events · #tech&meet #operational-technology #NIS2 #IEC62443 #ICS #SCADA

Tech & Meet: Defensible IT/OT Architecture


TL;DR: Building defensible IT and OT infrastructure requires more than just technical controls like firewalls and encryption. It demands a holistic approach that includes physical security, human awareness, and regulatory frameworks like NIS2 and IEC 62443 working together.

The Road to a Defensible IT/OT Architecture

Speaker: Dieter Sarrazyn (Secudea)
Date: October 1, 2025

This was the first Tech & Meet of the academic year, and it provided valuable insights into securing operational technology (OT) and IT infrastructure. The session focused on the NIS2 and IEC 62443 frameworks and how organizations can use them to build more resilient systems.

One of the most important takeaways was understanding that these regulatory frameworks, often perceived as obstacles, can actually serve as solid foundations for security architecture. Rather than viewing compliance as a burden, Dieter demonstrated how standards like NIS2 and IEC 62443 provide structured approaches to identifying and mitigating risks.

The session emphasized a critical but often overlooked aspect of security: physical access control and the human factor. In many organizations, cybersecurity efforts focus heavily on digital defenses such as firewalls, encryption, and network segmentation, while neglecting the physical layer and human behavior. Dieter highlighted that this is a significant vulnerability. Someone with physical access to infrastructure, or the ability to manipulate people through social engineering, can bypass sophisticated digital security measures entirely.

This reinforced an important principle: effective security requires a holistic approach. You cannot simply implement technical controls and assume you’re secure. Organizations must address:

  • Physical security: Controlling who can access critical infrastructure
  • Technical controls: Proper architecture and encryption
  • Human factors: Training, awareness, and procedural discipline

The convergence of IT and OT environments adds another layer of complexity. Traditional IT systems were designed with different assumptions than OT systems (which prioritize availability and safety), so bridging these domains requires careful planning and a clear framework.

What impressed me most was how practical the session was. Rather than presenting theoretical ideals, Dieter showed real-world examples of how organizations struggle with these transitions and how frameworks like NIS2 and IEC 62443 can guide them through these challenges.

For anyone working in infrastructure security, this session was a strong reminder that security is multifaceted. It’s not enough to be technically proficient; you need to understand regulatory requirements, physical security implications, and organizational behavior. The most secure system is one where technology, processes, and people all work together toward the same goal.