Becoming an OT Security Specialist today
A long time ago, becoming an ICS Security Specialist often meant finding your own way between two different worlds: IT and industrial operations. In many ways, that is still true today. The strongest OT security professionals are still the ones who understand both cybersecurity and the operational reality of industrial environments. But the field has matured significantly. OT security is no longer just a niche discipline driven by a few specialists. It is now shaped by dedicated training paths, recognized certifications, frameworks such as IEC 62443, and regulatory pressure linked to resilience and supply chain security.
OT security still sits between IT and operations
The most important point has not changed: OT security is not just IT security inside a factory. Industrial environments have different priorities, different risk tolerances, and different operational constraints. Availability, safety, process continuity, and change control typically weigh more heavily than they do in traditional enterprise IT. That is why good OT security professionals need to understand both sides: the cybersecurity side and the operational or engineering side.
This is also why the profile remains so valuable. Organizations still need people who can translate between plant engineers, system integrators, management, and IT security teams. The job is often less about choosing IT or OT, and more about learning how to bridge them properly.
The learning path is more structured now
One major difference compared with 2017 (when I wrote the original blog post on this matter: Becoming an ICS Security Specialist) is that the learning path is no longer as informal as it once was. There are now established options for people who want to build expertise in industrial cybersecurity. SANS maintains a dedicated ICS/OT training portfolio, GIAC offers the GICSP certification, ISA provides an IEC 62443 cybersecurity certificate program, and CISA/INL continue to offer ICS-specific training and hands-on exercises.
That does not mean a certificate alone makes someone an OT security specialist. It does mean that the profession has matured. Today, someone entering the field has more structured ways to learn the technical foundations, the standards landscape, and the operational realities than was the case a decade ago.
You still need real-world exposure
Even with better training options, OT security remains a practical discipline. The best specialists usually build their experience by getting exposed to the environments they want to protect. That may happen through engineering, system integration, incident response, hardening work, network design, assessments, or security testing in industrial settings. The key is not only learning the theory, but understanding how real industrial systems are built, changed, maintained, and supported.
In practice, many strong OT security professionals still come from one side and then learn the other. Some start in IT security and move into industrial environments. Others start in automation, controls, or engineering and grow into cybersecurity. Both paths remain valid. What matters is the willingness to learn the adjacent domain instead of staying inside one silo.
IEC 62443 matters more than ever
Another big change is the growing importance of standards. If you want to become an OT security specialist today, you should understand the basics of IEC 62443. It has become one of the main reference frameworks for industrial cybersecurity and is used by asset owners, system integrators, and suppliers. That makes it relevant not only for compliance-minded roles, but also for engineering, architecture, governance, assessments, and testing.
Understanding IEC 62443 does not mean memorizing every clause. It means understanding how industrial cybersecurity requirements are structured, how responsibilities differ between stakeholders, and how those requirements can be translated into practical controls, validation activities, and evidence.
NIS2 and supply chain security changed the conversation
The field is also more strategic now. OT security specialists are increasingly expected to understand not only technical risk, but also governance and supply chain security. NIS2 places clear emphasis on cybersecurity strategy, awareness, vulnerability management, and supply chain security. That means industrial organizations are under more pressure to assess vendors, manage supplier-related risks, and formalize how they handle cybersecurity in operational environments.
For an OT security specialist, this changes the role. It is no longer enough to only know firewalls, segmentation, and hardening. You also need to understand how cybersecurity expectations are translated into policies, supplier requirements, validation activities, and risk management decisions.
So where should you start?
A good starting point is still to build a foundation in one domain and deliberately learn the other. If you come from IT, spend time understanding industrial processes, control systems, engineering constraints, and operational risk. If you come from OT or engineering, build stronger knowledge of cybersecurity fundamentals, network security, threat detection, identity, secure architecture, and governance.
From there, focus on three things: learning how industrial environments actually work, understanding the standards and regulatory context, and getting hands-on exposure wherever possible. Training and certifications can accelerate that journey, but practical experience and cross-domain communication remain essential.
Conclusion
The old advice still holds: becoming an ICS or OT security specialist means learning to stand between worlds. What has changed is that the profession is now more mature, more visible, and more formalized. There are better training paths, clearer frameworks, and stronger business drivers than there were a while ago. But the core requirement remains the same: understand both cybersecurity and industrial reality, and learn how to connect them.