Building Stronger OT Security Through Processes, Not Tools
Industrial automation has unlocked massive efficiency gains, but it has also expanded the operational technology (OT) attack surface. In factories and plants where uptime is sacred, security has to prioritize availability while relentlessly shrinking exposure. That mindset—process over product—underpins the approach championed by Rainer Rodler, head of production IT security at ZF Group, who argues that the surest path to resilient operations is disciplined hardening and governance rather than piling on more tools.
The Legacy Challenge in Modern Plants
Most industrial environments are a blend of eras: legacy programmable logic controllers, machine tools, and specialized HMIs that run for decades, surrounded by fast-moving IT systems and cloud-connected analytics. This mismatch creates risk. Many OT assets were never designed for today’s threat landscape, rarely get patched on a tight cadence, and can’t tolerate frequent restarts. Meanwhile, modern networks and remote access pathways introduce new entry points and lateral movement opportunities for attackers.
Rodler’s core message: before you reach for advanced detection, get the basics right across every machine, cell, and line. In OT, prevention through standardization and control frequently beats reaction.
Hardening First, Tools Second
Security should start with hardening—removing the unnecessary and constraining what remains. That means:
- Disable unused services and ports to shrink the attack surface.
- Block risky or legacy protocols at the network and host level.
- Adopt application allowlisting so only approved binaries can run.
- Enforce least privilege on accounts, services, and vendor access.
- Lock down configurations and monitor for drift.
Rodler contrasts allowlisting with traditional antivirus, which he characterizes as inherently reactive: signature-based defenses respond after threats are known, while allowlisting denies everything except what’s explicitly trusted. In OT, where availability and determinism matter, that default-deny posture can dramatically reduce the opportunity for malware and unauthorized tools to execute in the first place.
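The "lock down configurations and monitor for drift" step is the one that quietly fails in most plants, so here is an added example of what a drift check looks like in practice. This is illustration code written for this page, not code from the article or from ZF Group; the baseline, the observed snapshot, the host name and the file digests are constructed sample values, and on a real host the snapshot would come from a configuration-management agent.

```python
"""Detect drift from a hardening baseline on an OT host.

Added illustration, not code from the article or from ZF Group. The baseline,
the observed snapshot and the file digests below are constructed sample data;
on a real host the snapshot would come from a configuration-management agent.
"""
from dataclasses import dataclass, field

# Protocol families this (assumed) hardening baseline classifies as legacy or risky.
RISKY_PROTOCOLS = {"telnet", "ftp", "smbv1", "snmpv1"}


@dataclass
class HostState:
    """Exposure-relevant view of one host."""
    services: set            # running services
    listening_ports: set     # ports with an active listener
    protocols: set           # enabled protocol families
    file_hashes: dict        # path -> digest of locked-down config files


@dataclass
class DriftReport:
    host: str
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def check_drift(host: str, baseline: HostState, observed: HostState) -> DriftReport:
    """Compare an observed snapshot with the golden baseline and list deviations."""
    report = DriftReport(host)
    for svc in sorted(observed.services - baseline.services):
        report.findings.append(f"unexpected service running: {svc}")
    for svc in sorted(baseline.services - observed.services):
        report.findings.append(f"baseline service missing: {svc}")
    for port in sorted(observed.listening_ports - baseline.listening_ports):
        report.findings.append(f"unexpected listener on port {port}")
    for proto in sorted(observed.protocols & RISKY_PROTOCOLS):
        report.findings.append(f"risky protocol enabled: {proto}")
    for path, digest in baseline.file_hashes.items():
        seen = observed.file_hashes.get(path)
        if seen is None:
            report.findings.append(f"locked config missing: {path}")
        elif seen != digest:
            report.findings.append(f"locked config modified: {path}")
    return report


# Constructed golden baseline for a fixed-function HMI (hypothetical values).
HMI_BASELINE = HostState(
    services={"hmi-runtime", "opcua-server", "sshd"},
    listening_ports={22, 4840},
    protocols={"opcua", "ssh"},
    file_hashes={"/etc/hmi/runtime.cfg": "sha256:baseline-digest-constructed"},
)

# Constructed snapshot of the same HMI after telnet was enabled and the config edited.
HMI_DRIFTED = HostState(
    services={"hmi-runtime", "opcua-server", "sshd", "telnetd"},
    listening_ports={22, 23, 4840},
    protocols={"opcua", "ssh", "telnet"},
    file_hashes={"/etc/hmi/runtime.cfg": "sha256:changed-digest-constructed"},
)


def run_demo() -> DriftReport:
    """Run the check on the constructed pair and return the report."""
    return check_drift("HMI-L3-07", HMI_BASELINE, HMI_DRIFTED)


if __name__ == "__main__":
    for finding in run_demo().findings:
        print(finding)
```

The value of a check like this is not the comparison itself but the fact that the baseline is a versioned artefact: a finding is either a bug in the golden image or an unapproved change, and both have an owner.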
People, Process, and Insider Risk
Attackers don’t always arrive from the outside. In industrial settings, insider risk often stems from well-intentioned behavior: a technician plugging in a convenient utility, a contractor reusing credentials, or a rushed change applied outside of procedure. Effective defenses address human factors as much as technical ones.
- Role-based access and separation of duties for operations, engineering, and vendors.
- Time-bound, just-in-time remote access with strong authentication and session recording.
- Change approval workflows and “management of change” (MoC) rigor for any deviation.
- Training that’s specific to OT realities—what not to plug in, what not to click, and when to escalate.
- Audit trails that make it easy to see who did what, where, and when.
The goal is not to slow operations but to build a culture where security-enhancing friction is normal and predictable.
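To make the time-bound remote access and audit-trail items concrete, here is an added example of a minimal access broker for vendor sessions. It is illustration code written for this page, not code from the article or from ZF Group: grants are issued only to an MFA-verified user and only against an approved change record, are capped at a maximum window, expire automatically, and every decision lands in an audit log. The user names, asset names, change ids and timestamps are constructed sample values.

```python
"""Time-bound, just-in-time vendor access with an audit trail.

Added illustration, not code from the article or from ZF Group. It models the
policy in memory: access is issued only to an MFA-verified user, only against an
approved change record, expires automatically, and every decision is logged.
Users, assets, change ids and timestamps are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    target: str          # asset the vendor may reach
    change_id: str       # approved management-of-change record
    expires_at: datetime


class AccessBroker:
    def __init__(self, approved_changes, mfa_verified_users, max_hours=4):
        self.approved_changes = set(approved_changes)
        self.mfa_verified = set(mfa_verified_users)
        self.max_window = timedelta(hours=max_hours)   # hard cap on any grant
        self.grants = {}                               # (user, target) -> Grant
        self.audit_log = []                            # who did what, where, when

    def _log(self, now, event, **fields):
        self.audit_log.append({"ts": now.isoformat(), "event": event, **fields})

    def request(self, now, user, target, change_id, hours):
        """Issue a grant if the user is MFA-verified and the change is approved."""
        if user not in self.mfa_verified:
            self._log(now, "denied", user=user, target=target, reason="mfa_required")
            return None
        if change_id not in self.approved_changes:
            self._log(now, "denied", user=user, target=target, reason="no_approved_change")
            return None
        window = min(timedelta(hours=hours), self.max_window)
        grant = Grant(user, target, change_id, now + window)
        self.grants[(user, target)] = grant
        self._log(now, "granted", user=user, target=target, change_id=change_id,
                  expires_at=grant.expires_at.isoformat())
        return grant

    def authorize(self, now, user, target, action):
        """Check a live session action against the grant; expired grants are revoked."""
        grant = self.grants.get((user, target))
        if grant is None:
            self._log(now, "denied", user=user, target=target, action=action, reason="no_grant")
            return False
        if now >= grant.expires_at:
            del self.grants[(user, target)]
            self._log(now, "denied", user=user, target=target, action=action, reason="expired")
            return False
        self._log(now, "allowed", user=user, target=target, action=action,
                  change_id=grant.change_id)
        return True


def run_demo():
    """Constructed scenario: one approved vendor session and two rejected requests."""
    t0 = datetime(2025, 3, 10, 8, 0, tzinfo=timezone.utc)
    broker = AccessBroker(approved_changes={"MOC-0142"},
                          mfa_verified_users={"vendor-a", "vendor-b"})
    results = {}
    grant = broker.request(t0, "vendor-a", "PLC-L3-07", "MOC-0142", hours=8)
    results["window_hours"] = (grant.expires_at - t0).total_seconds() / 3600
    results["in_window"] = broker.authorize(t0 + timedelta(hours=1), "vendor-a",
                                            "PLC-L3-07", "read_diagnostics")
    results["after_expiry"] = broker.authorize(t0 + timedelta(hours=5), "vendor-a",
                                               "PLC-L3-07", "read_diagnostics")
    results["no_change_record"] = broker.request(t0, "vendor-b", "PLC-L3-07",
                                                 "MOC-9999", hours=1) is None
    results["no_mfa"] = broker.request(t0, "contractor-c", "HMI-L3-02",
                                       "MOC-0142", hours=1) is None
    return results, broker


if __name__ == "__main__":
    results, broker = run_demo()
    print(results)
    for entry in broker.audit_log:
        print(entry)
```

Two design choices carry the policy: the requested eight-hour window is silently capped at four, so the cap is enforced by the broker rather than by the requester's discipline, and a grant that has expired is deleted on the next use instead of being left to accumulate as a stale allowance.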
Build the Governance Backbone
Tools are most effective when anchored by clear governance. Rodler’s long-running playbook for production environments emphasizes a few fundamentals:
- Accurate asset inventory: Know every device, OS, firmware, and communication path.
- Network segmentation: Separate IT and OT; isolate cells and lines; implement secure conduits and data diodes where appropriate.
- Patch and compensating controls: When patching is constrained, pair risk acceptance with hardening, monitoring, and backup strategies.
- Baseline configuration standards: Golden images and validated builds for repeatability and rapid recovery.
- Secure remote maintenance: Brokered, monitored access for OEMs; block ad hoc connections and shadow IT.
- Backup and recovery you’ve actually tested: Regular, offline, and immutable backups; documented restoration steps for PLCs and HMIs.
- Incident response tailored to OT: Clear decision trees for isolate-vs-continue scenarios; communication plans with production and safety leads.
Scenario-driven tabletop exercises are the way to practice these processes under realistic time pressure and to tighten the seams between IT, OT, and safety teams.
Allowlisting in Practice
Application allowlisting can be a heavy lift without the right approach. A pragmatic rollout looks like this:
- Start with static systems—engineering workstations, fixed-function HMIs—before tackling dynamic environments.
- Profile normal operations to build the initial allowlist; use maintenance windows to capture legitimate updates and vendor tools.
- Implement staged enforcement: monitor-only, then warn, then block.
- Define a rapid exception process for urgent production needs, with time limits and logging.
- Integrate allowlisting with configuration management so updates don’t break the allowlist.
This shifts the security model from hunting unknown malware to controlling known-good operations—better aligned with the predictability that OT demands.
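The staged rollout above is easier to reason about with the decision logic written out, so here is an added example that walks one engineering workstation through it. This is illustration code written for this page, not code from the article, from ZF Group or from any allowlisting product: the initial list is seeded from a profiling window, enforcement moves from monitor to warn to block, and the exception process carries a ticket and an expiry. The hashes, paths, host name, ticket id and timestamps are constructed sample values; a real agent would compute digests of the binaries it intercepts.

```python
"""Staged application allowlisting with time-boxed, logged exceptions.

Added illustration, not code from the article, from ZF Group or from any
product. Hashes, paths, hosts, ticket ids and timestamps are constructed
sample values; a real agent would hash the binaries it intercepts.
"""
from datetime import datetime, timedelta, timezone
from enum import Enum


class Mode(Enum):
    MONITOR = "monitor"   # unknown binaries run, every one is recorded
    WARN = "warn"         # unknown binaries run, operator is warned, recorded
    BLOCK = "block"       # unknown binaries are denied


class HostAllowlist:
    def __init__(self, host, approved, mode=Mode.MONITOR):
        self.host = host
        self.approved = dict(approved)     # digest -> description
        self.mode = mode
        self.exceptions = {}               # digest -> (expires_at, ticket)
        self.events = []                   # audit trail of every decision

    @classmethod
    def from_profile(cls, host, observed):
        """Seed the allowlist from binaries seen during a profiling/maintenance window."""
        return cls(host, {digest: f"profiled:{path}" for digest, path in observed.items()})

    def set_mode(self, mode):
        self.mode = mode
        self.events.append({"host": self.host, "event": "mode_change", "mode": mode.value})

    def grant_exception(self, now, digest, ticket, hours=2):
        """Temporary allowance for an urgent production need; always time-limited and logged."""
        expires_at = now + timedelta(hours=hours)
        self.exceptions[digest] = (expires_at, ticket)
        self.events.append({"host": self.host, "event": "exception_granted", "digest": digest,
                            "ticket": ticket, "expires_at": expires_at.isoformat()})

    def open_exceptions(self, now):
        """Number of live exceptions, one of the metrics a rollout should track."""
        return sum(1 for expires_at, _ in self.exceptions.values() if now < expires_at)

    def evaluate(self, now, digest, path):
        """Decide what happens when a binary tries to execute; returns the decision."""
        if digest in self.approved:
            return "allow"
        exc = self.exceptions.get(digest)
        if exc is not None:
            expires_at, ticket = exc
            if now < expires_at:
                self._record("allow-exception", digest, path, ticket=ticket)
                return "allow-exception"
            del self.exceptions[digest]   # expired allowances are removed, never extended silently
        decision = {Mode.MONITOR: "log", Mode.WARN: "warn", Mode.BLOCK: "block"}[self.mode]
        self._record(decision, digest, path)
        return decision

    def _record(self, decision, digest, path, **extra):
        self.events.append({"host": self.host, "event": "execution", "decision": decision,
                            "digest": digest, "path": path, "mode": self.mode.value, **extra})


def run_demo():
    """Constructed rollout on one engineering workstation, stepping through the stages."""
    t0 = datetime(2025, 3, 10, 6, 0, tzinfo=timezone.utc)
    profiled = {"sha256:eng-tool-constructed": "C:/Vendor/EngTool.exe",
                "sha256:hmi-designer-constructed": "C:/Vendor/HmiDesigner.exe"}
    wl = HostAllowlist.from_profile("EWS-L3-01", profiled)
    unknown = "sha256:unknown-utility-constructed"
    results = {}
    results["monitor"] = wl.evaluate(t0, unknown, "D:/usb/util.exe")
    wl.set_mode(Mode.WARN)
    results["warn"] = wl.evaluate(t0 + timedelta(days=7), unknown, "D:/usb/util.exe")
    wl.set_mode(Mode.BLOCK)
    results["block"] = wl.evaluate(t0 + timedelta(days=14), unknown, "D:/usb/util.exe")
    results["approved_still_runs"] = wl.evaluate(t0 + timedelta(days=14),
                                                 "sha256:eng-tool-constructed",
                                                 "C:/Vendor/EngTool.exe")
    # Urgent need: the unknown utility is allowed for two hours under a change ticket.
    t_exc = t0 + timedelta(days=14, hours=1)
    wl.grant_exception(t_exc, unknown, ticket="CHG-0471", hours=2)
    results["within_exception"] = wl.evaluate(t_exc + timedelta(minutes=30), unknown, "D:/usb/util.exe")
    results["open_during"] = wl.open_exceptions(t_exc + timedelta(minutes=30))
    results["after_exception"] = wl.evaluate(t_exc + timedelta(hours=3), unknown, "D:/usb/util.exe")
    results["open_after"] = wl.open_exceptions(t_exc + timedelta(hours=3))
    return results, wl


if __name__ == "__main__":
    results, wl = run_demo()
    print(results)
```

Note that monitor and warn modes both let the unknown binary run; their job is to surface what the profiling window missed before block mode turns every gap into a production stop. The events list is what feeds the exception and coverage metrics, and the exception count drops back to zero on its own once the ticket's window closes.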
Measure What Matters
To sustain progress, track outcomes that reflect real risk reduction rather than tool activity:
- Hardening coverage: percentage of assets with unused services disabled and risky protocols blocked.
- Allowlisting coverage and exceptions: how many systems are enforced and how many temporary allowances exist.
- Access hygiene: number of stale accounts; frequency of vendor access reviews; percentage using MFA.
- Patch latency by criticality—and compensating controls applied when patching isn’t possible.
- Resilience metrics: mean time to isolate, restore, and return to safe operation during incidents or exercises.
- Tabletop and recovery test cadence: frequency and findings closed.
A Process-First Roadmap
For plants wrestling with legacy systems and expanding connectivity, a process-first journey might look like this:
- Inventory and classify assets; map data flows and dependencies (safety, quality, production impact).
- Segment networks and establish secure remote maintenance pathways.
- Apply hardening baselines and remove unnecessary services and protocols.
- Roll out application allowlisting to fixed-function and high-criticality systems.
- Formalize MoC, access governance, and vendor management with auditing.
- Stand up tested backup/restore for critical OT components.
- Conduct OT-aware tabletop exercises; integrate lessons into runbooks and designs.
- Iterate: expand coverage, refine exceptions, and align with business objectives and safety requirements.
Why Processes Outlast Tools
Tools age quickly; processes compound. Rodler’s multi-decade experience in industrial environments, including his leadership at ZF Group developing production IT security concepts and global guidelines, underscores that sustainable protection comes from standardizing how systems are built, changed, and recovered—especially as Industry 4.0 and IIoT add more software, connectivity, and third-party access into the mix.
In conversations such as his interview at Nullcon Berlin 2025, the takeaway is consistent: don’t chase every new threat with another point solution. Instead, constrain the environment so fewer threats matter. Disable what you don’t need. Only run what you trust. Control who can do what, when, and how. Practice failure safely so recovery is repeatable. When availability is paramount, process—not products—keeps the line running and the business resilient.