OT cyber security: Why is the industry still standing still?

Klaudia Ciesielska

Despite growing cyber threats and increasing regulatory pressure, the industrial sector continues to delay the integration of cyber security into industrial control systems (ICS). Is the slow pace of change the result of a cautious strategy – or a costly omission?

In recent years, industrial infrastructure operators have come under intense pressure from two sides: on the one hand, increasingly sophisticated attacks on OT (Operational Technology) systems, and on the other, stringent regulations such as NIS2, which require increased levels of digital resilience. Despite this, security integration at the heart of control systems remains surprisingly slow.

ABI Research data shows that industrial organisations are 10-15 years behind IT in terms of cyber security maturity. And while there is increasing talk of the need for trusted hardware and software in ICS environments, deployments of viable, sustainable security solutions are still rare.

OT versus IT: different worlds, different priorities

Although IT and OT are increasingly intersecting, the way the two areas approach security remains radically different. Industrial environments have traditionally focused on availability and stability – systems are expected to run continuously for many years, and any disruption represents potentially millions in losses.


In this context, cyber security measures – especially those requiring changes to the hardware layer – are often pushed to the background. The cause is not a lack of awareness of the risks, but inertia and a limited window for change. For many industrial organisations, security is important but not critical – until something happens.

Practical minimum: network instead of hardware

Instead of investing in new, secure ICS equipment, many companies are turning to network solutions. Segmentation, firewalls, anomaly detection systems – these are technologies familiar to IT that can be implemented relatively quickly, without replacing the production infrastructure.

This approach works in the short term – it reduces the risk of an external attack, improves network visibility and allows basic regulatory requirements to be met. However, perimeter protection is not enough when an attacker gains access to the device itself or exploits a vulnerability in the firmware. Without trusted hardware, secure boot or cryptographically verified updates, ICS remain vulnerable to insider attacks and advanced persistent threat techniques.

Costly transformation

Implementing secure ICS solutions is not just a technical problem – it is also a huge financial, organisational and logistical challenge. The life cycles of equipment in industry are measured in decades – many devices have been in continuous operation for several years and will not be replaced soon.

Upgrading OT infrastructure often means stopping production, changing master systems and even training operational staff. This all translates into costs that many companies find difficult to accept – especially in times of economic uncertainty and tight supply chains.

When will secure equipment become the norm?

Despite the barriers, there are a growing number of suppliers investing in the development of integrated security in ICS. Companies such as Siemens or HMS offer controllers with trusted boot, encrypted communication or logical application separation features. On the other hand, start-ups – such as RDDL or Veridify – are proposing approaches based on blockchain or post-quantum cryptographic algorithms that can significantly enhance hardware security in distributed environments.

In the long term, it is the generational replacement of ICS equipment that will drive change. Every production line upgrade, plant expansion or implementation of Industry 4.0 systems will be an opportunity to replace obsolete components with new, more resilient ones.

Inevitable pace

Regulations such as NIS2, IEC 62443 or the European Cyber Resilience Act are already forcing change – not only on operators, but also on component suppliers and system integrators. Responsibility for the supply chain, the need to document software security and verification of hardware manufacturers will soon become the norm.

For many industrial companies, this means going beyond the bare minimum and starting to plan strategic upgrades – not just for regulatory compliance, but to remain competitive and maintain customer trust.

The foundation for Zero Trust in industry

Finally, integrated ICS security is not just about defence against attack – it is a prerequisite for implementing a Zero Trust model in an OT environment. Without trusted hardware, secure communications and device integrity checks, it is impossible to effectively manage access, segmentation or real-time threat detection.

Zero Trust in industry is still the buzzword of the future, but every step towards secure ICS – even if slow – brings companies closer to a model where there is no room for implicit trust.

Will the industry have time?

The industry cannot afford any further delay. On the one hand – attacks are becoming more sophisticated and targeting OT devices directly. On the other – regulators are no longer going to tolerate security compromises.

Integrated, hardware-based ICS security is not a luxury – it is becoming an essential foundation of modern manufacturing, logistics and infrastructure. The question is no longer ‘if’, but ‘when’ companies will decide to take the step forward.
