Blue Overalls and Gray Suits: Marcel Jutte on OT Security

OT systems form the foundation of many vital processes, from chemistry to water purification. That requires a different approach than IT security, says Marcel Jutte, who has worked in the OT domain for 35 years.

Yet OT and IT are moving ever closer together. Systems are interconnected and increasingly dependent on each other. And precisely because of that, the differences in culture, risk, and pace stand out more.

“Just patching something, which we’d actually always prefer to do quickly with your Microsoft PC, is something you should definitely not do in OT.”
— Marcel Jutte

The Blue Overall vs. the Gray Suit

According to Marcel, the people in overalls are the OT folks, while the IT folks sit in the office. That may sound black-and-white, but the difference between these two worlds runs deep and sometimes causes friction.

In IT, it’s common to patch a vulnerability quickly: you roll out the update and you’re done. But try doing that in a running factory without halting the process. In an OT environment, continuity is everything, and the physical process takes priority. There is often no time or opportunity to shut a process down. Think of a turbine that must keep spinning or a water pipe that’s constantly under pressure.

“Running a pentest during an active installation? That can get you into serious trouble.”
— Marcel Jutte

So, updates or pentests cannot just be carried out while those systems are active. Such changes require more preparation and coordination. On top of that, many OT systems are outdated and interdependent, which doesn’t make things easier.

Visibility Into Your Own Environment

In many organizations, there’s no current and complete overview of the OT environment. Which systems are running, how old are they, how are they interconnected, and what condition are they in?

This lack of oversight partly stems from the fact that OT was long managed technically, without systematically recording changes. At the same time, these systems often last for decades. Some installations even have notes attached warning never to shut them down, because nobody knows if they’ll restart afterward.

“Sometimes you see notes on installations: ‘Do not shut down.’ Because nobody knows if it will restart. Or because the only person who did know has retired.”
— Marcel Jutte

Knowledge of this infrastructure is slowly disappearing from organizations, along with the ability to responsibly manage or modernize it.

Standards as a Guideline, Not an End Goal

Anyone wanting to bring technology and policy together needs something to build on. Standards can help, provided they align with reality. The IEC 62443 series offers a strong international framework. The Cyber Security Implementation Guideline (CSIR) from Rijkswaterstaat has now been largely adopted by water boards and provinces.

With stricter laws and regulations such as the NIS2 directive or the Cyber Resilience Act, OT security is gaining relevance. These obligations force organizations to take action.

“We’re dealing with different worlds. And if they don’t understand each other, nothing will happen.”
— Marcel Jutte

Still, standards, guidelines, and rules only provide direction; they don’t guarantee success. Success requires people who understand each other, are willing to share knowledge, and want to assess risks together.

One Captain on the Ship: The CISO

In practice, responsibility for OT security often shifts between departments. Sometimes it lies with a technical administrator or maintenance staff, while others think it belongs higher up. This causes confusion, slows decision-making, or fragments it.

Ideally, the CISO should be responsible, but they must understand that OT requires a different approach than IT. One person can’t know everything, but the right expertise must be available within the team or engaged via the network.

At the same time, clear direction is necessary: someone who takes charge, makes decisions, and takes operational signals seriously. As OT and IT become more intertwined, the CISO’s role also shifts — extending beyond compliance and risk management into operational understanding.

About Marcel Jutte

Marcel Jutte is an independent OT security expert and moderator of the OT Theater at the upcoming Cybersec Netherlands on 10 and 11 September at Jaarbeurs Utrecht. With 35 years of experience in the field, he shares insights into a world where technology, safety, and continuity are inextricably linked.

As cyber attacks continue to threaten today’s tech landscape, this event is the premier platform for seasoned cyber security professionals and innovative start-ups to exchange knowledge and tackle cybersecurity challenges together. Organizations across all sectors will discover strategies to boost cyber resilience and safeguard critical assets. Don’t miss this chance to strengthen your cyber defenses—register for free now!