
New risks, new requirements: 5 OT security tips for management

Cybersecurity has become a strategic topic in the energy and utilities sector. In recent years, many organisations have significantly strengthened their IT security. But as digitalisation increasingly reaches production and operations, more are discovering an area where the overall picture is often less clear.

That area is OT — Operational Technology.

OT covers the systems that control physical operations: production facilities, pumping stations, substations and control systems. This is where software meets physical infrastructure — and where the consequences of a security breach are not limited to data loss, but may include operational disruption or impacts on critical infrastructure. For management, this raises a key question:

How do you get started with OT security in a way that creates real business value?

The following five recommendations are based on the experience and advice of Mjølner’s domain experts in energy and utilities, Jakob Hviid and André Bryde Alnor, as well as our partner Jørgen Hartig from SecuriOT.

1. Assign clear ownership

One of the biggest challenges in OT security is organisational.

In many organisations, the issue quickly ends up being passed around between departments: production points to IT, and IT points back to production.

“The new troublemaker in the classroom is called OT cybersecurity – but it can be difficult to determine who should actually take the lead,”

says Jørgen Hartig, Director, Strategic Advisor and Partner at SecuriOT.

As a result, OT security often falls between several functions: operations, IT and cybersecurity. Everyone recognises the risk – but no one has the clear mandate to drive the effort forward.

That is why OT security does not start with technology. It starts with a management decision about ownership.

But where does it make sense to place that responsibility?

Experience from many organisations shows that the role should rarely sit solely within a pure IT security function. OT security is largely about operations, uptime and physical infrastructure – and therefore requires an understanding of production.

A good rule of thumb is to place responsibility with a function that:

  • Understands operations and the value chain
    The person must be able to assess what is actually critical to production or supply.

  • Can work across IT and operations
    OT security sits at the intersection of multiple disciplines. The role must be able to bring the organisation together, not reinforce silos.

  • Has the mandate to escalate risk to management
    Ultimately, OT security is about business risk. The person responsible must therefore be able to translate technical issues into management decisions.

In some organisations, the role sits with a CISO who has OT expertise. In others, it sits within operations or asset management, working closely with IT. The exact placement may vary – but the crucial thing is that responsibility is clear and supported by management.

2. Understand the difference between IT security and OT security

A classic pitfall is to treat OT security as a conventional IT security issue. The two areas operate on fundamentally different premises. In the IT world, security is typically centred on protecting data and systems. In the OT world, the primary focus is stable operations and physical safety.

“In the IT world, a lot of the focus is on protecting data. In OT, security is very much about keeping the supply running,”

explains Jakob Hviid, Senior Solution Architect in Energy & Utility at Mjølner.

This also means that some traditional IT security measures do not necessarily fit directly into OT environments.

“Imagine an operator in a critical situation who cannot remember their password. In OT, the consequences may be physical – not just digital,”

says Jørgen Hartig.

The point is not that security matters less in OT – but that it must be designed around the operational reality of the utility.

3. Start with risk – not with what is easiest

When organisations begin working with OT security, there is often a tendency to start with the things that are easiest to relate to, such as:

  • fencing and physical access control
  • network segmentation
  • software backups

All three are important. But they are not necessarily where the risk is greatest.

“Many organisations start with what they can see and understand — for example fences around facilities or network segmentation. But that is not necessarily where the greatest risk lies,”

says André Alnor, Energy Solution Strategist at Mjølner.

A more effective approach is to start with the risk assessment.

A good first question is: Which functions in our organisation absolutely must work for us to deliver our core service?

Once those essential functions have been identified, you can move on to:

  • which systems support them
  • which threats could affect them
  • what the consequences would be if they failed

“You cannot protect what you do not know. Gaining visibility into the infrastructure is one of the most important first steps,”

explains Jørgen Hartig.

Many organisations work with concrete threat scenarios – for example, what would happen if a central control system became unavailable for several days. That makes it much easier for management to prioritise investments, because the discussion is based on business risk rather than technology.

4. IT and OT need to work more closely together

Historically, OT environments have often been relatively isolated from the rest of the organisation’s systems. But as digitalisation and data analysis advance, the integration between IT and OT is becoming increasingly close.

“The scenarios that used to be less likely are becoming more realistic as IT and OT become more integrated,”

says André Bryde Alnor.

This means that security work can no longer take place in silos. IT and OT specialists need to work more closely together, and management must ensure that the organisation has a structure that supports that collaboration.

5. Find your maturity point – and build from there

Another important lesson from across the sector is that OT security cannot be implemented in one single, all-encompassing effort. This often becomes apparent when the work is driven by compliance requirements or regulation. The organisation tries to implement all controls at once and ends up with a large programme that is difficult to operationalise.

A more realistic approach is to start from the organisation’s current level of maturity.

“Start the journey where you are. Build it into your processes and move forward step by step, guided by standards,”

says André Bryde Alnor.

In practice, that typically means establishing the basic processes first, working systematically with risk and continuously improving security over time. OT security is not a project with an end date. It is a discipline that evolves over time alongside technology, digitalisation and the threat landscape.

Five key recommendations for management – in brief

If the sector’s experiences are boiled down to five key pieces of advice for management in energy and utility companies, they are these:

1. Assign clear ownership of OT security

OT security often falls between operations and IT. Make sure one function has the mandate to lead the area and coordinate the effort across the organisation.

2. Start from business risk

Do not start with the technology. Start with the question: What must not go wrong in our utility – and what would the consequences be if it did?

3. Prioritise based on risk – not on what is easiest

Many organisations start with perimeter protection or network segmentation because it is concrete and visible. That matters – but it is not necessarily where the greatest risk lies. Let the risk assessment guide the effort.

4. Create visibility into your OT landscape

Management should ensure that the organisation has a realistic picture of its OT systems, connections and dependencies. You cannot protect what you do not know.

5. Treat OT security as an ongoing maturity journey

OT security is never “finished”. Start from your current level, build structures and processes, and improve them continuously.

The worst thing you can do is nothing

OT security can seem complex. Infrastructure, systems and suppliers have often evolved over many years, and there is rarely a simple fix.

But that does not mean you should wait. Quite the opposite. For many organisations, the greatest risk is not starting too small – it is not getting started at all.

As the sector’s experience shows, the most important step is to begin: create visibility and start working with risk in a structured way.

The worst thing you can do is nothing.

Want to know more about OT security?

👉 Reach out to André Bryde Alnor, Energy Solution Strategist, if you would like to learn more.

Mail: aba@mjolner.dk
Mobile: +45 23 46 04 45
