OT Knowledge from Practice: An Interview with our Consultants

In your opinion, what are the biggest challenges companies face when securing their OT systems?

Markus: One of the biggest challenges is reconciling IT security requirements with smooth production processes. Some OT systems have been running in production for quite some time, and their operators are focused on ensuring that production runs consistently and without errors, which makes some IT security requirements difficult or even impossible to implement. For example: Disable SMB V1, but XP should still be able to write to a network share. Another complication is the scope of tasks and the amount of work required by the “new” requirements, which must be handled by existing employees.

Christoph: One of the biggest challenges in protecting OT systems is that many of these systems are very old. This often makes them difficult to update or secure. In addition, many companies do not know exactly which devices are active in their networks, which creates security gaps. On top of that, employees often don’t get enough training on cyber threats. To protect themselves, companies need to take clear security measures, better secure their networks, and regularly train their staff.

What typical vulnerabilities do you frequently encounter in OT environments?

Andreas: In OT environments, we regularly encounter recurring vulnerabilities. Outdated operating systems, lack of network segmentation, and insufficient patch levels are particularly critical. A common problem is the use of identical user accounts with default passwords on multiple production systems – often unchanged for years. This practice provides attackers with an easy point of entry. In addition, there is often a lack of transparency regarding assets, clear access concepts, and appropriate monitoring and response measures. Such security gaps significantly increase the risk of cyberattacks and make targeted protective measures urgently necessary.

Markus: In OT environments, we repeatedly see inadequate backup strategies and poorly managed local accounts. Often, there are no up-to-date, tested backups of critical systems, meaning that neither rapid recovery nor complete data integrity can be guaranteed in the event of a malfunction. Equally problematic is the use of identical local administrator or auto-logon accounts with unchanged default passwords. Since many OT applications require local users with high privileges, this risk often persists for a long time. Sensible countermeasures include automated password rotation, the use of individual, randomly generated passwords, and the integration of solutions such as ondeso SR to securely update auto-logon accounts during restarts. A combination of tested backup concepts and consistent password management reduces these vulnerabilities in the long term.

What are some simple but effective steps that OT managers can implement immediately?

Andreas: OT managers can immediately improve security with a few simple but effective measures which can usually be implemented at a reasonable cost and offer immediate, noticeable security gains:

• Change default passwords and create individual accounts with strong passwords.
• Remove unused user accounts and regularly review permissions.
• Implement network segmentation, e.g., by separating IT and OT.
• Take inventory of all OT devices to increase transparency.
• Restrict or control USB and removable media access.
• Check backups regularly and store them offline.
• Provide basic training for employees to raise awareness.

Markus: An effective and immediately implementable step is to introduce regular backups for OT clients such as engineering workstations or HMIs. These systems often contain critical project and configuration data, the loss of which can lead to production downtime. A central network share with sufficient capacity, automated backups, and simple versioning can be set up quickly. In addition, random restore tests and an offline copy should be provided to prevent manipulation and ransomware. This allows restart capability to be significantly improved with manageable effort.

How can ondeso help with the administration and maintenance of OT systems?

Andreas: ondeso offers specialized solutions for managing and securing OT systems. With ondeso’s software solutions, OT managers can, for example, systematically record assets, document software versions, and automate regular maintenance processes—all without any production downtime. In addition, ondeso supports the distribution of security updates, the management of user accounts, and the introduction of standardized processes across different locations. This reduces risks, meets compliance requirements, and makes operations more efficient – all tailored specifically to industrial IT and OT.

Which measure contributed most to a customer’s OT security in a specific case?

Andreas: In one specific project, the introduction of automated password management via ondeso SR for standard users significantly improved OT security. Together with the customer, a mechanism was established that regularly generates secure, random passwords for local standard accounts. These passwords were not stored on the system, but were transmitted exclusively to a central password server. Access to the password was only possible in a controlled and logged manner. This effectively eliminated the risk posed by permanently stored or repeatedly used passwords – a major security gain combined with high practicality.

Markus: The most effective measure for one customer was the lightning-fast, targeted rollout of the WannaCry security update on all OT-relevant Windows systems via ondeso SR. Immediately after the first media reports, we set up a lean operation that exclusively installed the required patch and rolled it out across the board. The same procedure provided immediate transparency: we could see in a dashboard which machines were already protected, where installations had failed, and where action was still needed. This allowed us to prioritize closing remaining gaps, and the customer significantly reduced their risk in a very short time—there were no production-relevant WannaCry outages.

Christoph: It is very difficult for me to give a specific example here. On the one hand, all customers have very different and heterogeneous infrastructures and, on the other hand, very different measures already in place with regard to OT security. For example, there may already be a backup concept in place, but the vulnerabilities of the individual devices have not yet been identified. OT security must always be viewed holistically, which is why it is always important for me to be able to add missing components using ondeso SR or to advise customers on how they can make their OT security processes more efficient using ondeso SR.

What is your favorite feature of ondeso SR and why?

Markus: Operations – definitely my favorite feature in ondeso SR. It allows me to build standardized processes from the entire toolbox that run identically and reproducibly on every system. Example: commissioning a new client: create defined local users, set strong passwords, assign groups, activate or deactivate RDP as required, set or remove local firewall rules – always the same, without manual deviations. Uniform designations within the operation ensure that results can be evaluated cleanly. I write status and result data directly into Advanced Information Fields; this allows the customer to see at a glance which steps were successful or where follow-up work is needed. And if something special is required, I extend the process with custom scripts via Script Action Item. This combination of automation, consistency, and transparency makes Operations the most powerful feature for me.

Christoph: What I value most is the ability to automatically collect detailed information about the OT systems. We usually set up this functionality right at the start of a project, and customers immediately experience an “aha moment.” When customers then realize that they can use ondeso SR to easily and efficiently build workflows, known as operations, with which they can respond to this information (automatically), they are usually very pleased

Andreas: My favorite feature of ondeso SR is definitely Operations—the ability to fully automate recurring tasks. Whether it’s software installations, script execution, configuration changes, or testing processes, operations allow you to centrally control almost all IT-related activities and roll them out to OT systems in a standardized manner. This saves a tremendous amount of time, minimizes sources of error, and ensures transparent, documented processes — a real game changer for anyone who needs to operate multiple systems efficiently and securely.

Thank you very much for the exciting interview!

If you would like to learn more about ondeso and our software, follow our social media channels:
LinkedIn or YouTube