests. This combination ensures a comprehensive understanding of how security measures impact operational functionality.

The air gap myth

The concept of "air gap" OT networks, which is a complete physical separation of IT and external networks, has long been the gold standard of industrial security. But this model is increasingly being challenged by:

USB drives and operator errors creating vulnerabilities in isolated systems
The demand for remote access and IoT connectivity in industries such as oil and gas, pharmaceuticals, and elevators undermining traditional air-gapping
Malicious actors continuing to exploit gaps in both IT and OT environments, pushing organizations to rethink their security strategies

Emerging client specifications and challenges

Client requirements are evolving rapidly. Modern specifications demand:

Deeper levels of Windows configuration beyond basic installation
Network segmentation on larger systems, including the application of firewalls at system boundaries
Comprehensive risk assessments, SBOMs, and asset registers

While these expectations push professionals to develop new skills, they are broadly seen as positive changes. "It's all good, for the record," one engineer notes. These developments reflect the growing maturity of the OT cybersecurity field.

Trusting manufacturers and the role of base networks

Some professionals argue that once a base network is established, OT cybersecurity becomes less of a concern. They emphasize trust in equipment from reputable manufacturers. "I trust what's inside the Allen Bradley umbrella," says one end user. However, this trust does not diminish the need for robust initial setups, as production and quality remain king in industrial settings.

OT cybersecurity as a discipline

While cybersecurity is a specialized field, the convergence of IT and OT requires collaborative expertise:

Control engineers need fundamental cybersecurity knowledge to identify vulnerabilities and work seamlessly with cybersecurity teams.
OT cybersecurity professionals must understand control systems deeply enough to implement security without disrupting operations.

This dual expertise ensures a secure, resilient infrastructure that prioritizes both operational safety and system integrity.

Skills development and training

For control engineers transitioning into cybersecurity roles, continuous learning is vital. Recommended resources include:

Certifications: SANS GICSP (Global Industrial Cyber Security Professional) and CCNA Industrial.
Training programs: Free resources like those offered by experts such as Mike Holcomb.
Podcasts: Industry-specific discussions, such as David at TUV Rheinland's OT cybersecurity podcast.

The business case for cybersecurity investment

As OT cybersecurity becomes an essential part of industrial operations, organizations must recognize the need for specialized expertise. Offering a competitive salary and investing in talent is essential to avoiding pitfalls of workarounds, such as weak passwords or inadequate configuration.

The road ahead

Integrating cybersecurity with "control engineering" is not a shipping trend; it is the future of industrial automation. As customer requirements evolve and technology advances, professionals who adapt and embrace this change will lead the industry into a safer and more efficient era.
In the words of one industry veteran: "If you don't care about security, eventually someone who cares but doesn't understand will take an interest, and that's a bad thing." Let's bridge the gap between IT and OT, ensuring a collaborative, proactive approach to industrial cybersecurity.

You can reach out to me at mav.umich@gmail.com to discuss the topic further.

Tags: Cybersecurity, OT Security, Engineering,