
Why This Blog Exists: A Practical Space for Industrial Cybersecurity and OT Security

Why I decided to create this blog, what I see missing in the conversation around industrial cybersecurity, and why IEC 62443 deserves a more practical, real-world perspective.

Daniel Yagüe

1/19/2026

A close-up of a secure industrial control panel with glowing indicators and a lock symbol overlay.

Hi there! In this first post, I want to share with you why I decided to create this place.

The short story: I believe there is still space out there to talk about the practical implementation of IEC 62443 (we will talk a lot about this norm).

The long story: We already live in a world where industrial systems and machines are permanently interconnected. Operational Technology (OT) environments are no longer isolated, and the old assumption that production networks are separated from the rest of the organization has simply disappeared. Today, industrial systems are connected to corporate IT networks, cloud services, vendors, and remote access platforms as part of normal operations.

At the same time, the traditional boundaries between private, public, and industrial environments have blurred. The same technologies, protocols, and platforms are often reused across all of them. However, the impact of security failures in industrial environments is fundamentally different. In OT and industrial systems, cybersecurity incidents can directly affect safety, availability, physical assets, and business continuity — not just data confidentiality.

IT Security Is Well Covered. OT Security Is Not.

When it comes to cybersecurity, most available documentation, frameworks, and tools are still strongly focused on Information Technology (IT). There is no shortage of guidance on how to protect enterprise systems, applications, or cloud infrastructures. But when you move into Operational Technology (OT) and industrial environments, the situation changes completely.

Many engineers and security professionals still struggle to clearly answer a basic question:

What exactly is OT, and why can’t it be secured in the same way as IT?

This lack of clarity leads to security controls that are copied from IT environments and applied to industrial systems without considering operational constraints, safety requirements, or lifecycle implications.

The Gap Between Industrial Security Expertise and Market Reality

Another recurring issue is the gap between industrial cybersecurity specialists and what the security market actually offers. On one side, there are professionals with deep knowledge of industrial processes, control systems, and OT environments. On the other side, there is a market full of generic cybersecurity solutions, often designed with IT assumptions and later rebranded as “OT-ready”.

The result is confusion, unrealistic expectations, and security programs that look good in presentations but fail when applied to real industrial environments.

Standards Exist — But Are Poorly Understood

There is also a clear lack of practical understanding of industrial cybersecurity standards and certifications. Frameworks such as IEC 62443 exist specifically to address OT and industrial security challenges, yet many organizations are either unaware of them, misunderstand their scope, or perceive certification as something abstract and unreachable.

Too often, compliance is treated as a checkbox exercise, instead of what IEC 62443 actually promotes: a structured, lifecycle-based approach to developing, operating, and maintaining secure industrial products and systems.

The Purpose of This Blog

This blog exists to help close these gaps.

The goal is not to repeat standard text or promote silver-bullet solutions, but to explain how industrial cybersecurity and OT security really work in practice. It focuses on IEC 62443, secure development lifecycles, industrial security architecture, and the reality of applying standards in real organizations.

If you work with industrial systems, product development, OT security, or IEC 62443 certification efforts, this blog is intended to be a practical, honest, and technically grounded reference.