Question 1

What industries do you cover?

Accepted Answer

Manufacturing, energy and utilities, oil and gas, transport and logistics, and healthcare infrastructure. Each has its own regulatory and operational context, but the underlying methodology — IEC 62443 zone-and-conduit modelling, NIST SP 800-82r3 reference architecture — is consistent across them.

Question 2

Do you do hands-on testing of live OT systems?

Accepted Answer

Carefully and with explicit written authorisation, including from operations and safety leadership. Active testing of live OT environments carries production-impact and safety-impact risk that does not exist in IT testing. Most engagements default to passive observation, configuration review, and offline-replica testing where available. Active testing happens within agreed maintenance windows with explicit kill-switch criteria.

Question 3

What is the relationship to IT cyber security?

Accepted Answer

OT cyber security shares principles with IT (defence in depth, segmentation, monitoring, IR) but the implementation is meaningfully different. Patching cycles are slower or impractical; vendor-validated configurations matter more than upstream advisories; safety and uptime can override availability of normal cyber controls. We deliver OT engagements with team members who have OT-specific experience, not just IT generalists.

Question 4

How does this connect to NIS-CAF?

Accepted Answer

For UK operators of essential services, the NCSC Cyber Assessment Framework is the regulatory reference and OT often falls within scope. We deliver NIS-CAF programme work as a separate service (see /services/nis-caf) and integrate the OT engagement output into NIS-CAF evidence where the operator is regulated under NIS Regulations 2018.

Question 5

Why do you cite IEC 62443-3-3 from 2013?

Accepted Answer

Because that is the current published edition of that part. The IEC 62443 series is a multi-part standard with different parts revised on different cadences. 62443-2-1 was revised in 2024; 62443-3-3 has not been revised since 2013 but remains current for the requirements it covers. We cite each part by its current published year so the reference is verifiable.

Question 6

What about NIS2?

Accepted Answer

NIS2 is the EU directive. The UK is not in scope. UK operators of essential services are subject to the NIS Regulations 2018 (the UK transposition of the original NIS Directive), with NCSC NIS-CAF as the assessment framework. If you operate in both UK and EU and need NIS2-aligned OT work, we can scope that explicitly — but we do not pretend NIS2 is the UK driver.

Question 7

How often should OT security be assessed?

Accepted Answer

Annually as a baseline, plus after any significant infrastructure change — new control system deployment, vendor hardware change, network architecture change, or merger/acquisition that adds OT scope. The annual cadence is what we recommend on this page; specific regulatory regimes may demand more.

Question 8

Do you name the OT vendor products you work with?

Accepted Answer

Not on this page. The reasonable answer is the same as for SOC and IR: tooling decisions are environment-driven and we are not paid by any OT vendor to direct you somewhere. We are conversant with the major OT-aware monitoring platforms and we will recommend a fit during scoping.

Question 9

How does an OT IR plan differ from an IT IR plan?

Accepted Answer

Three dimensions matter that IT plans usually do not address. Safety: an OT incident may have life-safety consequences and the response has to coordinate with safety procedures. Environmental: incidents involving certain process control can have environmental-impact consequences. Production-impact: the cost of taking a system offline to contain an incident may be very high, and that trade-off has to be made by people who understand both the security and operational sides. Plans we author cover those explicitly.

Question 10

Can the engagement include Penetration Testing of OT systems?

Accepted Answer

Yes, where authorised and scoped appropriately. Active testing of OT systems is not the same as IT pen testing — see the FAQ above. The 'social engineering / red-team scenario' engagement type from our Penetration Testing service can extend into OT scope when both sides agree the scope and the safety constraints. We start cautious and expand based on what is safe to test.

OT and ICS cyber security, IEC 62443-aligned.

What we mean by OT cyber security

What we do

OT risk assessment

Network segmentation review

OT monitoring & detection

OT tabletop exercises

Industries we cover

Manufacturing

Energy & utilities

Oil & gas

Transport & logistics

Healthcare infrastructure

How an engagement runs

Scoping call

OT risk assessment

Roadmap & remediation plan

Implementation & monitoring setup

OT tabletop exercise

Capabilities

OT Risk Assessment

Network segmentation review

OT monitoring & detection

OT incident response planning

Tabletop exercises

Compliance support

Why 1 Sequence Cyber

Standards-aligned

Cross-disciplinary delivery

Frequently asked questions

Ready to scope OT cyber work?