The global and independent platform for the SAP community.

Properly Securing OT And IoT

Cybercriminals have found lucrative targets in IoT and OT. Most companies are not prepared to face this threat. A structured approach helps to minimize risks.
Christian Koch NTT Data
22 July 2021
avatar

Attacks on water supply systems, manipulated mixing ratios of drugs at pharmaceutical companies, outages of public transport display boards: Hackers are increasingly discovering operational technology (OT) and the Internet of Things (IoT) as a lucrative target for attacks. While most people now know that they shouldn’t click on dubious emails full of spelling errors, machines and systems are often unprotected.

For a long time, cybercriminals had no interest in OT because production plants or supply systems for electricity, water, and gas were not connected to other IT systems, so they could hardly cause any damage. Sometimes, attacks were just too complex to warrant the effort.

Interconnected production entices criminals

The manufacturing industry is digitizing its business processes along the entire value chain, from virtualization in the product creation process and more flexible service and business models to new manufacturing processes such as additive manufacturing. The risk of malware and cyberattacks is increasing as a result of the interconnectivity of production plants and machines with internal systems for production control or, increasingly often, with the cloud. In the process, cybercriminals try to disrupt a plant and extort a ransom or obtain trade secrets on behalf of mostly foreign competitors or countries. Then, months later, copies of car spare parts turn up that not even a service technician can distinguish from the original.

The fact that OT security lags so far behind security in IT is due to the fact that OT is planned by engineers who have to implement technical production requirements under cost pressure and in a short time, but for whom cybersecurity was rarely an issue in the past. They developed a plant purely according to functional aspects.

When new cybersecurity risks arise, the plant’s software would have to be patched. But the conditions in OT are less than ideal. Never touch a running system applies even more in OT than in IT. There is usually no time to apply patches either. Even if the update only takes a few minutes, it can bring an entire production line to a standstill and result in a lengthy restart, especially since functional tests are usually also necessary. Consequently, companies have to leverage regularly scheduled maintenance windows, but these are rare. In chemical production plants, for example, it can take several years before the opportunity arises for an update including all functional tests.

What to do

The starting point for better OT security is greater visibility in OT networks. Often, companies don’t even know what components they have in the systems, what software versions they use, what data they exchange, and what connections exist to external companies. However, you can’t protect what you don’t know. Knowing the software versions in use, communication relationships, external access, zoning in the network, and much more is the basis of any cybersecurity strategy.

Network segmentation is often the first recommended measure to take. This involves separating parts of a system from other systems according to risk level and criticality. For this approach to succeed, the detailed structure and communication of the systems must be known. It is also advisable to separate legacy systems, which can sometimes be decades old and for which updates are no longer available, from new parts and to apply separate security strategies. However, it is not only the manufacturer and operator of a system who are required to ensure a high level of security; the maintenance staff must also be on board. In the case of remote maintenance, they usually access a jump server via a VPN connection. From time to time, hackers use such connections to plant malware and spyware that can then infect entire plants and facilities, especially if access to the jump server or VPN authentication is only weakly protected. To mitigate such risks, a better architecture is needed. Some security service providers recommend an audit for this purpose with a penetration test, which should reveal vulnerabilities in the IT and OT infrastructure. You will probably find plenty of vulnerabilities, but the gain in knowledge is low, especially if no security has been implemented in the OT systems. It is much better to implement measures first and then evaluate them with an audit.

Many companies asking for OT security support have already had a security incident or know companies in their industry that have. Awareness has increased in recent years and companies are motivated to do more for security. However, they often feel overwhelmed and don’t know where to start. What is needed here is a structured approach that provides the company with orientation.

PDF in English

NTTDataCI banner.jpg
avatar
Christian Koch NTT Data

Christian Koch, Vice President Cybersecurity and Lead for IoT/OT at NTT Data.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

FourSide Hotel Salzburg,
Trademark Collection by Wyndham
Am Messezentrum 2, 5020 Salzburg, Austria
+43-66-24355460

Event date

Wednesday, June 10, and
Thursday, June 11, 2026

Early Bird Ticket

Regular ticket

EUR 390 excl. VAT
available until 1.10.2025
EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, April 22 and
Thursday, April 23, 2026

Tickets

Regular ticket
EUR 590 excl. VAT
Subscribers to the E3 magazine
reduced with promocode STAbo26
EUR 390 excl. VAT
Students*
reduced with promocode STStud26.
Please send proof of studies by e-mail to office@b4bmedia.net.
EUR 290 excl. VAT
*The first 10 tickets are free of charge for students. Try your luck! 🍀
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2026, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.